diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 90b709a31..c7a76f871 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,25 +9,21 @@ jobs: - name: Check out repository code uses: actions/checkout@v4 - - name: Install linter dependencies - run: | - pipx install rust-just - echo "$HOME/.local/bin" >> $GITHUB_PATH - - name: Run basic profile linter check run: | - just check + make check build: runs-on: ${{ matrix.os }} needs: check strategy: matrix: - include: - - os: ubuntu-24.04 - mode: default - - os: ubuntu-24.04 - mode: full-system-policy + os: + - ubuntu-24.04 + - ubuntu-22.04 + mode: + - default + - full-system-policy steps: - name: Check out repository code uses: actions/checkout@v4 @@ -38,14 +34,12 @@ jobs: sudo apt-get install -y \ devscripts debhelper config-package-dev \ auditd apparmor-profiles apparmor-utils - pipx install rust-just - echo "$HOME/.local/bin" >> $GITHUB_PATH sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real - name: Build the apparmor.d package run: | if [[ ${{ matrix.mode }} == full-system-policy ]]; then - sed -e "s/just complain/just fsp-complain/" -i debian/rules + echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules fi bash dists/build.sh dpkg @@ -54,10 +48,13 @@ jobs: - name: Reload AppArmor run: | - if ! sudo systemctl restart apparmor.service; then - sudo journalctl -xeu apparmor.service - exit 1 - fi + sudo systemctl restart apparmor.service || true + sudo systemctl status apparmor.service + + - name: Ensure compatibility with some AppArmor userspace tools + if: matrix.os != 'ubuntu-24.04' + run: | + sudo aa-enforce /etc/apparmor.d/aa-notify - name: Show AppArmor log and rules run: | @@ -78,7 +75,6 @@ jobs: tests: runs-on: ubuntu-24.04 needs: build - if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch' steps: - name: Check out repository code uses: actions/checkout@v4 
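Review bot: In the Reload AppArmor step, `sudo systemctl restart apparmor.service || true` discards the failure of the profile load, and the following `sudo systemctl status apparmor.service` prints only the tail of the unit's log, so a parser error in a profile now surfaces late and without its cause (the step still fails only because `status` exits non-zero for a failed unit). If the intent is to always reach the status output, keep the reason on the failing path, `sudo systemctl restart apparmor.service || { sudo journalctl -xeu apparmor.service; exit 1; }`, instead of dropping it. The new "Ensure compatibility" step runs `sudo aa-enforce /etc/apparmor.d/aa-notify` only when `matrix.os != 'ubuntu-24.04'`; a one-line comment naming which userspace tool on ubuntu-22.04 needs this would save the next reader from guessing.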
@@ -98,15 +94,11 @@ jobs: sudo apt-get install -y \ apparmor-profiles apparmor-utils \ bats bats-support - pipx install rust-just - echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Install apparmor.d run: | sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true sudo systemctl restart apparmor.service - sudo systemctl daemon-reload - systemctl --user daemon-reload - name: Restart some services to ensure they are confined run: | @@ -125,18 +117,16 @@ jobs: for service in "${services[@]}"; do sudo systemctl restart "$service" || systemctl status "$service.service" || true done - systemctl restart --user dbus || systemctl status --user "dbus.service" || true sudo ps auxZ | grep -v '\[.*\]' sudo aa-log -s --raw - name: Install integration dependencies run: | - just init - find /usr/sbin/ -type f + bash tests/requirements.sh - - name: Run the integration tests + - name: Run the bats integration tests run: | - just integration + make bats - name: Show final AppArmor logs if: always() diff --git a/.gitignore b/.gitignore index 077d62cbf..d888d6d5c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,6 @@ # Build .build .logs -.pkg tests/tldr tests/tldr.tar.gz diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 80dc69c7b..960dd2884 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -24,13 +24,13 @@ bash: script: - shellcheck --shell=bash PKGBUILD dists/build.sh dists/docker.sh tests/check.sh - tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh + tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh golangci-lint: stage: lint image: golangci/golangci-lint script: - - golangci-lint run + - golangci-lint run --exclude-dirs pkg/paths packer: stage: lint @@ -54,6 +54,7 @@ tests: image: golang coverage: '/Coverage: \d+.\d+/' script: + - apt update && apt install -y rsync - cp tests/journalctl /usr/bin/journalctl - chmod 755 /usr/bin/journalctl - mkdir -p /var/log/audit/ 
@@ -66,7 +67,7 @@ check: stage: test image: registry.gitlab.com/roddhjav/builders/archlinux script: - - just check + - make check # Package Build # ------------- @@ -84,12 +85,13 @@ archlinux: debian: stage: build - image: registry.gitlab.com/roddhjav/builders/debian:trixie + image: registry.gitlab.com/roddhjav/builders/debian script: - sudo chown -R build:build /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl + - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync + - sudo apt-get install -y -t bookworm-backports golang-go - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -98,13 +100,12 @@ debian: ubuntu: stage: build - image: registry.gitlab.com/roddhjav/builders/ubuntu:24.04 - variables: - GOFLAGS: "-buildvcs=false" + image: registry.gitlab.com/roddhjav/builders/ubuntu script: + - sudo chown -R ubuntu:ubuntu /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl + - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync golang-go - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -116,14 +117,14 @@ whonix: variables: DISTRIBUTION: whonix before_script: - - sed -e "s/just complain/just fsp-complain/" -i debian/rules + - echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules opensuse: stage: build image: registry.gitlab.com/roddhjav/builders/opensuse script: - mkdir -p "$PKGDEST" - - sudo zypper install -y distribution-release golang-packaging apparmor-profiles + - sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles - bash dists/build.sh rpm artifacts: expire_in: 1 day 
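Review bot: In the whonix job's before_script, `echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules` has no `-e`, so when the runner executes the script with bash the `\n` and `\t` are appended literally as a single line and the override target is never created; the GitHub workflow's equivalent line in .github/workflows/main.yml uses `echo -e`, so the two CI systems would build different packages. A form that does not depend on the shell's echo, `printf '\noverride_dh_auto_build:\n\tmake full\n' >> debian/rules`, behaves the same everywhere. The debian and ubuntu hunks here, and the preprocess-debian hunk of .gitlab-ci.yml, also drop the image tags (`debian:trixie`, `ubuntu:24.04`), so package builds now float with whatever the registry serves; if that is intended, a comment naming the release the job expects would help when a build breaks after an image update.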
@@ -146,7 +147,7 @@ preprocess-archlinux: preprocess-debian: stage: preprocess - image: debian:trixie + image: debian dependencies: - debian script: @@ -166,7 +167,7 @@ preprocess-ubuntu: - dpkg --install $PKGDEST/* - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null -.preprocess-whonix: +preprocess-whonix: extends: preprocess-debian dependencies: - whonix diff --git a/.golangci.yaml b/.golangci.yaml index 6861d253d..7718ccda2 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -1,15 +1,5 @@ --- -version: "2" -linters: - settings: - staticcheck: - checks: - - all - - -SA1019 - - -ST1000 - exclusions: - paths: - - pkg/paths - - tests/cmd/ - +linters-settings: + staticcheck: + checks: ["all", "-SA1019" ] diff --git a/Justfile b/Justfile deleted file mode 100644 index 64e333079..000000000 --- a/Justfile +++ /dev/null 
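Review bot: The .golangci.yaml hunk removes `version: "2"` and returns to the v1 key layout (`linters-settings:`), while the golangci-lint job in .gitlab-ci.yml runs the unpinned `golangci/golangci-lint` image; if that image resolves to a v2 release, a v1-layout configuration is rejected and the lint stage fails on a config error rather than on code. Pinning the image tag to the major version the configuration is written for keeps the two in step. The `tests/cmd/` path exclusion also disappears with this hunk and, unlike `pkg/paths`, is not re-added on the command line. `checks: ["all", "-SA1019" ]` carries a stray space before the closing bracket; `checks: ["all", "-SA1019"]`.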
@@ -1,399 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Usage: `just` -# See https://apparmor.pujol.io/development/ for more information. - -# Build settings -destdir := "/" -build := ".build" -pkgdest := `pwd` / ".pkg" -pkgname := "apparmor.d" - -# Admin username -username := "user" - -# Default admin password -password := "user" - -# Disk size of the VM to build -disk_size := "40G" - -# Virtual machine CPU -vcpus := "6" - -# Virtual machine RAM -ram := "4096" - -# Path to the ssh key -ssh_keyname := "id_ed25519" -ssh_privatekey := home_dir() / ".ssh/" + ssh_keyname -ssh_publickey := ssh_privatekey + ".pub" - -# Where the VM are stored -vm := home_dir() / ".vm" - -# Where the VM images are stored -base_dir := home_dir() / ".libvirt/base" - -# Where the packer temporary output is stored -output_dir := base_dir / "packer" - -# SSH options -sshopt := "-i " + ssh_privatekey + " -o IdentitiesOnly=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" - -# Libvirt connection address -c := "--connect=qemu:///system" - -# VM prefix -prefix := "aa-" - -# Show this help message -help: - @just --list --unsorted - @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." 
- -# Build the go programs -[group('build')] -build: - @go build -o {{build}}/ ./cmd/aa-log - @go build -o {{build}}/ ./cmd/prebuild - -# Prebuild the profiles in enforced mode -[group('build')] -enforce: build - @./{{build}}/prebuild --buildir {{build}} - -# Prebuild the profiles in enforce mode (test) -enforce-test: build - @./{{build}}/prebuild --buildir {{build}} --test - -# Prebuild the profiles in complain mode -[group('build')] -complain: build - ./{{build}}/prebuild --buildir {{build}} --complain - -# Prebuild the profiles in complain mode (test) -complain-test: build - @./{{build}}/prebuild --buildir {{build}} --complain --test - -# Prebuild the profiles in FSP mode -[group('build')] -fsp: build - @./{{build}}/prebuild --buildir {{build}} --full - -# Prebuild the profiles in FSP mode (complain) -[group('build')] -fsp-complain: build - @./{{build}}/prebuild --buildir {{build}} --complain --full - -# Prebuild the profiles in FSP mode (debug) -[group('build')] -fsp-debug: build - @./{{build}}/prebuild --buildir {{build}} --complain --full --debug - -# Install prebuild profiles -[group('install')] -install: - #!/usr/bin/env bash - set -eu -o pipefail - install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log - mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n") - for file in "${share[@]}"; do - install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file" - done - mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n") - for file in "${aa[@]}"; do - install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" - done - mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n") - for file in "${links[@]}"; do - mkdir -p "{{destdir}}/etc/apparmor.d/disable" - cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" - done - for file in "{{build}}/systemd/system/"*; do - service="$(basename "$file")" - install -Dm0644 "$file" 
"{{destdir}}/usr/lib/systemd/system/$service.d/apparmor.conf" - done - for file in "{{build}}/systemd/user/"*; do - service="$(basename "$file")" - install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" - done - -# Locally install prebuild profiles -[group('install')] -local +names: - #!/usr/bin/env bash - set -eu -o pipefail - install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log - mapfile -t abs < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n") - for file in "${abs[@]}"; do - install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file" - done; - mapfile -t tunables < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n") - for file in "${tunables[@]}"; do - install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file" - done; - echo "Warning: profile dependencies fallback to unconfined." - for file in {{names}}; do - grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true - sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file" - install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" - done; - systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -# Prebuild, install, and load a dev profile -[group('install')] -dev name: - go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` - sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} - sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -# Build & install apparmor.d on Arch based systems -[group('packages')] -pkg: - @makepkg --syncdeps --install --cleanbuild --force --noconfirm - -# Build & install apparmor.d on Debian based systems -[group('packages')] -dpkg: - @bash dists/build.sh dpkg - @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb - -# Build & install apparmor.d on OpenSUSE based systems -[group('packages')] -rpm: - @bash dists/build.sh rpm - @sudo rpm -ivh --force 
{{pkgdest}}/{{pkgname}}-*.rpm - -# Run the unit tests -[group('tests')] -tests: - @go test ./cmd/... -v -cover -coverprofile=coverage.out - @go test ./pkg/... -v -cover -coverprofile=coverage.out - @go tool cover -func=coverage.out - -# Run the linters -[group('linter')] -lint: - golangci-lint run - packer fmt tests/packer/ - packer validate --syntax-only tests/packer/ - shellcheck --shell=bash \ - PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ - tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ - debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm - -# Run style checks on the profiles -[group('linter')] -check: - @bash tests/check.sh - -# Generate the man pages -[group('docs')] -man: - @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md - -# Build the documentation -[group('docs')] -docs: - @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict - -# Serve the documentation -[group('docs')] -serve: - @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve - -# Remove all build artifacts -clean: - @rm -rf \ - debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ - {{pkgdest}}/{{pkgname}}* {{build}} coverage.out - -# Build the package in a clean OCI container -[group('packages')] -package dist: - #!/usr/bin/env bash - set -eu -o pipefail - dist="{{dist}}" - version="" - if [[ $dist =~ ubuntu([0-9]+) ]]; then - version="${BASH_REMATCH[1]}.04" - dist="ubuntu" - elif [[ $dist == debian* ]]; then - version="trixie" - dist="debian" - fi - bash dists/docker.sh $dist $version - -# Build the VM image -[group('vm')] -img dist flavor: (package dist) - @mkdir -p {{base_dir}} - packer build -force \ - -var dist={{dist}} \ - -var flavor={{flavor}} \ - -var prefix={{prefix}} \ - -var username={{username}} \ - -var password={{password}} \ - -var ssh_publickey={{ssh_publickey}} \ - -var disk_size={{disk_size}} \ - -var cpus={{vcpus}} \ - -var ram={{ram}} \ - -var 
base_dir={{base_dir}} \ - -var output_dir={{output_dir}} \ - tests/packer/ - -# Create the machine -[group('vm')] -create dist flavor: - @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 - @virt-install {{c}} \ - --import \ - --name {{prefix}}{{dist}}-{{flavor}} \ - --vcpus {{vcpus}} \ - --ram {{ram}} \ - --machine q35 \ - {{ if dist == "archlinux" { "" } else { "--boot uefi" } }} \ - --memorybacking source.type=memfd,access.mode=shared \ - --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ - --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ - --os-variant "`just _get_osinfo {{dist}}`" \ - --graphics spice \ - --audio id=1,type=spice \ - --sound model=ich9 \ - --noautoconsole - -# Start a machine -[group('vm')] -up dist flavor: - @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} - -# Stops the machine -[group('vm')] -halt dist flavor: - @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} - -# Reboot the machine -[group('vm')] -reboot dist flavor: - @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} - -# Destroy the machine -[group('vm')] -destroy dist flavor: - @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true - @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram - @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 - -# Connect to the machine -[group('vm')] -ssh dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` - -# Mount the shared directory on the machine -[group('vm')] -mount dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ - sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' - -# Unmout the shared directory on the machine -[group('vm')] -umount dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ - sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' - -# List the 
machines -[group('vm')] -list: - @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" - @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' - -# List the VM images -[group('vm')] -images: - #!/usr/bin/env bash - set -eu -o pipefail - mkdir -p {{base_dir}} - ls -lh {{base_dir}} | awk ' - BEGIN { - printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") - } - { - if ($9 ~ /^{{prefix}}.*\.qcow2$/) { - split($9, arr, "-|\\.") - printf("%-18s %-10s %-5s %s %s %s\n", arr[2], arr[3], $5, $6, $7, $8) - } - } - ' - -# List the VM images that can be created -[group('vm')] -available: - #!/usr/bin/env bash - set -eu -o pipefail - ls -lh tests/cloud-init | awk ' - BEGIN { - printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor") - } - { - if ($9 ~ /^.*\.user-data.yml$/) { - split($9, arr, "-|\\.") - printf("%-18s %s\n", arr[1], arr[2]) - } - } - ' - -# Install dependencies for the integration tests -[group('tests')] -init: - @bash tests/requirements.sh - -# Run the integration tests -[group('tests')] -integration name="": - bats --recursive --timing --print-output-on-failure tests/integration/{{name}} - -# Install dependencies for the integration tests (machine) -[group('tests')] -tests-init dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ - just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init - -# Synchronize the integration tests (machine) -[group('tests')] -tests-sync dist flavor: - @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ - rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ - -# Re-synchronize the integration tests (machine) -[group('tests')] -tests-resync dist flavor: (mount dist flavor) \ - (tests-sync dist flavor) \ - (umount dist flavor) - -# Run the integration tests (machine) -[group('tests')] -tests-run dist flavor name="": (tests-resync dist flavor) - ssh 
{{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ - bats --recursive --pretty --timing --print-output-on-failure \ - /home/{{username}}/Projects/tests/integration/{{name}} - -_get_ip dist flavor: - @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ - head -1 | \ - grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' - -_get_osinfo dist: - #!/usr/bin/env python3 - osinfo = { - "archlinux": "archlinux", - "debian12": "debian12", - "debian13": "debian13", - "ubuntu22": "ubuntu22.04", - "ubuntu24": "ubuntu24.04", - "ubuntu25": "ubuntu25.04", - "opensuse": "opensusetumbleweed", - } - print(osinfo.get("{{dist}}", "{{dist}}")) diff --git a/Makefile b/Makefile new file mode 100644 index 000000000..911bd4027 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,134 @@
+#!/usr/bin/make -f
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+DESTDIR ?= /
+BUILD ?= .build
+PKGDEST ?= ${PWD}/.pkg
+PKGNAME := apparmor.d
+PROFILES = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
+
+.PHONY: all
+all: build
+ @./${BUILD}/prebuild --complain
+
+.PHONY: build
+build:
+ @go build -o ${BUILD}/ ./cmd/aa-log
+ @go build -o ${BUILD}/ ./cmd/prebuild
+
+.PHONY: enforce
+enforce: build
+ @./${BUILD}/prebuild
+
+.PHONY: full
+full: build
+ @./${BUILD}/prebuild --complain --full
+
+.PHONY: install
+install:
+ @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
+ @for file in $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n"); do \
+ install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \
+ done;
+ @for file in $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n"); do \
+ install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
+ done;
+ @for file in $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n"); do \
+ mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \
+ cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
+ done;
+ @for file in ${BUILD}/systemd/system/*; do \
+ service="$$(basename "$$file")"; \
+ install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \
+ done;
+ @for file in ${BUILD}/systemd/user/*; do \
+ service="$$(basename "$$file")"; \
+ install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
+ done
+
+
+.PHONY: $(PROFILES)
+$(PROFILES):
+ @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
+ @for file in $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n"); do \
+ install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \
+ done;
+ @for file in $(shell find
${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n"); do \
+ install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \
+ done;
+ @echo "Warning: profile dependencies fallback to unconfined."
+ @for file in ${@}; do \
+ grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \
+ sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \
+ install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
+ done;
+ @systemctl restart apparmor || sudo journalctl -xeu apparmor.service
+
+.PHONY: dev
+name ?=
+dev:
+ @go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name})
+ @sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name}
+ @sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
+
+.PHONY: package
+dist ?= archlinux
+package:
+ @bash dists/docker.sh ${dist}
+
+.PHONY: pkg
+pkg:
+ @makepkg --syncdeps --install --cleanbuild --force --noconfirm
+
+.PHONY: dpkg
+dpkg:
+ @bash dists/build.sh dpkg
+ @sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb
+
+.PHONY: rpm
+rpm:
+ @bash dists/build.sh rpm
+ @sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm
+
+.PHONY: tests
+tests:
+ @go test ./cmd/... -v -cover -coverprofile=coverage.out
+ @go test ./pkg/...
-v -cover -coverprofile=coverage.out + @go tool cover -func=coverage.out + +.PHONY: lint +lint: + @golangci-lint run + @make --directory=tests lint + @shellcheck --shell=bash \ + PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ + tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \ + debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm + +.PHONY: check +check: + @bash tests/check.sh + +.PHONY: bats +bats: + @bats --timing --print-output-on-failure tests/bats/ + +.PHONY: manual +manual: + @pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md + +.PHONY: docs +docs: + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict + +.PHONY: serve +serve: + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve + +.PHONY: clean +clean: + @rm -rf \ + debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \ + .pkg/${PKGNAME}* ${BUILD} coverage.out diff --git a/PKGBUILD b/PKGBUILD index a68ba817d..5bac14835 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -3,25 +3,19 @@ # Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use. -pkgbase=apparmor.d -pkgname=( - apparmor.d - # apparmor.d.enforced - # apparmor.d.fsp apparmor.d.fsp.enforced - # apparmor.d.server apparmor.d.server.enforced - # apparmor.d.server.fsp apparmor.d.server.fsp.enforced -) -pkgver=0.0001 +pkgname=apparmor.d +pkgver=0.001 pkgrel=1 pkgdesc="Full set of apparmor profiles" -arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') -url="https://github.com/roddhjav/apparmor.d" -license=('GPL-2.0-only') -depends=('apparmor>=4.1.0' 'apparmor<5.0.0') -makedepends=('go' 'git' 'rsync' 'just') +arch=("x86_64") +url="https://github.com/roddhjav/$pkgname" +license=('GPL2') +depends=('apparmor') +makedepends=('go' 'git' 'rsync') +conflicts=("$pkgname-git") pkgver() { - cd "$srcdir/$pkgbase" + cd "$srcdir/$pkgname" echo "0.$(git rev-list --count HEAD)" } 
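Review bot: In the `$(PROFILES)` target, `grep 'rPx'` and `sed -i -e "s/rPx/rPUx/g"` rewrite only the upper-case transition, so a lower-case `rpx` rule in a locally installed profile keeps pointing at a profile that may not be loaded, and the warning printed just before it ("profile dependencies fallback to unconfined") does not hold for that rule; `grep -E 'rPx|rpx'` with `sed -i -e 's/rPx/rPUx/g' -e 's/rpx/rpux/g'` covers both spellings. The `dev` target runs with `name` empty by default, in which case `find apparmor.d -iname ${name}` has no argument and the recipe still reaches `sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name}`; a first recipe line `@$(if ${name},,$(error name is required))` stops it early. `clean` removes `.pkg/${PKGNAME}*` while packages are written under `${PKGDEST}`, so a caller overriding PKGDEST gets an incomplete clean; `${PKGDEST}/${PKGNAME}*` keeps the two in step.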
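Review bot: `depends=('apparmor')` drops the version window the removed line carried (`'apparmor>=4.1.0' 'apparmor<5.0.0'`), so the package can be installed on an older userspace whose parser does not know rules this tree relies on, such as the `userns,` line added to abstractions/app/chromium later in this diff, and the profiles using them then fail to load at the `apparmor` restart. A lower bound matching the oldest parser the profiles are actually tested against (the exact version should be confirmed against the rule types in use) avoids that. `license=('GPL2')` replaces the SPDX identifier `GPL-2.0-only` that the removed line used; Arch's packaging guidelines now expect SPDX identifiers in `license`.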
@@ -30,104 +24,16 @@ prepare() { } build() { - cd "$srcdir/$pkgbase" + cd "$srcdir/$pkgname" export CGO_CPPFLAGS="${CPPFLAGS}" export CGO_CFLAGS="${CFLAGS}" export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" - export GOPATH="${srcdir}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" - export DISTRIBUTION=arch - local -A modes=( - # Mapping of modes to just build target. - [default]=complain - # [enforced]=enforce - # [fsp]=fsp-complain - # [fsp.enforced]=fsp - # [server]=server-complain - # [server.enforced]=server - # [server.fsp]=server-fsp-complain - # [server.fsp.enforced]=server-fsp - ) - for mode in "${!modes[@]}"; do - just build=".build/$mode" "${modes[$mode]}" - done + make DISTRIBUTION=arch } -_conflicts() { - local mode="$1" - local pattern=".$mode" - if [[ "$mode" == "default" ]]; then - pattern="" - else - echo "$pkgbase" - fi - for pkg in "${pkgname[@]}"; do - if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then - continue - fi - echo "$pkg" - done -} - -_install() { - local mode="${1:?}" - cd "$srcdir/$pkgbase" - just build=".build/$mode" destdir="$pkgdir" install -} - -package_apparmor.d() { - mode=default - pkgdesc="$pkgdesc (complain mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.enforced() { - mode=enforced - pkgdesc="$pkgdesc (enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.fsp() { - mode="fsp" - pkgdesc="$pkgdesc (FSP mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.fsp.enforced() { - mode="fsp.enforced" - pkgdesc="$pkgdesc (FSP enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server() { - mode="server" - pkgdesc="$pkgdesc (server complain mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server.enforced() { - mode="server.enforced" - 
pkgdesc="$pkgdesc (server enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server.fsp() { - mode="server.fsp" - pkgdesc="$pkgdesc (server FSP complain mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode -} - -package_apparmor.d.server.fsp.enforced() { - mode="server.fsp.enforced" - pkgdesc="$pkgdesc (server FSP enforced mode)" - mapfile -t conflicts < <(_conflicts $mode) - _install $mode +package() { + cd "$srcdir/$pkgname" + make install DESTDIR="$pkgdir" } diff --git a/README.md b/README.md index c1c7726c5..7aed183da 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # apparmor.d -[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] [![][play]][play-link] +[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] **Full set of AppArmor profiles** @@ -35,11 +35,8 @@ * Gnome (GDM) * KDE (SDDM) * XFCE (Lightdm) *(work in progress)* -- [Fully tested](https://apparmor.pujol.io/development/tests/) +- Fully tested *(work in progress)* -**Demo** - -You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ > This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments. 
@@ -62,10 +59,6 @@ Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* -Lessons learned while making an AppArmor Play machine: - -- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* - ## Installation Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install) @@ -100,8 +93,6 @@ and thus has the same license (GPL2). [goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d [matrix]: https://img.shields.io/badge/Matrix-%23apparmor.d-blue?style=flat-square&logo=matrix [matrix-link]: https://matrix.to/#/#apparmor.d:matrix.org -[play]: https://img.shields.io/badge/Live_Demo-play.pujol.io-blue?style=flat-square -[play-link]: https://play.pujol.io [android_model]: https://arxiv.org/pdf/1904.05572 [clipos]: https://clip-os.org/en/ diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index a92058206..4c506da69 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict 
@@ -4,25 +4,25 @@ abi , + # The unix socket to use to connect to the display - unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}), - unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}), - unix type=stream addr=@/tmp/.ICE-unix/@{int}, - unix type=stream addr=@/tmp/.X11-unix/X@{int}, + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), + unix type=stream addr="@/tmp/.ICE-unix/[0-9]*", + unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions - /usr/share/xkeyboard-config-2/{,**} r, /etc/X11/cursors/{,**} r, - owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user + owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user owner @{HOME}/.xsession-errors rw, - /tmp/.ICE-unix/@{int} rw, + /tmp/.ICE-unix/* rw, /tmp/.X@{int}-lock rw, - /tmp/.X11-unix/X@{int} rw, + /tmp/.X11-unix/* rw, owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility deleted file mode 100644 index 894ee467e..000000000 --- a/apparmor.d/abstractions/accessibility +++ /dev/null @@ -1,15 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow communication with Assistive Technology Service Provider Interface (AT-SPI) - - abi , - - include - include - include - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/amdgpu b/apparmor.d/abstractions/amdgpu deleted file mode 100644 index 181d86864..000000000 
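Review bot: The file rules `/tmp/.ICE-unix/* rw,` and `/tmp/.X11-unix/* rw,` widen the old `@{int}` / `X@{int}` patterns to any name in those directories, while the unix rules in the same hunk keep the digit-only form (`[0-9]*`, `X[0-9]*`); for an abstraction named X-strict the file rules should stay as narrow as the socket rules, `/tmp/.ICE-unix/[0-9]* rw,` and `/tmp/.X11-unix/X[0-9]* rw,`. `owner @{HOME}/.ICEauthority rw,` also turns read access into write access for every profile that includes this abstraction; if one client needs to write its ICE cookie, that rule belongs in that client's profile rather than in the shared abstraction.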
--- a/apparmor.d/abstractions/amdgpu +++ /dev/null @@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Kernel Fusion Driver for AMD GPUs - - abi , - - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, - - @{sys}/devices/virtual/kfd/kfd/dev r, - @{sys}/devices/virtual/kfd/kfd/topology/ r, - @{sys}/devices/virtual/kfd/kfd/topology/generation_id r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, - @{sys}/devices/virtual/kfd/kfd/topology/system_properties r, - @{sys}/devices/virtual/kfd/kfd/uevent r, - @{sys}/module/amdgpu/initstate r, - - /dev/kfd rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ansible b/apparmor.d/abstractions/ansible deleted file mode 100644 index 579783096..000000000 --- a/apparmor.d/abstractions/ansible +++ /dev/null @@ -1,11 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - owner @{HOME}/.ansible/tmp/ansible-tmp-*/* rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 7f7e2a673..5d2f74363 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root 
@@ -5,12 +5,14 @@ abi , - include - @{bin}/** PUx, - @{sbin}/** PUx, /usr/local/{s,}bin/** PUx, + @{bin}/ r, + / r, + /usr/ r, + /usr/local/{s,}bin/ r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 3f35d5882..800de5106 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -5,8 +5,6 @@ abi , - include - @{bin}/** PUx, /opt/*/** PUx, /usr/share/** PUx, @@ -20,7 +18,13 @@ @{thunderbird_path} Px, @{offices_path} PUx, - @{user_bin_dirs}/** PUx, + @{bin}/ r, + / r, + /usr/ r, + /usr/local/bin/ r, + + @{user_bin_dirs}/ r, + @{user_bin_dirs}/** PUx, include if exists diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index e0c8d3d59..d257797eb 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -18,7 +18,6 @@ # Labeled programs @{archive_viewers_path} PUx, - @{backup_path} PUx, @{browsers_path} Px, @{document_viewers_path} PUx, @{emails_path} PUx, @@ -26,7 +25,6 @@ @{help_path} Px, @{image_viewers_path} PUx, @{offices_path} PUx, - @{terminal_path} Px, @{text_editors_path} PUx, # Others @@ -35,19 +33,17 @@ @{bin}/discord{,-ptb} Px, @{bin}/draw.io PUx, @{bin}/dropbox Px, - @{bin}/ebook-edit PUx, @{bin}/element-desktop Px, @{bin}/extension-manager Px, @{bin}/filezilla Px, @{bin}/flameshot Px, - @{bin}/gimp{,-3.0} Px, - @{bin}/gnome-calculator Px, + @{bin}/gimp* PUx, + @{bin}/gnome-calculator PUx, @{bin}/gnome-disk-image-mounter Px, @{bin}/gnome-disks Px, - @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, - @{bin}/keepassxc Px, + @{bin}/kgx Px, @{bin}/qbittorrent Px, @{bin}/qpdfview Px, @{bin}/smplayer Px, 
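Review bot: Switching `@{bin}/gimp{,-3.0} Px` and `@{bin}/gnome-calculator Px` to `@{bin}/gimp* PUx` and `@{bin}/gnome-calculator PUx` changes the failure mode when no profile is present: `Px` refuses the exec, `PUx` lets the program run unconfined, and the `gimp*` glob additionally matches any sibling binary with that prefix. If the intent is only to tolerate missing profiles on some distributions, a comment would make that deliberate, e.g. `@{bin}/gimp* PUx, # Unconfined fallback: gimp profile not shipped everywhere`; otherwise keep `Px` and the explicit `gimp{,-3.0}` names. The same hunk drops `@{bin}/keepassxc Px` and `@{bin}/gnome-session-quit Px` without a replacement in view; if they moved elsewhere the commit message should say where.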
@@ -55,12 +51,15 @@ @{bin}/telegram-desktop Px, @{bin}/transmission-gtk Px, @{bin}/viewnior PUx, - @{bin}/vlc Px, + @{bin}/vlc PUx, @{bin}/xbrlapi Px, #aa:only opensuse @{lib}/YaST2/** PUx, + # Backup + @{lib}/deja-dup/deja-dup-monitor PUx, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index dcb29fecb..666387d0a 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -2,11 +2,6 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# NEEDS-VARIABLE: name -# NEEDS-VARIABLE: domain -# NEEDS-VARIABLE: lib_dirs -# NEEDS-VARIABLE: config_dirs -# NEEDS-VARIABLE: cache_dirs # Full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the @@ -25,32 +20,39 @@ abi , include - include include include + include + include include + include + include + include + include include - include - include - include - include + include + include + include include include - include - include + include include - include + include include - include - include - include - include include include include - include include include + include + + userns, + + capability setgid, + capability setuid, + capability sys_admin, + capability sys_chroot, + capability sys_ptrace, network inet dgram, network inet6 dgram, @@ -76,7 +78,7 @@ @{lib_dirs}/chrome-sandbox rPx, # Desktop integration - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/xdg-desktop-menu rPx, @{bin}/xdg-email rPx, @{bin}/xdg-icon-resource rPx, 
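Review bot: The `userns,` and `capability setgid, setuid, sys_admin, sys_chroot, sys_ptrace` rules added to this abstraction apply to every browser profile that includes it, not only to the sandbox helper, while the same hunk's context still transitions to `@{lib_dirs}/chrome-sandbox rPx` for the SUID sandbox. As far as I know AppArmor capability rules are not scoped to the user namespace a task lives in, so `sys_admin` and `sys_ptrace` are granted to the main browser process in the initial namespace as well; if they exist only for the zygote's unprivileged-userns sandbox, say so next to the rules, e.g. `# Needed by the user-namespace sandbox (mount/chroot/ptrace of renderers)`, so a later reader does not mistake them for leftover debugging grants. The `include` lines in this hunk have lost their angle-bracketed targets in this rendering, so I cannot tell which abstractions were swapped; a one-line reason for the new `include` set in the commit message would help reviewers working from the rendered diff.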
@@ -84,11 +86,16 @@ @{bin}/xdg-open rPx -> child-open, @{bin}/xdg-settings rPx, - # Installing/removing extensions, applications, and stacked xdg menus - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{coreutils_path} ix, + # Installing/removing extensions & applications + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/touch rix, # For storing passwords externally @{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128 @@ -108,14 +115,23 @@ /etc/@{name}/{,**} r, /etc/fstab r, + /etc/{,opensc/}opensc.conf r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, / r, owner @{HOME}/ r, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, - owner @{user_config_dirs}/gtk-3.0/servers r, + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, + owner @{user_config_dirs}/gtk-3.0/servers r, + owner @{user_share_dirs}/.@{domain}.@{rand6} rw, + owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, @@ -125,7 +141,7 @@ owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/menus/applications-merged/*.menu rw, + owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, 
@@ -139,8 +155,10 @@ /tmp/ r, /var/tmp/ r, + owner @{tmp}/.@{domain}.@{rand6} rw, + owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, - owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/scoped_dir@{rand6}/{,**} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, owner @{tmp}/tmp.@{rand6}/** rwk, @@ -148,6 +166,9 @@ owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, + /dev/shm/ r, + owner /dev/shm/.@{domain}.@{rand6} rw, + @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{sys}/bus/ r, @@ -155,7 +176,12 @@ @{sys}/class/**/ r, @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/**/report_descriptor r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r, + @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @@ -169,17 +195,20 @@ owner @{PROC}/@{pid}/clear_refs w, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/smaps_rollup r, + owner @{PROC}/@{pid}/setgroups w, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/uid_map w, /dev/ r, + /dev/hidraw@{int} rw, /dev/tty rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index b33dbc7f4..3992fb7b0 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor 
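Review bot: `/dev/hidraw@{int} rw` grants the browser raw read/write on every HID device node, which on a desktop includes keyboards and hardware security keys rather than just the peripherals a user opts into, and unlike the other new device rules in this hunk it carries no comment. If this is for WebHID, name it and consider whether it belongs behind a profile-level opt-in rather than in the shared abstraction: `/dev/hidraw@{int} rw, # WebHID: raw access to all HID devices`. The new `owner @{PROC}/@{pid}/{uid_map,gid_map,setgroups} w` rules are the user-namespace setup and would read better with the same marker the firefox abstraction puts on its `uid_map` line, `# If kernel.unprivileged_userns_clone = 1`.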
@@ -10,12 +10,11 @@ include @{sh_path} rix, - @{bin}/nvim mrix, + @{bin}/nvim mix, @{bin}/sensible-editor mr, - @{bin}/vim* mrix, - @{bin}/which{,.debianutils} rix, + @{bin}/vim{,.*} mrix, + @{bin}/which{,.debianutils} ix, - /usr/share/doc/{,**} r, /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, /usr/share/vim/{,**} r, @@ -25,8 +24,6 @@ /etc/xdg/nvim/* r, owner @{HOME}/.selected_editor r, - owner @{HOME}/.vim/{after/,}spell/{,**} rw, - owner @{HOME}/.vim/** r, owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vimrc r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 0648e68d1..87865197e 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -2,10 +2,6 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# NEEDS-VARIABLE: name -# NEEDS-VARIABLE: lib_dirs -# NEEDS-VARIABLE: config_dirs -# NEEDS-VARIABLE: cache_dirs # Full set of rules for all firefox based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the @@ -22,21 +18,17 @@ include include include + include include include - include - include - include include include include - include include include - include + include include include - include include include include @@ -72,7 +64,7 @@ @{lib_dirs}/plugin-container rPx, # Desktop integration - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, /usr/share/@{name}/{,**} r, /usr/share/doc/{,**} r, @@ -80,6 +72,7 @@ /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, + /etc/{,opensc/}opensc.conf r, /etc/@{name}/{,**} r, /etc/fstab r, /etc/lsb-release r, 
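Review bot: The removed `# NEEDS-VARIABLE:` markers were the only place this abstraction listed the arguments a calling profile must define, and the surviving prose comment still says it "requires some variables to be provided as *arguments*" without naming them. Unless the markers are replaced by a tool-enforced check elsewhere in the diff, restore the list as a plain comment, e.g. `# Required variables: @{name}, @{lib_dirs}, @{config_dirs}, @{cache_dirs}`, so a profile author does not have to grep the body to find them. The chromium abstraction earlier in this diff loses the same markers and would need the same note.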
@@ -103,14 +96,8 @@ /var/tmp/ r, owner @{tmp}/@{name}/ rw, owner @{tmp}/@{name}/* rwk, - owner @{tmp}/@{rand6}.tmp rw, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, - owner @{tmp}/mozilla* rw, - owner @{tmp}/mozilla*/ rw, - owner @{tmp}/mozilla*/* rwk, - owner @{tmp}/remote-settings-startup-bundle- rw, - owner @{tmp}/remote-settings-startup-bundle-.tmp rw, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/tmp-*.xpi rw, @@ -137,10 +124,8 @@ @{sys}/devices/**/uevent r, @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_sku r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, @{PROC}/@{pid}/net/arp r, @@ -164,6 +149,7 @@ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 /dev/ r, + /dev/hidraw@{int} rw, /dev/tty rw, /dev/video@{int} rw, owner /dev/tty@{int} rw, # File Inherit diff --git a/apparmor.d/abstractions/app/fusermount b/apparmor.d/abstractions/app/fusermount deleted file mode 100644 index a394e2528..000000000 --- a/apparmor.d/abstractions/app/fusermount +++ /dev/null 
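Review bot: Narrowing `session-@{word}.scope/cpu.max` to `session-@{int}.scope/cpu.max` stops matching logind sessions whose ID is not purely numeric, for example the `session-c1.scope` names used for autologin and seat sessions, so Firefox started from such a session loses a read it had before, most likely as a silent denial rather than a visible failure. Unless the wider pattern caused a concrete problem, keep `@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,` or use a character class that admits the `c` prefix. The hunk at the end of this file adds `/dev/hidraw@{int} rw` with no comment; the same remark as for the chromium abstraction applies, since this gives the browser raw access to every HID device.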
@@ -1,35 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - -# Minimal set of rules for fusermount subprofiles. Path to mount/unmount should -# be defined in the calling profile. - - abi , - - include - include - - capability dac_override, - capability dac_read_search, - capability sys_admin, # To mount anything - - @{bin}/fusermount{,3} mr, - - @{bin}/mount rix, - @{bin}/umount rix, - - @{etc_ro}/fuse{,3}.conf r, - - @{run}/mount/utab r, - @{run}/mount/utab.* rwk, - - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/mounts r, - - /dev/fuse rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index b6beeb7f6..25a0c0c38 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -7,7 +7,13 @@ include - @{bin}/kmod mr, + @{bin}/depmod mr, + @{bin}/insmod mr, + @{bin}/kmod mr, + @{bin}/lsmod mr, + @{bin}/modinfo mr, + @{bin}/modprobe mr, + @{bin}/rmmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 8dffc39b9..256eb5a6d 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open 
@@ -3,44 +3,19 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Full set of rules for desktop generic open-* used in child-open-* profiles. +# Full set of rules for child-open-* profiles. abi , - include - include include - # We cannot use `@{open_path} mrix,` here because it includes: - # @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop - # And `@{multiarch}` has a wildcard that cannot be merged and that will generate - # "has merged rule with conflicting x modifiers" error when used with other - # wilcard over PUx transition. - @{bin}/exo-open mrix, - @{bin}/xdg-open mrix, - @{bin}/gio mrix, - @{bin}/kde-open mrix, - @{bin}/gio-launch-desktop mrix, - @{lib}/gio-launch-desktop mrix, + @{open_path} mrix, - @{bin}/env rix, @{sh_path} r, + @{bin}/env rix, /dev/tty rw, - # if @{DE} == kde - - include - include - include - - owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - - @{PROC}/sys/kernel/random/boot_id r, - - # fi - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager deleted file mode 100644 index 30acc5612..000000000 --- a/apparmor.d/abstractions/app/pager +++ /dev/null 
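Review bot: Replacing the explicit `exo-open`/`xdg-open`/`gio`/`kde-open`/`gio-launch-desktop` list with `@{open_path} mrix` reintroduces exactly the situation the removed comment documents: `@{open_path}` expands to a path containing `@{multiarch}`, whose wildcard, as that comment states, cannot be merged with the `PUx` wildcard rules used by the child-open profiles and produces a "has merged rule with conflicting x modifiers" parser error. If the new side is meant to compile against the current `@{open_path}` definition, keep the expanded list, or at minimum keep the comment so the next reader knows why the variable is avoided there. The KDE-only rules together with their `# if @{DE} == kde` guard are dropped without a replacement in this hunk; if they moved to another abstraction, the commit message should say where.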
@@ -1,39 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - -# Minimal set of rules for pagers. - - abi , - - include - - capability dac_override, - capability dac_read_search, - - signal receive set=(stop, cont, term, kill), - - @{bin}/ r, - @{pager_path} mrix, - - @{system_share_dirs}/terminfo/{,**} r, - /usr/share/file/misc/** r, - /usr/share/nvim/{,**} r, - - @{etc_ro}/lesskey.bin r, - - @{HOME}/.lesshst r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, - - /dev/tty@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index f563712ca..211c2710d 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -19,13 +19,10 @@ @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pid}/status r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, - @{PROC}/tty/drivers r, @{PROC}/uptime r, include if exists diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec index 87b3ea842..65d34ec6a 100644 --- a/apparmor.d/abstractions/app/pkexec +++ b/apparmor.d/abstractions/app/pkexec @@ -30,8 +30,6 @@ /etc/shells r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/loginuid r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 1c47490cd..4c7de6ba5 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo 
@@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Minimal set of rules for sudo. +# Minimal set of rules for sudo. Interactive sudo need more rules. abi , @@ -24,10 +24,10 @@ network netlink raw, # PAM - unix type=stream addr=@@{udbus}/bus/sudo/system, + unix bind type=stream addr=@@{udbus}/bus/sudo/system, - #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index b707add4d..8489bb275 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -11,12 +11,9 @@ ptrace read peer=@{p_systemd}, unix bind type=stream addr=@@{udbus}/bus/systemctl/, - unix bind type=stream addr=@@{udbus}/bus/systemctl/system, @{bin}/systemctl mr, - @{att}/@{run}/systemd/private rw, - owner @{run}/systemd/private rw, @{PROC}/1/cgroup r, diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm index d659143d6..e8414d026 100644 --- a/apparmor.d/abstractions/app/udevadm +++ b/apparmor.d/abstractions/app/udevadm @@ -11,8 +11,7 @@ /etc/udev/udev.conf r, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/* r, @{sys}/** r, diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 8741942ff..9a53d1548 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base 
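Review bot: `@{run}/udev/data/* r` replaces two narrower patterns that carried explanatory comments (`+*:*` for subsystems, `c@{int}:@{int}` for character devices) and now also exposes block (`b*`) and network (`n*`) entries of the udev database to every profile that includes this abstraction. If the intent is to let `udevadm info` query any device, keep the comment so the scope is clearly deliberate: `@{run}/udev/data/* r, # Whole udev device database: all subsystems and device nodes`. Without it the widening looks accidental next to the otherwise tightening changes in this file's neighbours.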
@@ -3,21 +3,15 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, It automatically replaces the base abstraction in a - # profile with the attach_disconnected flag set and the re-attached path enabled. + # Do not use it manually, it is automatically included in profiles when it is required. abi , - include - @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, - @{att}/@{run}/systemd/journal/stdout rw, - @{att}/dev/null rw, - - /apparmor/.null rw, - @{att}/apparmor/.null rw, + deny /apparmor/.null rw, + deny @{att}/apparmor/.null rw, include if exists diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles index f306c2273..bf76e4a43 100644 --- a/apparmor.d/abstractions/attached/consoles +++ b/apparmor.d/abstractions/attached/consoles @@ -3,26 +3,10 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, It automatically replaces the consoles abstraction in a - # profile with the attach_disconnected flag set and the re-attached path enabled. - abi , - # There are the common ways to refer to consoles - /dev/console rw, - /dev/tty rw, - /dev/tty@{u8} rw, - @{att}/dev/tty rw, - @{att}/dev/tty@{u8} rw, - - # These entries are a bit unfortunate; /dev/tty will always be - # associated with the controlling terminal by the kernel, but if a - # program uses the /dev/pts/ interface, it actually has access to - # -all- xterm, sshd, etc, terminals on the system. - /dev/pts/ r, - owner /dev/pts/@{u16} rw, - @{att}/pts/ r, - owner @{att}/dev/pts/@{u16} rw, + @{att}/dev/tty@{int} rw, + owner @{att}/dev/pts/@{int} rw, include if exists diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 1ebdf4c76..166229a09 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client 
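Review bot: Turning the `/apparmor/.null rw` and `@{att}/apparmor/.null rw` allows into `deny` rules also silences the corresponding audit entries, since an explicit `deny` is not logged unless qualified with `audit`, so a profile that actually trips over a revoked file descriptor (presumably what this null device is used for) will now fail quietly, and the hunk gives no reason for the flip. Add a comment stating the intent, e.g. `# Expected noise from the AppArmor null device: deny without logging`, or use `audit deny` if these denials should remain visible in aa-log. The same hunk also removes `@{att}/dev/null rw` and `@{att}/@{run}/systemd/journal/stdout rw`; attach_disconnected profiles that relied on them need the replacement to exist somewhere else in this diff.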
@@ -21,7 +21,6 @@ /etc/openal/alsoft.conf r, /etc/pipewire/client{,-rt}.conf r, /etc/pipewire/client{,-rt}.conf.d/{,**} r, - /etc/pipewire/jack.conf.d/{,**} r, /etc/pulse/client.conf r, /etc/pulse/client.conf.d/{,**} r, /etc/wildmidi/wildmidi.cfg r, @@ -57,18 +56,12 @@ owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/native rw, - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/+sound:card@{int} r, # For sound card - - @{sys}/class/ r, @{sys}/class/sound/ r, /dev/shm/ r, owner /dev/shm/pulse-shm-@{int} rw, /dev/snd/controlC@{int} r, - /dev/snd/pcmC@{int}D@{int}[cp] r, - /dev/snd/timer r, include if exists diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index a7f89b91b..10bcef426 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -9,6 +9,11 @@ include + @{run}/udev/data/+sound:card@{int} r, # for sound card + + @{sys}/class/ r, + @{sys}/class/sound/ r, + @{PROC}/asound/** rw, /dev/admmidi* rw, diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index a4ed65e8c..ef54e6e78 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -3,10 +3,9 @@ # SPDX-License-Identifier: GPL-2.0-only @{bin}/pam-tmpdir-helper rPx, - @{lib}/pam-tmpdir/pam-tmpdir-helper rPx, #aa:only abi3 - @{sbin}/unix_chkpwd rPx, + @{bin}/unix_chkpwd rPx, #aa:only whonix @{lib}/security-misc/pam-abort-on-locked-password rPx, diff --git a/apparmor.d/abstractions/avahi-observe b/apparmor.d/abstractions/avahi-observe deleted file mode 100644 index aac14fa7d..000000000 --- a/apparmor.d/abstractions/avahi-observe +++ /dev/null 
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2016 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows domain, record, service, and service type browsing as well as address, -# host and service resolving - - abi , - - include - - include - include - include - include - include - include - include - - @{run}/avahi-daemon/socket rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict deleted file mode 100644 index 22ca5ec5e..000000000 --- a/apparmor.d/abstractions/base-strict +++ /dev/null 
@@ -1,132 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2002-2009 Novell/SUSE -# Copyright (C) 2009-2011 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - - # Do not use it manually, It automatically replaces the base abstraction in - # profiles when the re-attached mode is enabled. - - # For now, it is only a restructuring of the base abstraction with awareness - # of the apparmor.d architecture. - - abi , - - include - include - include - include - - # Allow us to signal ourselves - signal peer=@{profile_name}, - - # Checking for PID existence is quite common so add it by default for now - signal (receive, send) set=exists, - - #aa:exclude RBAC - # Allow unconfined processes to send us signals by default - signal receive peer=unconfined, - - # Systemd: allow to receive any signal from the systemd profiles stack - signal receive peer=@{p_systemd}, - signal receive peer=@{p_systemd_user}, - - # Htop like programs can send any signal to any process - signal receive peer=btop, - signal receive peer=htop, - signal receive peer=top, - signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor, - - # Allow to receive termination signal from manager such as sudo, login, shutdown or systemd - signal receive peer=su, - signal receive peer=sudo, - signal receive set=(cont,term,kill,stop) peer=gnome-shell, - signal receive set=(cont,term,kill,stop) peer=login, - signal receive set=(cont,term,kill,stop) peer=openbox, - signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, - signal receive set=(cont,term,kill,stop) peer=xinit, - - # Allow other processes to read our /proc entries, futexes, perf tracing and - # kcmp for now (they will need 'read' in the first place). Administrators can - # override with: - # deny ptrace readby ... - ptrace readby, - - # Allow other processes to trace us by default (they will need 'trace' in - # the first place). 
Administrators can override with: - # deny ptrace tracedby ... - ptrace tracedby, - - # Allow us to ptrace read ourselves - ptrace read peer=@{profile_name}, - - # Allow us to create and use abstract and anonymous sockets - unix peer=(label=@{profile_name}), - - # Allow unconfined processes to us via unix sockets - unix receive peer=(label=unconfined), - - # Allow communication to children and stacked profiles - signal peer=@{profile_name}//*, - signal peer=@{profile_name}//&*, - unix type=stream peer=(label=@{profile_name}//*), - - # Allow us to create abstract and anonymous sockets - unix create, - - # Allow us to getattr, getopt, setop and shutdown on unix sockets - unix (getattr, getopt, setopt, shutdown), - - # Allow all programs to use common libraries - @{lib}/** r, - @{lib}/**.so* m, - @{lib}/@{multiarch}/**.so* m, - @{lib}/@{multiarch}/** r, - - # Some applications will display license information - /usr/share/common-licenses/** r, - - # Allow access to the uuidd daemon (this daemon is a thin wrapper around - # time and getrandom()/{,u}random and, when available, runs under an - # unprivilged, dedicated user). - @{run}/uuidd/request r, - - # Transparent hugepage support - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - - # Systemd's equivalent of /dev/log - @{run}/systemd/journal/dev-log w, - - # Systemd native journal API (see sd_journal_print(4)) - @{run}/systemd/journal/socket w, - - # Nested containers and anything using systemd-cat need this. 'r' shouldn't - # be required but applications fail without it. journald doesn't leak - # anything when reading so this is ok. 
- @{run}/systemd/journal/stdout rw, - - # Allow determining the highest valid capability of the running kernel - @{PROC}/sys/kernel/cap_last_cap r, - - # Controls how core dump files are named - @{PROC}/sys/kernel/core_pattern r, - - # Sometimes used to determine kernel/user interfaces to use - @{PROC}/sys/kernel/version r, - - # Harmless and frequently used - /dev/null rw, - /dev/random r, - /dev/urandom r, - /dev/zero rw, - - # The __canary_death_handler function writes a time-stamped log - # message to /dev/log for logging by syslogd. So, /dev/log, timezones, - # and localisations of date should be available EVERYWHERE, so - # StackGuard, FormatGuard, etc., alerts can be properly logged. - /dev/log w, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index d89688b70..3b5ecaf41 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete 
@@ -3,33 +3,34 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # Systemd: allow to receive any signal from the systemd profiles stack - signal receive peer=@{p_systemd}, - signal receive peer=@{p_systemd_user}, - # Allow to receive some signals from new well-known profiles - signal receive peer=btop, - signal receive peer=htop, - signal receive peer=pkill, - signal receive peer=sudo, - signal receive peer=top, - signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, - signal receive set=(hup term) peer=login, - signal receive set=(hup) peer=xinit, - signal receive set=(term,kill) peer=gnome-shell, - signal receive set=(term,kill) peer=gnome-system-monitor, - signal receive set=(term,kill) peer=openbox, - signal receive set=(term,kill) peer=su, + signal (receive) peer=btop, + signal (receive) peer=htop, + signal (receive) peer=sudo, + signal (receive) peer=top, + signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, + signal (receive) set=(cont,term) peer=@{p_systemd_user}, + signal (receive) set=(cont,term) peer=@{p_systemd}, + signal (receive) set=(hup term) peer=login, + signal (receive) set=(hup) peer=xinit, + signal (receive) set=(term,kill) peer=gnome-shell, + signal (receive) set=(term,kill) peer=gnome-system-monitor, + signal (receive) set=(term,kill) peer=openbox, + signal (receive) set=(term,kill) peer=su, - ptrace readby peer=@{p_systemd_coredump}, + ptrace (readby) peer=systemd-coredump, @{etc_rw}/localtime r, /etc/locale.conf r, + # mesa 24.2 introduced a shader disk cache which opens quite a lot of fd. + # They are not closed and get inherited by child programs. Denying it can cause + # crash, so we are allowing it globally while the issue is beeing fixed in mesa. 
+ owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rw, + owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rw, + @{sys}/devices/system/cpu/possible r, @{PROC}/sys/kernel/core_pattern r, - /apparmor/.null rw, - # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index cd4a7c8a7..9ea35f8c2 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when .bashrc is loaded (e.g. interactive shell). +# This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. abi , diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index 70850b2ba..eba12457f 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility @@ -9,6 +9,11 @@ member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), + dbus send bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), + owner @{run}/user/@{uid}/at-spi/ rw, owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/at-spi/bus_@{int} rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index a1226d8e7..95325d7d3 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session 
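Review bot: The new mesa shader-cache rules are granted to every confined program through `base.d/complete`, and the justifying comment has a typo (`beeing` should be `being`) and no tracking reference, so nobody will know when the exception can be removed. Suggested wording: `# mesa 24.2 shader disk cache leaks open fds into child programs; allowed globally until fixed upstream (reference the mesa/apparmor.d issue here)`. `ptrace (readby) peer=systemd-coredump` also drops the `@{p_systemd_coredump}` variable used on the old side while the adjacent signal rules keep `@{p_systemd}` and `@{p_systemd_user}`; for consistency, and so the rule keeps matching if that profile is stacked, prefer `ptrace (readby) peer=@{p_systemd_coredump},`.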
@@ -4,13 +4,20 @@ abi , - unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, + unix (bind, listen) type=stream addr="@/tmp/dbus-*", + unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*", + unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"), - dbus send bus=session path=/org/freedesktop/{dbus,DBus} + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index d05c018c7..870443002 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system @@ -4,15 +4,17 @@ abi , - unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/system, - dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - @{run}/dbus/system_bus_socket rw, - @{att}/@{run}/dbus/system_bus_socket rw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + @{run}/dbus/system_bus_socket rw, include if exists diff --git a/apparmor.d/abstractions/bus/accessibility/org.a11y b/apparmor.d/abstractions/bus/accessibility/org.a11y deleted file mode 100644 index 0145fc494..000000000 --- a/apparmor.d/abstractions/bus/accessibility/org.a11y +++ /dev/null 
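Review bot: The new `unix (bind, listen) type=stream addr="@/tmp/dbus-*"` rule lets every profile that includes `bus-session` create and listen on an abstract socket in the session bus's naming scheme, whereas the old side bound only `@@{udbus}/bus/@{profile_name}/session`; abstract sockets have no filesystem permissions, so this is what would let a confined client pose as a bus endpoint to anything that connects by name. Session-bus clients normally need only the `connect, send, receive` side plus a `peer=(label=...)` restriction; if `bind`/`listen` is required by some library for peer-to-peer D-Bus, scope it to the owning profile, e.g. `unix (bind, listen) type=stream addr=@@{udbus}/bus/@{profile_name}/session,`, and add `peer=(label="@{p_dbus_session}")` to the `@/tmp/dbus-*` connect rule. The `{RequestName,ReleaseName}` addition looks fine but is a separate concern from the socket rules and deserves its own one-line comment.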
@@ -1,65 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2017 Canonical Ltd
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- # Allow the accessibility services in the user session to send us any events
-
- dbus receive bus=accessibility
- peer=(label="@{p_at_spi2_registryd}"),
-
- # Allow querying for capabilities and registering
-
- dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
- interface=org.a11y.atspi.Socket
- member=Embed
- peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
-
- dbus send bus=accessibility path=/org/a11y/atspi/registry
- interface=org.a11y.atspi.Registry
- member=GetRegisteredEvents
- peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
-
- dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
- interface=org.a11y.atspi.DeviceEventController
- member={GetKeystrokeListeners,GetDeviceEventListeners}
- peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
-
- dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
- interface=org.a11y.atspi.DeviceEventController
- member=NotifyListenersSync
- peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
-
- # org.a11y.atspi is not designed for application isolation and these rules
- # can be used to send change events for other processes.
-
- dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
- interface=org.a11y.atspi.Event.Object
- member=ChildrenChanged
- peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
-
- dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
- interface=org.a11y.atspi.Accessible
- member=Get*
- peer=(label="@{p_at_spi2_registryd}"),
-
- dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
- interface=org.a11y.atspi.Event.Object
- member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}
- peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
-
- dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
- interface=org.freedesktop.DBus.Properties
- member={Get,GetAll}
- peer=(label="@{p_at_spi2_registryd}"),
-
- dbus send bus=accessibility path=/org/a11y/atspi/cache
- interface=org.a11y.atspi.Cache
- member={AddAccessible,RemoveAccessible}
- peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/accessibility/own b/apparmor.d/abstractions/bus/accessibility/own
deleted file mode 100644
index d1eab1ce7..000000000
--- a/apparmor.d/abstractions/bus/accessibility/own
+++ /dev/null
@@ -1,25 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-# LOGPROF-SUGGEST: no
-
-# Do not use it manually, It is automatically included in a profile by the
-# `aa:dbus own` directive.
-
-# Allow owning a name on DBus public bus
-
- abi ,
-
- dbus send bus=accessibility path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={RequestName,ReleaseName}
- peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
-
- dbus send bus=accessibility path=/org/freedesktop/DBus
- interface=org.freedesktop.DBus
- member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
- peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer b/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer
deleted file mode 100644
index 9bad3655d..000000000
--- a/apparmor.d/abstractions/bus/ca.desrt.dconf.Writer
+++ /dev/null
@@ -1,19 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus send bus=session path=/ca/desrt/dconf/Writer/user
- interface=ca.desrt.dconf.Writer
- member=Change
- peer=(name=ca.desrt.dconf), # no peer's labels
-
- dbus receive bus=session path=/ca/desrt/dconf/Writer/user
- interface=ca.desrt.dconf.Writer
- member=Notify
- peer=(name=@{busname}, label=dconf-service),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/com.canonical.dbusmenu
index 61ce81111..c5f74a6de 100644
--- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu
+++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu
@@ -4,10 +4,6 @@
 abi ,
- dbus send bus=session path=/com/canonical/unity/launcherentry/**
- interface=com.canonical.dbusmenu
- member={GetGroupProperties,GetLayout}
- peer=(name=@{busname}, label=nautilus),
 include if exists
diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
index 7989ea4c5..4b7d6c89d 100644
--- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
+++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
@@ -4,11 +4,14 @@
 abi ,
- #aa:dbus common bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant
+ dbus send bus=system path=/fi/w1/wpa_supplicant1
+ interface=org.freedesktop.DBus.Properties
+ member={GetAll,PropertiesChanged}
+ peer=(name="@{busname}", label=wpa-supplicant),
 dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
 interface=org.freedesktop.DBus.Properties
- member=Set
+ member={GetAll,Set}
 peer=(name="@{busname}", label=wpa-supplicant),
 dbus send bus=system path=/fi/w1/wpa_supplicant1
@@ -36,6 +39,16 @@
 member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged}
 peer=(name="@{busname}", label=wpa-supplicant),
+ dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
+ interface=org.freedesktop.DBus.Properties
+ member={GetAll,PropertiesChanged}
+ peer=(name="@{busname}", label=wpa-supplicant),
+
+ dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int}
+ interface=org.freedesktop.DBus.Properties
+ member={GetAll,PropertiesChanged}
+ peer=(name="@{busname}", label=wpa-supplicant),
+
 include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles
index 7e7560992..4da873247 100644
--- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles
+++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles
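Review bot: `member={GetAll,PropertiesChanged}` on the new `dbus send` rule mixes a method the client calls with a signal the service emits: a send rule for `PropertiesChanged` towards `label=wpa-supplicant` never matches client traffic, and the two `dbus receive` rules in the second `fi.w1.wpa_supplicant1` hunk likewise list `GetAll`, which a client does not receive. Splitting them keeps each rule meaningful and avoids granting a direction that is never used, e.g. `dbus send ... member=GetAll` plus `dbus receive ... member=PropertiesChanged` for each path.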
@@ -4,7 +4,10 @@
 abi ,
- #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}"
+ dbus send bus=system path=/net/hadess/PowerProfiles
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="@{busname}", label=power-profiles-daemon),
 include if exists
diff --git a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl
index df65417da..7f68d2d06 100644
--- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl
+++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl
@@ -4,7 +4,10 @@
 abi ,
- #aa:dbus common bus=system name=net.hadess.SwitcherooControl label=switcheroo-control
+ dbus send bus=system path=/net/hadess/SwitcherooControl
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="@{busname}", label=switcheroo-control),
 include if exists
diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint
index 0241fc889..41735f1be 100644
--- a/apparmor.d/abstractions/bus/net.reactivated.Fprint
+++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint
@@ -4,12 +4,10 @@
 abi ,
- #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}"
-
 dbus send bus=system path=/net/reactivated/Fprint/Manager
 interface=net.reactivated.Fprint.Manager
 member={GetDevices,GetDefaultDevice}
- peer=(name="@{busname}", label="@{p_fprintd}"),
+ peer=(name="@{busname}", label=fprintd),
 dbus send bus=system path=/net/reactivated/Fprint/Manager
 interface=net.reactivated.Fprint.Manager
@@ -19,7 +17,7 @@
 dbus send bus=system path=/net/reactivated/Fprint/Manager
 interface=net.reactivated.Fprint.Manager
 member={GetDevices,GetDefaultDevice}
- peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"),
+ peer=(name=net.reactivated.Fprint, label=fprintd),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y
new file mode 100644
index 000000000..bb31a079c
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.a11y
@@ -0,0 +1,48 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ # Accessibility bus
+
+ dbus receive bus=accessibility path=/org/a11y/atspi/registry
+ interface=org.a11y.atspi.Registry
+ member=EventListenerDeregistered
+ peer=(name="@{busname}", label=at-spi2-registryd),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/registry
+ interface=org.a11y.atspi.Registry
+ member=GetRegisteredEvents
+ peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+ interface=org.a11y.atspi.DeviceEventController
+ member={GetKeystrokeListeners,GetDeviceEventListeners}
+ peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+
+ dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.freedesktop.DBus.Properties
+ member=Set
+ peer=(name="@{busname}", label=at-spi2-registryd),
+
+ dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+ interface=org.a11y.atspi.Socket
+ member=Embed
+ peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+
+ # Session bus
+
+ dbus send bus=session path=/org/a11y/bus
+ interface=org.a11y.Bus
+ member=GetAddress
+ peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
+
+ dbus send bus=session path=/org/a11y/bus
+ interface=org.a11y.Bus
+ member=GetAddress
+ peer=(name=org.a11y.Bus),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/system/org.bluez b/apparmor.d/abstractions/bus/org.bluez
similarity index 54%
rename from apparmor.d/abstractions/bus/system/org.bluez
rename to apparmor.d/abstractions/bus/org.bluez
index acaa7bb36..7b709ab9b 100644
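Review bot: The second `GetAddress` rule, `peer=(name=org.a11y.Bus)`, has no `label=` and therefore matches every peer the rule above it matches, which makes the `label="@{p_dbus_accessibility}"` variant dead and drops the label check for calls to `org.a11y.Bus` altogether. If the unlabeled form is needed for a case where the name owner is not the accessibility launcher profile, a comment naming that case (e.g. `# unlabeled: <reason>`) would let reviewers keep it deliberately; otherwise only the labeled rule should stay.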
--- a/apparmor.d/abstractions/bus/system/org.bluez
+++ b/apparmor.d/abstractions/bus/org.bluez
@@ -4,38 +4,46 @@
 abi ,
- #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}"
-
 dbus receive bus=system path=/
 interface=org.freedesktop.DBus.ObjectManager
- member={InterfacesAdded,InterfacesRemoved}
- peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"),
+ member=InterfacesRemoved
+ peer=(name="{@{busname},org.bluez}", label=bluetoothd),
+
+ dbus receive bus=system path=/org/bluez/hci@{int}{,/**}
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name="{@{busname},org.bluez}", label=bluetoothd),
 dbus send bus=system path=/
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
- peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"),
+ peer=(name="{@{busname},org.bluez}", label=bluetoothd),
 dbus send bus=system path=/org/bluez
 interface=org.bluez.AgentManager@{int}
 member={RegisterAgent,RequestDefaultAgent,UnregisterAgent}
- peer=(name=org.bluez, label="@{p_bluetoothd}"),
+ peer=(name=org.bluez, label=bluetoothd),
 dbus send bus=system path=/org/bluez
 interface=org.bluez.ProfileManager@{int}
 member=RegisterProfile
- peer=(name=org.bluez, label="@{p_bluetoothd}"),
+ peer=(name=org.bluez, label=bluetoothd),
+
+ dbus send bus=system path=/org/bluez/hci@{int}
+ interface=org.freedesktop.DBus.Properties
+ member=Set
+ peer=(name="{@{busname},org.bluez}", label=bluetoothd),
 dbus send bus=system path=/org/bluez/hci@{int}
 interface=org.bluez.BatteryProviderManager@{int}
 member=RegisterProfile
- peer=(name=org.bluez, label="@{p_bluetoothd}"),
+ peer=(name=org.bluez, label=bluetoothd),
 dbus send bus=system path=/org/bluez/hci@{int}
 interface=org.bluez.Media@{int}
 member=RegisterApplication
- peer=(name=org.bluez, label="@{p_bluetoothd}"),
+ peer=(name=org.bluez, label=bluetoothd),
- include if exists
+ include if exists
 # vim:syntax=apparmor
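Review bot: The new `dbus send bus=system path=/org/bluez/hci@{int} interface=org.freedesktop.DBus.Properties member=Set` rule grants writes to adapter properties to every profile that includes this abstraction, while every other rule here is a read or a registration call; adapter state such as powered/discoverable is changed through exactly this `Set` call, so it is better granted in the few profiles that manage the adapter than in the shared include. Separately, the `ObjectManager` receive rule now lists only `InterfacesRemoved`, so a client that watches for new devices via `InterfacesAdded` would be denied; worth confirming that is intended, since this is a rename rather than a rewrite of the file.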
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts
index e77f17b88..f2048c80e 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts
@@ -4,27 +4,30 @@
 abi ,
- #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
-
 dbus send bus=system path=/org/freedesktop/Accounts
 interface=org.freedesktop.Accounts
- member={FindUserByName,ListCachedUsers,FindUserById}
- peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"),
+ member={FindUserByName,ListCachedUsers}
+ peer=(name="@{busname}", label=accounts-daemon),
+
+ dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}}
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="@{busname}", label=accounts-daemon),
 dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
 interface=org.freedesktop.Accounts.User
 member=*Changed
- peer=(name="@{busname}", label="@{p_accounts_daemon}"),
+ peer=(name="@{busname}", label=accounts-daemon),
 dbus receive bus=system path=/org/freedesktop/Accounts
 interface=org.freedesktop.Accounts
 member=UserAdded
- peer=(name="@{busname}", label="@{p_accounts_daemon}"),
+ peer=(name="@{busname}", label=accounts-daemon),
 dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
 interface=org.freedesktop.DBus.Properties
 member=*Changed
- peer=(name="@{busname}", label="@{p_accounts_daemon}"),
+ peer=(name="@{busname}", label=accounts-daemon),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi
index 4ddf95af3..ccf5b30a9 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi
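Review bot: The `FindUserByName,ListCachedUsers` send rule narrows its peer name from `{@{busname},org.freedesktop.Accounts}` to `"@{busname}"` only, and the new `GetAll` rule uses the same narrow form, whereas the `org.bluez` and `org.freedesktop.NetworkManager` abstractions in this commit keep the alternation. As far as I understand dbus mediation, `peer=(name=...)` on a `dbus send` rule is matched against the destination as addressed, so a method call sent to the well-known name `org.freedesktop.Accounts` (the usual way clients call it) would be denied under the new rules; `peer=(name="{@{busname},org.freedesktop.Accounts}", label=accounts-daemon)` keeps both forms. If only unique-name calls are expected, a one-line comment saying so would keep the next reader from re-adding the alternation.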
@@ -4,42 +4,25 @@
 abi ,
- #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}"
-
 dbus send bus=system path=/
 interface=org.freedesktop.DBus.Peer
 member=Ping
- peer=(name=org.freedesktop.Avahi),
+ peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
 dbus send bus=system path=/
 interface=org.freedesktop.Avahi.Server
 member={GetAPIVersion,GetState,Service*New}
- peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+ peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
 dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
 interface=org.freedesktop.Avahi.ServiceBrowser
 member=Free
- peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+ peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
 dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
 interface=org.freedesktop.Avahi.ServiceBrowser
- member={ItemNew,ItemRemove,AllForNow,CacheExhausted}
- peer=(name="@{busname}", label="@{p_avahi_daemon}"),
-
- dbus receive bus=system path=/
- interface=org.freedesktop.Avahi.Server
- member=StateChanged
- peer=(name=@{busname}, label="@{p_avahi_daemon}"),
-
- dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
- interface=org.freedesktop.Avahi.ServiceResolver
- member=Found
- peer=(name=@{busname}, label="@{p_avahi_daemon}"),
-
- dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
- interface=org.freedesktop.Avahi.ServiceResolver
- member=Free
- peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+ member={ItemNew,AllForNow,CacheExhausted}
+ peer=(name="@{busname}", label=avahi-daemon),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
new file mode 100644
index 000000000..205557ad5
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
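Review bot: The `ServiceBrowser` receive rule now lists `{ItemNew,AllForNow,CacheExhausted}` and no longer `ItemRemove`, so a client that browses services is still told about new entries but is denied the signal that withdraws them and will keep stale entries. Unless no includer handles `ItemRemove`, `member={ItemNew,ItemRemove,AllForNow,CacheExhausted}` is the safer set; the `Service*New` send rule a few lines up suggests browsers are expected here.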
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member=GetDevices
+ peer=(name="@{busname}", label=colord),
+
+ dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="@{busname}", label=colord),
+
+ dbus send bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member=CreateDevice
+ peer=(name="@{busname}", label=colord),
+
+ dbus receive bus=system path=/org/freedesktop/ColorManager
+ interface=org.freedesktop.ColorManager
+ member={DeviceAdded,DeviceRemoved}
+ peer=(name="@{busname}", label=colord),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
index a08c98b26..101e493ab 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
@@ -4,12 +4,15 @@
 abi ,
- #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus
-
 dbus send bus=session path=/org/freedesktop/FileManager1
- interface=org.freedesktop.FileManager1
- member=ShowItems
- peer=(name=org.freedesktop.FileManager1, label=nautilus),
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="@{busname}", label=nautilus),
+
+ dbus receive bus=session path=/org/freedesktop/FileManager1
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name="@{busname}", label=nautilus),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
index 9957c7b67..17ea4e45a 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
@@ -4,26 +4,35 @@
 abi ,
- #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
+ dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="@{busname}", label=geoclue),
+
 dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
 interface=org.freedesktop.DBus.Properties
 member=PropertiesChanged
- peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"),
+ peer=(name=org.freedesktop.DBus, label=geoclue),
 dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
 interface=org.freedesktop.DBus.Properties
 member=GetAll
- peer=(name="@{busname}", label="@{p_geoclue}"),
+ peer=(name="@{busname}", label=geoclue),
 dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
 interface=org.freedesktop.DBus.Properties
 member=GetAll
- peer=(name="@{busname}", label="@{p_geoclue}"),
+ peer=(name="@{busname}", label=geoclue),
 dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
 interface=org.freedesktop.GeoClue2.Manager
 member=AddAgent
- peer=(name="@{busname}", label="@{p_geoclue}"),
+ peer=(name="@{busname}", label=geoclue),
+
+ dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name="@{busname}", label=geoclue),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
index 4f53ba497..5c514d54c 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
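Review bot: The rule added at the top of the hunk, `dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll peer=(name="@{busname}", label=geoclue)`, is identical to the existing `GetAll` rule for `/org/freedesktop/GeoClue2/Manager` a few lines further down once that one's peer is relabeled by this same hunk, so one of the two should be dropped. A duplicate does not change the compiled policy, but it hides the real change the next time this file is diffed.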
@@ -4,17 +4,20 @@
 abi ,
- #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
+ dbus send bus=system path=/org/freedesktop/ModemManager1
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects
+ peer=(name=org.freedesktop.ModemManager1, label=ModemManager),
 dbus send bus=system path=/org/freedesktop/ModemManager1
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
- peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"),
+ peer=(name="@{busname}", label=ModemManager),
 dbus send bus=system path=/org/freedesktop/ModemManager1
- interface=org.freedesktop.DBus.ObjectManager
- member=GetManagedObjects
- peer=(name="@{busname}", label="@{p_ModemManager}"),
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="@{busname}", label=ModemManager),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
index a22a235fb..af2b6d2b9 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
@@ -4,11 +4,14 @@
 abi ,
- #aa:dbus common bus=system name=org.freedesktop.NetworkManager label=NetworkManager
-
 dbus send bus=system path=/org/freedesktop
 interface=org.freedesktop.DBus.ObjectManager
- member={GetManagedObjects,InterfacesRemoved}
+ member=GetManagedObjects
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
+
+ dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
 peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus send bus=system path=/org/freedesktop/NetworkManager
@@ -26,9 +29,19 @@
 member=GetSettings
 peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
+ dbus send bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
+
 dbus receive bus=system path=/org/freedesktop
 interface=org.freedesktop.DBus.ObjectManager
- member={InterfacesAdded,InterfacesRemoved}
+ member=InterfacesAdded
+ peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
+
+ dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
 peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
 dbus receive bus=system path=/org/freedesktop/NetworkManager
@@ -51,11 +64,6 @@
 member=Updated
 peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
- dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
- interface=org.freedesktop.NetworkManager.Connection.Active
- member=StateChanged
- peer=(name=@{busname}, label=NetworkManager),
-
 include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
new file mode 100644
index 000000000..eee09ffad
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/org/freedesktop/Notifications
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="@{busname}", label=gjs-console),
+
+ dbus send bus=session path=/org/freedesktop/Notifications
+ interface=org.freedesktop.DBus.Properties
+ member={GetCapabilities,GetServerInformation,Notify}
+ peer=(name="@{busname}", label=gjs-console),
+
+ dbus receive bus=session path=/org/freedesktop/Notifications
+ interface=org.freedesktop.DBus.Properties
+ member={GetAll,NotificationClosed,CloseNotification}
+ peer=(name="@{busname}", label=gjs-console),
+
+ dbus receive bus=session path=/org/freedesktop/Notifications
+ interface=org.freedesktop.DBus.Properties
+ member=Notify
+ peer=(name=org.freedesktop.DBus, label=gjs-console),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
index a4f9ba9b9..b65bc1ef5 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
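Review bot: `Notify`, `GetCapabilities`, `GetServerInformation`, `CloseNotification` and `NotificationClosed` are members of the `org.freedesktop.Notifications` interface, not of `org.freedesktop.DBus.Properties`, so the second, third and fourth rules in this new file will not match the calls they are meant to allow and those calls will be denied; only the first `GetAll` rule is on the right interface. The fix is `interface=org.freedesktop.Notifications` on those rules, with `CloseNotification` moved into the `dbus send` rule, since a client calls it rather than receiving it, and `NotificationClosed` kept as the one signal the client receives. The hard-coded `label=gjs-console` also deserves a header comment naming the desktop it targets, because the notification server's profile differs between desktops and nothing here says which one is assumed.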
@@ -2,13 +2,17 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Allow communication with PackageKit transactions. Transactions are exported
-# with random object paths that currently take the form /@{int}_@{hex8}.
-
 abi ,
- #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd
+ dbus send bus=system path=/org/freedesktop/PackageKit
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="@{busname}", label=packagekitd),
+ dbus send bus=system path=/org/freedesktop/PackageKit
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=org.freedesktop.PackageKit, label=packagekitd),
 dbus send bus=system path=/org/freedesktop/PackageKit
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
@@ -17,15 +21,7 @@
 dbus send bus=system path=/org/freedesktop/PackageKit
 interface=org.freedesktop.PackageKit
 member=StateHasChanged
- peer=(name=org.freedesktop.PackageKit),
-
- dbus send bus=system path=/@{int}_@{hex8}
- interface=org.freedesktop.PackageKit.Transaction
- peer=(label=packagekitd),
-
- dbus receive bus=system path=/@{int}_@{hex8}
- interface=org.freedesktop.PackageKit.Transaction
- peer=(label=packagekitd),
+ peer=(name=org.freedesktop.PackageKit, label=packagekitd),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
index 2a4e8c1e5..ab9e373ab 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
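Review bot: The added `Introspect` rule with `peer=(name=org.freedesktop.PackageKit, label=packagekitd)` sits directly above an existing `Introspect` rule for the same path whose `peer=` line falls between the two hunks, so it may duplicate it; check that the existing peer differs (e.g. `"@{busname}"`) before keeping both. The added `GetAll` and `Introspect` rules are also not separated by a blank line, unlike every other rule pair in this file. With the header comment about transaction object paths gone along with the transaction rules, a one-line note such as `# Transaction objects (/@{int}_@{hex8}) are intentionally not covered here` would keep the next reader from re-adding them.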
@@ -2,26 +2,36 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Can talk to polkitd's CheckAuthorization API
-
 abi ,
- #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
-
 dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
 interface=org.freedesktop.PolicyKit1.Authority
 member=Changed
- peer=(name="@{busname}", label="@{p_polkitd}"),
+ peer=(name="@{busname}", label=polkitd),
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="@{busname}", label=polkitd),
 dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
 interface=org.freedesktop.PolicyKit1.Authority
- member={CheckAuthorization,CancelCheckAuthorization}
- peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"),
+ member=CheckAuthorization
+ peer=(name=org.freedesktop.PolicyKit1, label=polkitd),
 dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
 interface=org.freedesktop.PolicyKit1.Authority
- member=RegisterAuthenticationAgentWithOptions
- peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"),
+ member=CheckAuthorization
+ peer=(name="@{busname}", label=polkitd),
+ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
+ interface=org.freedesktop.PolicyKit1.Authority
+ member=CheckAuthorization
+ peer=(name=org.freedesktop.PolicyKit1),
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name="@{busname}", label=polkitd),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
index f66fdb20a..ff2906932 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
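Review bot: The third `CheckAuthorization` rule, `peer=(name=org.freedesktop.PolicyKit1)`, carries no `label=` and therefore subsumes the earlier rule with `peer=(name=org.freedesktop.PolicyKit1, label=polkitd)`, so the labeled variant is dead and authorization requests to the well-known name are no longer tied to the polkitd profile. If an unlabeled fallback is needed for a known case, a comment stating it would let reviewers keep it on purpose; otherwise dropping it restores the label check. The same unlabeled-plus-labeled pair is added for `MakeThread*` in the `org.freedesktop.RealtimeKit1` hunk that follows. As a style point, the unlabeled rule is not separated from the preceding `"@{busname}"` rule by a blank line, unlike the rest of the file, and the `CancelCheckAuthorization` member is no longer covered on the new side, which a client that times out an authorization request would need.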
@@ -2,25 +2,32 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Allow setting realtime priorities.
-
 abi ,
- #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}"
 dbus send bus=system path=/org/freedesktop/RealtimeKit1
 interface=org.freedesktop.DBus.Properties
 member=Get
 peer=(name=org.freedesktop.RealtimeKit1),
 dbus send bus=system path=/org/freedesktop/RealtimeKit1
- interface=org.freedesktop.RealtimeKit1
- member={MakeThreadHighPriority,MakeThreadRealtime}
- peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name="@{busname}", label=rtkit-daemon),
 dbus send bus=system path=/org/freedesktop/RealtimeKit1
 interface=org.freedesktop.RealtimeKit1
- member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID}
- peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
+ member=MakeThread*
+ peer=(name="@{busname}", label=rtkit-daemon),
+
+ dbus send bus=system path=/org/freedesktop/RealtimeKit1
+ interface=org.freedesktop.RealtimeKit1
+ member=MakeThread*
+ peer=(name=org.freedesktop.RealtimeKit1),
+
+ dbus send bus=system path=/org/freedesktop/RealtimeKit1
+ interface=org.freedesktop.RealtimeKit1
+ member=MakeThread*
+ peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
new file mode 100644
index 000000000..43ed93af6
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
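Review bot: The file's purpose comment (`# Allow setting realtime priorities.`) is gone from the new side and nothing replaces it, while the rule set grew to five overlapping rules: two `Properties` reads and three `MakeThread*` sends that differ only in their peer. A short header such as `# Allow querying rtkit-daemon and requesting realtime/high priority for threads via it`, plus a one-line reason next to each peer variant (well-known name, unique name, unlabeled), would make the three `MakeThread*` rules reviewable and would document why the unlabeled one is needed at all.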
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/ScreenSaver
+ interface=org.freedesktop.ScreenSaver
+ member={Inhibit,UnInhibit}
+ peer=(name=org.freedesktop.ScreenSaver),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
index c55736c1e..48fa7e394 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
@@ -7,12 +7,12 @@
 dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
 interface=org.freedesktop.DBus.Peer
 member=Ping
- peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"),
+ peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
 dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
 interface=org.freedesktop.Tracker3.Endpoint
 member=Query
- peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"),
+ peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
 include if exists
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
index c97e83d71..30abb2199 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
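Review bot: In the `org.freedesktop.Tracker3.Miner.Files` hunk the peer label is narrowed from `"{localsearch,tracker-miner}"` to `tracker-miner` on both rules; if a `localsearch` profile (the renamed indexer) still exists in this tree, `Ping` and `Query` to `org.freedesktop.Tracker3.Miner.Files` would now be denied on systems where the indexer runs under that profile. If `localsearch` is gone from the profile set the change is fine; otherwise keep `label="{localsearch,tracker-miner}"`, and either way a one-line comment naming the expected profile would make the choice explicit.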
@@ -4,13 +4,16 @@
 abi ,
- #aa:dbus common bus=system name=org.freedesktop.UDisks2 label=udisksd
-
 dbus send bus=system path=/org/freedesktop/UDisks2
 interface=org.freedesktop.DBus.ObjectManager
 member=GetManagedObjects
 peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
+ dbus send bus=system path=/org/freedesktop/UDisks2/**
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
+
 dbus send bus=system path=/
 interface=org.freedesktop.DBus.Introspectable
 member=Introspect
@@ -26,6 +29,16 @@
 member=Introspect
 peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
+ dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*}
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
+
+ dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
+
 dbus receive bus=system path=/org/freedesktop/UDisks2
 interface=org.freedesktop.DBus.ObjectManager
 member=InterfacesAdded
@@ -36,6 +49,11 @@
 member=Completed
 peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
+ dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/*
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
+
 include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower
new file mode 100644
index 000000000..369448079
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower
@@ -0,0 +1,48 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=system path=/org/freedesktop/UPower
+ interface=org.freedesktop.UPower
+ member=EnumerateDevices
+ peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
+
+ dbus send bus=system path=/org/freedesktop/UPower{,/**}
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
+ dbus send bus=system path=/org/freedesktop/UPower{,/**}
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name=org.freedesktop.UPower, label=upowerd),
+
+ dbus send bus=system path=/org/freedesktop/UPower
+ interface=org.freedesktop.DBus.Properties
+ member=GetDisplayDevice
+ peer=(name=org.freedesktop.UPower, label=upowerd),
+
+ dbus send bus=system path=/org/freedesktop/UPower/devices/*
+ interface=org.freedesktop.DBus.Properties
+ member={Get,GetAll}
+ peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
+
+ dbus send bus=system path=/org/freedesktop/UPower{,/**}
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
+
+ dbus receive bus=system path=/org/freedesktop/UPower
+ interface=org.freedesktop.UPower
+ member=DeviceAdded
+ peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
+
+ dbus receive bus=system path=/org/freedesktop/UPower/devices/*
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles
deleted file mode 100644
index 45e88b103..000000000
--- a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles
+++ /dev/null
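Review bot: The `GetDisplayDevice` rule is written against `interface=org.freedesktop.DBus.Properties`, but as far as I recall GetDisplayDevice is a method of the `org.freedesktop.UPower` interface, so this rule matches nothing and the real call stays denied; `interface=org.freedesktop.UPower` is probably what was meant. Separately, the second `{Get,GetAll}` rule on `UPower{,/**}` with `peer=(name=org.freedesktop.UPower, label=upowerd)` and the `UPower/devices/*` `{Get,GetAll}` rule are both already covered by the first `{Get,GetAll}` rule, whose peer alternation `{@{busname},org.freedesktop.UPower}` and `{,/**}` path glob include them, so they can be dropped without changing what is allowed.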
@@ -1,11 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor index 0f371f79b..f6019eedb 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor +++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor @@ -4,7 +4,15 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal + dbus send bus=session path=/org/freedesktop/background/monitor + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name="@{busname}", label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/background/monitor + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="@{busname}", label=xdg-desktop-portal), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 165e3ae6e..7dcb187f1 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 
@@ -4,13 +4,21 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed), dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties - member=Get + member={Get,GetAll} peer=(name=org.freedesktop.hostname1), + dbus receive bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore index 22886c8a5..c4e4a5fbf 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore @@ -4,18 +4,16 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name="@{busname}", label=xdg-permission-store), dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.impl.portal.PermissionStore member=Lookup peer=(name="@{busname}", label=xdg-permission-store), - dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore - interface=org.freedesktop.impl.portal.PermissionStore - member=Lookup - peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store), - include if exists # vim:syntax=apparmor 
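Review bot: The new hostname1 rules hard-code `label=systemd-hostnamed` where the removed `#aa:dbus common` line used the `@{p_systemd_hostnamed}` variable, and the same substitution appears in the locale1, login1, login1.Session, network1, timedate1 and ArchiveManager1 hunks of this diff, while the systemd1 and systemd1-session hunks keep `@{p_systemd}` / `@{p_systemd_user}`. If the `@{p_*}` variables are what lets one abstraction work both when the daemon is confined and when it runs unconfined (the CI matrix builds a default and a full-system-policy variant), the hard-coded labels will produce denials in whichever mode does not load the daemon's profile; the `# FIXME` with an extra `label=unconfined` rule in the timedate1 hunk looks like exactly that symptom. In this hunk the second `{Get,GetAll}` rule, `peer=(name=org.freedesktop.hostname1)` with no label, is also strictly broader than the labelled one above it for the well-known name, so if the unlabelled form is intentional a comment should say why it is needed.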
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 similarity index 59% rename from apparmor.d/abstractions/bus/system/org.freedesktop.locale1 rename to apparmor.d/abstractions/bus/org.freedesktop.locale1 index e2377a14b..50218ced3 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 @@ -4,11 +4,15 @@ abi , + dbus send bus=system path=/org/freedesktop/locale1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name="@{busname}", label=systemd-localed), dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.locale1), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index ad368ed98..77271fe23 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 
@@ -4,22 +4,35 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID} - peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager - member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*} - peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*} + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=PauseDeviceComplete - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + peer=(name=org.freedesktop.login1, label=systemd-logind), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index f60c69301..4affc3d22 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session 
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session @@ -4,22 +4,40 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name="@{busname}", label="@{p_systemd_logind}"), + peer=(name="@{busname}", label=systemd-logind), + + dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + + dbus send bus=system path=/org/freedesktop/login1/session/* + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="@{busname}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint} - peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + + dbus send bus=system path=/org/freedesktop/login1/seat/* + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + + dbus receive bus=system path=/org/freedesktop/login1/session/* + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="@{busname}", label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={PauseDevice,Unlock} - peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1 index 7583a3e9d..56460a52b 100644 
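Review bot: The Introspect rule's path `path=/org/freedesktop/login1{,session/*,seat/*}` is missing the slash inside the braces, so it expands to `/org/freedesktop/login1session/*` and `/org/freedesktop/login1seat/*`, neither of which exists on the bus; only the bare `/org/freedesktop/login1` alternative can ever match. It should read `path=/org/freedesktop/login1{,/session/*,/seat/*}`, consistent with the `login1/session/*` and `login1/seat/*` paths used by the other rules in this hunk.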
--- a/apparmor.d/abstractions/bus/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.network1 @@ -4,7 +4,10 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" + dbus send bus=system path=/org/freedesktop/network1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.network1, label=systemd-networkd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 4778dd6dc..1561491cc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop 
@@ -4,57 +4,30 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal - dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties - member=Read + member={Get,GetAll,Read} peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=xdg-desktop-portal), - dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} - peer=(name=@{busname}, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=SettingChanged - peer=(name=@{busname}, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**} + dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=@{busname}, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings member={Read,ReadAll} - peer=(name=@{busname}, label=xdg-desktop-portal), - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.host.portal.Registry - member=Register - peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - - dbus receive bus=session path=/org/freedesktop/portal/desktop/** - interface=org.freedesktop.portal.Request - member=Response - peer=(name=@{busname}, label=xdg-desktop-portal), - - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Inhibit - member={StateChanged,CreateMonitor} 
- peer=(name=@{busname}, label=xdg-desktop-portal), - - dbus receive bus=session path=/org/freedesktop/portal/desktop/session/** - interface=org.freedesktop.impl.portal.Session - member=Close - peer=(name=@{busname}, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 new file mode 100644 index 000000000..7714a871b --- /dev/null +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/org/freedesktop/resolve1 + interface=org.freedesktop.resolve1.Manager + member={SetLink*,ResolveHostname} + peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index e30e7b1c2..0b169a04e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets @@ -4,12 +4,15 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.secrets label=gnome-keyring-daemon + dbus send bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name="@{busname}", label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets interface=org.freedesktop.Secret.Service - member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias} - peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + member={OpenSession,GetSecrets,SearchItems,ReadAlias} + peer=(name="@{busname}", label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets/aliases/default interface=org.freedesktop.Secret.Collection 
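Review bot: The first send rule of the portal.Desktop hunk now lists `member={Get,GetAll,Read}` on `interface=org.freedesktop.DBus.Properties`, but `Read` is not a member of the Properties interface (it belongs to `org.freedesktop.portal.Settings`, which the following rule already covers), so that alternative is dead and misleading; `member={Get,GetAll}` is what this rule should say. The hunk also drops the Request `Response`, Inhibit and Session `Close` receive rules, so any client that goes through a portal request flow may now log denials on those members; if that narrowing is intentional it is worth a sentence in the commit message.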
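Review bot: `member={SetLink*,ResolveHostname}` in the new resolve1 abstraction grants the whole SetLink family (SetLinkDNS, SetLinkDomains, SetLinkDefaultRoute and the rest) to every profile that includes it, which lets any such client rewrite per-link DNS configuration for the host; for an abstraction most clients include only to resolve names, that is well beyond least privilege. Keep `member=ResolveHostname` here and move `SetLink*` into a dedicated abstraction included only by the network managers that need it, or at minimum add a comment above the rule naming which confined programs the SetLink grant is for.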
@@ -21,6 +24,11 @@ member=ItemCreated peer=(name="@{busname}", label=gnome-keyring-daemon), + dbus receive bus=session path=/org/freedesktop/secrets/collection/login + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="@{busname}", label=gnome-keyring-daemon), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 167e66d65..41b08a80b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -4,16 +4,14 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" - - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit} + dbus send bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - dbus send bus=system path=/org/freedesktop/systemd1 + dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - member=ListUnitsByPatterns + member={GetUnit,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), dbus send bus=session path=/org/freedesktop/systemd1 diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session similarity index 51% rename from apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 rename to apparmor.d/abstractions/bus/org.freedesktop.systemd1-session index 0c8185be6..97db8023f 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session 
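Review bot: In the systemd1 hunk the Manager send rule for `{GetUnit,StartUnit,StartTransientUnit}` now says `bus=session` while keeping `label="@{p_systemd}"` and living in the system-bus abstraction, and the hunk's last context line is another `dbus send bus=session path=/org/freedesktop/systemd1` rule, so this looks like a copy/paste slip: system-bus `org.freedesktop.systemd1.Manager` calls are no longer permitted by this abstraction at all, and the new rule duplicates the session-bus coverage that `org.freedesktop.systemd1-session` provides. `bus=system` is most likely what was intended on that line. The trailing context line begins a rule whose remaining lines are outside the hunk.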
@@ -4,23 +4,21 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=org.freedesktop.systemd1), + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=GetUnit peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), - dbus send bus=session path=/org/freedesktop/systemd1/unit/app_* - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=StartTransientUnit - peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), - - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index 8f6118355..443d35eed 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 
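Review bot: The two new Properties rules match `path=/org/freedesktop/systemd1` exactly, so the `GetAll` on `/org/freedesktop/systemd1/unit/app_*` that this hunk removes is no longer covered by anything left in the file, and clients that query their own transient unit's properties will log denials. The system-bus sibling abstraction in this same diff uses `path=/org/freedesktop/systemd1{,/**}` for the same purpose; using `path=/org/freedesktop/systemd1{,/**}` here would keep the unit paths covered. Note also that the first rule, `peer=(name=org.freedesktop.systemd1)` with no label, already covers the well-known-name case of the labelled rule below it, so the labelled rule only adds the `@{busname}` alternative.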
@@ -4,7 +4,21 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}" + dbus send bus=system path=/org/freedesktop/timedate1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.timedate1, label=systemd-timedated), + + # FIXME: should be under the systemd-timedated label + dbus send bus=system path=/org/freedesktop/timedate1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.timedate1, label=unconfined), + + dbus send bus=system path=/org/freedesktop/timedate1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name="@{busname}", label=systemd-timedated), include if exists diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 similarity index 52% rename from apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 rename to apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 index f69667e08..120330ac1 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 @@ -4,13 +4,16 @@ abi , - #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}" + dbus send bus=session path=/org/gnome/ArchiveManager1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name="@{busname}", label=file-roller), dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.gnome.ArchiveManager1 member=GetSupportedTypes - peer=(name="@{busname}", label="@{p_file_roller}"), + peer=(name="@{busname}", label=file-roller), - include if exists + include if exists # vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/org.gnome.DisplayManager similarity index 60% rename from apparmor.d/abstractions/bus/system/org.gnome.DisplayManager rename to apparmor.d/abstractions/bus/org.gnome.DisplayManager index 4833b1512..107868836 100644 --- a/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/org.gnome.DisplayManager @@ -1,16 +1,14 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol +# Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , - #aa:dbus common bus=system name=org.gnome.DisplayManager label=gdm - dbus send bus=system path=/org/gnome/DisplayManager/Manager interface=org.gnome.DisplayManager.Manager member=RegisterDisplay peer=(name="@{busname}", label=gdm), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig index f275850cd..605e90311 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig @@ -4,8 +4,6 @@ abi , - #aa:dbus common bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell - dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member={GetResources,GetCrtcGamma} 
@@ -16,6 +14,16 @@ member=GetCurrentState peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell), + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(name="@{busname}", label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="@{busname}", label=gnome-shell), + dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=MonitorsChanged diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index d1ff350fc..68769f2c9 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -4,8 +4,6 @@ abi , - #aa:dbus common bus=session name=org.gnome.Mutter.IdleMonitor label=gnome-shell - dbus send bus=session path=/org/gnome/Mutter/IdleMonitor interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects @@ -13,8 +11,8 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor - member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime} - peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell), + member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 new file mode 100644 index 000000000..185937e70 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 
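Review bot: The new send rule lists `member={GetAll,PropertiesChanged}` on `org.freedesktop.DBus.Properties`; PropertiesChanged is a signal emitted by the service, and the receive rule directly below already covers it, so keeping it in a send rule only permits the confined client to emit its own PropertiesChanged signals on the DisplayConfig path toward gnome-shell, which no client should need. `member=GetAll` is sufficient for the send rule.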
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="@{busname}", label=nautilus),
+
+ dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name="@{busname}", label=nautilus),
+
+ dbus receive bus=session path=/org/gnome/Nautilus/FileOperations2
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged
+ peer=(name="@{busname}", label=nautilus),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver
new file mode 100644
index 000000000..ba13aa7d2
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/org/gnome/ScreenSaver
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="@{busname}", label=gjs-console),
+
+ dbus send bus=session path=/org/gnome/ScreenSaver
+ interface=org.gnome.ScreenSaver
+ member=GetActive
+ peer=(name="@{busname}", label=gjs-console),
+
+ dbus receive bus=session path=/org/gnome/ScreenSaver
+ interface=org.gnome.ScreenSaver
+ member={ActiveChanged,WakeUpScreen}
+ peer=(name="@{busname}", label=gjs-console),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager
new file mode 100644
index 000000000..c683eddac
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager
@@ -0,0 +1,66 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# FIXME: Too large, restrict it. + + abi , + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={RegisterClient,IsSessionRunning} + peer=(name="@{busname}", label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={Setenv,IsSessionRunning} + peer=(name=org.gnome.SessionManager, label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} + peer=(name="@{busname}", label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name="@{busname}", label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="@{busname}", label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client@{int} + interface=org.gnome.SessionManager.ClientPrivate + member=EndSessionResponse + peer=(name="@{busname}", label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} + interface=org.gnome.SessionManager.ClientPrivate + member={CancelEndSession,QueryEndSession,EndSession,Stop} + peer=(name="@{busname}", label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager/Client@{int} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name="@{busname}", label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="@{busname}", 
label=gnome-session-binary), + + dbus receive bus=session path=/org/gnome/SessionManager/Presence + interface=org.gnome.SessionManager.Presence + member=StatusChanged + peer=(name="@{busname}", label=gnome-session-binary), + + dbus send bus=session path=/org/gnome/SessionManager + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.gnome.SessionManager, label=gnome-session-binary), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect index b53acf610..efe53af62 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect @@ -4,7 +4,15 @@ abi , - #aa:dbus common bus=session name=org.gnome.Shell.Introspect label=gnome-shell + dbus send bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name="@{busname}", label=gnome-shell), + + dbus send bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.gnome.Shell.Introspect, label=gnome-shell), dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect @@ -16,6 +24,11 @@ member={RunningApplicationsChanged,WindowsChanged} peer=(name="@{busname}", label=gnome-shell), + dbus receive bus=session path=/org/gnome/Shell/Introspect + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="@{busname}", label=gnome-shell), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 deleted file mode 100644 index ae8b68448..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 +++ /dev/null 
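Review bot: The `# FIXME: Too large, restrict it.` header is right, but the member worth singling out is `Setenv` in the second send rule: it lets every profile that includes this abstraction push variables into gnome-session's launch environment, which later-started session applications inherit, so one confined application can influence the environment of another. If I recall gnome-session correctly Setenv is only honoured during session initialisation, which limits the exposure, but it still does not belong in an abstraction every client includes; move `Setenv` to a dedicated abstraction for the session components that need it, and make the FIXME specific: `# FIXME: Too large, restrict it. Setenv in particular should not be granted to every client.`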
@@ -1,22 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell
-
- dbus receive bus=session path=/org/gnome/Characters/SearchProvider
- interface=org.gnome.Shell.SearchProvider2
- member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas}
- peer=(name=@{busname}, label=gnome-shell),
-
- dbus receive bus=session path=/org/gnome/Characters/SearchProvider
- interface=org.gnome.Shell.SearchProvider2
- member=*Cancel
- peer=(name=@{busname}, label=gnome-shell),
-
- include if exists
-
-# vim:syntax=apparmor
-
diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter
deleted file mode 100644
index 0816b046f..000000000
--- a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter
+++ /dev/null
@@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow accessing the GNOME crypto services prompt APIs as used by -# applications using libgcr (such as pinentry-gnome3) for secure pin -# entry to unlock GPG keys etc. See: -# https://developer.gnome.org/gcr/unstable/GcrPrompt.html -# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html -# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 - - abi , - - unix type=stream peer=(label=gnome-keyring-daemon), - - dbus send bus=session path=/org/gnome/keyring/Prompter - interface=org.gnome.keyring.internal.Prompter - member={BeginPrompting,PerformPrompt,StopPrompting} - peer=(name=@{busname}, label=pinentry-*), - - dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} - interface=org.gnome.keyring.internal.Prompter.Callback - member={PromptReady,PromptDone} - peer=(name=@{busname}, label=pinentry-*), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor similarity index 91% rename from apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor rename to apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor index b8160dcb2..9060c8c15 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor @@ -19,6 +19,6 @@ member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged} peer=(name="@{busname}", label=gvfs-*-volume-monitor), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon new file mode 100644 index 000000000..e813f5c4f --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon 
@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/org/gtk/vfs/Daemon
+ interface=org.gtk.vfs.Daemon
+ member={GetConnection,ListMonitorImplementations,ListMountableInfo}
+ peer=(name="@{busname}", label=gvfsd),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata
new file mode 100644
index 000000000..80daa4927
--- /dev/null
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+ abi ,
+
+ dbus send bus=session path=/org/gtk/vfs/metadata
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll
+ peer=(name="@{busname}", label=gvfsd-metadata),
+
+ dbus receive bus=session path=/org/gtk/vfs/metadata
+ interface=org.gtk.vfs.Metadata
+ member=AttributeChanged
+ peer=(name="@{busname}", label=gvfsd-metadata),
+
+ include if exists
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
similarity index 68%
rename from apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker
rename to apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
index 107c3dc13..1c80ca6ea 100644
--- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
@@ -2,13 +2,11 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# The mount tracking interface.
-
 abi ,
 dbus send bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
- member=LookupMount
+ member=ListMountableInfo
 peer=(name="@{busname}", label=gvfsd),
 dbus send bus=session path=/org/gtk/vfs/mounttracker
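Review bot: Replacing `member=LookupMount` with `member=ListMountableInfo` on the first `org.gtk.vfs.MountTracker` send rule removes LookupMount from the abstraction entirely, since ListMountableInfo was already granted by a separate rule lower in this file (dropped in the next hunk). As far as I can tell, resolving a gvfs-backed URI to its mount from a GIO client goes through LookupMount, so confined clients would now hit a denial on that call; please confirm against aa-log before landing. If the goal is only to de-duplicate, keep `member=LookupMount` here and remove the redundant ListMountableInfo rule below instead.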
@@ -16,16 +14,11 @@
 member=ListMounts2
 peer=(name="@{busname}", label=gvfsd),
- dbus send bus=session path=/org/gtk/vfs/mounttracker
- interface=org.gtk.vfs.MountTracker
- member=ListMountableInfo
- peer=(name="@{busname}", label=gvfsd),
-
 dbus receive bus=session path=/org/gtk/vfs/mounttracker
 interface=org.gtk.vfs.MountTracker
- member={Mounted,Unmounted}
+ member=Mounted
 peer=(name="@{busname}", label=gvfsd),
- include if exists
+ include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
similarity index 52%
rename from apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2
rename to apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
index 8a3e7d74e..43947d52a 100644
--- a/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
@@ -4,8 +4,6 @@
 abi ,
- #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus
-
- include if exists
+ include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
index 90a78d2ed..5217a50f5 100644
--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
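Review bot: Narrowing the receive rule from `member={Mounted,Unmounted}` to `member=Mounted` means the Unmounted signal from gvfsd is no longer deliverable to the including profile, so a client that keeps a mount list through this interface will hold stale entries after an unmount and every dropped signal will show up as a denial in aa-log. Nothing in the hunk indicates that Unmounted was seen to be unnecessary, so I would keep `member={Mounted,Unmounted}` unless a specific profile was profiled without it. The removal of the separate ListMountableInfo send rule here only makes sense together with the member change in the previous hunk, which should be reviewed as one unit.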
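Review bot: The resulting `bus/org.kde.StatusNotifierItem` abstraction contains only the abi line and the `include if exists` hook, so any profile that includes it gets no D-Bus rules at all while the include still succeeds silently; git only paired it with the deleted Nautilus file through a 52% similarity heuristic. The `session/org.kde.StatusNotifierItem` file deleted later in this diff carried the rules an SNI client actually needs, starting with `dbus bind bus=session name=org.kde.StatusNotifierItem-@{int},` plus the RegisterStatusNotifierItem send and the PropertiesChanged/New* signal sends, and without them tray registration is denied at the bind. Either restore those rules in this file or do not create an empty one, so the missing policy is not masked by a successful include.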
@@ -2,52 +2,22 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Allow to display Status Notifier Items in the KDE Plasma systray
-
 abi ,
- #aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
-
- dbus send bus=session path=/StatusNotifierWatcher
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
-
 dbus send bus=session path=/StatusNotifierWatcher
 interface=org.freedesktop.DBus.Properties
 member=Get
- peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
-
- dbus receive bus=session path=/StatusNotifierItem
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(label="@{pp_app_indicator}"),
-
-
- dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu}
- interface=com.canonical.dbusmenu
- member={LayoutUpdated,ItemsPropertiesUpdated}
- peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
-
- dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**}
- interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu}
- member={Get*,AboutTo*,Event*}
- peer=(label="@{pp_app_indicator}"),
+ peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
 dbus send bus=session path=/StatusNotifierWatcher
 interface=org.kde.StatusNotifierWatcher
 member=RegisterStatusNotifierItem
- peer=(label="@{pp_app_indicator}"),
+ peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell),
- dbus receive bus=session path=/StatusNotifierItem
- interface=org.kde.StatusNotifierItem
- member={ProvideXdgActivationToken,Activate}
- peer=(label="@{pp_app_indicator}"),
-
- dbus receive bus=session path=/MenuBar
- interface=com.canonical.dbusmenu
- member={AboutToShow,GetLayout,Event}
- peer=(label="@{pp_app_indicator}"),
+ dbus send bus=session path=/StatusNotifierWatcher
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
 include if exists
diff --git a/apparmor.d/abstractions/bus/session/org.kde.kwalletd b/apparmor.d/abstractions/bus/org.kde.kwalletd
similarity index 50%
rename from apparmor.d/abstractions/bus/session/org.kde.kwalletd
rename to apparmor.d/abstractions/bus/org.kde.kwalletd
index 0afce1cdf..1ae5a1ace 100644
--- a/apparmor.d/abstractions/bus/session/org.kde.kwalletd
+++ b/apparmor.d/abstractions/bus/org.kde.kwalletd
@@ -1,9 +1,9 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
+# Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
- include if exists
+ include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher
deleted file mode 100644
index ca2bf92c8..000000000
--- a/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher
+++ /dev/null
@@ -1,21 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allow use of snapd's internal xdg-open
-
- abi ,
-
- dbus send bus=session path=/
- interface=com.canonical.SafeLauncher
- member=OpenURL
- peer=(name=@{busname}, label=snap),
-
- dbus send bus=session path=/io/snapcraft/Launcher
- interface=io.snapcraft.Launcher
- member={OpenURL,OpenFile}
- peer=(name=@{busname}, label=snap),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher
deleted file mode 100644
index 704d9010d..000000000
--- a/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher
+++ /dev/null
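Review bot: Every peer on the new side of this hunk is pinned to `label=gnome-shell`, so the abstraction now only works when GNOME Shell owns org.kde.StatusNotifierWatcher; on Plasma or any other tray implementation the Get, RegisterStatusNotifierItem and Introspect calls will be denied, and the file's own "KDE Plasma systray" description was dropped together with the `@{pp_app_indicator}` variable that used to cover those hosts. The `name="{:*,org.kde.StatusNotifierWatcher}"` form on the Register rule is acceptable because the label still bounds the peer, but that label should enumerate the watcher implementations this file is meant to support, or reuse the variable if it is still defined after this change, e.g. `peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),`. A one-line header comment stating which desktop(s) the abstraction targets would also make the narrowing deliberate rather than accidental.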
@@ -1,16 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Can identify and launch other snaps.
-
- abi ,
-
- dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher
- interface=io.snapcraft.PrivilegedDesktopLauncher
- member=OpenDesktopEntry
- peer=(name=io.snapcraft.Launcher, label=snap),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Settings b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings
deleted file mode 100644
index c50753cd6..000000000
--- a/apparmor.d/abstractions/bus/session/io.snapcraft.Settings
+++ /dev/null
@@ -1,16 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allow use of snapd's internal 'xdg-settings'
-
- abi ,
-
- dbus send bus=session path=/io/snapcraft/Settings
- interface=io.snapcraft.Settings
- member={Check,CheckSub,Get,GetSub,Set,SetSub}
- peer=(name=io.snapcraft.Settings, label=snap),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.a11y b/apparmor.d/abstractions/bus/session/org.a11y
deleted file mode 100644
index 8f517fe99..000000000
--- a/apparmor.d/abstractions/bus/session/org.a11y
+++ /dev/null
@@ -1,29 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.a11y.Bus
- member=Get
- peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
-
- dbus send bus=session path=/org/a11y/bus
- interface=org.a11y.Bus
- member=GetAddress
- peer=(name=org.a11y.Bus),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal
deleted file mode 100644
index e7c0f9cef..000000000
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal
+++ /dev/null
@@ -1,24 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allow access to the IBus portal
-
- abi ,
-
- dbus send bus=session path=/org/freedesktop/IBus
- interface=org.freedesktop.IBus.Portal
- member=CreateInputContext
- peer=(name=org.freedesktop.portal.IBus),
-
- dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int}
- interface=org.freedesktop.IBus.InputContext
- peer=(label=ibus-daemon),
-
- dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int}
- interface=org.freedesktop.IBus.InputContext
- peer=(label=ibus-daemon),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications
deleted file mode 100644
index b51c4bdcb..000000000
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications
+++ /dev/null
@@ -1,21 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}"
-
- dbus send bus=session path=/org/freedesktop/Notifications
- interface=org.freedesktop.Notifications
- member={GetCapabilities,GetServerInformation,Notify,CloseNotification}
- peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
-
- dbus receive bus=session path=/org/freedesktop/Notifications
- interface=org.freedesktop.Notifications
- member={ActionInvoked,NotificationClosed,NotificationReplied}
- peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver
deleted file mode 100644
index ee837b886..000000000
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver
+++ /dev/null
@@ -1,26 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allow checking status, activating and locking the screensaver
-
- abi ,
-
- dbus send bus=session path=/ScreenSaver
- interface=org.freedesktop.ScreenSaver
- member={Inhibit,UnInhibit}
- peer=(name=org.freedesktop.ScreenSaver),
-
- dbus send bus=session path=/{,org/freedesktop/}ScreenSaver
- interface=org.freedesktop.ScreenSaver
- member={GetActive,GetActiveTime,Lock,SetActive}
- peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
-
- dbus receive bus=session path=/org/freedesktop/ScreenSaver
- interface=org.freedesktop.ScreenSaver
- member={ActiveChanged,WakeUpScreen}
- peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret
deleted file mode 100644
index 8ded1b6d7..000000000
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret
+++ /dev/null
@@ -1,49 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2017 Canonical Ltd
-# Copyright (C) 2021-2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Provide full access to the secret-service API:
-# - https://standards.freedesktop.org/secret-service/)
-#
-# The secret-service allows managing (add/delete/lock/etc) collections and
-# (add/delete/etc) items within collections. The API also has the concept of
-# aliases for collections which is typically used to access the default
-# collection. While it would be possible for an application developer to use a
-# snap-specific collection and mediate by object path, application developers
-# are meant to instead to treat collections (typically the default collection)
-# as a database of key/value attributes each with an associated secret that
-# applications may query. Because AppArmor does not mediate member data,
-# typical and recommended usage of the API does not allow for application
-# isolation. For details, see:
-# - https://standards.freedesktop.org/secret-service/ch03.html
-#
-
- abi ,
-
- #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon
-
- dbus send bus=session path=/org/freedesktop/secrets{,/**}
- interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
- peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
-
- dbus receive bus=session path=/org/freedesktop/secrets{,/**}
- interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
- peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
-
- dbus send bus=session path=/org/freedesktop/secrets
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=@{busname}, label=gnome-keyring-daemon),
- dbus send bus=session path=/org/freedesktop/secrets
- interface=org.freedesktop.Secret.Service
- member=ReadAlias
- peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon),
- dbus send bus=session path=/org/freedesktop/secrets
- interface=org.freedesktop.Secret.Service
- member=SearchItems
- peer=(name=@{busname}, label=gnome-keyring-daemon),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings
deleted file mode 100644
index 01cf21c46..000000000
--- a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings
+++ /dev/null
@@ -1,19 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus send bus=session path=/org/freedesktop/portal/desktop
- interface=org.freedesktop.portal.Settings
- member=Read
- peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
-
- dbus send bus=session path=/org/freedesktop/portal/desktop
- interface=org.freedesktop.portal.Settings
- member=ReadAll
- peer=(name=@{busname}, label=xdg-desktop-portal),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver
deleted file mode 100644
index 27c456637..000000000
--- a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver
+++ /dev/null
@@ -1,21 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allow checking status, activating and locking the screensaver (GNOME version)
-
- abi ,
-
- dbus send bus=session path=/{,org/gnome/}ScreenSaver
- interface=org.gnome.ScreenSaver
- member={GetActive,GetActiveTime,Lock,SetActive}
- peer=(name=@{busname}, label=gjs-console),
-
- dbus receive bus=session path=/org/gnome/ScreenSaver
- interface=org.gnome.ScreenSaver
- member={ActiveChanged,WakeUpScreen}
- peer=(name=@{busname}, label=gjs-console),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager
deleted file mode 100644
index 4c641776b..000000000
--- a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager
+++ /dev/null
@@ -1,46 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- #aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}"
-
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={RegisterClient,IsSessionRunning}
- peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
-
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={Inhibit,Uninhibit}
- peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
-
- dbus send bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={Setenv,IsSessionRunning}
- peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"),
-
- dbus receive bus=session path=/org/gnome/SessionManager
- interface=org.gnome.SessionManager
- member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
- peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
-
- dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
- interface=org.gnome.SessionManager.ClientPrivate
- member=EndSessionResponse
- peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
- interface=org.gnome.SessionManager.ClientPrivate
- member={CancelEndSession,QueryEndSession,EndSession,Stop}
- peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
-
- dbus receive bus=session path=/org/gnome/SessionManager/Presence
- interface=org.gnome.SessionManager.Presence
- member=StatusChanged
- peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys
deleted file mode 100644
index 93d830828..000000000
--- a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys
+++ /dev/null
@@ -1,23 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Allow requesting interest in receiving media key events. This tells Gnome
-# settings that our application should be notified when key events we are
-# interested in are pressed, and allows us to receive those events.
-
- abi ,
-
- # DBus.Properties: read all properties from the interface
- dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys
- interface=org.freedesktop.DBus.Properties
- member={Get,GetAll}
- peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
-
- dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys
- interface=org.gnome.SettingsDaemon.MediaKeys
- peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions
deleted file mode 100644
index 899f244a8..000000000
--- a/apparmor.d/abstractions/bus/session/org.gtk.Actions
+++ /dev/null
@@ -1,22 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus receive bus=session
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=@{busname}, label=gnome-shell),
-
- dbus receive bus=session
- interface=org.gtk.Actions
- member={Activate,DescribeAll,SetState},
-
- dbus send bus=session
- interface=org.gtk.Actions
- member=Changed,
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Menus b/apparmor.d/abstractions/bus/session/org.gtk.Menus
deleted file mode 100644
index b21c08067..000000000
--- a/apparmor.d/abstractions/bus/session/org.gtk.Menus
+++ /dev/null
@@ -1,18 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus receive bus=session
- interface=org.gtk.Menus
- member={Start,End}
- peer=(name=@{busname}),
-
- dbus send bus=session
- interface=org.gtk.Menus
- member=Changed,
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler
deleted file mode 100644
index 3fce0d719..000000000
--- a/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler
+++ /dev/null
@@ -1,14 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus send bus=session path=/org/gtk/MountOperationHandler
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=@{busname}, label=gnome-shell),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications
deleted file mode 100644
index 151c642a8..000000000
--- a/apparmor.d/abstractions/bus/session/org.gtk.Notifications
+++ /dev/null
@@ -1,16 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- #aa:dbus common bus=session name=org.gtk.Notifications label=gnome-shell
-
- dbus send bus=session path=/org/gtk/Notifications
- interface=org.gtk.Notifications
- member={AddNotification,RemoveNotification}
- peer=(name=org.gtk.Notifications, label=gnome-shell),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Settings b/apparmor.d/abstractions/bus/session/org.gtk.Settings
deleted file mode 100644
index 9d2dd282a..000000000
--- a/apparmor.d/abstractions/bus/session/org.gtk.Settings
+++ /dev/null
@@ -1,18 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus send bus=session path=/org/gtk/Settings
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=@{busname}, label=gsd-xsettings),
- dbus receive bus=session path=/org/gtk/Settings
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(name=@{busname}, label=gsd-xsettings),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon
deleted file mode 100644
index edf954ac5..000000000
--- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon
+++ /dev/null
@@ -1,21 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Each daemon (main and for mounts) implement this.
-
- abi ,
-
- dbus send bus=session path=/org/gtk/vfs/Daemon
- interface=org.gtk.vfs.Daemon
- member={GetConnection,ListMonitorImplementations,ListMountableInfo}
- peer=(name=@{busname}, label=gvfsd),
-
- dbus receive bus=session path=/org/gtk/vfs/Daemon
- interface=org.gtk.vfs.Daemon
- member=GetConnection
- peer=(name=@{busname}),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata
deleted file mode 100644
index 9f1a77daf..000000000
--- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata
+++ /dev/null
@@ -1,25 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- #aa:dbus common bus=system name=org.gtk.vfs.Metadata path=/org/gtk/vfs/metadata label=gvfsd-metadata
- dbus send bus=session path=/org/gtk/vfs/metadata
- interface=org.freedesktop.DBus.Properties
- member=GetAll
- peer=(name=@{busname}, label=gvfsd-metadata),
-
- dbus send bus=session path=/org/gtk/vfs/metadata
- interface=org.gtk.vfs.Metadata
- member={Set,Move,GetTreeFromDevice,Remove}
- peer=(name=@{busname}, label=gvfsd-metadata),
-
- dbus receive bus=session path=/org/gtk/vfs/metadata
- interface=org.gtk.vfs.Metadata
- member=AttributeChanged
- peer=(name=@{busname}, label=gvfsd-metadata),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation
deleted file mode 100644
index 54dfc837f..000000000
--- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation
+++ /dev/null
@@ -1,14 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int}
- interface=org.gtk.vfs.MountOperation
- member={AskPassword,AskQuestion}
- peer=(name=@{busname}, label=gvfsd-*),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable
deleted file mode 100644
index 603ef709b..000000000
--- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable
+++ /dev/null
@@ -1,14 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus receive bus=session path=/org/gtk/vfs/mountable
- interface=org.gtk.vfs.Mountable
- member=Mount
- peer=(name=@{busname}, label=gvfsd),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner
deleted file mode 100644
index 7090afe24..000000000
--- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner
+++ /dev/null
@@ -1,14 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
- interface=org.gtk.vfs.Spawner
- member=Spawned
- peer=(name=@{busname}, label=gvfsd),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem
deleted file mode 100644
index d017d44e3..000000000
--- a/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem
+++ /dev/null
@@ -1,28 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- include
-
- dbus bind bus=session name=org.kde.StatusNotifierItem-@{int},
-
- dbus send bus=session path=/StatusNotifierWatcher
- interface=org.kde.StatusNotifierWatcher
- member=RegisterStatusNotifierItem
- peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
-
- dbus send bus=session path=/StatusNotifierItem
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
-
- dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*}
- interface=org.kde.StatusNotifierItem
- member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip}
- peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player
deleted file mode 100644
index b2b934074..000000000
--- a/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player
+++ /dev/null
@@ -1,38 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- # DBus.Properties: read all properties from the interface
- dbus send bus=system path=/org/mpris/MediaPlayer2
- interface=org.freedesktop.DBus.Properties
- member={Get,GetAll}
- peer=(name=@{busname}),
-
- # DBus.Properties: receive property changed events
- dbus receive bus=session path=/org/mpris/MediaPlayer2
- interface=org.freedesktop.DBus.Properties
- member=PropertiesChanged
- peer=(name=@{busname}),
-
- # DBus.Introspectable: allow clients to introspect the service
- dbus send bus=system path=/org/mpris/MediaPlayer2
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=@{busname}),
-
- dbus receive bus=session path=/org/mpris/MediaPlayer2
- interface=org.mpris.MediaPlayer2.Player
- member={Seeked,Next,PlayPause}
- peer=(name=@{busname}),
-
- # https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked
- dbus send bus=session path=/org/mpris/MediaPlayer2
- interface=org.mpris.MediaPlayer2.Player
- member=Seeked
- peer=(name=org.freedesktop.DBus),
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/bus/session/own b/apparmor.d/abstractions/bus/session/own
deleted file mode 100644
index d975ebb48..000000000
--- a/apparmor.d/abstractions/bus/session/own
+++ /dev/null
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - -# Do not use it manually, It is automatically included in a profile by the -# `aa:dbus own` directive. - -# Allow owning a name on DBus public bus - - abi , - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver deleted file mode 100644 index f6a1a251c..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Address resolving - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=AddressResolverNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser deleted file mode 100644 index 39f5e4496..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Domain browsing - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=DomainBrowserNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/DomainBrowser@{int} - interface=org.freedesktop.Avahi.DomainBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/DomainBrowser@{int} - interface=org.freedesktop.Avahi.DomainBrowser - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver deleted file mode 100644 index 403a4db0f..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver +++ /dev/null 
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Hostname resolving - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=HostNameResolverNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/HostNameResolver@{int} - interface=org.freedesktop.Avahi.HostNameResolver - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/HostNameResolver@{int} - interface=org.freedesktop.Avahi.HostNameResolver - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser deleted file mode 100644 index bff079b13..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Record browsing - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=RecordBrowserNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server deleted file mode 100644 index bfc87b3cc..000000000 
--- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - # Allow service introspection - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - # Allow accessing DBus properties and resolving - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member={Get*,Resolve*,IsNSSSupportAvailable} - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - # Allow receiving anything from the Avahi server - dbus receive bus=system - interface=org.freedesktop.Avahi.Server - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser deleted file mode 100644 index 6a3b1510d..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser +++ /dev/null 
@@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=ServiceBrowserNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver deleted file mode 100644 index d90e9ca14..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Service resolving - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=ServiceResolverNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser deleted file mode 100644 index 93affdc51..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Service type browsing - - abi , - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=ServiceTypeBrowserNew - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager deleted file mode 100644 index 4b5dcc746..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager +++ /dev/null 
@@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow for color managed applications to communicate with colord - - abi , - - #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" - - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=GetDevices - peer=(name="@{busname}", label="@{p_colord}"), - - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member={CreateProfile,CreateDevice,DeleteDevice} - peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), - - dbus receive bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member={DeviceAdded,DeviceRemoved} - peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), - - dbus (receive, send) bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member={FindDeviceByProperty,FindDeviceById} - peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower deleted file mode 100644 index aa6a61371..000000000 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.UPower +++ /dev/null 
@@ -1,34 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Can query UPower for power devices, history and statistics. - - abi , - - #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" - - # Find all devices monitored by UPower - dbus send bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.UPower - member=EnumerateDevices - peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), - - dbus send bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.DBus.Properties - member={GetDisplayDevice,GetCriticalAction} - peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), - - dbus send bus=system path=/org/freedesktop/UPower/devices/** - interface=org.freedesktop.UPower.Device - member={GetHistory,Refresh} - peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), - - dbus receive bus=system path=/org/freedesktop/UPower - interface=org.freedesktop.UPower - member={DeviceAdded,DeviceRemoved} - peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/own b/apparmor.d/abstractions/bus/system/own deleted file mode 100644 index 2b1130b32..000000000 --- a/apparmor.d/abstractions/bus/system/own +++ /dev/null 
@@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - -# Do not use it manually, It is automatically included in a profile by the -# `aa:dbus own` directive. - -# Allow owning a name on DBus public bus - - abi , - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/camera b/apparmor.d/abstractions/camera deleted file mode 100644 index 0f5cff363..000000000 --- a/apparmor.d/abstractions/camera +++ /dev/null 
@@ -1,35 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows access to all cameras - - abi , - - # Allow detection of cameras. Leaks plugged in USB device info - @{sys}/bus/usb/devices/ r, - @{sys}/devices/@{pci}/usb@{int}/**/busnum r, - @{sys}/devices/@{pci}/usb@{int}/**/devnum r, - @{sys}/devices/@{pci}/usb@{int}/**/idProduct r, - @{sys}/devices/@{pci}/usb@{int}/**/idVendor r, - @{sys}/devices/@{pci}/usb@{int}/**/interface r, - @{sys}/devices/@{pci}/usb@{int}/**/modalias r, - @{sys}/devices/@{pci}/usb@{int}/**/speed r, - - @{sys}/class/video4linux/ r, - @{sys}/devices/**/video4linux/** r, - @{sys}/devices/**/video4linux/video@{int}/ r, - @{sys}/devices/**/video4linux/video@{int}/uevent r, - - @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/c81:@{int} r, # For video4linux - - # VideoCore cameras (shared device with VideoCore/EGL) - /dev/vchiq rw, - - # Access to video /dev devices - /dev/video@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 28badc6db..f2201bd64 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -2,7 +2,6 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# NEEDS-VARIABLE: att # Common rules for applications sandboxed using bwrap. 
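Review bot: The `# NEEDS-VARIABLE: att` marker is dropped from the abstractions/common/app header, but the new side of the file still expands `@{att}` (`@{att}/@{run}/systemd/inhibit/@{int}.ref rw,` remains in a later hunk), so the abstraction still depends on the caller defining that variable. If the marker feeds a linter or build-time variable check, removing it hides a real requirement; if the intent is to stop relying on `@{att}`, the remaining `@{att}` rule should go with it. Either restore `# NEEDS-VARIABLE: att` or remove the last `@{att}` usage so header and body agree.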
@@ -13,41 +12,40 @@ abi , include - include + include include include - include + include include include include - include include include include include include include - include include - include include - include - include - include - include include + include dbus bus=accessibility, dbus bus=session, dbus bus=system, - /usr/** rk, + /usr/cache/** r, + /usr/local/{,**} r, /usr/share/** rk, /etc/{,**} r, + / r, /.* r, + /*/ r, + @{bin}/ r, @{lib}/ r, + /usr/local/bin/ r, owner /_@{int}_/ w, owner /@{uuid}/ w, owner /var/cache/ldconfig/{,**} rw, @@ -60,32 +58,32 @@ @{MOUNTS}/** rwl, owner @{HOME}/ r, owner @{HOME}/.var/app/** rmix, - owner @{HOME}/** rwmlk -> @{HOME}/**, + owner @{HOME}/** rwlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, owner @{user_games_dirs}/** rmix, - #aa:lint ignore=too-wide + owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, - owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{sys}/ r, @{sys}/block/ r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @{sys}/bus/pci/slots/ r, - @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, - @{sys}/devices/virtual/dmi/id/bios_version k, @{sys}/fs/cgroup/user.slice/* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r, 
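Review bot: `/usr/cache/** r,` on the new side is not a path that exists in an FHS layout (the cache hierarchy is `/var/cache`), so it is either a typo for `/var/cache/** r,` or a sandbox-specific mount that deserves a comment. Unless the bwrap root used by these apps really provides `/usr/cache`, replace it with the intended path or annotate it, e.g. `/usr/cache/** r, # cache mount provided inside the bwrap root`. The same hunk also adds `/ r,` and `/*/ r,`; they are only directory listings, but a one-line reason would help the next reader decide whether they are still needed.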
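Review bot: `@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.` looks like a typo: the comment names avahi and the daemon's socket lives at `@{run}/avahi-daemon/socket`, so as written the rule never matches and the real socket stays denied. It should read `@{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket.`. The hunk also drops both `#aa:lint ignore=too-wide` annotations while keeping the `owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**,` rule they covered; if the linter still flags that rule, the annotation has to stay.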
@@ -97,13 +95,11 @@ @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm rk, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/net/** r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, - @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/@{tid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/bus/pci/devices r, @@ -119,7 +115,6 @@ @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/net/core/bpf_jit_enable r, - @{PROC}/sys/net/core/somaxconn r, @{PROC}/uptime r, @{PROC}/version r, @{PROC}/zoneinfo r, @@ -130,23 +125,19 @@ owner @{PROC}/@{pid}/fd/@{int} rw, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/io r, - owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/pagemap r, - owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - @{att}/dev/dri/card@{int} rw, - @{att}/dev/dri/renderD128 rw, - @{att}/dev/dri/renderD129 rw, - owner @{att}/dev/shm/@{uuid} r, - + /dev/hidraw@{int} rw, + /dev/input/ r, + /dev/input/event@{int} rw, /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, diff --git a/apparmor.d/abstractions/apt b/apparmor.d/abstractions/common/apt similarity index 72% rename from apparmor.d/abstractions/apt rename to apparmor.d/abstractions/common/apt index 25106ad6e..5dd8b26bc 100644 --- a/apparmor.d/abstractions/apt +++ b/apparmor.d/abstractions/common/apt @@ -6,9 +6,7 @@ abi , /usr/share/dpkg/cputable r, - /usr/share/dpkg/ostable r, /usr/share/dpkg/tupletable r, - /usr/share/dpkg/varianttable r, /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, 
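Review bot: `/dev/hidraw@{int} rw,` and `/dev/input/event@{int} rw,` are added without `owner` to an abstraction shared by every bwrap-sandboxed application, which makes raw keyboard and mouse event access part of the baseline policy for all of them. DAC on those nodes (root:input) still applies, so this is only reachable for users in the `input` group, but it removes AppArmor as the second layer against a sandboxed app capturing keystrokes. Consider keeping these rules in the profiles that genuinely need them (the game abstraction gains the same rules in this commit) or at least adding a comment stating why all sandboxed apps need direct evdev access.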
@@ -20,9 +18,6 @@ /etc/apt/sources.list.d/ r, /etc/apt/sources.list.d/*.{sources,list} r, - /etc/apt/trusted.gpg r, - /etc/apt/trusted.gpg.d/{,*} r, - /var/lib/apt/lists/{,**} r, /var/lib/apt/extended_states r, @@ -30,14 +25,11 @@ /var/cache/apt/srcpkgcache.bin r, /var/lib/dpkg/status r, - /var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu + /var/lib/ubuntu-advantage/apt-esm/{,**} r, owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - #aa:only test - /tmp/autopkgtest.@{rand6}/** rwk, - - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index 2d3ab179f..65bc2837f 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -1,7 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# NEEDS-VARIABLE: att # A minimal set of rules for sandboxed programs using bwrap. # A profile using this abstraction still needs to set: @@ -39,18 +38,15 @@ pivot_root oldroot=/newroot/ /newroot/, pivot_root oldroot=/tmp/oldroot/ /tmp/, + owner / r, owner /newroot/{,**} w, owner /tmp/newroot/ w, owner /tmp/oldroot/ w, - @{att}/ r, - @{att}/@{run}/.userns r, - @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/user/max_user_namespaces r, - @{PROC}/sys/kernel/seccomp/actions_avail r, owner @{PROC}/@{pid}/fd/ r, @{att}/@{PROC}/sys/user/max_user_namespaces rw, diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 23f4544a3..9fba7b8bb 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium 
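Review bot: The new side of abstractions/common/apt drops `/etc/apt/trusted.gpg r,`, `/etc/apt/trusted.gpg.d/{,*} r,` and `/var/lib/apt/lists/{,**} r,`. Confined apt front-ends verify `Release` signatures against the keyrings in `/etc/apt/trusted.gpg.d/` and read the downloaded index files from `/var/lib/apt/lists/`, so unless those rules moved to another abstraction these profiles will now hit denials on the signature-verification path. If the removal is intentional because the reads are granted elsewhere, a comment pointing at that location would stop the rules from being re-added ad hoc.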
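Review bot: `# NEEDS-VARIABLE: att` is removed from abstractions/common/bwrap while the abstraction still expands `@{att}` (`@{att}/@{PROC}/sys/user/max_user_namespaces rw,` remains as context in the next hunk), so the dependency on the caller defining `@{att}` is no longer declared. The next hunk also drops `@{PROC}/sys/kernel/seccomp/actions_avail r,`; if bwrap or its seccomp library probes that file when installing the filter, its removal will show up as a denial at sandbox start. Either keep the marker and the rule, or note where they moved.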
@@ -2,29 +2,17 @@ # Copyright (C) 2022 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# NEEDS-VARIABLE: domain # This abstraction is for chromium based application. Chromium based browsers -# need to use abstractions/app/chromium instead. - -# It works as a *function* and requires a variable to be provided as *arguments* -# and set in the header of the calling profile. Example: -# -# @{domain} = org.chromium.Chromium -# +# need to use abstractions/chromium instead. abi , userns, - # Required for dropping into PID namespace. Keep in mind that until the - # process drops this capability it can escape confinement, but once it - # drops CAP_SYS_ADMIN we are ok. - capability sys_admin, - - # All of these are for sanely dropping from root and chrooting capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 + capability sys_admin, capability sys_chroot, capability sys_ptrace, 
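Review bot: The new side keeps `capability sys_admin,` but drops the comment that explained why it is granted and what it costs (it is needed to set up the sandbox PID namespace, and until the process drops it the confinement can be escaped). Since `sys_admin` is the most consequential capability in the profile, that rationale should stay next to the rule, e.g. `capability sys_admin, # needed to enter the sandbox PID namespace; confinement is only effective once chromium drops it`. The `setgid`/`setuid` lines keep their `# If kernel.unprivileged_userns_clone = 1` notes, so the capability block is now inconsistently documented.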
@@ -34,26 +22,19 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.@{domain}.@{rand6} rw, + owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.@{domain}.@{rand6} rw, - owner @{tmp}/.@{domain}.@{rand6}/ rw, - owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw, - owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw, + /tmp/ r, + /var/tmp/ r, + owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw, owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw, - owner @{tmp}/scoped_dir@{rand6}/SS rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, + owner @{tmp}/scoped_dir@{rand6}/SS w, /dev/shm/ r, - owner /dev/shm/.@{domain}.@{rand6} rw, - - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, - - # Allow getting the manufacturer and model of the computer where chromium is currently running. - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf deleted file mode 100644 index 1d9a6d145..000000000 --- a/apparmor.d/abstractions/common/debconf +++ /dev/null 
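Review bot: `owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw,` replaces an enumerated list of the singleton files with read/write access to everything under that directory, while the parallel `scoped_dir@{rand6}` rules in the same hunk are tightened to `w` per file. If the wider rule is only convenience, `owner @{tmp}/.org.chromium.Chromium.@{rand6}/Singleton{Cookie,Socket} w,` keeps the two variants consistent. The hunk also hard-codes `org.chromium.Chromium`; derivative browsers that use a different singleton-directory name will no longer match, which deserves a comment if intentional.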
@@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only -# LOGPROF-SUGGEST: no - - abi , - - include - include - include - - @{sh_path} rix, - @{bin}/locale ix, - @{bin}/whiptail Px, - - /usr/share/debconf/frontend rix, - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - - /var/ r, - /var/cache/ r, - /var/cache/debconf/ r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index dd4976f5e..8134f8681 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -1,34 +1,33 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# NEEDS-VARIABLE: name -# NEEDS-VARIABLE: domain -# NEEDS-VARIABLE: lib_dirs -# NEEDS-VARIABLE: config_dirs -# NEEDS-VARIABLE: cache_dirs # Minimal set of rules for all electron based UI application. It works as a # *function* and requires some variables to be provided as *arguments* and set # in the header of the calling profile. Example: # # @{name} = spotify -# @{domain} = org.chromium.chromium -# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ +# @{lib_dirs} = /opt/@{name} # @{config_dirs} = @{user_config_dirs}/@{name} # @{cache_dirs} = @{user_cache_dirs}/@{name} # abi , - include - include include include - include include include include + userns, + + capability setgid, # If kernel.unprivileged_userns_clone = 1 + capability setuid, # If kernel.unprivileged_userns_clone = 1 + capability sys_admin, + capability sys_chroot, + capability sys_ptrace, + @{bin}/electron rix, @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, 
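Review bot: The electron abstraction now carries `userns,` and `capability setgid/setuid/sys_admin/sys_chroot/sys_ptrace` directly, but only the first two are commented; `sys_admin` and `sys_ptrace` in an abstraction inherited by every electron app deserve a stated reason, presumably the chromium sandbox namespace setup and renderer supervision. Suggest `capability sys_admin, # chromium sandbox: PID/user namespace setup` and `capability sys_ptrace, # chromium sandbox: renderer supervision` or whatever the actual reason is. The header still instructs callers to set `@{lib_dirs}`, `@{config_dirs}` and `@{cache_dirs}` while the `# NEEDS-VARIABLE` markers for them are removed; if those markers feed a check, keep them.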
@@ -48,29 +47,49 @@ owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**, - owner @{user_config_dirs}/electron-flags.conf r, + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + owner @{user_config_dirs}/electron-flags.conf r, + owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, + + owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w, + owner @{tmp}/scoped_dir@{rand6}/ rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, + owner @{tmp}/scoped_dir@{rand6}/SS w, + + /dev/shm/ r, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, + owner 
@{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/status r, + owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 2198c8537..3b4a982f1 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -6,9 +6,9 @@ # wine, proton, game launchers should use this abstraction. # This abstraction uses the following tunables: -# - @{XDG_GAMESSTUDIO_DIR}/ for game studio and game engines specific directories +# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") -# - @{user_games_dirs}/ for user specific game directories (eg: steam storage dir) +# - @{user_games_dirs} for user specific game directories (eg: steam storage dir) abi , @@ -17,10 +17,8 @@ include include include - include include include - include @{bin}/uname rix, @{bin}/xdg-settings rPx, @@ -68,6 +66,9 @@ owner /dev/shm/mono.@{int} rw, owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{sys}/ r, @{sys}/bus/ r, @{sys}/class/ r, @@ -78,6 +79,7 @@ @{sys}/devices/@{pci}/net/*/carrier r, @{sys}/devices/**/input@{int}/ r, @{sys}/devices/**/input@{int}/**/{vendor,product} r, + @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/uevent r, @{sys}/devices/system/ r, @@ -106,7 +108,11 @@ /dev/ r, /dev/hidraw@{int} rw, + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/input/js@{int} rw, /dev/tty rw, + /dev/uinput rw, include if exists 
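Review bot: `/dev/uinput rw,` is added to an abstraction the header describes as shared by wine, proton and game launchers; uinput lets a process create a virtual input device and inject arbitrary keyboard and mouse events into the session, a far stronger primitive than the `/dev/input/event@{int} rw,` and `/dev/input/js@{int} rw,` reads in the same hunk. DAC on `/dev/uinput` still limits it to root or the group udev grants, but granting it to every game-related profile removes AppArmor as a check. If it is needed for a specific feature, name it, e.g. `/dev/uinput rw, # virtual controller for input remapping`, or move the rule to the profile that needs it.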
diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 6dcb26860..ccb5de8b3 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -6,8 +6,9 @@ abi , + include include - include + include include include include @@ -31,7 +32,6 @@ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index 851588220..b60e74a10 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -1,9 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# NEEDS-VARIABLE: app_dirs -# NEEDS-VARIABLE: lib_dirs -# NEEDS-VARIABLE: share_dirs abi , diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index f4a10076e..df138bf6c 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd @@ -8,7 +8,6 @@ ptrace read peer=@{p_systemd}, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, - @{sys}/fs/cgroup/system.slice/@{profile_name}.service/ r, @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw, @{PROC}/1/cgroup r, diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete deleted file mode 100644 index b8b7ad90f..000000000 --- a/apparmor.d/abstractions/consoles.d/complete +++ /dev/null @@ -1,8 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - # There are the common ways to refer to consoles - /dev/tty@{u8} rw, - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/crypto.d/complete b/apparmor.d/abstractions/crypto.d/complete index 8fb84d261..a163af66d 100644 --- a/apparmor.d/abstractions/crypto.d/complete +++ b/apparmor.d/abstractions/crypto.d/complete @@ -4,15 +4,7 @@ include - # FIPS-140-2 versions of some crypto libraries need to access their - # associated integrity verification file, or they will abort. - @{lib}/.lib*.so*.hmac r, - @{lib}/@{multiarch}/.lib*.so*.hmac r, - @{etc_ro}/gnutls/config r, @{etc_ro}/gnutls/pkcs11.conf r, - # Used to determine if Linux is running in FIPS mode - @{PROC}/sys/crypto/fips_enabled r, - # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-accessibility-strict.d/complete b/apparmor.d/abstractions/dbus-accessibility-strict.d/complete deleted file mode 100644 index f71f7d869..000000000 --- a/apparmor.d/abstractions/dbus-accessibility-strict.d/complete +++ /dev/null @@ -1,7 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - include - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-session-strict.d/complete b/apparmor.d/abstractions/dbus-session-strict.d/complete deleted file mode 100644 index 8d82bd277..000000000 --- a/apparmor.d/abstractions/dbus-session-strict.d/complete +++ /dev/null @@ -1,7 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - include - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dbus-strict.d/complete b/apparmor.d/abstractions/dbus-strict.d/complete deleted file mode 100644 index d35c7822a..000000000 --- a/apparmor.d/abstractions/dbus-strict.d/complete +++ /dev/null 
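Review bot: The new side of crypto.d/complete removes the reads of `@{lib}/.lib*.so*.hmac`, `@{lib}/@{multiarch}/.lib*.so*.hmac` and `@{PROC}/sys/crypto/fips_enabled`. The removed comments state the consequence: FIPS builds of the crypto libraries abort when they cannot read their integrity-check file, and libraries probe `fips_enabled` to decide whether to enter FIPS mode, so every profile including this abstraction regresses on FIPS-enabled hosts unless those rules now live in another abstraction. If they moved, add a comment pointing at the new location; if not, restore them.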
@@ -1,12 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - @{run}/dbus/system_bus_socket rw, - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index 72a943527..e84ffcb2e 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -8,9 +8,8 @@ abi , include - include - owner @{user_config_dirs}/glib-2.0/settings/keyfile w, # When GSETTINGS_BACKEND=keyfile + owner @{user_config_dirs}/glib-2.0/settings/keyfile w, owner @{run}/user/@{uid}/dconf/ w, owner @{run}/user/@{uid}/dconf/user w, diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete index 1796c7ca0..ed8fa33e6 100644 --- a/apparmor.d/abstractions/dconf.d/complete +++ b/apparmor.d/abstractions/dconf.d/complete @@ -2,9 +2,19 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + dbus send bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Change + peer=(name=ca.desrt.dconf), # no peer's labels + + dbus receive bus=session path=/ca/desrt/dconf/Writer/user + interface=ca.desrt.dconf.Writer + member=Notify + peer=(name=:*, label=dconf-service), + /usr/share/dconf/profile/gdm r, - owner @{user_config_dirs}/glib-2.0/settings/keyfile r, # When GSETTINGS_BACKEND=keyfile + owner @{user_config_dirs}/glib-2.0/settings/keyfile r, owner @{run}/user/@{uid}/dconf/ r, diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index 68c013a51..4291762a4 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home 
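Review bot: The `# When GSETTINGS_BACKEND=keyfile` comment is dropped from `owner @{user_config_dirs}/glib-2.0/settings/keyfile w,` in this dconf-write hunk, and the same comment is dropped from the `r` rule in the dconf.d/complete hunk that follows; the rule itself stays, so its why-comment should stay too. Without it a reader cannot tell why a non-default backend path is granted inside a dconf abstraction. Suggest restoring it as a trailing comment on both lines: `owner @{user_config_dirs}/glib-2.0/settings/keyfile w, # When GSETTINGS_BACKEND=keyfile`. The removed `include` line's target is not legible in this rendering, so its effect cannot be assessed here.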
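Review bot: The new `dbus send ... member=Change peer=(name=ca.desrt.dconf)` rule matches its peer by well-known name only, while the paired `dbus receive ... member=Notify` rule pins `label=dconf-service`; the `# no peer's labels` comment records the asymmetry but not the reason. If the label is left out because dconf-service may be bus-activated and not yet running when the first write is sent, say so, e.g. `# peer label omitted: dconf-service may be bus-activated on first write — TODO confirm`; otherwise `peer=(name=ca.desrt.dconf, label=dconf-service)` would be the consistent form. `Change` appears to be the write path into the user's settings database, so a one-line note on why a complete-mode abstraction grants it to every includer would help the next reviewer.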
@@ -34,7 +34,7 @@ deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl, deny @{run}/user/@{uid}/keyring** mrwkl, deny @{user_config_dirs}/*-store/{,**} mrwkl, - deny @{user_passwordstore_dirs}/{,**} mrwkl, + deny @{user_password_store_dirs}/{,**} mrwkl, deny @{user_share_dirs}/kwalletd/{,**} mrwkl, # Privacy violations diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index c4abbd574..743dfaf2d 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -9,17 +9,10 @@ abi , - include - include include - include - include - include - include + include + include include - include - include - include include include include @@ -29,13 +22,18 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), - @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, + /usr/{local/,}share/ r, + /usr/{local/,}share/glib-@{version}/schemas/** r, + /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, + /etc/xdg/{,*-}mimeapps.list r, - / r, + /var/cache/gio-@{version}/gnome-mimeapps.list r, + + / r, # deny? owner @{user_share_dirs}/gnome-shell/session.gvdb rw, @@ -54,7 +52,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, @@ -65,9 +63,6 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/@{profile_name}* rwlk, - owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, # else if @{DE} == xfce 
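Review bot: The deny rule now references `@{user_password_store_dirs}` instead of `@{user_passwordstore_dirs}`, and the tunable that defines the new name is not part of this diff. If the variable is not declared in the tunables this file loads, the parser should reject the policy rather than silently drop the deny, so the rename has to land together with its definition. A grep of the tunables and profiles for both spellings would confirm no other file keeps the old name.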
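Review bot: The added `/ r, # deny?` leaves an open question in shipped policy; either keep the read of the filesystem root with a reason (`/ r, # <reason> — TODO decide whether this can be denied`) or drop the rule. The same hunk replaces `@{system_share_dirs}/gvfs/...` with literal `/usr/{local/,}share/...` paths, and the new `glib-@{version}` / `gio-@{version}` rules differ from the `glib-@{int}.@{int}` / `gio-@{int}.@{int}` form added to gnome-strict (L124) for the same files; pick one spelling so the two abstractions stay diffable. `/usr/{local/,}share/ r,` also grants a listing of the whole share tree, which is broader than the removed rule — fine if intended, but a comment would record that.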
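Review bot: The ksycoca rule now requires a `.@{rand6}` suffix (`owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk,`), so the un-suffixed database file that the old pattern also matched is no longer covered by this line; the same change is made in kde-strict (L131). If the final file is produced by renaming the `.@{rand6}` temporary, the `l` permission here covers the link but later reads of the renamed file need their own rule, unless another rule in the file already grants it. Worth checking with `aa-log` on a KDE session before merging.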
@@ -80,7 +75,7 @@ # end /usr/share/desktop-base/{,**} r, - /usr/share/hwdata/*.ids r, # FIXME: a bit too wide + /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, include if exists diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files deleted file mode 100644 index 9c0a8b941..000000000 --- a/apparmor.d/abstractions/desktop-files +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2009 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - @{system_share_dirs}/applications/{,**} r, - @{system_share_dirs}/*ubuntu/applications/{,**} r, - @{system_share_dirs}/gnome/applications/{,**} r, - @{system_share_dirs}/xfce4/applications/{,**} r, - - /etc/gnome/defaults.list r, - /etc/xfce4/defaults.list r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/{,**} r, - - /var/lib/snapd/desktop/applications/{,**} r, - - owner @{user_share_dirs}/applications/{,**} r, - - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/{,**} r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f deleted file mode 100644 index c707d66e0..000000000 --- a/apparmor.d/abstractions/devices-u2f +++ /dev/null 
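Review bot: The `# FIXME: a bit too wide` marker on `/usr/share/hwdata/*.ids r,` is removed while the rule itself is unchanged, so the concern it recorded is lost rather than resolved. If the width is now considered acceptable, a short comment saying so keeps the history; otherwise keep the FIXME.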
@@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows access to Universal 2nd Factor (U2F) devices - - abi , - - @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) - - # Needed for dynamic assignment of U2F devices - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - - @{sys}/devices/**/i2c*/**/report_descriptor r, - @{sys}/devices/**/usb@{int}/**/report_descriptor r, - - # Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed - /dev/hidraw@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 3361f10ec..85f8f6b92 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -3,22 +3,13 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow raw access to all connected USB devices - abi , include - @{PROC}/tty/drivers r, + /dev/bus/usb/@{int}/@{int} wk, - /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk, - - # Allow access to all ttyUSB devices too - /dev/ttyACM@{int} wk, - /dev/ttyUSB@{int} wk, - - # Allow raw access to USB printers (i.e. for receipt printers in POS systems). - /dev/usb/lp@{int} wk, + @{sys}/devices/**/usb@{int}/{,**} w, include if exists diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index ea3131d59..6bd0c8015 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read 
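Review bot: The new `@{sys}/devices/**/usb@{int}/{,**} w,` grants write access to every sysfs attribute under every USB device, which goes well beyond raw device access: attributes in that tree control device authorization, power management and driver binding, so a confined program holding this abstraction can alter USB device state rather than just talk to a device. If only a few attributes are needed, list them; if the breadth is intentional, the header comment the hunk removes (`# Allow raw access to all connected USB devices`) should be restored and extended to say so. Separately, `/dev/bus/usb/@{int}/@{int} wk,` is looser than the removed `@{d}@{d}@{d}/@{d}@{d}@{d}` form, which is fine but worth a note since the three-digit form documented the kernel's naming.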
@@ -3,29 +3,26 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow detection of usb devices. Leaks plugged in USB device info - abi , + /dev/ r, + /dev/bus/usb/ r, + /dev/bus/usb/@{int}/ r, + /dev/bus/usb/@{int}/@{int} r, + @{sys}/class/ r, @{sys}/class/usbmisc/ r, @{sys}/bus/ r, @{sys}/bus/usb/ r, - @{sys}/bus/usb/devices/ r, - @{sys}/devices/**/usb@{int}/ r, - @{sys}/devices/**/usb@{int}/** r, + @{sys}/bus/usb/devices/{,**} r, + + @{sys}/devices/**/usb@{int}/{,**} r, # Udev data about usb devices (~equal to content of lsusb -v) - @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/b180:@{int} r, # USB block devices - @{run}/udev/data/c16{6,7}:@{d} r, # ACM USB modems - @{run}/udev/data/c18{0,8,9}:@{int} r, # USB character devices - - /dev/ r, - /dev/bus/usb/ r, - /dev/bus/usb/@{int}/ r, - /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r, + @{run}/udev/data/+usb:* r, + @{run}/udev/data/c16[6,7]:@{int} r, # USB modems + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters include if exists diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index e33ec2c3f..62e24b70d 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -44,12 +44,6 @@ @{sys}/devices/virtual/block/loop@{int}/ r, @{sys}/devices/virtual/block/loop@{int}/** r, - # Xen PVH devices - @{sys}/devices/vbd-@{int}/block/** r, - - # Channel subsystem for IBM Z - @{sys}/devices/css@{int}/** r, - # LUKS/LVM (device-mapper) devices /dev/dm-@{int} rk, /dev/mapper/{,*} r, @@ -81,11 +75,6 @@ # CD-ROM /dev/sr@{int} rk, - # MD RAID devices - /dev/md@{int} rk, - @{sys}/devices/virtual/block/md@{int}/ r, - @{sys}/devices/virtual/block/md@{int}/** r, - # Lookup block device by major:minor numbers # See: https://apparmor.pujol.io/development/internal/#udev-rules 
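Review bot: `@{run}/udev/data/c16[6,7]:@{int} r,` and `@{run}/udev/data/c18[0,8,9]:@{int} r,` use a bracket class in which the comma is a literal member, so the rules also match `c16,:` and `c18,:`; the removed lines used `{6,7}` / `{0,8,9}` alternation, which is what was meant. Write them as `@{run}/udev/data/c16{6,7}:@{int} r,` and `@{run}/udev/data/c18{0,8,9}:@{int} r,` (or `[67]` / `[089]`). The hunk also drops the `# Allow detection of usb devices. Leaks plugged in USB device info` header, which was a useful caveat for profile authors; keep it.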
@@ -96,18 +85,17 @@ @{run}/udev/data/b2:@{int} r, # for /dev/fd* @{run}/udev/data/b7:@{int} r, # for /dev/loop* @{run}/udev/data/b8:@{int} r, # for /dev/sd* - @{run}/udev/data/b9:@{int} r, # for /dev/md* @{run}/udev/data/b11:@{int} r, # for /dev/sr* @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* @{run}/udev/data/b230:@{int} r, # for /dev/zvol* - @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 - @{run}/udev/data/b25[0-4]:@{int} r, # to 254 + @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 + @{run}/udev/data/b25[0-4]:@{int} r, @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+usb:* r, # for disk over usb hub include if exists diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index a52518042..ce0a05dd5 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -41,9 +41,6 @@ # CD-ROM /dev/sr@{int} w, - # MD RAID devices - /dev/md@{int} w, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index 128da00d0..dd8f7b55a 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -28,11 +28,8 @@ @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/vendor r, - # Allow access to all cards /dev/dri/ r, /dev/dri/card@{int} rw, - - # Video Acceleration API /dev/dri/renderD128 rw, /dev/dri/renderD129 rw, diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index 65f97f9f2..2ae6ab93d 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when zshrc is loaded (e.g. interactive shell). +# This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. abi , diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index df445cef5..4724c694a 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -16,16 +16,11 @@ /opt/*/**.{desktop,png} r, /etc/gnome/defaults.list r, - /etc/xfce4/defaults.list r, + /etc/xfce4/defaults.list r, /var/lib/snapd/desktop/applications/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/.icons/{,**} r, - owner @{user_share_dirs}/#@{int} rw, - owner @{user_share_dirs}/recently-used.xbel rw, - owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, - owner @{user_share_dirs}/recently-used.xbel.lock rwk, - # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc deleted file mode 100644 index 8536470bd..000000000 --- a/apparmor.d/abstractions/glibc +++ /dev/null 
@@ -1,47 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2002-2009 Novell/SUSE -# Copyright (C) 2009-2011 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - # Used by Glibc when binding to ephemeral ports - @{etc_ro}/bindresvport.blacklist r, - - # Depending on which Glibc routine uses this file, base may not be the - # best place -- but many profiles require it, and it is quite harmless. - @{PROC}/sys/kernel/ngroups_max r, - - # Glibc's sysconf(3) routine to determine free memory, etc - @{sys}/devices/system/cpu/ r, - @{sys}/devices/system/cpu/online r, - @{sys}/devices/system/cpu/possible r, - @{PROC}/cpuinfo r, - @{PROC}/meminfo r, - @{PROC}/stat r, - - # Glibc's *printf protections read the maps file - owner @{PROC}/@{pid}/auxv r, - owner @{PROC}/@{pid}/maps r, - owner @{PROC}/@{pid}/status r, - - # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps, - # but in a format that is simpler to manage, because it doesn't require to - # parse the text data inside a file, but just reading the contents of - # a directory. - owner @{PROC}/@{pid}/map_files/ r, - - # Glibc statvfs - @{PROC}/filesystems r, - - # Glibc malloc (man 5 proc) - @{PROC}/sys/vm/overcommit_memory r, - - # Recent glibc uses /dev/full in preference to /dev/null for programs - # that don't have open fds at exec() - /dev/full rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 227377f3a..9862ca5e7 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,17 +4,9 @@ abi , - include - include include - include - include - include - include - include - include - include - include + include + include include include include 
@@ -22,15 +14,20 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, + /usr/{local/,}share/ r, + /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r, + /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, + /etc/xdg/{,*-}mimeapps.list r, + + /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, / r, diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 3d4b47f9f..90f705ac7 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -2,12 +2,12 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + member=Introspect + peer=(name=:*, label=gnome-shell), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index c4edd09b4..37f6be70e 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics 
@@ -13,22 +13,13 @@ /etc/libva.conf r, @{sys}/bus/pci/devices/ r, - - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, - @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, @{sys}/devices/system/cpu/cpu@{int}/online r, - @{sys}/devices/system/cpu/cpu@{int}/topology/core_cpus r, - @{sys}/devices/system/cpu/cpu@{int}/topology/physical_package_id r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, + @{sys}/devices/system/cpu/cpu@{int}/topology/* r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, @{sys}/devices/system/cpu/present r, - @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{sys}/devices/system/node/node@{int}/cpumap r, include if exists diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index de5f865b5..1f2b0ffd2 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -4,11 +4,11 @@ abi , - include include - include /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools rw, include if exists diff --git a/apparmor.d/abstractions/gschemas b/apparmor.d/abstractions/gschemas deleted file mode 100644 index 21a4d860c..000000000 --- a/apparmor.d/abstractions/gschemas +++ /dev/null 
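Review bot: The hunk removes `@{sys}/devices/system/node/ r,` but keeps `@{sys}/devices/system/node/node@{int}/meminfo r,`, so a library that enumerates NUMA nodes by listing the directory before reading each `meminfo` would now be denied on the listing; if that is not seen in practice, a comment recording why the listing is unnecessary would help. The new `cache/index@{int}/*`, `topology/*` and `cpufreq/policy@{int}/*` globs are read-only sysfs and are a reasonable simplification of the removed per-file rules.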
@@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2009 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - @{system_share_dirs}/ r, - @{system_share_dirs}/glib-2.0/schemas/ r, - @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 5a14b6f7a..1cf8869c4 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -32,11 +32,11 @@ # If one is blocked the next is used instead. # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, - owner @{tmp}/orcexec.@{rand6} mrw, + #owner /tmp/orcexec.* mrw, #owner @{HOME}/orcexec.* mrw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c189:@{int} r, # For USB serial converters @@ -52,19 +52,14 @@ @{sys}/devices/@{pci}/config r, @{sys}/devices/@{pci}/descriptors r, @{sys}/devices/@{pci}/devnum r, - @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/@{pci}/speed r, @{sys}/devices/@{pci}/uevent r, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/devices r, - /dev/ r, /dev/bus/usb/ r, /dev/dri/ r, - /dev/nvidia-uvm rw, include if exists diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict deleted file mode 100644 index 0bf0ab41c..000000000 --- a/apparmor.d/abstractions/gtk-strict +++ /dev/null 
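Review bot: Replacing `owner @{tmp}/orcexec.@{rand6} mrw,` with the commented-out `#owner /tmp/orcexec.* mrw,` leaves two dead rules (`/tmp` and `@{HOME}`) under a comment that still says `If one is blocked the next is used instead`, so the intent is unclear. If the goal is to allow map-exec only in the per-user runtime dir and not in `/tmp` or `$HOME`, state it, e.g. `# Only allow orcexec under @{run}/user/@{uid}; the /tmp and $HOME fallbacks are deliberately not granted`, and drop the commented lines. Note too that the commented pattern is `orcexec.*` where the live rule used `@{rand6}`, so re-enabling it by uncommenting would be wider than before.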
@@ -1,74 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
- abi ,
-
- include
- include
- include
- include
-
- @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr,
- @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr,
- @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr,
-
- /usr/share/gtksourceview-2.0/{,**} r,
- /usr/share/gtksourceview-3.0/{,**} r,
- /usr/share/gtksourceview-4/{,**} r,
- /usr/share/gtksourceview-5/{,**} r,
-
- /usr/share/gtk-2.0/ r,
- /usr/share/gtk-2.0/gtkrc r,
-
- /usr/share/gtk-3.0/ r,
- /usr/share/gtk-3.0/settings.ini r,
-
- /usr/share/gtk-4.0/ r,
- /usr/share/gtk-4.0/settings.ini r,
-
- /etc/gtk/gtkrc r,
-
- /etc/gtk-2.0/ r,
- /etc/gtk-2.0/gtkrc r,
-
- /etc/gtk-3.0/ r,
- /etc/gtk-3.0/*.conf r,
- /etc/gtk-3.0/settings.ini r,
-
- /etc/gtk-4.0/ r,
- /etc/gtk-4.0/*.conf r,
- /etc/gtk-4.0/settings.ini r,
-
- owner @{HOME}/.gtk r,
- owner @{HOME}/.gtkrc r,
- owner @{HOME}/.gtkrc-2.0 r,
- owner @{HOME}/.gtk-bookmarks r,
-
- owner @{user_cache_dirs}/gtk-4.0/ rw,
- owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/{,*} rw,
- owner @{user_cache_dirs}/gtkrc r,
- owner @{user_cache_dirs}/gtkrc-2.0 r,
-
- owner @{user_config_dirs}/gtk-2.0/ rw,
- owner @{user_config_dirs}/gtk-2.0/gtkfilechooser.ini* rw,
-
- owner @{user_config_dirs}/gtk-3.0/ rw,
- owner @{user_config_dirs}/gtk-3.0/bookmarks r,
- owner @{user_config_dirs}/gtk-3.0/colors.css r,
- owner @{user_config_dirs}/gtk-3.0/gtk.css r,
- owner @{user_config_dirs}/gtk-3.0/servers r,
- owner @{user_config_dirs}/gtk-3.0/settings.ini r,
- owner @{user_config_dirs}/gtk-3.0/window_decorations.css r,
-
- owner @{user_config_dirs}/gtk-4.0/ rw,
- owner @{user_config_dirs}/gtk-4.0/bookmarks r,
- owner @{user_config_dirs}/gtk-4.0/colors.css r,
- owner @{user_config_dirs}/gtk-4.0/gtk.css r,
- owner @{user_config_dirs}/gtk-4.0/servers r,
- owner @{user_config_dirs}/gtk-4.0/settings.ini r,
- owner @{user_config_dirs}/gtk-4.0/window_decorations.css r,
-
- include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 0b69d8ee1..ac702a70f 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,9 +2,32 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include - include - include + dbus send bus=session + interface=org.gtk.Actions + member=DescribeAll + peer=(name=:*), + dbus send bus=session + interface=org.gtk.Actions + member=DescribeAll + peer=(label=gnome-shell), + + dbus receive bus=session + interface=org.gtk.Actions + member=Changed + peer=(name=:*), + dbus receive bus=session + interface=org.gtk.Actions + member=Changed + peer=(label=gnome-shell), + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gsd-xsettings), + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=gsd-xsettings), @{lib}/{,@{multiarch}/}gtk*/** mr, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 3ecd8c36d..33d034b5a 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -8,7 +8,6 @@ type=stream peer=(addr="@/tmp/ibus/dbus-????????"), - #aa:lint ignore=tunables # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs}) # This should use this, but due to LP: #1856738 we cannot #unix (connect, receive, send) 
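Review bot: The new `org.gtk.Actions` rules carry no `path=` and the `peer=(name=:*)` variants carry no `label=`, so `dbus send ... member=DescribeAll peer=(name=:*)` lets the confined program query the exported actions of any session-bus peer and `dbus receive ... member=Changed peer=(name=:*)` accepts that signal from any peer; the `/org/gtk/Settings` rules further down, by contrast, pin `label=gsd-xsettings`. If the label cannot be pinned because action menus are exchanged with arbitrary applications, add that as a comment above the block; otherwise a `label=` on the `name=:*` rules would match the rest of the file. The enclosing abstraction continues outside the hunk.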
@@ -17,15 +16,11 @@ unix (connect, receive, send) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????"), + unix (connect, send, receive, accept, bind, listen) type=stream addr="@/home/*/.cache/ibus/dbus-????????", - dbus receive bus=session path=/org/freedesktop/IBus - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=@{busname}, label=ibus-daemon), - owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/icons b/apparmor.d/abstractions/icons deleted file mode 100644 index 6a721b837..000000000 --- a/apparmor.d/abstractions/icons +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2009 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - @{system_share_dirs}/icons/{,**} r, - @{system_share_dirs}/pixmaps/{,**} r, - - /opt/**/share/icons/{,**} r, - /opt/*/**.desktop r, - /opt/*/**/*.png r, - - /var/lib/snapd/desktop/icons/{,**} r, - - owner @{HOME}/.icons/{,**} r, - - owner @{user_share_dirs}/icons/{,**} r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input deleted file mode 100644 index 57905fd0c..000000000 --- a/apparmor.d/abstractions/input +++ /dev/null 
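Review bot: The added `unix (connect, send, receive, accept, bind, listen) type=stream addr="@/home/*/.cache/ibus/dbus-????????",` grants the server-side operations (`bind`, `listen`, `accept`) on the ibus daemon's abstract socket address to every profile that includes this abstraction; abstract unix addresses have no filesystem permission check, so a confined client allowed to bind there could end up serving the address in the daemon's place. The line above already covers the client side with `unix (connect, receive, send) ... peer=(addr=...)`, so the new rule should be limited to what a client needs, or moved to the ibus-daemon profile with a comment explaining why. The `#aa:lint ignore=tunables` directive removed in the earlier ibus hunk (L128) covered the `/home/*` literal these rules use, so its removal may trip the profile linter.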
@@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Canonical Ltd -# Copyright (C) 2022-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow reading and writing to raw input devices - - abi , - - # network netlink raw, - - # Allow reading for supported event reports for all input devices. See - # https://www.kernel.org/doc/Documentation/input/event-codes.txt - @{sys}/devices/**/input@{int}/capabilities/* r, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/input/mice rw, - /dev/input/mouse@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/java b/apparmor.d/abstractions/java deleted file mode 100644 index 91472d21e..000000000 --- a/apparmor.d/abstractions/java +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - /usr/share/java/{,**} r, - - /etc/java/{,**} r, - /etc/java-*/{,**} r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-open5.d/complete b/apparmor.d/abstractions/kde-open5.d/complete index adeb9a4bb..37038b129 100644 --- a/apparmor.d/abstractions/kde-open5.d/complete +++ b/apparmor.d/abstractions/kde-open5.d/complete @@ -6,6 +6,6 @@ owner @{user_config_dirs}/menus/{,**} r, - owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/kioclient*.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 79e97b23f..282ae1974 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict 
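Review bot: `owner @{run}/user/@{uid}/kioclient*.@{int}.kioworker.socket` replaces the `kioclient@{rand6}.` form with a bare `*`, which also matches names with no suffix or an arbitrary one; the rule is `owner`-scoped inside the user runtime dir, so the exposure is small, but if the loosening was needed because the suffix is not always six random characters, a comment saying so (`# suffix length varies — TODO confirm`) would stop someone from tightening it back later.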
@@ -4,17 +4,9 @@ abi , - include - include include - include - include - include - include + include include - include - include - include include include include @@ -27,7 +19,6 @@ /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/knotifications{5,6}/*.notifyrc r, - /usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu /etc/xdg/baloofilerc r, /etc/xdg/kcminputrc r, @@ -36,7 +27,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, @@ -47,13 +38,8 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/*_* rwlk, - owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, - owner @{user_share_dirs}/#@{int} rw, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ld b/apparmor.d/abstractions/ld deleted file mode 100644 index 21ac745e2..000000000 --- a/apparmor.d/abstractions/ld +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2002-2009 Novell/SUSE -# Copyright (C) 2009-2011 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - # ld.so.cache and ld are used to load shared libraries. - # As such, they can be used everywhere - - abi , - - /opt/*-linux-uclibc/lib/ld-uClibc*so* mr, - - @{etc_ro}/ld.so.cache mr, - @{etc_ro}/ld.so.conf r, - @{etc_ro}/ld.so.conf.d/ r, - @{etc_ro}/ld.so.conf.d/*.conf r, - @{etc_ro}/ld.so.preload r, - @{etc_ro}/ld-musl-*.path r, - - include if exists - -# vim:syntax=apparmor 
diff --git a/apparmor.d/abstractions/locale b/apparmor.d/abstractions/locale deleted file mode 100644 index 873c303f5..000000000 --- a/apparmor.d/abstractions/locale +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2002-2009 Novell/SUSE -# Copyright (C) 2009-2011 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - @{etc_ro}/locale.alias r, - @{etc_ro}/locale.conf r, - @{etc_ro}/locale/** r, - @{etc_ro}/localtime r, - @{etc_rw}/localtime r, - - /usr/share/**/locale/** r, - /usr/share/locale-bundle/** r, - /usr/share/locale-langpack/** r, - /usr/share/locale/ r, - /usr/share/locale/** r, - /usr/share/X11/locale/** r, - /usr/share/zoneinfo{,-icu}/ r, - /usr/share/zoneinfo{,-icu}/** r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index 913ab3eb3..f20c24a32 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -4,13 +4,11 @@ abi , - include - include include + include include - include + include include - include include include include diff --git a/apparmor.d/abstractions/mapping/login b/apparmor.d/abstractions/mapping/login deleted file mode 100644 index 7ccc2d678..000000000 --- a/apparmor.d/abstractions/mapping/login +++ /dev/null 
@@ -1,41 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Minimal set of rules for login based hat mapping.
-
- abi ,
-
- include
- include
- include
- include
-
- capability audit_write,
- capability chown,
- capability fowner,
- capability setgid,
- capability setuid,
- capability fsetid,
-
- deny capability net_admin,
-
- network netlink raw,
-
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member=ReleaseSession
- peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
-
- @{etc_ro}/security/group.conf r,
- @{etc_ro}/security/limits.conf r,
- @{etc_ro}/security/limits.d/{,*} r,
- @{etc_ro}/security/pam_env.conf r,
-
- @{etc_ro}/login.defs r,
- @{etc_ro}/login.defs.d/{,*} r,
- @{etc_ro}/security/capability.conf r,
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mapping/shadow b/apparmor.d/abstractions/mapping/shadow
deleted file mode 100644
index 5bf542c17..000000000
--- a/apparmor.d/abstractions/mapping/shadow
+++ /dev/null
@@ -1,11 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Minimal set of rules for shadow based hat mapping.
-
- abi ,
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd
deleted file mode 100644
index 0f7512710..000000000
--- a/apparmor.d/abstractions/mapping/sshd
+++ /dev/null
@@ -1,58 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Minimal set of rules for sshd based hat mapping. Similar to sshd-session
-
- abi ,
-
- include
- include
- include
- include
- include
-
- capability audit_write,
- capability chown,
- capability dac_read_search,
- capability fowner,
- capability fsetid,
- capability kill,
- capability setgid,
- capability setuid,
- capability sys_resource,
-
- # sshd doesn't require net_admin. libpam-systemd tries to
- # use it if available to set the send/receive buffers size,
- # but will fall back to a non-privileged version if it fails.
- deny capability net_admin,
-
- network inet stream,
- network inet6 stream,
- network netlink raw,
-
- signal receive set=exists peer=@{p_systemd_journald},
- signal receive set=hup peer=@{p_systemd},
-
- unix bind type=stream addr=@@{udbus}/bus/sshd-session/system,
- unix bind type=stream addr=@@{udbus}/bus/sshd/system,
-
- dbus send bus=system path=/org/freedesktop/login1
- interface=org.freedesktop.login1.Manager
- member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
- peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
-
- /etc/motd r,
- /etc/locale.conf r,
-
- @{run}/motd.dynamic rw,
- @{run}/motd.dynamic.new rw,
-
- @{PROC}/1/limits r,
-
- /dev/ptmx rw,
- /dev/pts/@{int} k,
-
- include if exists
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/mapping/sudo b/apparmor.d/abstractions/mapping/sudo
deleted file mode 100644
index 3347a91af..000000000
--- a/apparmor.d/abstractions/mapping/sudo
+++ /dev/null
@@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Minimal set of rules for su/sudo based hat mapping. - - abi , - - capability audit_write, - capability setgid, - capability setuid, - - network netlink raw, - - @{etc_ro}/login.defs r, - /etc/passwd r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control deleted file mode 100644 index 1cdcf66f2..000000000 --- a/apparmor.d/abstractions/media-control +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows access to media controller such as microphones, and video capture hardware. -# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst - - abi , - - # Control of media devices - /dev/media@{int} rwk, - - # Access to V4L subnodes configuration - # See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html - /dev/v4l-subdev@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys deleted file mode 100644 index d9aafa764..000000000 --- a/apparmor.d/abstractions/mediakeys +++ /dev/null @@ -1,15 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow requesting interest in receiving media key events. This tells Gnome -# settings that our application should be notified when key events we are -# interested in are pressed, and allows us to receive those events. - - abi , - - include - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 02a48114c..a19166367 100644 
--- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -2,20 +2,6 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # Fallback location when @{user_cache_dirs} is not available - /var/cache/mesa_shader_cache_db/ rw, - /var/cache/mesa_shader_cache_db/index rw, - /var/cache/mesa_shader_cache_db/marker rw, - /var/cache/mesa_shader_cache_db/part@{int}/ rw, - /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, - /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, - /var/cache/mesa_shader_cache/ rw, - /var/cache/mesa_shader_cache/@{hex2}/ rw, - /var/cache/mesa_shader_cache/@{hex2}/@{hex38} rw, - /var/cache/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, - /var/cache/mesa_shader_cache/index rw, - /var/cache/mesa_shader_cache/marker rw, - # Extra Mesa rules for desktop environments owner @{desktop_cache_dirs}/ w, owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw, @@ -42,6 +28,4 @@ @{PROC}/sys/dev/xe/observation_paranoid r, - /dev/udmabuf rw, # In upstream, but not released yet - # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime deleted file mode 100644 index 9a70edaf8..000000000 --- a/apparmor.d/abstractions/mime +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2009 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - @{system_share_dirs}/ r, - @{system_share_dirs}/mime/{,**} r, - - /etc/mime.types r, - /etc/xdg/{,*-}mimeapps.list r, - - /var/cache/gio-@{version}/{,*-}-mimeapps.list r, - - owner @{user_config_dirs}/mimeapps.list r, - - owner @{user_share_dirs}/mime/{,**} r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mpris b/apparmor.d/abstractions/mpris deleted file mode 100644 index f06c8560e..000000000 --- a/apparmor.d/abstractions/mpris +++ /dev/null 
@@ -1,17 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow operating as an MPRIS player. - - abi , - - include - - # Allow binding to the well-known DBus mpris interface based on the app's name - # See: https://specifications.freedesktop.org/mpris-spec/latest/ - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name} - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications deleted file mode 100644 index 81d5cc94c..000000000 --- a/apparmor.d/abstractions/notifications +++ /dev/null @@ -1,12 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - include - include - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index a14691a9c..6069ddd9a 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict 
@@ -6,52 +6,31 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, - /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr, - /usr/share/nvidia/nvidia-application-profiles-* r, /etc/nvidia/nvidia-application-profiles-* r, /etc/vdpau_wrapper.cfg r, - owner @{HOME}/.nv/ w, + owner @{HOME}/.cache/nvidia/ w, + owner @{HOME}/.cache/nvidia/GLCache/ rw, + owner @{HOME}/.cache/nvidia/GLCache/** rwk, owner @{HOME}/.nv/ComputeCache/ w, owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/nvidia-application-profiles-* r, - @{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw, - owner @{user_cache_dirs}/nvidia/ w, - owner @{user_cache_dirs}/nvidia/GLCache/ rw, - owner @{user_cache_dirs}/nvidia/GLCache/** rwk, - - @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - @{PROC}/driver/nvidia/gpus/@{pci_id}/information r, - @{PROC}/driver/nvidia/params r, - @{PROC}/modules r, - @{PROC}/sys/vm/max_map_count r, - @{PROC}/sys/vm/mmap_min_addr r, - - @{PROC}/@{pid}/cmdline r, + @{PROC}/driver/nvidia/params r, + @{PROC}/sys/vm/max_map_count r, + @{PROC}/sys/vm/mmap_min_addr r, + @{PROC}/modules r, owner @{PROC}/@{pid}/comm r, - owner @{PROC}/@{pid}/task/@{tid}/comm r, - /dev/char/195:@{u8} w, # Nvidia graphics devices - - # Nvidia proprietary modset driver + /dev/char/195:@{int} w, # Nvidia graphics devices /dev/nvidia-modeset rw, - - # Nvidia graphics devices /dev/nvidia@{int} rw, - - # Nvidia's Unified Memory driver - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools rw, - - # Nvidia's control device /dev/nvidiactl rw, deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r, diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete index e00385efd..ef9d0c40d 100644 --- a/apparmor.d/abstractions/nvidia.d/complete +++ b/apparmor.d/abstractions/nvidia.d/complete 
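Review bot: `/dev/char/195:@{int} w, # Nvidia graphics devices` widens the match from `@{u8}` to any run of digits, while a char-device minor is at most 255; if `@{u8}` is still defined in the tunables after this change, keep `/dev/char/195:@{u8} w, # Nvidia graphics devices` here, and the same substitution is made in the nvidia.d/complete hunk below. The new `owner @{HOME}/.cache/nvidia/ w,` / `GLCache/ rw,` / `GLCache/** rwk,` lines hard-code `.cache`, whereas the rest of this tree (for instance thumbnails-cache-write in this same diff) goes through `@{user_cache_dirs}`, so a user with `XDG_CACHE_HOME` pointing elsewhere gets denials the variable form would avoid; `owner @{user_cache_dirs}/nvidia/GLCache/** rwk,` keeps the same coverage. The profile header (`@{bin}/nvidia-modprobe Px -> child-modprobe-nvidia,` is context here) and the tail of the file are outside the hunk.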
@@ -8,6 +8,6 @@ /etc/nvidia/nvidia-application-profiles* r, - /dev/char/195:@{u8} rw, # Nvidia graphics devices + /dev/char/195:@{int} rw, # Nvidia graphics devices # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/oneapi b/apparmor.d/abstractions/oneapi deleted file mode 100644 index 17225ef03..000000000 --- a/apparmor.d/abstractions/oneapi +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Intel oneAPI compiler libraries - - abi , - - /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, - /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/openssl.d/complete b/apparmor.d/abstractions/openssl.d/complete deleted file mode 100644 index 600a030e5..000000000 --- a/apparmor.d/abstractions/openssl.d/complete +++ /dev/null @@ -1,7 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - /usr/share/ssl/ r, - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/path b/apparmor.d/abstractions/path deleted file mode 100644 index dee241b29..000000000 --- a/apparmor.d/abstractions/path +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Common directories in $PATH, used by launchers and interactive shells. - - abi , - - @{bin}/ r, - @{bin}/*/ r, - @{sbin}/ r, - @{sbin}/*/ r, - - / r, - /usr/ r, - /usr/local/bin/ r, - /usr/local/sbin/ r, - - @{user_bin_dirs}/ r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/pcscd b/apparmor.d/abstractions/pcscd deleted file mode 100644 index 33a981279..000000000 --- a/apparmor.d/abstractions/pcscd +++ /dev/null 
@@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allows interacting with PC/SC Smart Card Daemon - - abi , - - # Configuration file for OPENSC - /etc/opensc.conf r, - /etc/opensc/opensc.conf r, - - # Socket for communication between PCSCD and PS/SC API library - @{run}/pcscd/pcscd.comm rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/perl.d/complete b/apparmor.d/abstractions/perl.d/complete deleted file mode 100644 index 0031356a1..000000000 --- a/apparmor.d/abstractions/perl.d/complete +++ /dev/null @@ -1,7 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - @{bin}/perl rix, - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index e372c312c..9f8d13eb5 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete @@ -4,7 +4,7 @@ # SPDX-License-Identifier: GPL-2.0-only @{bin}/ r, - @{python_path} rm, + @{python_path} r, owner @{user_lib_dirs}/@{python_name}/ r, owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r, diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used deleted file mode 100644 index 66a80867b..000000000 --- a/apparmor.d/abstractions/recently-used +++ /dev/null 
@@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2009 Canonical Ltd. -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - owner @{HOME}/.recently-used.xbel rw, - owner @{HOME}/.recently-used.xbel.@{rand6} rwl, - owner @{HOME}/.recently-used.xbel.lock rwk, - - owner @{user_share_dirs}/#@{int} rw, - owner @{user_share_dirs}/recently-used.xbel rw, - owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, - owner @{user_share_dirs}/recently-used.xbel.lock rwk, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/screensaver b/apparmor.d/abstractions/screensaver deleted file mode 100644 index 1a9369091..000000000 --- a/apparmor.d/abstractions/screensaver +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow checking status, activating and locking the screensaver - - abi , - - include if exists - include if exists - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service deleted file mode 100644 index 083672cc9..000000000 --- a/apparmor.d/abstractions/secrets-service +++ /dev/null 
@@ -1,34 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2017 Canonical Ltd -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Provide full access to the secret-service API: -# - https://standards.freedesktop.org/secret-service/) -# -# The secret-service allows managing (add/delete/lock/etc) collections and -# (add/delete/etc) items within collections. The API also has the concept of -# aliases for collections which is typically used to access the default -# collection. While it would be possible for an application developer to use a -# snap-specific collection and mediate by object path, application developers -# are meant to instead to treat collections (typically the default collection) -# as a database of key/value attributes each with an associated secret that -# applications may query. Because AppArmor does not mediate member data, -# typical and recommended usage of the API does not allow for application -# isolation. For details, see: -# - https://standards.freedesktop.org/secret-service/ch03.html -# - - abi , - - include - include - - dbus send bus=session path=/org/gnome/keyring/daemon - interface=org.gnome.keyring.Daemon - member=GetEnvironment - peer=(name=org.gnome.keyring, label=gnome-keyring-daemon), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/sqlite b/apparmor.d/abstractions/sqlite deleted file mode 100644 index 690417f87..000000000 --- a/apparmor.d/abstractions/sqlite +++ /dev/null 
@@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# SQlite temporary files (hexadecimal from 12 to 16 characters) - - abi , - - owner /var/tmp/etilqs_@{hex12} rw, - owner /var/tmp/etilqs_@{hex12}@{h} rw, - owner /var/tmp/etilqs_@{hex12}@{hex2} rw, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, - - owner @{tmp}/etilqs_@{hex12} rw, - owner @{tmp}/etilqs_@{hex12}@{h} rw, - owner @{tmp}/etilqs_@{hex12}@{hex2} rw, - owner @{tmp}/etilqs_@{hex15} rw, - owner @{tmp}/etilqs_@{hex16} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/themes b/apparmor.d/abstractions/themes deleted file mode 100644 index 13fe70bc6..000000000 --- a/apparmor.d/abstractions/themes +++ /dev/null @@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - /usr/share/themes/{,**} r, - - owner @{HOME}/.themes/{,**} r, - owner @{user_share_dirs}/themes/{,**} r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index e3b559418..5e64fc66f 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write @@ -10,7 +10,7 @@ owner @{user_cache_dirs}/thumbnails/ w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png wl, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} wl, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png w, 
diff --git a/apparmor.d/abstractions/tpm b/apparmor.d/abstractions/tpm deleted file mode 100644 index ef7b30a2b..000000000 --- a/apparmor.d/abstractions/tpm +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2016-2017 Canonical Ltd -# Copyright (C) 2021-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM -# resource manager /dev/tpmrm@{int} - - abi , - - /dev/tpm@{int} rw, - /dev/tpmrm@{int} rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/uinput b/apparmor.d/abstractions/uinput deleted file mode 100644 index b97d1eb8a..000000000 --- a/apparmor.d/abstractions/uinput +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020 Canonical Ltd -# Copyright (C) 2021-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Allow write access to the uinput device for emulating input devices from -# userspace for sending input events. - - abi , - - /dev/uinput rw, - /dev/input/uinput rw, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/upower-observe b/apparmor.d/abstractions/upower-observe deleted file mode 100644 index 67478bb6d..000000000 --- a/apparmor.d/abstractions/upower-observe +++ /dev/null @@ -1,13 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Can query UPower for power devices, history and statistics. - - abi , - - include - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs deleted file mode 100644 index 189f8eb38..000000000 --- a/apparmor.d/abstractions/user-dirs +++ /dev/null 
@@ -1,14 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - /etc/xdg/user-dirs.conf r, - /etc/xdg/user-dirs.defaults r, - - owner @{user_config_dirs}/user-dirs.dirs r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index 9626bb0bc..f7eb186b5 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -8,7 +8,6 @@ abi , owner @{HOME}/ r, - owner @{HOME}/[^.]* rk, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} rk, diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 88d52203e..026825b27 100644 --- a/apparmor.d/abstractions/user-write-strict +++ b/apparmor.d/abstractions/user-write-strict @@ -8,7 +8,6 @@ abi , owner @{HOME}/ r, - owner @{HOME}/[^.]* wl, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} wl, diff --git a/apparmor.d/abstractions/vulkan.d/complete b/apparmor.d/abstractions/vulkan.d/complete index 67f83516e..8e5b68c08 100644 --- a/apparmor.d/abstractions/vulkan.d/complete +++ b/apparmor.d/abstractions/vulkan.d/complete @@ -1,5 +1,4 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only /etc/glvnd/egl_vendor.d/{,*.json} r, diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit deleted file mode 100644 index c9a275250..000000000 --- a/apparmor.d/abstractions/webkit +++ /dev/null 
@@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Minimal set of rules for webkit GTK UI. - - abi , - - mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, - - @{bin}/xdg-dbus-proxy rix, # TODO: stack me - - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, - - owner /bindfile@{rand6} rw, - owner @{att}/.flatpak-info r, - - owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, - - owner @{run}/user/@{uid}/.flatpak/ w, - owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, - - owner @{run}/user/@{uid}/webkitgtk/ w, - owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, - - @{sys}/firmware/acpi/pm_profile r, - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 145cd763a..139b03450 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -9,9 +9,8 @@ owner @{user_share_dirs}/applications/wine/ rw, owner @{user_share_dirs}/applications/wine/**/ rw, - owner @{att}/@{tmp}/.wine-@{uid}/ rw, - owner @{att}/@{tmp}/.wine-@{uid}/** rwk, - owner @{att}/@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, + owner @{tmp}/.wine-@{uid}/ rw, + owner @{tmp}/.wine-@{uid}/** rwk, owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index df13363fc..3046c8f6d 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -4,11 +4,9 @@ abi , - include include include - include - include + include include include include 
diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 7c734a45b..a22895c91 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -3,48 +3,31 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when zshrc is loaded (e.g. interactive shell). +# This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. abi , @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr, - /usr/local/share/zsh/{,**} r, - /usr/share/oh-my-zsh/{,**} r, - /usr/share/zsh-theme-*/{,**} r, /usr/share/zsh/{,**} r, + /usr/local/share/zsh/{,**} r, /etc/zsh/* r, - owner @{HOME}/.zcompdump-* rw, + owner @{HOME}/.zshrc r, + owner @{HOME}/.zshenv r, owner @{HOME}/.zsh_history rw, owner @{HOME}/.zsh_history.LOCK rwk, - owner @{HOME}/.zsh_history.new rw, - owner @{HOME}/.zshenv r, - owner @{HOME}/.zshrc r, owner @{HOME}/.oh-my-zsh/{,**} r, owner @{HOME}/.oh-my-zsh/log/update.lock/ w, - owner @{user_cache_dirs}/oh-my-zsh/{,**} r, - owner @{user_cache_dirs}/p10k-@{user}/{,**} rw, - owner @{user_cache_dirs}/p10k-dump-@{user}.zsh{,.*} rw, - owner @{user_cache_dirs}/p10k-instant-prompt-@{user}.zsh{,.*} rw, + owner @{HOME}/.zcompdump-* rw, owner @{user_config_dirs}/zsh/.zcompdump-* rw, owner @{user_config_dirs}/zsh/{,**} r, - owner @{user_share_dirs}/zsh/history rw, - owner @{user_share_dirs}/zsh/history.LOCK rwk, - owner @{user_share_dirs}/zsh/history.new rw, - - owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo rw, - owner @{tmp}/gitstatus.POWERLEVEL9K.*.lock rwk, - - @{PROC}/version r, - owner @{PROC}/@{pid}/loginuid r, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap new file mode 100644 index 000000000..0a4b9efdf --- /dev/null +++ b/apparmor.d/groups/_full/bwrap 
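Review bot: On the new side the history rules are `owner @{HOME}/.zsh_history rw,` and `owner @{HOME}/.zsh_history.LOCK rwk,` with nothing for the `.new` temporary; as far as I recall zsh's savehistfile writes `$HISTFILE.new` and then renames it over the history file, so saving interactive history will be denied unless that path is granted by an include not visible here. `owner @{HOME}/.zsh_history.new rw,` next to the two existing lines closes the gap; a quick `aa-log` after exiting an interactive zsh would confirm whether it is needed. The `include if exists` lines have their targets stripped in this view, so I cannot tell whether a local override already covers it.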
@@ -0,0 +1,56 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Default profile for bwrap. + +abi , + +include + +@{exec_path} = @{bin}/bwrap +profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + + capability dac_override, + capability dac_read_search, + capability sys_resource, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + ptrace peer=bwrap//&bwrap-app, + + signal peer=bwrap//&bwrap-app, + signal (receive) set=(kill), + + @{bin}/** rm, + @{lib}/** rm, + /opt/*/** rm, + /usr/share/*/* rm, + + @{bin}/** Px -> bwrap//&bwrap-app, + @{bin}/xdg-dbus-proxy Px -> bwrap//&xdg-dbus-proxy, + # @{lib}/** Px -> bwrap//&bwrap-app, + /opt/*/** Px -> bwrap//&bwrap-app, + /usr/share/*/* Px -> bwrap//&bwrap-app, + + /usr/.ref rk, + + /bindfile@{rand6} rw, + + owner /var/cache/ w, + + owner @{run}/ld-so-cache-dir/* rw, + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app new file mode 100644 index 000000000..b6d45478a --- /dev/null +++ b/apparmor.d/groups/_full/bwrap-app @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Default profile for user sandboxed application + +abi , + +include + +profile bwrap-app flags=(attach_disconnected,mediate_deleted) { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + ptrace peer=bwrap//&bwrap-app, + + signal peer=bwrap//&bwrap-app, + + @{bin}/** rmix, + @{lib}/** rmix, + /opt/*/** rmix, + /usr/share/*/* rmix, + + owner /var/cache/ w, + + include if exists + include if exists +} + +# vim:syntax=apparmor 
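Review bot: The commented-out `# @{lib}/** Px -> bwrap//&bwrap-app,` carries no reason for being disabled while the sibling `/opt/*/** Px -> bwrap//&bwrap-app,` and `/usr/share/*/* Px -> bwrap//&bwrap-app,` transitions are active, so the next maintainer cannot tell whether re-enabling it is a fix or a regression; a one-liner such as `# @{lib}/** is deliberately not stacked: TODO(review) record the breakage or over-reach that motivated this` would settle it. Because `@{lib}/** rm,` on the line above still grants read and mmap-exec over the whole lib tree, the header `# Default profile for bwrap.` would also benefit from stating that bwrap must be able to read and map any program it sandboxes, which is why the profile is this wide. The unqualified `ptrace peer=bwrap//&bwrap-app,` grants read, trace, readby and tracedby in one rule; if bwrap only needs to be read or traced by its stacked child, listing the access set would be a cheap tightening, but I cannot confirm the exact need from this view.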
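Review bot: The header `# Default profile for user sandboxed application` does not say that `profile bwrap-app` has no attachment path and is only ever reached as the stacked label `bwrap//&bwrap-app` (from the `Px -> bwrap//&bwrap-app` rules in the bwrap profile above), which is the one fact a maintainer needs before editing it. Suggest `# Stacked with bwrap as bwrap//&bwrap-app; never attached to a binary. Everything inside the sandbox runs inline here (rmix), so isolation comes from bwrap's namespaces, not from this profile.` With `@{bin}/** rmix,`, `@{lib}/** rmix,`, `/opt/*/** rmix,` and `/usr/share/*/* rmix,` all collapsed into one profile, that caveat is what stops someone reading this as per-application confinement.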
diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default new file mode 100644 index 000000000..acdfc0bff --- /dev/null +++ b/apparmor.d/groups/_full/default 
@@ -0,0 +1,122 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Default profile for unconfined programs + +abi , + +include + +@{exec_path} = /** +profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + include + include + include + include + include + include + include + include + + capability dac_override, + capability dac_read_search, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, + + signal receive set=hup, + + @{bin}/bwrap rPx -> bwrap, + @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse, + @{bin}/pulseaudio rPx -> systemd//&pulseaudio, + @{bin}/su rPx -> default-sudo, + @{bin}/sudo rPx -> default-sudo, + @{bin}/systemctl rix, + @{coreutils_path} rix, + @{shells_path} rix, + + @{pager_path} rPx -> child-pager, + +# @{open_path} rPx -> child-open, + + audit @{bin}/** Pix, + audit @{lib}/** Pix, + audit /opt/*/** Pix, + audit /usr/share/*/* Pix, + + @{bin}/{,**} r, + @{lib}/{,**} r, + /usr/share/** r, + + /etc/xdg/** r, + + # Full access to user's data + / r, + /*/ r, + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/** rwl, + owner @{HOME}/{,**} rwlk, + owner @{run}/user/@{uid}/{,**} rw, + owner @{tmp}/{,**} rwk, + owner @{run}/user/@{uid}/{,**} rwlk, + + @{run}/motd.dynamic.new rw, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/bus/pci/devices/ r, + @{sys}/class/ r, + @{sys}/class/drm/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/input/ r, + @{sys}/class/power_supply/ r, + @{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input@{int}/capabilities/* r, + @{sys}/devices/**/input/input@{int}/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + 
@{sys}/firmware/acpi/pm_profile r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, + + @{PROC}/cmdline r, + @{PROC}/sys/kernel/seccomp/actions_avail r, + @{PROC}/zoneinfo r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/limits r, + owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/mem r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pids}/cmdline r, + owner @{PROC}/@{pids}/environ r, + owner @{PROC}/@{pids}/task/ r, + + /dev/ r, + /dev/ptmx rwk, + /dev/tty rwk, + owner /dev/tty@{int} rw, + + include if exists + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo new file mode 100644 index 000000000..609191970 --- /dev/null +++ b/apparmor.d/groups/_full/default-sudo @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile default-sudo { + include + include + + capability chown, + capability mknod, + capability sys_ptrace, + + network inet dgram, + network inet6 dgram, + + ptrace (read), + + @{bin}/su mr, + + @{bin}/** Px, + @{lib}/** Px, + /opt/*/** Px, + + /var/db/sudo/lectured/ r, + /var/lib/extrausers/shadow r, + /var/lib/sudo/lectured/ r, + owner /var/db/sudo/lectured/@{uid} rw, + owner /var/lib/sudo/lectured/* rw, + + owner @{HOME}/.sudo_as_admin_successful rw, + + @{run}/ r, + @{run}/systemd/sessions/* r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd deleted file mode 100644 index ccdbf338b..000000000 --- a/apparmor.d/groups/_full/sd +++ /dev/null 
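Review bot: `owner @{run}/user/@{uid}/{,**} rw,` and, three lines later, `owner @{run}/user/@{uid}/{,**} rwlk,` cover the identical path with the second a superset of the first, so the first line is dead and should be dropped. The column-0 `# @{open_path} rPx -> child-open,` gives no reason for being disabled while `@{pager_path} rPx -> child-pager,` directly above is active; `# child-open disabled: TODO(review) record what broke so this is not silently re-enabled` would preserve the intent. Since this profile attaches to `@{exec_path} = /**`, every redundant or unexplained rule here is inherited by every otherwise unconfined program, which is why both are worth fixing before merge.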
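Review bot: `@{bin}/su mr,` is the only self-map rule, yet the default profile in the hunk above routes both `@{bin}/su rPx -> default-sudo,` and `@{bin}/sudo rPx -> default-sudo,` here; unless one of the included abstractions (targets not visible in this view) grants it, sudo will be denied mapping its own binary, so `@{bin}/{su,sudo} mr,` is the consistent form. The profile also lacks a header comment, and `profile default-sudo {` has no attachment path, so a line such as `# Reached only via rPx -> default-sudo from the default profile for su/sudo; not attached to a binary.` would document the contract. `capability sys_ptrace,` next to `ptrace (read),` is presumably for sudo's parent-process and session lookups; worth confirming with aa-log rather than carrying both on assumption.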
@@ -1,256 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Part of the systemd (as PID 1) profile.
-
-# sd is a profile for SystemD-executor run as root, it is used to run all services
-# files and to encapsulate stacked services profiles (hence the short name).
-# It aims at reducing the size of the systemd profile.
-
-# Only use this profile with a fully configured system. Otherwise it **WILL**
-# break your computer. See https://apparmor.pujol.io/full-system-policy/.
-
-# Distributions and other programs can add rules in the usr/sd.d directory
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/systemd-executor
-profile sd flags=(attach_disconnected,mediate_deleted,complain) {
- include
- include
- include
- include
- include
- include
- include
- include
-
- userns,
-
- capability audit_control,
- capability audit_write,
- capability bpf,
- capability chown,
- capability dac_override,
- capability dac_read_search,
- capability fowner,
- capability fsetid,
- capability kill,
- capability linux_immutable,
- capability mknod,
- capability net_admin,
- capability net_bind_service,
- capability net_raw,
- capability perfmon,
- capability setfcap,
- capability setgid,
- capability setpcap,
- capability setuid,
- capability sys_admin,
- capability sys_nice,
- capability sys_ptrace,
- capability sys_rawio,
- capability sys_resource,
- capability sys_time,
- capability sys_tty_config,
- capability syslog,
-
- network alg seqpacket,
- network bluetooth,
- network inet dgram,
- network inet stream,
- network inet6 dgram,
- network inet6 raw,
- network inet6 stream,
- network netlink raw,
- network packet dgram,
- network packet raw,
- network qipcrtr dgram,
-
- mount -> @{run}/systemd/mount-rootfs/{,**},
- mount -> @{run}/systemd/namespace-@{rand6}/{,**},
- mount options=(rw move) /dev/shm/ -> @{run}/credentials/*/,
- mount options=(rw rshared) -> /,
- mount options=(rw rslave) -> /,
- mount options=(rw rslave) -> /dev/,
- mount options=(rw slave) -> @{run}/systemd/incoming/,
- mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow) tmpfs -> /dev/shm/,
- mount fstype=tmpfs options=(rw nodev strictatime) tmpfs -> @{run}/systemd/unit-private-tmp/,
-
- remount /dev/shm/,
- remount @{run}/systemd/mount-rootfs/{,**},
-
- umount /,
- umount /dev/shm/,
- umount @{run}/systemd/mount-rootfs/{,**},
- umount @{run}/systemd/namespace-@{rand6}/{,**},
-
- pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
-
- change_profile,
-
- mqueue (read getattr) type=posix /,
-
- signal peer=sd//&*,
- signal receive peer=@{p_systemd},
- signal send,
-
- ptrace read,
-
- unix type=dgram peer=(label=@{p_systemd}),
- unix type=dgram peer=(label=systemd-timesyncd),
- unix type=stream,
-
- dbus bus=system,
-
- @{exec_path} mr,
-
- @{bin}/** mPx,
- @{sbin}/** mPx,
- @{lib}/** Px,
- /etc/cron.*/* Px,
- /etc/init.d/* Px,
- /etc/update-motd.d/* Px,
- /usr/share/*/** Px,
-
- # Systemd user: systemd --user
- @{lib}/systemd/systemd px -> systemd-user,
-
- # Mount operations from services and systemd
- @{bin}/mount Px -> sd-mount,
- @{bin}/umount Px -> sd-umount,
-
- # Unit services using systemctl
- @{bin}/systemctl Cx -> systemctl,
-
- # Unit services
- @{bin}/kill Cx -> kill,
-
- # Used by very basic services, ideally should be replaced by a unit profiles
- @{sh_path} ix,
- @{bin}/false ix,
- @{bin}/true ix,
-
- # Required due to stacked profiles
- @{bin}/find ix,
- @{bin}/gzip ix,
- @{bin}/install ix,
- @{bin}/readlink ix,
- @{lib}/colord-sane ix,
- @{lib}/systemd/systemd-nsresourcework ix,
- @{lib}/systemd/systemd-userwork ix,
- @{sbin}/grpck ix,
- @{sbin}/pwck ix,
-
- / r,
- @{att}/ r,
- @{bin}/{,**} r,
- @{lib}/{,**} r,
- @{sbin}/{,*} r,
- /usr/local/{,**} r,
- /usr/share/** r,
- /etc/*/ w,
- /etc/** rk,
- /home/ r,
-
- @{efi}/ r,
- @{efi}/** rw,
-
- @{att}/var/lib/systemd/*/ r,
-
- /var/cache/*/ rw,
- /var/cache/*/** rwk,
- /var/lib/*/ rw,
- /var/lib/*/** rwk,
- /var/lib/systemd/*/ r,
- /var/log/ r,
- /var/log/** rw,
- /var/log/journal/** rwl -> /var/log/journal/**,
-
- @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
- @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r,
-
- @{att}/@{run}/systemd/io.systemd.ManagedOOM rw,
- @{att}/@{run}/systemd/notify rw,
- @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
- @{att}/@{run}/systemd/userdb/io.systemd.Home rw,
- @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
-
- @{run}/ rw,
- @{run}/* rw,
- @{run}/*/ rw,
- @{run}/*/* rw,
- @{run}/systemd/{,**} rw,
- owner @{run}/*/** rw,
-
- @{run}/udev/**/ r,
- @{run}/udev/data/+*:* r, # Identifies all subsystems
- @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
-
- @{sys}/** r,
- @{sys}/fs/bpf/systemd/{,**} w,
- @{sys}/firmware/efi/efivars/** w,
- @{sys}/fs/cgroup/{,**} w,
-
- @{PROC}/@{pids}/attr/apparmor/exec w,
- @{PROC}/@{pids}/attr/current r,
- @{PROC}/@{pids}/cgroup r,
- @{PROC}/@{pids}/cmdline r,
- @{PROC}/@{pids}/comm r,
- @{PROC}/@{pids}/environ r,
- @{PROC}/@{pids}/fd/ r,
- @{PROC}/@{pids}/fdinfo/@{int} r,
- @{PROC}/@{pids}/gid_map w,
- @{PROC}/@{pids}/limits r,
- @{PROC}/@{pids}/loginuid rw,
- @{PROC}/@{pids}/mountinfo r,
- @{PROC}/@{pids}/oom_score_adj rw,
- @{PROC}/@{pids}/sessionid r,
- @{PROC}/@{pids}/setgroups r,
- @{PROC}/@{pids}/setgroups w,
- @{PROC}/@{pids}/stat r,
- @{PROC}/@{pids}/status r,
- @{PROC}/@{pids}/uid_map r,
- @{PROC}/@{pids}/uid_map w,
- @{PROC}/cmdline r,
- @{PROC}/interrupts r,
- @{PROC}/irq/@{int}/node r,
- @{PROC}/irq/@{int}/smp_affinity r,
- @{PROC}/kmsg r,
- @{PROC}/modules r,
- @{PROC}/pressure/* r,
- @{PROC}/swaps r,
- @{PROC}/sys/** r,
- @{PROC}/sys/kernel/random/write_wakeup_threshold w,
- @{PROC}/sys/net/ipv{4,6}/** rw,
- @{PROC}/sysvipc/* r,
- @{PROC}/version_signature r,
-
- /dev/** rwk,
-
- profile systemctl flags=(attach_disconnected,mediate_deleted,complain) {
- include
- include
-
- include if exists
- include if exists
- }
-
- profile kill flags=(attach_disconnected,mediate_deleted,complain) {
- include
-
- signal send,
-
- @{bin}/kill mr,
-
- include if exists
- }
-
- include if exists
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount
deleted file mode 100644
index 1572a8f6d..000000000
--- a/apparmor.d/groups/_full/sd-mount
+++ /dev/null
@@ -1,71 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Part of the systemd (as PID 1) profile.
-
-# sd-mount is a subprofile of sd responsible to handle mounting operation.
-
-# Only use this profile with a fully configured system. Otherwise it **WILL**
-# break your computer. See https://apparmor.pujol.io/full-system-policy/.
-
-# Distributions and other programs can add rules in the usr/sd-mount.d directory
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/mount
-profile sd-mount flags=(complain) {
- include
- include
-
- capability dac_read_search,
- capability sys_admin,
-
- mount -> @{efi}/,
- mount -> @{HOME}/{,**},
- mount -> @{HOMEDIRS}/,
- mount -> @{MOUNTDIRS}/,
- mount -> @{MOUNTS}/{,**},
- mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/,
- mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/,
- mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/,
- mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/,
- mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/,
- mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/,
- mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/,
- mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/,
- mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/,
- mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/,
-
- mount options=(rw move) -> @{efi},
- mount options=(rw move) -> @{HOME}/{,**},
- mount options=(rw move) -> @{HOMEDIRS}/,
- mount options=(rw move) -> @{MOUNTDIRS}/,
- mount options=(rw move) -> @{MOUNTS}/{,**},
- mount options=(rw move) -> @{sys}/fs/fuse/connections/,
- mount options=(rw move) -> @{sys}/kernel/config/,
- mount options=(rw move) -> @{sys}/kernel/debug/,
- mount options=(rw move) -> @{sys}/kernel/tracing/,
- mount options=(rw move) -> /dev/hugepages/,
- mount options=(rw move) -> /dev/mqueue/,
- mount options=(rw move) -> /tmp/,
-
- @{exec_path} mr,
-
- /var/lib/snapd/snaps/*.snap r,
-
- @{run}/ r,
- owner @{run}/mount/ rw,
- owner @{run}/mount/utab{,.*} rwk,
-
- @{PROC}/@{pid}/mountinfo r,
-
- /dev/loop-control rw,
-
- include if exists
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/sd-umount b/apparmor.d/groups/_full/sd-umount
deleted file mode 100644
index e5d67f0a9..000000000
--- a/apparmor.d/groups/_full/sd-umount
+++ /dev/null
@@ -1,34 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Part of the systemd (as PID 1) profile.
-
-# sd-umount is a subprofile of sd responsible to handle unmounting operation.
-
-# Only use this profile with a fully configured system. Otherwise it **WILL**
-# break your computer. See https://apparmor.pujol.io/full-system-policy/.
-
-# Distributions and other programs can add rules in the usr/sd-umount.d directory
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/umount
-profile sd-umount flags=(complain) {
- include
-
- capability sys_admin,
-
- umount @{efi},
-
- @{exec_path} mr,
-
- @{PROC}/@{pid}/mountinfo r,
-
- include if exists
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu
deleted file mode 100644
index f9c50b65f..000000000
--- a/apparmor.d/groups/_full/sdu
+++ /dev/null
@@ -1,141 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Part of the systemd-user profile.
-
-# sdu is a profile for SystemD-executor run as User, it is used to run all services
-# files and to encapsulate stacked services profiles (hence the short name).
-# It aims at reducing the size of the systemd-user profile.
-
-# Only use this profile with a fully configured system. Otherwise it **WILL**
-# break your computer. See https://apparmor.pujol.io/full-system-policy/.
-
-# Distributions and other programs can add rules in the usr/sdu.d directory
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/systemd-executor
-profile sdu flags=(attach_disconnected,mediate_deleted) {
- include
- include
- include
- include
- include
- include
- include
-
- network netlink raw,
-
- change_profile,
-
- ptrace read,
-
- unix type=dgram peer=(label=@{p_systemd_user}),
-
- dbus bus=session,
-
- @{exec_path} mr,
-
- @{bin}/** mPx,
- @{sbin}/** mPx,
- @{lib}/** Px,
- /etc/cron.*/* Px,
- /opt/*/** Px,
- /usr/share/*/** Px,
-
- # Unit services using systemctl
- @{bin}/systemctl Cx -> systemctl,
-
- # Shell based user unit services
- @{sh_path} Cx -> shell,
-
- # Dbus needs to be started without environment scrubbing
- @{bin}/dbus-broker px -> dbus-session,
- @{bin}/dbus-broker-launch px -> dbus-session,
- @{bin}/dbus-daemon px -> dbus-session,
- @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session,
-
- / r,
- @{bin}/* r,
- @{sbin}/* r,
- /usr/share/** r,
-
- owner @{desktop_local_dirs}/ w,
- owner @{desktop_local_dirs}/state/ w,
- owner @{desktop_local_dirs}/state/wireplumber/{,**} rw,
-
- owner @{run}/user/@{uid}/pipewire-@{int} rw,
- owner @{run}/user/@{uid}/pipewire-@{int}-manager rw,
- owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk,
- owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
- owner @{run}/user/@{uid}/pulse/pid rw,
-
- owner @{user_state_dirs}/wireplumber/ rw,
- owner @{user_state_dirs}/wireplumber/stream-properties rw,
- owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw,
-
- @{run}/systemd/users/@{uid} r,
- @{run}/systemd/users/@{int} r,
-
- @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
- @{run}/udev/data/c81:@{int} r, # For video4linux
- @{run}/udev/data/c116:@{int} r, # For ALSA
- @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
-
- @{sys}/bus/ r,
- @{sys}/bus/media/devices/ r,
- @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
- @{sys}/devices/**/device:*/{,**/}path r,
- @{sys}/devices/**/sound/**/pcm_class r,
- @{sys}/devices/**/sound/**/uevent r,
- @{sys}/devices/system/node/ r,
- @{sys}/devices/system/node/node@{int}/meminfo r,
- @{sys}/devices/virtual/dmi/id/bios_vendor r,
- @{sys}/devices/virtual/dmi/id/product_name r,
- @{sys}/devices/virtual/dmi/id/sys_vendor r,
- @{sys}/devices/virtual/sound/seq/uevent r,
- @{sys}/devices/virtual/sound/timer/uevent r,
-
- @{sys}/module/apparmor/parameters/enabled r,
- owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
-
- @{PROC}/pressure/* r,
- @{PROC}/sys/fs/nr_open r,
- owner @{PROC}/@{pid}/attr/apparmor/exec w,
- owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/oom_score_adj rw,
- owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-
- /dev/kmsg w,
-
- deny capability net_admin,
-
- profile shell flags=(attach_disconnected,mediate_deleted,complain) {
- include
-
- @{sh_path} mr,
- @{bin}/systemctl Px -> sdu//systemctl,
-
- include if exists
- }
-
- profile systemctl flags=(attach_disconnected,mediate_deleted,complain) {
- include
- include
-
- owner @{run}/user/@{uid}/systemd/private rw,
-
- deny capability net_admin,
-
- include if exists
- include if exists
- }
-
- include if exists
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index d1ee8fd1f..9f611cf3d 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd 
@@ -11,47 +11,24 @@ # Distributions and other programs can add rules in the usr/systemd.d directory -# Overall architecture of the systemd profiles: -# systemd # PID 1, entrypoint, requires "Early policy" -# ├── systemd # To restart itself -# ├── systemd-generators-* # Systemd system and environment generators -# └── sd # Internal service starter and config handler, handles all services -# ├── Px or px, # Any service with profile -# ├── Px -> # Any service without profile defined in the unit file (see systemd/full/systemd) -# ├── &* # Stacked service as defined in the unit file (see systemd/full/systemd) -# ├── sd-mount # Handles all mounts from services -# ├── sd//systemctl # Internal system systemctl -# └── systemd-user # Profile for 'systemd --user' -# ├── systemd-user # To restart itself -# ├── systemd-user-generators-* # Systemd user and environment generators -# └── sdu # Handles all user services -# ├── Px or px, # Any user service with profile -# ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd) -# ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd) -# └── sdu//systemctl # Internal user systemctl - -# Advantages: -# - Differentiate systemd (PID 1) and `system --user` -# - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles. -# - Allow the executor profiles to handled stacked profiles. -# - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`. -# - Dedicated `sd-mount` profile for most mount from the unit services. - - -# TODO: rework this to get a controlled environment: +# TODO: rework this to get a controlled environment: (cf security model) # - No global allow anymore: in high security environments, we must manage the list # of program/service that can be started by systemd and ensure that they are all # listed and confined. Programs not listed will not be able to start. 
# - Outside common systemd service, the list may have to be automatically # generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec` +# - Stop disabling nnp flags in systemd dropin files. +# - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo) +# need they own profile, profile name configured as a dropin unit file. +# - When this is done: the fallback profile as root will not be needed. abi , include -@{exec_path} = @{lib}/systemd/systemd -profile systemd flags=(attach_disconnected,mediate_deleted,complain) { +profile systemd flags=(attach_disconnected,mediate_deleted) { include + include include include include @@ -66,13 +43,16 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { capability dac_read_search, capability fowner, capability fsetid, - capability kill, + capability mknod, capability net_admin, - capability net_bind_service, capability perfmon, + capability setfcap, + capability setgid, capability setpcap, + capability setuid, capability sys_admin, - capability sys_boot, + capability sys_chroot, + capability sys_nice, capability sys_ptrace, capability sys_resource, capability sys_tty_config, 
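Review bot: The rewritten TODO bullets in the systemd header are hard to follow as written (`Each systemd services ... need they own profile`), and `(cf security model)` points at nothing locatable. Suggest `# - Each service run via systemd-service (anything more complex than foo.service -> Exec=/usr/bin/foo)`, `#   needs its own profile, with the profile name set in a drop-in unit file.` and `# - Once that is done, the root fallback profile will no longer be needed.` The architecture diagram that described the exec flow is removed without a replacement; with `sd`/`sdu` gone and the executor now run `ix`, a few lines describing where services and `systemd --user` transition would help maintainers of the `usr/systemd.d` drop-ins.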
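Review bot: `capability sys_boot` is dropped from the `systemd` profile in the same commit that removes its `complain` flag; PID 1 issues reboot(2) for shutdown, reboot and kexec, which requires CAP_SYS_BOOT, so in enforce mode this looks like it would deny system shutdown unless one of the included abstractions (their names were lost in extraction) grants it. `capability kill` is removed as well, and signalling user-owned service processes from uid 0 also goes through that capability check. Please confirm both on an enforced system with a full shutdown test, or keep `capability kill,` and `capability sys_boot,` alongside the newly added `setuid`/`setgid`/`sys_chroot`.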
@@ -82,124 +62,194 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { network inet6 dgram, network inet6 stream, network netlink raw, - network vsock stream, mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=autofs systemd-1 -> @{efi}/, + mount fstype=autofs systemd-1 -> /efi/, + mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, + mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, + mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, + mount fstype=tmpfs tmpfs -> /dev/shm/, mount fstype=tmpfs tmpfs -> /tmp/, + mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/, + mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, + mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, + mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, + mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, + mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/, + mount options=(rw move) -> @{sys}/fs/fuse/connections/, + mount options=(rw move) -> @{sys}/kernel/config/, + mount options=(rw move) -> @{sys}/kernel/debug/, + mount options=(rw move) -> @{sys}/kernel/tracing/, + mount options=(rw move) -> /dev/hugepages/, + mount options=(rw move) -> /dev/mqueue/, + mount options=(rw move) -> /efi/, + mount options=(rw move) -> /tmp/, + mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**}, + mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**}, + mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, + mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, + mount options=(rw rslave) -> /dev/, + mount options=(rw slave) -> 
@{run}/systemd/incoming/, remount @{HOME}/{,**}, remount @{HOMEDIRS}/, remount @{MOUNTDIRS}/, remount @{MOUNTS}/{,**}, + remount @{run}/systemd/mount-rootfs/{,**}, + remount @{run}/systemd/unit-root/{,**}, + remount /, remount /snap/{,**}, - remount options=(ro bind nodev noexec nosuid) /dev/mqueue/, - remount options=(ro bind nodev nosuid) /dev/hugepages/, - remount options=(ro bind noexec nosuid) /dev/pts/, - remount options=(ro bind nosuid) /dev/, - remount options=(ro bind) @{efi}/, - remount options=(ro bind) /, + remount options=(ro noexec noatime bind) /var/snap/{,**}, + remount options=(ro nosuid bind) /dev/, + remount options=(ro nosuid nodev bind) /dev/hugepages/, + remount options=(ro nosuid nodev bind) /var/, + remount options=(ro nosuid nodev noexec bind) /boot/, + remount options=(ro nosuid nodev noexec bind) /dev/mqueue/, + remount options=(ro nosuid nodev noexec bind) /efi/, + remount options=(ro nosuid noexec bind) /dev/pts/, + umount /, + umount /dev/shm/, umount @{PROC}/sys/fs/binfmt_misc/, - umount @{run}/credentials/*/, + umount @{run}/systemd/mount-rootfs/{,**}, + umount @{run}/systemd/namespace-@{rand6}/{,**}, + umount @{run}/systemd/unit-root/{,**}, - mqueue (read getattr) type=posix /, + pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, + pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, - signal send, + change_profile, + + signal (receive) set=(rtmin+23) peer=plymouthd, + signal (receive) set=(term, hup, cont), + signal (send), ptrace (read, readby), - unix type=dgram, - unix type=stream, + unix (send) type=dgram, + + unix (receive) type=dgram addr=none peer=(label=systemd-timesyncd, addr=none), + unix (send, receive, connect) type=stream addr=none peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd), #aa:dbus own bus=system name=org.freedesktop.systemd1 - @{exec_path} mrix, - @{sh_path} mr, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + 
member=GetConnectionUnixUser + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor mPx -> sd, + @{bin}/** Px, + @{lib}/** Px, + /etc/cron.*/* Px, + /etc/init.d/* Px, + /usr/share/*/** Px, - # Systemd system generators. Profiles must exist - @{lib}/netplan/generate mPx, - @{lib}/systemd/system-environment-generators/* mPx, - @{lib}/systemd/system-generators/* mPx, + # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor ix, + + # Systemd user: systemd --user + @{lib}/systemd/systemd px -> systemd-user, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Unit services + @{bin}/mount ix, + + # Shell based systemd unit services + @{bin}/ldconfig Px -> systemd-service, + @{bin}/mandb Px -> systemd-service, + @{bin}/savelog Px -> systemd-service, + @{coreutils_path} Px -> systemd-service, + @{sh_path} Px -> systemd-service, + + # Systemd profiles that need be stacked + #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd + @{lib}/systemd/systemd-networkd Px -> systemd//&systemd-networkd, + @{lib}/systemd/systemd-oomd Px -> systemd//&systemd-oomd, + @{lib}/systemd/systemd-resolved Px -> systemd//&systemd-resolved, + @{lib}/systemd/systemd-timesyncd Px -> systemd//&systemd-timesyncd, + + @{lib}/ r, + / r, + /*/ r, + /boot/efi/ r, + /snap/*/@{int}/ r, + /var/cache/*/ r, + /var/lib/*/ r, + /var/tmp/ r, - @{etc_ro}/environment r, - @{etc_ro}/environment.d/{,**} r, - /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, - /etc/default/{,**} r, + /etc/credstore.encrypted/{,**} r, + /etc/credstore/{,**} r, + /etc/environment r, + /etc/environment.d/{,**} r, /etc/machine-id r, /etc/modules-load.d/{,**} r, - /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, - /etc/systemd/system/** w, 
/etc/udev/hwdb.d/{,**} r, - #aa:only pacman - # It is unclear why this is needed here and not in sd - /etc/pacman.d/gnupg/S.dirmngr w, - /etc/pacman.d/gnupg/S.gpg-agent w, - /etc/pacman.d/gnupg/S.gpg-agent.browser w, - /etc/pacman.d/gnupg/S.gpg-agent.extra w, - /etc/pacman.d/gnupg/S.gpg-agent.ssh w, - /etc/pacman.d/gnupg/S.keyboxd w, - - @{efi}/ r, - /snap/*/@{int}/ r, - - /tmp/ r, - /var/tmp/ r, - owner /tmp/systemd-private-*/{,**} rw, + /var/lib/systemd/{,**} rw, owner /var/tmp/systemd-private-*/{,**} rw, - @{att}/@{run}/systemd/journal/dev-log r, - @{att}/@{run}/systemd/journal/socket r, - @{att}/@{run}/systemd/notify r, + /tmp/namespace-dev-@{rand6}/{,**} rw, + /tmp/systemd-private-*/{,**} rw, @{run}/ rw, - @{run}/* rw, @{run}/*/ rw, @{run}/*/* rw, + @{run}/auditd.pid r, @{run}/credentials/{,**} rw, + @{run}/initctl rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+leds:*backlight* r, + + @{run}/udev/data/+module:configfs r, + @{run}/udev/data/+module:fuse r, @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, - @{sys}/**/uevent r, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/class/sound/ r, + @{sys}/devices/@{pci}/** r, + @{sys}/devices/**/net/** r, + @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, 
@{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, - @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/fuse/connections/ r, @{sys}/fs/pstore/ r, @{sys}/kernel/**/ r, + @{sys}/module/**/uevent r, @{sys}/module/apparmor/parameters/enabled r, - @{sys}/module/vt/parameters/default_utf8 r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/coredump_filter r, + @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map rw, + @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/setgroups rw, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/uid_map rw, @{PROC}/cmdline r, @{PROC}/devices r, @{PROC}/pressure/* r, @@ -207,33 +257,30 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { @{PROC}/sys/fs/binfmt_misc/ r, @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/* r, - @{PROC}/sys/kernel/random/boot_id r, - @{PROC}/sysvipc/msg r, - @{PROC}/sysvipc/sem r, - @{PROC}/sysvipc/shm r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/1/coredump_filter r, - owner @{PROC}/1/fdinfo/@{int} r, - owner @{PROC}/1/gid_map r, - owner @{PROC}/1/oom_score_adj rw, - owner @{PROC}/1/setgroups r, - owner @{PROC}/1/uid_map r, + @{PROC}/sysvipc/{shm,sem,msg} r, + owner @{PROC}/@{pid}/limits r, + owner @{PROC}/@{pid}/oom_score_adj rw, /dev/autofs r, - /dev/dri/card@{int} rw, - /dev/initctl w, - /dev/input/ r, /dev/kmsg w, - /dev/tty rw, - /dev/tty@{int} rw, owner /dev/console rwk, + owner /dev/dri/card@{int} rw, owner /dev/hugepages/ rw, + owner /dev/initctl rw, owner /dev/input/event@{int} rw, owner /dev/mqueue/ rw, owner /dev/rfkill rw, - owner /dev/shm/ r, + owner /dev/shm/ rw, owner /dev/ttyS@{int} rwk, + profile systemctl { + include + include + + include if exists + include if exists + } + include if exists include if exists } 
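Review bot: The `mount fstype=autofs systemd-1 -> /efi/`, `mount options=(rw move) -> /efi/` and `remount options=(ro nosuid nodev noexec bind) /efi/` rules hard-code `/efi/` while the rest of the policy (including the profiles this commit deletes) spells the ESP as `@{efi}`; on systems whose ESP is at `/boot/efi` these rules will not match, so `@{efi}/` is the safer form if the variable is still defined. The bare `change_profile,` permits a transition to any loaded profile; if the target set is known (the unit-configured profiles the header TODO describes), `change_profile -> ...` keeps the boundary meaningful. `@{lib}/systemd/systemd-executor ix,` means the executor now runs with the full PID 1 rule set instead of a reduced one; that is a deliberate design change, but a comment at that line saying so would help. The enclosing profile continues beyond this hunk.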
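Review bot: The new child `profile systemctl {` declares no flags while its parent has `attach_disconnected,mediate_deleted`; flags are per profile, so disconnected paths (common when systemctl talks to units living in private mount namespaces) will be denied in the child. Consider `profile systemctl flags=(attach_disconnected,mediate_deleted) {` unless the omission is intentional, in which case a comment saying so would help. The same applies to the identical child profile added to `systemd-user` in the `@@ -88,25 +120,27 @@` hunk.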
diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service
new file mode 100644
index 000000000..e6c4a4b7b
--- /dev/null
+++ b/apparmor.d/groups/_full/systemd-service
@@ -0,0 +1,72 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Profile for generic systemd unit services. Only used by tiny systemd services
+# that start a shell or use context specific programs.
+
+# It does not specify an attachment path because it is intended to be used only
+# via "Px -> systemd-service" exec transitions from the systemd profile.
+
+abi ,
+
+include
+
+profile systemd-service flags=(attach_disconnected) {
+ include
+ include
+ include
+
+ capability chown,
+ capability fsetid,
+
+ @{bin}/ldconfig rix,
+ @{bin}/savelog rix,
+ @{bin}/systemctl rix,
+ @{bin}/gzip rix,
+ @{coreutils_path} rix,
+ @{sh_path} rmix,
+
+ # ifup@.service
+ @{bin}/ifup rPx,
+
+ # shadow.service
+ @{bin}/pwck rPx,
+ @{bin}/grpck rPx,
+
+ @{bin}/grub-editenv rPx,
+ @{bin}/ibus-daemon rPx,
+
+ @{bin}/* r,
+ @{lib}/ r,
+
+ /var/cache/ldconfig/{,**} rw,
+
+ /boot/grub/grubenv rw,
+ /boot/grub/ w,
+
+ /var/log/ r,
+ /var/log/dmesg rw,
+ /var/log/dmesg.* rwl -> /var/log/dmesg,
+
+ # man-db.service
+ /usr/{,local/}share/man/{,**} r,
+ /etc/manpath.config r,
+ /var/cache/man/{,**} rwk,
+
+ # snapd.system-shutdown.service
+ @{run}/initramfs/shutdown rw,
+ @{run}/initramfs/ rw,
+
+ # cockpit.socket
+ @{run}/cockpit/@{rand8} rw,
+ @{run}/cockpit/motd w,
+
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
+
+ include if exists
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index b3d751be1..919c53457 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
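Review bot: `systemd-service` is a shared profile reached from every shell-based unit via `Px -> systemd-service`, yet it carries `/boot/grub/grubenv rw,` and `/boot/grub/ w,`, so any small unit that lands here can alter bootloader state; since `@{bin}/grub-editenv rPx,` already delegates that edit to its own profile, the two grub lines look unnecessary and are best dropped or moved to a dedicated profile with a comment naming the unit that needs them. The other rule groups carry a `# <unit>.service` comment, but the grub, ldconfig and dmesg rules do not; adding `# grub-common.service` style comments (with the real unit name) would make later pruning safe. `@{bin}/systemctl rix,` also differs from the `Cx -> systemctl` child the `systemd` profile uses, so systemctl runs here with the full service rule set; `Px -> systemd//systemctl` would keep both paths consistent if that child is meant to be the single systemctl confinement.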
@@ -11,12 +11,14 @@ # Distributions and other programs can add rules in the usr/systemd-user.d directory +# TODO: rework this to get a controlled environment. cf comments in systemd profile. + abi , include @{exec_path} = @{lib}/systemd/systemd -profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { +profile systemd-user flags=(attach_disconnected,mediate_deleted) { include include include 
@@ -25,61 +27,91 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { network netlink raw, - signal send, + signal send set=(term, cont, kill), + signal receive set=hup peer=@{p_systemd}, - ptrace read, - - unix type=dgram peer=(label=@{p_sdu}), + ptrace read peer=@{p_systemd}, unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system, unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 - @{exec_path} mrix, + @{exec_path} mr, - # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor mPx -> sdu, + @{bin}/** Px, + @{lib}/** Px, + /etc/cron.*/* Px, + /opt/*/** Px, + /usr/share/*/** Px, - # Systemd user generators. Profiles must exist - @{lib}/systemd/user-environment-generators/* Px, - @{lib}/systemd/user-generators/* Px, + # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor ix, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Shell based ystemd unit services + @{coreutils_path} Px -> systemd-user-service, + @{sh_path} Px -> systemd-user-service, + + # Dbus needs to be started without environment scrubbing + @{bin}/dbus-broker px -> dbus-session, + @{bin}/dbus-broker-launch px -> dbus-session, + @{bin}/dbus-daemon px -> dbus-session, + @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, + + # Audio profiles need to be stacked + #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber + @{bin}/pipewire Px -> systemd-user//&pipewire, + @{bin}/pipewire-media-session Px -> systemd-user//&pipewire-media-session, + @{bin}/pipewire-pulse Px -> systemd-user//&pipewire-pulse, + @{bin}/pulseaudio Px -> systemd-user//&pulseaudio, + @{bin}/wireplumber Px -> systemd-user//&wireplumber, + + /usr/ r, + /usr/share/defaults/**.conf r, - @{etc_ro}/environment r, /etc/systemd/user.conf r, 
/etc/systemd/user.conf.d/{,**} r, /etc/systemd/user/{,**} r, + / r, + + owner @{HOME}/.local/ w, + owner @{user_config_dirs}/systemd/user/{,**} rw, + @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/** rwkl, @{run}/mount/utab r, @{run}/systemd/notify w, - @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+leds:*backlight* r, + @{run}/udev/data/+module:configfs r, + @{run}/udev/data/+module:fuse r, + @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features - @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/**/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, + @{sys}/module/apparmor/parameters/enabled r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/stat r, @{PROC}/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, 
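Review bot: Two new comments in this hunk carry typos: `# Shell based ystemd unit services` should read `# Shell based systemd unit services`, and `# Systemd internal service started and config handler` (also added to the `systemd` profile in the `@@ -82,124 +62,194 @@` hunk) should keep the original `starter`. The `@{bin}/** Px,`, `@{lib}/** Px,`, `/opt/*/** Px,` and `/usr/share/*/** Px,` rules presumably rely on the `default` profile attached to `/**` for binaries without a profile of their own; a comment stating that above them would make the fallback dependency explicit. The enclosing profile continues outside this hunk.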
@@ -88,25 +120,27 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, - owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/coredump_filter r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pids}/oom_score_adj rw, - deny capability bpf, - deny capability dac_override, - deny capability dac_read_search, - deny capability mknod, - deny capability net_admin, - deny capability perfmon, - deny capability sys_admin, - deny capability sys_boot, - deny capability sys_resource, + /dev/tty rw, + + profile systemctl { + include + include + + include if exists + include if exists + } include if exists include if exists diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service new file mode 100644 index 000000000..d65846f82 --- /dev/null +++ b/apparmor.d/groups/_full/systemd-user-service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Profile for generic systemd unit services. Only used by tiny systemd services +# that start a shell or use context specific programs. + +# It does not specify an attachment path because it is intended to be used only +# via "Px -> systemd-user-service" exec transitions from the systemd-user profile. + +abi , + +include + +profile systemd-user-service flags=(complain) { + include + include + + include if exists + include if exists +} + +# vim:syntax=apparmor 
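Review bot: Dropping the nine `deny capability` rules (bpf, dac_override, dac_read_search, mknod, net_admin, perfmon, sys_admin, sys_boot, sys_resource) changes enforcement rather than just log noise: the hunk context shows this profile runs with `complain` in its flags, and explicit `deny` rules are the one thing still enforced in complain mode, so those capabilities go from hard-denied to allowed-and-logged for the user manager. If the intent is to keep the hardening baseline the lines should stay; if a specific capability was generating noise, narrowing the list is safer than deleting it. The new `profile systemctl { ... }` child appears here with bare `include` statements whose targets are missing (presumably `<...>` stripped during rendering), so please confirm the committed file carries them. The enclosing profile starts and ends outside this hunk.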
diff --git a/apparmor.d/groups/akonadi/akonadi_akonotes_resource b/apparmor.d/groups/akonadi/akonadi_akonotes_resource index 0471cd8f4..f0145d670 100644 --- a/apparmor.d/groups/akonadi/akonadi_akonotes_resource +++ b/apparmor.d/groups/akonadi/akonadi_akonotes_resource @@ -15,7 +15,7 @@ profile akonadi_akonotes_resource @{exec_path} { @{exec_path} mr, - owner @{user_config_dirs}/akonadi_akonotes_resource_@{int}rc r, + owner @{user_config_dirs}/akonadi_akonotes_resource_[0-9]rc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_contacts_resource b/apparmor.d/groups/akonadi/akonadi_contacts_resource index 58c7443fc..c3e5dc716 100644 --- a/apparmor.d/groups/akonadi/akonadi_contacts_resource +++ b/apparmor.d/groups/akonadi/akonadi_contacts_resource @@ -17,7 +17,7 @@ profile akonadi_contacts_resource @{exec_path} { /usr/share/akonadi/plugins/serializer/{,*.desktop} r, - owner @{user_config_dirs}/akonadi_contacts_resource_@{int}rc r, + owner @{user_config_dirs}/akonadi_contacts_resource_[0-9]rc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_ical_resource b/apparmor.d/groups/akonadi/akonadi_ical_resource index 2a5c95729..5f37f797c 100644 --- a/apparmor.d/groups/akonadi/akonadi_ical_resource +++ b/apparmor.d/groups/akonadi/akonadi_ical_resource @@ -15,9 +15,9 @@ profile akonadi_ical_resource @{exec_path} { @{exec_path} mr, - owner @{user_cache_dirs}/akonadi_ical_resource_@{int}/{,*} rwl, + owner @{user_cache_dirs}/akonadi_ical_resource_[0-9]/{,*} rwl, - owner @{user_config_dirs}/akonadi_ical_resource_@{int}rc rwl, + owner @{user_config_dirs}/akonadi_ical_resource_[0-9]rc rwl, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, 
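Review bot: Replacing `@{int}` with `[0-9]` in `owner @{user_config_dirs}/akonadi_akonotes_resource_[0-9]rc r,` narrows the match to exactly one digit, so the eleventh resource instance (`..._10rc`) stops matching and its config read is denied; the original `owner @{user_config_dirs}/akonadi_akonotes_resource_@{int}rc r,` covered multi-digit ids. The same single-digit regression is introduced in akonadi_contacts_resource and akonadi_ical_resource on this line, akonadi_maildir_resource below it, `@{bin}/ruby[0-9].@{int}` and `site_ruby/[0-9].[0-9].[0-9]` in apt-listbugs, apt-listbugs-migratepins and apt-listbugs-prefclean, and `index.[0-9]` in aptitude. Unless the intent is to deliberately reject higher instance numbers, keep `@{int}` in all of them.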
diff --git a/apparmor.d/groups/akonadi/akonadi_maildir_resource b/apparmor.d/groups/akonadi/akonadi_maildir_resource index be9621437..fc518e4f7 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildir_resource +++ b/apparmor.d/groups/akonadi/akonadi_maildir_resource @@ -19,11 +19,11 @@ profile akonadi_maildir_resource @{exec_path} { owner @{user_mail_dirs}/{,**} rw, - owner @{user_config_dirs}/akonadi_maildir_resource_@{int}rc r, + owner @{user_config_dirs}/akonadi_maildir_resource_[0-9]rc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, - owner @{user_share_dirs}/akonadi_maildir_resource_@{int}/{,**} rw, + owner @{user_share_dirs}/akonadi_maildir_resource_[0-9]/{,**} rw, owner @{user_share_dirs}/akonadi/{,**} rwk, owner @{user_share_dirs}/local-mail*/{,**} rw, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify deleted file mode 100644 index 07706d052..000000000 --- a/apparmor.d/groups/apparmor/aa-notify +++ /dev/null 
@@ -1,112 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/aa-notify -profile aa-notify @{exec_path} { - include - include - include - include - include - include - include - - capability setgid, - capability setuid, - capability sys_ptrace, - - ptrace read, - - @{exec_path} mr, - - @{bin}/gtk-launch ix, - @{bin}/pkexec Cx -> pkexec, - @{bin}/xdg-mime Px, - @{open_path} Cx -> open, - - @{bin}/ r, - - /usr/share/apparmor/** r, - /usr/share/terminfo/** r, - - @{etc_ro}/inputrc r, - @{etc_ro}/inputrc.keys r, - /etc/apparmor.d/{,**} r, - /etc/apparmor/*.conf r, - - /var/log/audit/audit.log r, - - owner @{HOME}/.inputrc r, - owner @{HOME}/.terminfo/@{int}/dumb r, - - owner @{tmp}/@{word8} rw, - owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, - - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/cmdline r, - - profile open { - include - include - - @{editor_ui_path} rPx -> aa-notify//editor, - - include if exists - } - - profile editor { - include - include - include - include - include - - @{editor_ui_path} rix, - @{open_path} rPx -> child-open-help, - - /etc/apparmor.d/{,**} r, - - owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, - - owner @{PROC}/@{pid}/mountinfo r, - - deny @{user_share_dirs}/gvfs-metadata/* r, - - include if exists - } - - profile pkexec { - include - include - include - - ptrace read peer=aa-notify, - - @{sbin}/apparmor_parser Px, - @{lib}/@{python_name}/site-packages/apparmor/update_profile.py ix, - - /usr/share/apparmor/** r, - /usr/share/terminfo/** r, - - @{etc_ro}/inputrc r, - @{etc_ro}/inputrc.keys r, - - /etc/apparmor.d/ r, - /etc/apparmor.d/** rw, - /etc/apparmor/* r, - - @{PROC}/@{pid}/mounts r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 8581fe724..369dd3bbd 100644 
--- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -7,12 +7,13 @@ abi , include -@{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd +@{exec_path} = @{bin}/apt @{bin}/apt-get @{bin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include - include + include include include + include include include include @@ -36,21 +37,15 @@ profile apt @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/apt-get/system, unix bind type=stream addr=@@{udbus}/bus/apt/system, - unix type=stream peer=(label=@{p_snap}), unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), #aa:dbus own bus=system name=org.debian.apt - #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd - dbus send bus=system path=/org/freedesktop/PackageKit - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.PackageKit), - dbus send bus=system path=/org/freedesktop/PackageKit - interface=org.freedesktop.PackageKit - member=StateHasChanged - peer=(name=org.freedesktop.PackageKit), + dbus send bus=system path=/org/freedesktop/DBus/Bus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=system interface=org.freedesktop.DBus.Introspectable @@ -58,16 +53,15 @@ profile apt @{exec_path} flags=(attach_disconnected) { peer=(name="{:*,org.freedesktop.DBus}"), @{exec_path} mr, - @{python_path} mr, @{bin}/ r, @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/cat rix, @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/id rix, + @{bin}/ischroot rix, @{bin}/test rix, @{bin}/touch rix, 
@@ -80,15 +74,14 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/df rPx, @{bin}/dmesg rPx, @{bin}/dpkg rPx, + @{bin}/dpkg-preconfigure rPx, @{bin}/dpkg-source rcx -> dpkg-source, @{bin}/etckeeper rPx, - @{bin}/ischroot rPx, @{bin}/localepurge rPx, @{bin}/ps rPx, - @{bin}/snap rPx, - @{bin}/systemctl rCx -> systemctl, + @{bin}/snap rPUx, + @{bin}/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx, - @{sbin}/dpkg-preconfigure rPx, @{lib}/cnf-update-db rPx, @{lib}/needrestart/apt-pinvoke rPx, @{lib}/zsys-system-autosnapshot rPx, @@ -137,9 +130,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/lib/update-notifier/dpkg-run-stamp rw, /var/log/apt/{,**} rw, - /var/log/ubuntu-advantage-apt-hook.log w, - - @{efi}/ r, # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, @@ -147,7 +137,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/apt-changelog-*/ w, /tmp/apt-changelog-*/*.changelog w, - /tmp/apt-tmp-index.@{rand6} rw, owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, @@ -174,7 +163,18 @@ profile apt @{exec_path} flags=(attach_disconnected) { profile pager { include - include + include + + capability dac_read_search, + + @{bin}/ r, + @{sh_path} rix, + @{pager_path} rmix, + @{bin}/which{,.debianutils} rix, + + /root/ r, # For shell pwd + + owner @{HOME}/.less* rw, owner @{tmp}/apt-changelog-*/ r, owner @{tmp}/apt-changelog-*/*.changelog r, @@ -188,10 +188,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { include @{bin}/dpkg-source mr, + @{bin}/perl r, @{bin}/bunzip2 rix, @{bin}/chmod rix, - @{bin}/bzip2 rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/patch rix, 
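Review bot: `@{bin}/snap rPUx,` replaces `rPx`, so when no `snap` profile is loaded apt now launches snap unconfined instead of failing the exec; the same fallback is added to command-not-found further down. Since apt runs as root and snap installs software, an unconfined fallback is a genuine widening of what a compromised apt hook or post-install script can reach, and the hunk does not say why it is acceptable. If the snap profile is optional on some targets, either keep `rPx` and ship the profile, or at least add a comment above the line stating why the unconfined fallback is accepted. Note also that `@{bin}/ischroot` moves from `rPx` here to `rix` in the previous hunk, which keeps that helper confined by apt's own profile; fine for a tiny binary, but a one-line comment would save the next reader a lookup.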
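Review bot: The `pager` child profile in the `@@ -174,7 +163,18 @@` hunk gains `capability dac_read_search,` alongside `@{sh_path} rix,` and `@{pager_path} rmix,`; pagers such as less offer shell escapes, so a shell started from the pager runs under this child and inherits the DAC bypass, which is a large grant for something that only needs to display changelog files. The hunk does not say which access required it, so either drop the capability or add a comment naming the path that needed it, e.g. `# dac_read_search: needed for <path to confirm>` above the line. The same pattern is added to the apt-listchanges pager and the aptitude pager on later lines; in aptitude's case the pager child grants `@{editor_path} mrix,` where the other two use `@{pager_path}`, which looks like a copy mistake and is worth confirming. The `/root/ r, # For shell pwd` comment itself documents that a shell is expected here.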
@@ -199,7 +199,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/xz rix, - /etc/dpkg/origins/* r, + /etc/dpkg/origins/debian r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner @{HOME}/** rwkl -> @{HOME}/**, diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index afd34f7e5..1251fe449 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cache profile apt-cache @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index 0ce146261..a99b964c7 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include - include + include include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 834bcbd8c..505a4b037 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-config profile apt-config @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index 6fbfad65b..2e41b10bf 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -7,11 +7,11 @@ abi , include -@{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates +@{exec_path} = @{bin}/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include - include include + include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index 6551f21a7..7ee51cfed 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file 
@@ -10,10 +10,11 @@ include @{exec_path} = @{bin}/apt-file profile apt-file @{exec_path} { include - include + include include @{exec_path} r, + @{bin}/perl r, @{bin}/fgrep rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index 3eec09d60..2fbb5d95b 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-forktracer profile apt-forktracer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index 18b6d7241..5a2d7dd55 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/apt/apt-helper profile apt-helper @{exec_path} { include - include + include @{exec_path} mr, @@ -25,8 +25,6 @@ profile apt-helper @{exec_path} { capability net_admin, - ptrace read peer=@{p_systemd}, - include if exists } diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs index a60457ec8..403573a9d 100644 --- a/apparmor.d/groups/apt/apt-listbugs +++ b/apparmor.d/groups/apt/apt-listbugs @@ -23,7 +23,7 @@ profile apt-listbugs @{exec_path} { network netlink raw, @{exec_path} r, - @{bin}/ruby@{int}.@{int} rix, + @{bin}/ruby[0-9].@{int} rix, @{sh_path} rix, @{bin}/logname rix, @@ -34,7 +34,7 @@ profile apt-listbugs @{exec_path} { # shared object file): ignored. @{bin}/dpkg-query rpx, - /usr/local/lib/site_ruby/@{d}.@{d}.@{d}/**.rb r, + /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r, /usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, @@ -53,7 +53,7 @@ profile apt-listbugs @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, 
diff --git a/apparmor.d/groups/apt/apt-listbugs-migratepins b/apparmor.d/groups/apt/apt-listbugs-migratepins index d7089b76a..6a261aab9 100644 --- a/apparmor.d/groups/apt/apt-listbugs-migratepins +++ b/apparmor.d/groups/apt/apt-listbugs-migratepins @@ -14,7 +14,7 @@ profile apt-listbugs-migratepins @{exec_path} { include @{exec_path} r, - @{bin}/ruby@{int}.@{int} rix, + @{bin}/ruby[0-9].@{int} rix, /usr/share/rubygems-integration/*/specifications/ r, /usr/share/rubygems-integration/*/specifications/*.gemspec rwk, diff --git a/apparmor.d/groups/apt/apt-listbugs-prefclean b/apparmor.d/groups/apt/apt-listbugs-prefclean index 7dc4ea09e..4e0fea86f 100644 --- a/apparmor.d/groups/apt/apt-listbugs-prefclean +++ b/apparmor.d/groups/apt/apt-listbugs-prefclean @@ -14,7 +14,7 @@ profile apt-listbugs-prefclean @{exec_path} { include @{exec_path} r, - @{bin}/ruby@{int}.@{int} rix, + @{bin}/ruby[0-9].@{int} rix, @{bin}/date rix, @{bin}/cat rix, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 0ee42f5a4..89cf63067 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -14,10 +14,10 @@ profile apt-listchanges @{exec_path} { include include - capability dac_read_search, + #capability sys_tty_config, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, @@ -26,11 +26,11 @@ profile apt-listchanges @{exec_path} { # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-deb px, - - @{pager_path} Cx -> pager, - @{bin}/dpkg Px -> child-dpkg, - @{sbin}/exim4 Px, # Send results using email + @{bin}/dpkg-deb rpx, + # + @{pager_path} rCx -> pager, + # Send results using email + @{bin}/exim4 rPx, /usr/share/apt-listchanges/{,**} r, 
@@ -50,17 +50,51 @@ profile apt-listchanges @{exec_path} { /var/cache/apt/archives/ r, - /tmp/ r, - owner @{tmp}/@{word8} rw, - owner @{tmp}/apt-listchanges@{word8}/ rw, - owner @{tmp}/apt-listchanges@{word8}/** rw, - owner @{PROC}/@{pid}/fd/ r, + /tmp/ r, + owner @{tmp}/* rw, + owner @{tmp}/apt-listchanges*/ rw, + owner @{tmp}/apt-listchanges*/**/ rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog.gz rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, + owner @{tmp}/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw, + + # The following is needed when apt-listchanges uses debcconf GUI frontends. + include + include + include + include + capability dac_read_search, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, + owner @{PROC}/@{pid}/mounts r, + @{HOME}/.Xauthority r, + + profile pager { include - include + include + capability dac_read_search, + #capability sys_tty_config, + + @{pager_path} mrix, + + @{bin}/ r, + @{sh_path} rix, + @{bin}/which{,.debianutils} rix, + + owner @{HOME}/.less* rw, + + # For shell pwd + /root/ r, + + /tmp/ r, owner @{tmp}/apt-listchanges-tmp*.txt r, include if exists diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index c174267f5..4af469c30 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-mark profile apt-mark @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-cdrom b/apparmor.d/groups/apt/apt-methods-cdrom index 96ce36a72..9cf47e758 100644 --- a/apparmor.d/groups/apt/apt-methods-cdrom +++ b/apparmor.d/groups/apt/apt-methods-cdrom 
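Review bot: `owner @{tmp}/* rw,` grants read/write to every root-owned top-level entry in the temp directory, which is broader than the `owner @{tmp}/@{word8} rw,` it replaces and broader than the long list of specific `apt-listchanges*` paths added right after it suggests was needed. The debconf-related `include` statements, `capability dac_read_search,`, `@{bin}/lsb_release rPx -> lsb_release,` and `@{HOME}/.Xauthority r,` are inserted in the middle of the file-rule section rather than at the top with the other includes, which differs from how every other profile in this diff is laid out; moving the includes to the header block and keeping the rules together would match the tree's convention. `@{HOME}/.Xauthority r,` is also not `owner`-qualified while the surrounding `@{HOME}` rules are. The enclosing profile begins above this hunk.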
@@ -19,10 +19,10 @@ profile apt-methods-cdrom @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt, - signal receive peer=apt-get, - signal receive peer=aptitude, - signal receive peer=synaptic, + signal (receive) peer=apt, + signal (receive) peer=apt-get, + signal (receive) peer=aptitude, + signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index e2878e108..6d906bf80 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -20,10 +20,10 @@ profile apt-methods-copy @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt, - signal receive peer=apt-get, - signal receive peer=aptitude, - signal receive peer=synaptic, + signal (receive) peer=apt, + signal (receive) peer=apt-get, + signal (receive) peer=aptitude, + signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 781f9714e..3c2489a32 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -20,11 +20,11 @@ profile apt-methods-file @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt-get, - signal receive peer=apt, - signal receive peer=aptitude, - signal receive peer=@{p_packagekitd}, - signal receive peer=synaptic, + signal (receive) peer=apt-get, + signal (receive) peer=apt, + signal (receive) peer=aptitude, + signal (receive) peer=packagekitd, + signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-ftp b/apparmor.d/groups/apt/apt-methods-ftp index e753b4cf8..47c679ea1 100644 --- a/apparmor.d/groups/apt/apt-methods-ftp +++ b/apparmor.d/groups/apt/apt-methods-ftp 
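Review bot: `signal (receive) peer=apt,` parenthesises the access while every other signal rule on this page (`signal send set=(term, cont, kill),`, `signal receive set=hup peer=@{p_systemd},`, `signal send set=(cont term) peer=...`) writes it bare; both forms parse the same, so this is a pure style change that touches ten files (apt-methods-cdrom, -copy, -file, -ftp, -gpgv, -http, -mirror, -rred, -rsh, -store) and leaves the tree inconsistent either way. The same hunks also swap `peer=@{p_packagekitd}` for the literal `peer=packagekitd` and drop the `peer=role_*` entries in apt-methods-gpgv, -http and -store; I cannot see the variable's definition here, but if it exists to cover alternative label spellings, the literal form silently stops matching them. Either keep the bare form and the variable, or convert the rest of the tree in the same commit.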
@@ -19,10 +19,10 @@ profile apt-methods-ftp @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt, - signal receive peer=apt-get, - signal receive peer=aptitude, - signal receive peer=synaptic, + signal (receive) peer=apt, + signal (receive) peer=apt-get, + signal (receive) peer=aptitude, + signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index 5f3654f6e..4b2a15773 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -20,12 +20,11 @@ profile apt-methods-gpgv @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt-get, - signal receive peer=apt, - signal receive peer=aptitude, - signal receive peer=@{p_packagekitd}, - signal receive peer=role_*, - signal receive peer=synaptic, + signal (receive) peer=apt-get, + signal (receive) peer=apt, + signal (receive) peer=aptitude, + signal (receive) peer=packagekitd, + signal (receive) peer=synaptic, @{exec_path} mr, @@ -85,7 +84,6 @@ profile apt-methods-gpgv @{exec_path} { owner @{tmp}/apt-key-gpghome.*/ rw, owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**, owner @{tmp}/apt.{conf,sig,data}.* rw, - owner @{tmp}/apt.@{rand6}.gpg rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 77a418b07..0638120ba 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/apt/methods/http{,s} -profile apt-methods-http @{exec_path} flags=(attach_disconnected) { +profile apt-methods-http @{exec_path} { include include include 
@@ -23,16 +23,14 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal receive peer=@{p_apt_news}, - signal receive peer=@{p_packagekitd}, - signal receive peer=apt-get, - signal receive peer=apt, - signal receive peer=aptitude, - signal receive peer=role_*, - signal receive peer=synaptic, - signal receive peer=ubuntu-advantage, - signal receive peer=unattended-upgrade, - signal receive peer=update-manager, + signal (receive) peer=apt-get, + signal (receive) peer=apt, + signal (receive) peer=aptitude, + signal (receive) peer=packagekitd, + signal (receive) peer=synaptic, + signal (receive) peer=ubuntu-advantage, + signal (receive) peer=unattended-upgrade, + signal (receive) peer=update-manager, ptrace (read), @@ -71,10 +69,7 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { owner @{tmp}/aptitude-root.*/aptitude-download-* rw, owner @{tmp}/apt-changelog-*/*.changelog rw, - @{run}/ubuntu-advantage/aptnews.json rw, - owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, - - @{run}/systemd/resolve/io.systemd.Resolve rw, + @{run}/ubuntu-advantage/aptnews.json rw, @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index 025a1c01b..d8e3adce3 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -20,11 +20,11 @@ profile apt-methods-mirror @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt-get, - signal receive peer=apt, - signal receive peer=aptitude, - signal receive peer=@{p_packagekitd}, - signal receive peer=synaptic, + signal (receive) peer=apt-get, + signal (receive) peer=apt, + signal (receive) peer=aptitude, + signal (receive) peer=packagekitd, + signal (receive) peer=synaptic, @{exec_path} mr, 
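Review bot: Removing `@{run}/systemd/resolve/io.systemd.Resolve rw,` takes away the http method's access to the resolved varlink socket, which nss-resolve uses for name lookups; unless one of the includes at the top of the profile (outside this hunk) covers it, downloads will fail to resolve on hosts using systemd-resolved and the hunk gives no reason for the removal. The preceding hunk of this file also drops `flags=(attach_disconnected)` from the profile header, so any access through a disconnected path that previously worked will now be denied; if the flag was added to fix a reported denial, that should be re-checked. A short comment on the retained `@{run}/ubuntu-advantage/aptnews.json rw,` line explaining why the `owner`-qualified sibling was dropped would also help.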
diff --git a/apparmor.d/groups/apt/apt-methods-rred b/apparmor.d/groups/apt/apt-methods-rred index 1aadac2ec..85da35efc 100644 --- a/apparmor.d/groups/apt/apt-methods-rred +++ b/apparmor.d/groups/apt/apt-methods-rred @@ -20,11 +20,11 @@ profile apt-methods-rred @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt, - signal receive peer=apt-get, - signal receive peer=aptitude, - signal receive peer=synaptic, - signal receive set=(int) peer=@{p_packagekitd}, + signal (receive) peer=apt, + signal (receive) peer=apt-get, + signal (receive) peer=aptitude, + signal (receive) peer=synaptic, + signal (receive) set=(int) peer=packagekitd, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rsh b/apparmor.d/groups/apt/apt-methods-rsh index 1b76551b9..95d70b31f 100644 --- a/apparmor.d/groups/apt/apt-methods-rsh +++ b/apparmor.d/groups/apt/apt-methods-rsh @@ -19,10 +19,10 @@ profile apt-methods-rsh @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt, - signal receive peer=apt-get, - signal receive peer=aptitude, - signal receive peer=synaptic, + signal (receive) peer=apt, + signal (receive) peer=apt-get, + signal (receive) peer=aptitude, + signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv deleted file mode 100644 index 0dcd7da0d..000000000 --- a/apparmor.d/groups/apt/apt-methods-sqv +++ /dev/null 
@@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/apt/methods/sqv -profile apt-methods-sqv @{exec_path} { - include - include - include - - # To handle the _apt user - capability setgid, - capability setuid, - - signal receive set=int peer=apt, - signal receive set=int peer=packagekitd, - - @{exec_path} mr, - - @{bin}/sqv ix, - - /usr/share/apt/default-sequoia.config r, - /usr/share/keyrings/debian-archive-keyring.gpg r, - /usr/share/keyrings/debian-archive-keyring.pgp r, - - owner /var/lib/apt/lists/{,**} r, - - owner /tmp/apt.data.@{rand6} rw, - owner /tmp/apt.sig.@{rand6} rw, - owner /tmp/apt.sqverr.@{rand6} rw, - owner /tmp/apt.sqvout.@{rand6} rw, - - @{PROC}/@{pid}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index a6875a432..4c414f07c 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -20,12 +20,11 @@ profile apt-methods-store @{exec_path} { capability setgid, capability setuid, - signal receive peer=apt-get, - signal receive peer=apt, - signal receive peer=aptitude, - signal receive peer=@{p_packagekitd}, - signal receive peer=role_*, - signal receive peer=synaptic, + signal (receive) peer=apt-get, + signal (receive) peer=apt, + signal (receive) peer=aptitude, + signal (receive) peer=packagekitd, + signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 7f59635eb..4ba9e57d7 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -30,6 +30,7 @@ profile apt-overlay @{exec_path} { /root/ r, owner @{PROC}/@{pids}/loginuid r, + owner @{PROC}/@{pids}/maps r, include if exists } 
diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index 514b952ff..7885afca4 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -10,11 +10,12 @@ include @{exec_path} = @{bin}/apt-show-versions profile apt-show-versions @{exec_path} { include - include include include + include @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 4f0d4e36b..04907876e 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -25,7 +25,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/env rix, @{bin}/find rix, @{bin}/flock rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/gzip rix, @{bin}/ls rix, @{bin}/mv rix, @@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/touch rix, @{bin}/uniq rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/xargs rix, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index b3f411c84..972123a06 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -10,9 +10,9 @@ include @{exec_path} = @{bin}/aptitude{,-curses} profile aptitude @{exec_path} flags=(complain) { include - include include include + include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory @@ -75,7 +75,7 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/apt-listbugs rPx, @{bin}/apt-listchanges rPx, @{bin}/apt-show-versions rPx, - @{sbin}/dpkg-preconfigure rPx, + @{bin}/dpkg-preconfigure rPx, @{bin}/debtags rPx, @{bin}/localepurge rPx, @{bin}/appstreamcli rPx, 
@@ -112,8 +112,8 @@ profile aptitude @{exec_path} flags=(complain) { owner @{tmp}/aptitudebug.*/** rwk, /var/lib/apt-xapian-index/index r, - /var/cache/apt-xapian-index/index.@{int}/*.glass r, - /var/cache/apt-xapian-index/index.@{int}/iamglass r, + /var/cache/apt-xapian-index/index.[0-9]/*.glass r, + /var/cache/apt-xapian-index/index.[0-9]/iamglass r, /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, @@ -169,10 +169,20 @@ profile aptitude @{exec_path} flags=(complain) { profile pager { include - include + include + @{bin}/ r, + @{editor_path} mrix, + @{sh_path} rix, + + @{bin}/which{,.debianutils} rix, + + owner @{HOME}/.less* rw, owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, + # For shell pwd + /root/ r, + include if exists } diff --git a/apparmor.d/groups/apt/aptitude-changelog-parser b/apparmor.d/groups/apt/aptitude-changelog-parser index cde501bd5..91a47110a 100644 --- a/apparmor.d/groups/apt/aptitude-changelog-parser +++ b/apparmor.d/groups/apt/aptitude-changelog-parser @@ -13,6 +13,7 @@ profile aptitude-changelog-parser @{exec_path} { include @{exec_path} r, + @{bin}/perl r, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index a2f5e2050..c700e325f 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tar rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 6d09e34c0..e6c0fdee6 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found 
@@ -12,21 +12,20 @@ include @{exec_path} += @{lib}/command-not-found profile command-not-found @{exec_path} { include - include + include include include include - capability dac_read_search, - @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, - @{bin}/lsb_release rPx, - @{bin}/snap rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/snap rPUx, + + @{lib}/python3/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, @{lib}/ r, - @{lib}/@{python_name}/dist-packages/CommandNotFound/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int}@{int} w, /usr/share/command-not-found/{,**} r, diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper deleted file mode 100644 index d6e89f9a0..000000000 --- a/apparmor.d/groups/apt/deb-systemd-helper +++ /dev/null @@ -1,48 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/deb-systemd-helper -profile deb-systemd-helper @{exec_path} { - include - include - include - - @{exec_path} mr, - - @{bin}/systemctl rCx -> systemctl, - - /etc/systemd/system/{,**} rw, - /etc/systemd/user/{,**} rw, - - /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw, - /var/lib/systemd/deb-systemd-helper-masked/{,**} rw, - /var/lib/systemd/deb-systemd-user-helper-enabled/{,**} rw, - - profile systemctl { - include - include - - capability net_admin, - - /etc/ r, - /etc/systemd/ r, - /etc/systemd/system/ r, - /etc/systemd/system/* rw, - /etc/systemd/system/*.wants/ rw, - /etc/systemd/system/*.wants/* rw, - /etc/systemd/user/ r, - /etc/systemd/user/*.wants/ rw, - /etc/systemd/user/*.wants/* rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke deleted file mode 100644 index 824d3b4dd..000000000 
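Review bot: `@{bin}/snap rPUx` loosens the previous `rPx`, so on a host with no loaded `snap` profile the snap lookup that command-not-found performs on every mistyped command now runs unconfined; `rPx` fails closed and is the safer default, or add a one-line comment stating that the unconfined fallback is deliberate. Separately, the new glob `@{lib}/python3/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w` still needs a path component of its own between `CommandNotFound/` and `__pycache__/` as far as I know, so the package's top-level `__pycache__/` is no longer writable; the removed `{,**/}` spelling covered both and is probably what was meant — worth confirming with aa-logprof. The dropped `capability dac_read_search` is a welcome tightening and is not the subject of this note.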
--- a/apparmor.d/groups/apt/deb-systemd-invoke +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/deb-systemd-invoke -profile deb-systemd-invoke @{exec_path} { - include - include - include - - capability net_admin, - capability sys_resource, - - ptrace read peer=@{p_systemd}, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/systemctl rix, #aa:lint ignore=transition - @{bin}/systemd-tty-ask-password-agent Px, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index 1d88c829b..4ddcca5ca 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress @@ -10,12 +10,45 @@ include @{exec_path} = @{bin}/debconf-apt-progress profile debconf-apt-progress @{exec_path} flags=(complain) { include - include + include @{exec_path} r, + @{bin}/perl r, @{bin}/apt-get rPx, + # Think what to do about this (#FIXME#) + /usr/share/debconf/frontend rPx, + #/usr/share/debconf/frontend rCx -> frontend, + + + profile frontend flags=(complain) { + include + include + include + include + + /usr/share/debconf/frontend r, + @{bin}/perl r, + + @{bin}/debconf-apt-progress rPx, + + @{sh_path} rix, + @{bin}/stty rix, + @{bin}/locale rix, + + # The following is needed when debconf uses dialog/whiptail frontend. + @{bin}/whiptail rPx, + + /etc/debconf.conf r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /usr/share/debconf/templates/adequate.templates r, + + /etc/shadow r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/apt/debconf-escape b/apparmor.d/groups/apt/debconf-escape deleted file mode 100644 index c64401bb0..000000000 
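Review bot: `/usr/share/debconf/frontend rPx` (the active rule above the `#FIXME#` comment) transitions to whatever profile is attached to that path, but this same change deletes `apparmor.d/groups/apt/debconf-frontend`, so after the rebuild the transition has no target and AppArmor denies the exec — debconf-apt-progress cannot start its frontend. Either swap the two lines so `/usr/share/debconf/frontend rCx -> frontend,` is the live rule (the `frontend` child below is already written for it) or keep the standalone profile. The child also grants `/etc/shadow r` and `owner /var/cache/debconf/passwords.dat rwk` with no explanation; a short comment on why a progress frontend needs the shadow file would help, and if it does not, drop it. Both the parent and the child are in complain mode, so this will only show up as log noise until enforced.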
--- a/apparmor.d/groups/apt/debconf-escape +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/debconf-escape -profile debconf-escape @{exec_path} { - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend deleted file mode 100644 index 0a7706fe1..000000000 --- a/apparmor.d/groups/apt/debconf-frontend +++ /dev/null 
@@ -1,74 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/debconf/frontend -profile debconf-frontend @{exec_path} flags=(complain) { - include - include - include - include - include - include - - capability dac_read_search, - - @{exec_path} r, - - @{bin}/hostname ix, - @{bin}/lsb_release Px, - @{bin}/stty ix, - @{sbin}/update-secureboot-policy Px, - - # Debconf apps - @{bin}/adequate Px, - @{bin}/debconf-apt-progress Px, - @{bin}/linux-check-removal Px, - @{bin}/ucf Px, - @{sbin}/aspell-autobuildhash Px, - @{sbin}/pam-auth-update Px, - @{lib}/tasksel/tasksel-debconf Px -> tasksel, - /usr/share/debian-security-support/check-support-status.hook Px, - - # Grub - @{lib}/grub/grub-multi-install Px, - /usr/share/grub/grub-check-signatures Px, - - # Package maintainer's scripts - /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, - /var/lib/dpkg/info/*.control r, - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts, - - # DKMS scipts - @{lib}/dkms/common.postinst rPUx, - @{lib}/dkms/dkms-* rPUx, - @{lib}/dkms/dkms_* rPUx, - - /etc/libpaper.d/texlive-base rPUx, - - /usr/share/debconf/{,**} r, - - /etc/inputrc r, - /etc/shadow r, - - owner /var/cache/debconf/* rwk, - - owner @{tmp}/file* w, - owner @{tmp}/tmp.@{rand10} rw, - owner @{tmp}/updateppds.@{rand6} rw, - - @{HOME}/.Xauthority r, - - @{run}/user/@{uid}/pk-debconf-socket rw, - - owner @{PROC}/@{pid}/mounts r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/debconf-show b/apparmor.d/groups/apt/debconf-show index ed9cf9094..b00cecd1b 100644 --- a/apparmor.d/groups/apt/debconf-show +++ b/apparmor.d/groups/apt/debconf-show @@ -14,6 +14,7 @@ profile debconf-show @{exec_path} { include @{exec_path} r, + @{bin}/perl r, @{bin}/locale rix, 
diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index c67b1dfb5..ee29b4923 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -21,13 +21,13 @@ profile debsecan @{exec_path} { network inet6 stream, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, # Send results using email - @{sbin}/exim4 rPx, + @{bin}/exim4 rPx, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign index 635076069..68d0d4184 100644 --- a/apparmor.d/groups/apt/debsign +++ b/apparmor.d/groups/apt/debsign @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/debsign profile debsign @{exec_path} { include - include @{exec_path} r, @@ -28,6 +27,7 @@ profile debsign @{exec_path} { @{bin}/md5sum rix, @{bin}/mktemp rix, @{bin}/mv rix, + @{bin}/perl rix, @{bin}/rm rix, @{bin}/sed rix, @{bin}/sha{1,256,512}sum rix, diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 8c0087770..01e9ac152 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -12,20 +12,28 @@ profile debsums @{exec_path} { include include + # Needed to read files owned by other users than root. capability dac_read_search, @{exec_path} r, @{sh_path} rix, - @{bin}/{m,g,}awk ix, + @{bin}/{m,g,}awk rix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query px, + @{bin}/dpkg-query rpx, # - @{bin}/dpkg Px -> child-dpkg, - @{bin}/dpkg-divert Px -> child-dpkg-divert, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-divert rPx -> child-dpkg-divert, + + /etc/dpkg/dpkg.cfg.d/{,*} r, + /etc/dpkg/dpkg.cfg r, + + /etc/locale.nopurge r, + + /var/lib/dpkg/info/* r, # For shell pwd / r, 
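Review bot: `@{bin}/exim4 rPx` under 'Send results using email' will not match the exim4 binary if it lives under `/usr/sbin`, which is where Debian installs it, so the mail step is denied instead of transitioned; the removed `@{sbin}/exim4 rPx` handled that. The same `@{sbin}`→`@{bin}` rewrite is applied to `ldconfig`, `dpkg-preconfigure` and `sendmail` in later hunks of this change; unless the target hosts have merged sbin into bin (the `@{bin}`/`@{sbin}` tunables are defined outside this diff, so please verify), keep `@{sbin}` for those.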
@@ -37,7 +45,7 @@ profile debsums @{exec_path} { /etc/{,**} r, /var/lib/{,**} r, /opt/{,**} r, - @{efi}/{,**} r, + /boot/{,**} r, /lib*/{,**} r, include if exists diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index 53e5964bd..8bda4efff 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -10,14 +10,14 @@ include @{exec_path} = @{bin}/debtags profile debtags @{exec_path} { include - include include + include include #capability sys_tty_config, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 986c6f188..dd87414bf 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg 
@@ -18,39 +18,46 @@ profile dpkg @{exec_path} { capability fowner, capability fsetid, capability setgid, - capability sys_ptrace, - - ptrace read peer=apt, @{exec_path} mr, - @{sh_path} rix, - @{bin}/cat ix, - @{bin}/deb-systemd-helper Px, - @{bin}/deb-systemd-invoke Px, - @{bin}/rm ix, + @{sh_path} rix, + @{bin}/cat rix, + @{bin}/rm rix, - @{bin}/dpkg-deb px, - @{bin}/dpkg-query px, - @{bin}/dpkg-split px, - @{bin}/systemctl Cx -> systemctl, - @{lib}/needrestart/dpkg-status Px, - @{pager_path} Px -> child-pager, - /usr/share/debian-security-support/check-support-status.hook Px, + @{bin}/deb-systemd-helper rix, + @{bin}/deb-systemd-invoke rix, + @{bin}/dpkg-deb rpx, + @{bin}/dpkg-query rpx, + @{bin}/dpkg-split rPx, + @{bin}/systemctl rCx -> systemctl, + @{lib}/needrestart/dpkg-status rPx, + /usr/share/debian-security-support/check-support-status.hook rPx, + + @{pager_path} rPx -> child-pager, # Package maintainer's scripts - /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, - /var/lib/dpkg/info/*.control r, - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, + # Move it to a child profile once more transitions will be available + /var/lib/dpkg/info/*.{config,templates} rPUx, + /var/lib/dpkg/info/*.{preinst,postinst} rPUx, + /var/lib/dpkg/info/*.{prerm,postrm} rPUx, + /var/lib/dpkg/tmp.ci/{config,templates} rPUx, + /var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, + /var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, + #/var/lib/dpkg/info/*.{config,templates} rCx -> scripts, + #/var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, + #/var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, + #/var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, + #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, + #/var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, # For shell pwd /root/ r, - #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - @{efi}/** rwl -> @{efi}/**, + /boot/** rwl -> /boot/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, 
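Review bot: The six maintainer-script rules of the form `/var/lib/dpkg/info/*.{preinst,postinst} rPUx` send every package maintainer script to unconfined unless a profile happens to be attached to that exact path, and the `dpkg-scripts` profile that previously confined them via `Px` is deleted elsewhere in this change, so in practice all maintainer scripts now run with no AppArmor confinement — the largest loss of coverage in the diff. The commented-out `rCx -> scripts` alternatives reference a child profile named `scripts` that does not exist in this hunk, so they cannot simply be uncommented; add that child (or keep the `dpkg-scripts` profile) before switching to `PUx`, and extend the 'Move it to a child profile' comment to state that the fallback is unconfined. Two smaller items: `@{bin}/deb-systemd-helper rix` and `deb-systemd-invoke rix` now run those helpers with dpkg's full `/etc/**` and `/boot/**` write set instead of their own (also removed) profiles, and dropping `#aa:lint ignore=too-wide` above `/ r, /*{,/} rw,` presumably makes the linter flag rules that are still there. The profile header and its closing brace are outside this hunk.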
diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index b1a23f222..a58257271 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -16,9 +16,10 @@ profile dpkg-architecture @{exec_path} { capability dac_read_search, @{exec_path} r, + /usr/bin/perl r, - @{bin}/{,@{multiarch}-}gcc-[0-9]* ix, - @{lib}/llvm-[0-9]*/bin/clang ix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, + @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/ccache rCx -> ccache, @{bin}/dpkg rPx -> child-dpkg, @@ -27,7 +28,9 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, - audit owner @{tmp}/* rw, + # file_inherit + owner @{tmp}/* rw, + profile ccache { include diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 1a4055f77..e7558acdf 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -13,14 +13,12 @@ profile dpkg-buildflags @{exec_path} flags=(complain) { include @{exec_path} r, + @{bin}/perl r, - /usr/share/lto-disabled-list/lto-disabled-list r, + /etc/dpkg/origins/debian r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, - /usr/share/dpkg/abitable r, - - /etc/dpkg/origins/* r, owner @{user_config_dirs}/dpkg/buildflags.conf r, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 297a45f84..e7542aadd 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps 
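Review bot: `/usr/bin/perl r` is hard-coded while every other profile touched by this change uses `@{bin}/perl r` (aptitude-changelog-parser, debconf-show, dpkg-genchanges); the literal works, but it defeats the tunable and is the kind of inconsistency the profile linter tends to flag, so `@{bin}/perl r,` matches the rest of the tree (the dpkg-vendor hunk has the same literal). In the second hunk, the `audit` qualifier on `owner @{tmp}/* rw` is replaced by a bare `# file_inherit` comment; if the audit was there to surface unexpected temp-file use by the compiler wrappers exec'd above, a sentence on why that logging is no longer wanted would help.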
@@ -10,22 +10,18 @@ include @{exec_path} = @{bin}/dpkg-checkbuilddeps profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include - include include @{exec_path} r, + @{bin}/perl r, - @{bin}/dpkg rPx, - @{bin}/@{multiarch}gcc-@{int} mrix, - - /usr/share/dpkg/ostable r, - /usr/share/dpkg/cputable r, - /usr/share/dpkg/tupletable r, - - /etc/dpkg/origins/* r, + /etc/dpkg/origins/debian r, /var/lib/dpkg/status r, + /usr/share/dpkg/cputable r, + /usr/share/dpkg/tupletable r, + # For package building owner @{user_build_dirs}/**/debian/control r, diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup deleted file mode 100644 index 8e99e70c5..000000000 --- a/apparmor.d/groups/apt/dpkg-db-backup +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/dpkg/dpkg-db-backup -profile dpkg-db-backup @{exec_path} { - include - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/basename rix, - @{bin}/cmp rix, - @{bin}/cp rix, - @{bin}/date rix, - @{bin}/dirname rix, - @{bin}/gzip rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/savelog rix, - @{bin}/tar rix, - @{bin}/touch rix, - - /usr/share/dpkg/{,**} r, - - /var/lib/dpkg/ r, - /var/lib/dpkg/alternatives/{,*} r, - /var/lib/dpkg/diversions r, - /var/lib/dpkg/statoverride r, - - /var/backups/{,**} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index e2d386804..6712b8b7c 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -22,7 +22,6 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, - #aa:lint ignore=too-wide /etc/** rw, include if exists 
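Review bot: `/etc/dpkg/origins/debian r` narrows the previous `/etc/dpkg/origins/* r`; dpkg's vendor lookup goes through the `/etc/dpkg/origins/default` symlink, which the kernel resolves to the real file, so on Ubuntu and derivatives (target `ubuntu`) the read is denied and vendor detection fails. The unattended-upgrade hunk later in this change keeps `/etc/dpkg/origins/{,debian,ubuntu} r,`, which is the form to use here and in the dpkg-buildflags hunk that makes the same narrowing. `@{bin}/dpkg rPx` and the gcc rule were also removed with no replacement; if dpkg-checkbuilddeps still shells out to dpkg or gcc for architecture detection (I believe Dpkg::Arch does on some versions), that exec is now denied — worth a pass with aa-logprof. This profile is in complain mode, so these will appear as log noise rather than failures.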
diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index b9853ca32..4e22ecf19 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -17,6 +17,7 @@ profile dpkg-genbuildinfo @{exec_path} { @{exec_path} r, + @{bin}/perl r, /usr/local/bin/ r, /usr/local/etc/ r, /usr/local/include/ r, diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges index 7c7ad1681..73be1b913 100644 --- a/apparmor.d/groups/apt/dpkg-genchanges +++ b/apparmor.d/groups/apt/dpkg-genchanges @@ -14,6 +14,7 @@ profile dpkg-genchanges @{exec_path} flags=(complain) { include @{exec_path} r, + @{bin}/perl r, /etc/dpkg/origins/debian r, diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper deleted file mode 100644 index aa9232c73..000000000 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ /dev/null @@ -1,41 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/dpkg-maintscript-helper -profile dpkg-maintscript-helper @{exec_path} { - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/basename rix, - @{bin}/dpkg rCx -> dpkg, - - /usr/share/dpkg/sh/* r, - - profile dpkg { - include - include - include - - capability dac_read_search, - - @{bin}/dpkg mr, - @{bin}/dpkg-query rpx, - - /etc/dpkg/dpkg.cfg r, - /etc/dpkg/dpkg.cfg.d/{,*} r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 2e32af979..cf957ab4f 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure 
@@ -7,60 +7,43 @@ abi , include -@{exec_path} = @{sbin}/dpkg-preconfigure +@{exec_path} = @{bin}/dpkg-preconfigure profile dpkg-preconfigure @{exec_path} { include include - include include - include + include - capability dac_read_search, + #capability sys_tty_config, @{exec_path} r, + @{bin}/perl r, - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{,g,m}awk ix, - @{bin}/cat ix, - @{bin}/debconf-escape Px, - @{bin}/dialog ix, - @{bin}/expr ix, - @{bin}/find ix, - @{bin}/head ix, - @{bin}/locale ix, - @{bin}/readlink ix, - @{bin}/realpath ix, - @{bin}/sed ix, - @{bin}/sort ix, - @{bin}/stty ix, - @{bin}/tr ix, - @{bin}/uniq ix, - @{bin}/which{,.debianutils} rix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{,g,m}awk rix, + @{bin}/cat rix, + @{bin}/dialog rix, + @{bin}/expr rix, + @{bin}/locale rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/stty rix, + @{bin}/tr rix, - @{bin}/apt-extracttemplates Px, - @{bin}/dpkg Px -> child-dpkg, - @{bin}/findmnt Px, - @{bin}/whiptail Px, - @{lib}/apt/apt-extracttemplates Px, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/apt-extracttemplates rPx, + @{bin}/whiptail rPx, /usr/share/debconf/confmodule r, - /usr/share/dictionaries-common/{,*} r, - /etc/cloud/cloud.cfg.d/90_dpkg.cfg r, /etc/debconf.conf r, /etc/default/grub r, - /etc/default/mdadm r, /etc/inputrc r, - /etc/locale.gen r, - /etc/mdadm/mdadm.conf r, /etc/shadow r, - /etc/ssh/sshd_config r, - /etc/X11/Xwrapper.config r, - /var/lib/locales/supported.d/{,*} r, - - /var/cache/debconf/tmp.ci/ w, + owner @{tmp}/*.template.* rw, + owner @{tmp}/*.config.* rwPUx, /var/lib/dbus/machine-id r, owner /var/cache/debconf/ rw, 
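Review bot: `@{exec_path} = @{bin}/dpkg-preconfigure` moves the attachment path out of `@{sbin}`, but apt-utils installs the script as `/usr/sbin/dpkg-preconfigure` on Debian and Ubuntu, so unless sbin is merged into bin the profile never attaches and every caller rewritten to `@{bin}/dpkg-preconfigure rPx` in this change (aptitude, synaptic, unattended-upgrade) gets an exec denial instead of a transition; keep `@{exec_path} = @{sbin}/dpkg-preconfigure` or list both. Second, `owner @{tmp}/*.config.* rwPUx` both writes and executes package config scripts from the shared temp directory with an unconfined fallback; `owner` limits it to root-owned files, but with the debconf-frontend and dpkg-scripts profiles removed in this same change there is nothing for the exec to land in, so a comment stating that unconfined execution of extracted config scripts is accepted would at least make the decision visible.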
@@ -70,17 +53,24 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.passwords.@{rand6} w, owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w, - owner /var/cache/dictionaries-common/flag-wordlist-new w, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - owner @{tmp}/*.template.* rw, - owner @{tmp}/*.config.* rwPUx, - @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/user/@{uid}/pk-debconf-socket rw, owner @{PROC}/@{pid}/fd/ r, + # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. + include + include + include + include + capability dac_read_search, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, + @{HOME}/.Xauthority r, + owner @{PROC}/@{pid}/mounts r, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts deleted file mode 100644 index 2434c9db9..000000000 --- a/apparmor.d/groups/apt/dpkg-scripts +++ /dev/null 
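Review bot: The trailing block is introduced as 'needed when dpkg-preconfigure uses debconf GUI frontends', but `capability dac_read_search` and the four bare `include` lines it adds apply to the whole profile unconditionally, and with `/etc/shadow r` already granted above, DAC bypass plus shadow read is a wide grant for a case that only arises under a GUI frontend. If the GUI path can be isolated (it used to live in the now-deleted debconf-frontend profile), a child profile would keep the capability out of the unattended/cron path; otherwise the comment should at least name which frontend needs `dac_read_search` and for which file. Minor: `@{HOME}/.Xauthority r` is unqualified — if it is meant to read the invoking user's cookie when run via sudo, say so, since that is why `owner` cannot be used.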
@@ -1,188 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/** -profile dpkg-scripts @{exec_path} { - include - include - include - include - - capability chown, - capability dac_read_search, - capability fowner, - capability fsetid, - capability setgid, - capability setuid, - - @{exec_path} mrix, - - # Common program found in maintainer scripts - @{sh_path} rix, - @{coreutils_path} rix, - @{python_path} rix, - @{bin}/run-parts rix, - - @{bin}/envsubst ix, - @{bin}/file ix, - @{bin}/getent ix, - @{bin}/gzip ix, - @{bin}/helpztags ix, - @{bin}/setpriv ix, - @{bin}/tput ix, - @{bin}/zcat ix, - @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, - @{lib}/ubuntu-advantage/postinst-migrations.sh ix, - - @{bin}/dbus-send Cx -> bus, - @{bin}/kmod Cx -> kmod, - @{bin}/dpkg Px -> child-dpkg, - @{bin}/systemctl Cx -> systemctl, - @{sbin}/invoke-rc.d Cx -> rc, - @{sbin}/ldconfig Cx -> ldconfig, - @{sbin}/ldconfig.real Cx -> ldconfig, - @{sbin}/update-rc.d Cx -> rc, - - #aa:lint ignore=too-wide - # Maintainer scripts can legitimately start/restart anything - # PU is only used as a safety fallback. 
- @{bin}/** PUx, - @{sbin}/** PUx, - @{lib}/** PUx, - /etc/** PUx, - /usr/share/** PUx, - - #aa:lint ignore=too-wide - # Maintainer's scripts can update a lot of files - / r, - /*/ r, - @{bin}/ r, - @{bin}/* w, - @{sbin}/ r, - @{sbin}/* w, - @{lib}/ r, - @{lib}/** wl -> @{lib}/**, - /opt/*/** rw, - - #aa:lint ignore=too-wide - /etc/ r, - /etc/** rw, - /usr/share/*/{,**} rw, - /usr/local/share/*/{,**} rw, - /var/** rw, - @{run}/** rw, - @{efi}/grub/* rw, - - /tmp/fmtutil.@{rand8} rw, - /tmp/grub.@{rand10} rw, - /tmp/sed@{rand6} rw, - /tmp/tmp.@{rand10} rw, - /tmp/updateppds.@{rand6} rw, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, - - profile bus { - include - include - include - - capability dac_read_search, - - dbus send bus=system path=/ - interface=org.freedesktop.DBus - member=ReloadConfig - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - include if exists - } - - profile kmod { - include - include - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - capability sys_ptrace, - capability sys_resource, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - ptrace read peer=@{p_systemd}, - - @{bin}/systemd-tty-ask-password-agent Px, - @{pager_path} Px -> child-pager, - - /etc/machine-id r, - - /var/lib/systemd/catalog/database r, - - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, - - @{run}/utmp rk, - - include if exists - } - - profile rc { - include - include - include - - @{sbin}/update-rc.d mr, - @{sbin}/invoke-rc.d mr, - - @{coreutils_path} rix, - 
@{sh_path} rix, - @{bin}/systemctl rPx -> dpkg-scripts//systemctl, - - /etc/ r, - /etc/init.d/* r, - /etc/rc@{c}.d/ r, - /etc/rc@{c}.d/* rw, - /etc/rc@{int}.d/ r, - /etc/rc@{int}.d/* rw, - - include if exists - } - - profile ldconfig { - include - include - - @{sh_path} rix, - @{sbin}/ldconfig mrix, - @{sbin}/ldconfig.real rix, - - @{lib}/ r, - /usr/local/ r, - /usr/local/lib/ r, - - /var/cache/ldconfig/ rw, - owner /var/cache/ldconfig/aux-cache* rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride deleted file mode 100644 index 804e1675b..000000000 --- a/apparmor.d/groups/apt/dpkg-statoverride +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/dpkg-statoverride -profile dpkg-statoverride @{exec_path} flags=(complain) { - include - include - include - - @{exec_path} mr, - - /var/lib/dpkg/statoverride r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor index 70d2199f2..aee717257 100644 --- a/apparmor.d/groups/apt/dpkg-vendor +++ b/apparmor.d/groups/apt/dpkg-vendor @@ -13,6 +13,7 @@ profile dpkg-vendor @{exec_path} { include @{exec_path} r, + /usr/bin/perl r, /etc/dpkg/origins/* r, diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 87967d164..5c46246a2 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -10,14 +10,14 @@ include @{exec_path} = @{bin}/querybts profile querybts @{exec_path} { include - include - include - include - include include + include + include + include include include include + include network inet dgram, network inet6 dgram, 
@@ -26,12 +26,12 @@ profile querybts @{exec_path} { network netlink raw, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, @{bin}/stty rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{open_path} rPx -> child-open-browsers, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index a6584a23d..8681e46d8 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/reportbug profile reportbug @{exec_path} { include - include + include include include include @@ -28,9 +28,9 @@ profile reportbug @{exec_path} { @{exec_path} r, @{bin}/ r, - @{python_path} r, + @{bin}/python3.@{int} r, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/selinuxenabled rix, @{sh_path} rix, @{bin}/aa-enabled rix, @@ -40,14 +40,14 @@ profile reportbug @{exec_path} { @{bin}/stty rix, /usr/share/reportbug/handle_bugscript rix, - @{sbin}/exim4 rPx, + @{bin}/exim4 rPx, @{bin}/apt-cache rPx, @{bin}/debconf-show rPx, @{bin}/debsums rPx, @{bin}/dlocate rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-query rpx, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{pager_path} rPx -> child-pager, @{bin}/systemctl rCx -> systemctl, @{lib}/firefox/firefox rPUx, # App allowed to open @@ -57,12 +57,12 @@ profile reportbug @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{open_path} rPx -> child-open, - @{lib}/@{python_name}/dist-packages/pylocales/locales.db rk, + @{lib}/python3/dist-packages/pylocales/locales.db rk, /usr/share/bug/*/{control,presubj} r, - #aa:lint ignore=too-wide /etc/** r, + /etc/reportbug.conf r, owner @{HOME}/ r, # For shell pwd owner @{HOME}/.reportbugrc{,~} rw, diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index c48286299..4189c7170 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic 
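Review bot: In the last reportbug hunk, `/etc/reportbug.conf r` is added directly under `/etc/** r`, so it is fully shadowed, while the `#aa:lint ignore=too-wide` marker that documented the wildcard is removed at the same time — the wide rule stays and the annotation goes. reportbug is a network-facing tool that can also reach `@{lib}/firefox/firefox rPUx`, so a whole-`/etc` read is worth either trimming to the files it actually needs or justifying; if the wildcard is intentional, restore `#aa:lint ignore=too-wide` above `/etc/** r,` and drop the redundant line. The `profile reportbug` header is outside this hunk.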
@@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec profile synaptic @{exec_path} { include - include + include include include include @@ -45,9 +45,9 @@ profile synaptic @{exec_path} { @{bin}/deborphan rPx, @{bin}/debtags rPx, @{bin}/dpkg rPx, - @{sbin}/dpkg-preconfigure rPx, + @{bin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/pkexec rCx -> pkexec, @{bin}/ps rPx, @{bin}/software-properties-gtk rPx, @@ -77,8 +77,8 @@ profile synaptic @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - /var/cache/apt-xapian-index/index.@{int}/*.glass r, - /var/cache/apt-xapian-index/index.@{int}/iamglass r, + /var/cache/apt-xapian-index/index.[0-9]/*.glass r, + /var/cache/apt-xapian-index/index.[0-9]/iamglass r, /var/lib/apt-xapian-index/index r, /var/lib/dpkg/** r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d2da77bc3..d0fdad4b7 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -10,14 +10,13 @@ include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include include - include include capability chown, 
@@ -30,57 +29,43 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_nice, - network inet dgram, - network inet6 dgram, network netlink raw, - signal send peer=apt-methods-http, + signal (send) peer=apt-methods-http, unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, - #aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade - @{exec_path} mr, @{bin}/ r, @{sh_path} rix, - @{python_path} rix, - @{bin}/echo ix, - @{bin}/gdbus ix, - @{bin}/md5sum ix, - @{bin}/tar ix, - @{bin}/test ix, - @{bin}/touch ix, - @{bin}/uname ix, + @{bin}/echo rix, + @{bin}/gdbus rix, + @{bin}/ischroot rix, + @{bin}/python3.@{int} rix, + @{bin}/test rix, + @{bin}/touch rix, + @{bin}/uname rix, - @{bin}/apt-listchanges Px, - @{bin}/df Px, - @{bin}/dmesg Px, - @{bin}/dpkg Px, - @{bin}/dpkg-deb px, - @{bin}/dpkg-divert Px, - @{bin}/etckeeper Px, - @{bin}/ischroot Px, - @{bin}/lsb_release Px, - @{sbin}/dpkg-preconfigure Px, - @{sbin}/on_ac_power Px, - @{sbin}/sendmail Px, - @{lib}/apt/methods/http{,s} Px, - @{lib}/needrestart/apt-pinvoke Px, - @{lib}/update-notifier/update-motd-updates-available Px, - @{lib}/zsys-system-autosnapshot Px, + @{bin}/apt-listchanges rPx, + @{bin}/dpkg rPx, + @{bin}/dpkg-preconfigure rPx, + @{bin}/etckeeper rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/on_ac_power rPx, + @{bin}/sendmail rPUx, + @{lib}/apt/methods/http{,s} rPx, + @{lib}/needrestart/apt-pinvoke rPx, + @{lib}/update-notifier/update-motd-updates-available rPx, + @{lib}/zsys-system-autosnapshot rPx, /usr/share/distro-info/* r, - /usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r, - @{etc_ro}/login.defs r, - @{etc_ro}/security/capability.conf r, - /etc/apport/report-ignore/{,**} r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, - /etc/default/{,**} r, + /etc/default/grub.d/* r, /etc/dpkg/origins/{,debian,ubuntu} r, /etc/fwupd/{,**} r, /etc/grub.d/* r, 
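Review bot: `@{bin}/sendmail rPUx` loosens the previous `Px` to an unconfined fallback inside a root service that holds `chown`, `setuid` and `sys_nice` (the `capability` lines at the top of the hunk); if no MTA profile is loaded, the mail hook runs with no confinement, and `/usr/sbin/sendmail` being an alternatives symlink to exim4, postfix, msmtp or ssmtp is exactly the case where a fail-closed `rPx` plus per-MTA profiles is preferable — and, as with the other `@{sbin}`→`@{bin}` rewrites in this change, `@{bin}/sendmail` will not even match `/usr/sbin/sendmail` unless sbin is merged. The `#aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade` marker and the interface XML read were removed while `unix type=stream addr=@@{udbus}/bus/unattended-upgr/system` is kept, which suggests the service still talks on the bus; if dropping the generated own-rule is deliberate, a comment would stop the next person re-adding it. `signal (send) peer=apt-methods-http` is only a respelling of the removed rule; fine, but the tree otherwise writes `signal send`, so pick one form.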
@@ -94,20 +79,14 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, - /etc/ssh/moduli r, - @{etc_ro}/ssh/sshd_config r, - @{etc_ro}/ssh/sshd_config.d/{,*} r, - /etc/ufw/{,**} r, + /etc/security/capability.conf r, /etc/update-manager/{,**} r, - /etc/update-motd.d/{,**} r, - /etc/vim/{,**} r, - /etc/vmware-tools/{,**} r, + /etc/update-motd.d/* r, + /etc/vmware-tools/* r, /var/log/unattended-upgrades/{,**} rw, - /var/crash/*.crash rw, /var/lib/apt/periodic/unattended-upgrades-stamp w, - /var/lib/dpkg/info/{,*} r, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/updates/ r, @@ -118,7 +97,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/lib/apt/lists/ rw, /var/lib/apt/lists/partial/ rw, /var/lib/apt/periodic/ w, - /var/log/apt/*.log* rw, + /var/log/apt/{term,history}.log w, + /var/log/apt/eipp.log.xz w, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, @@ -127,10 +107,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt-dpkg-install-*/{,*} rw, - @{PROC}/@{pid}/attr/current r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index f7b94d68d..cd35bb5ae 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -9,7 +9,6 @@ include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include - include include include include 
@@ -18,13 +17,10 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/ischroot Px, - - @{lib}/@{python_name}/**/__pycache__/ w, - @{lib}/@{python_name}/**/__pycache__/**.pyc w, - @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + @{bin}/ischroot rix, /usr/share/unattended-upgrades/{,*} r, + /etc/apt/apt.conf.d/{,*} r, owner /var/log/unattended-upgrades/*.log* rw, diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 6ea4f19fb..15af33d88 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -10,21 +10,17 @@ include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include - include - include + include include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, - @{bin}/dpkg Px -> child-dpkg, + @{bin}/dpkg rPx -> child-dpkg, /usr/share/apt-xapian-index/{,**} r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - /var/cache/apt-xapian-index/ rw, /var/cache/apt-xapian-index/** rwk, @@ -34,9 +30,15 @@ profile update-apt-xapian-index @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, + owner @{PROC}/@{pid}/fd/ r, + /var/lib/debtags/package-tags r, - owner @{PROC}/@{pid}/fd/ r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # file_inherit + owner /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 805d54b2b..47c22d72d 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse 
@@ -11,10 +11,14 @@ include profile avahi-browse @{exec_path} { include include - include - include + include include + dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + member={ItemNew,AllForNow,CacheExhausted} + peer=(name=:*, label=avahi-daemon), + @{exec_path} mr, @{lib}/@{multiarch}/avahi/service-types.db rwk, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index d45cffca3..ff2cae183 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -11,11 +11,19 @@ include profile avahi-resolve @{exec_path} { include include - include - include - include + include include + dbus send bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + member={Free,HostNameResolverNew} + peer=(name=:*, label=avahi-daemon), + + dbus receive bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + member={Failure,Found} + peer=(name=:*, label=avahi-daemon), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index 45df7ce93..dd9eaba6c 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -1,6 +1,5 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken -# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,8 +9,6 @@ include @{exec_path} = @{bin}/avahi-set-host-name profile avahi-set-host-name @{exec_path} { include - include - include include @{exec_path} mr, diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 4c38e0ce5..cc3d18b58 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave 
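Review bot: The new `dbus send` rule in avahi-resolve lists `HostNameResolverNew` under `interface=org.freedesktop.Avahi.AddressResolver` at `path=/Client@{int}/AddressResolver@{int}`, but as far as I know `HostNameResolverNew` is a method of the `org.freedesktop.Avahi.Server` interface on the `/` object, so this member may never be matched while the real call is denied or only covered by the stripped `include` lines. Check an `aa-log` trace of `avahi-resolve -n`; if the call is on the Server object it needs its own rule, e.g. `dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member=HostNameResolverNew peer=(name=org.freedesktop.Avahi, label=avahi-daemon),`, with `Free` staying on the resolver object. The matching `dbus receive` rule for `{Failure,Found}` looks consistent with the resolver object path.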
@@ -14,13 +14,11 @@ include @{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{exec_path} = @{lib_dirs}/@{name} -profile brave @{exec_path} flags=(attach_disconnected) { +profile brave @{exec_path} { include include - # unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), - - signal receive peer=brave//&brave-crashpad-handler, + unix (send, receive) type=stream peer=(label=brave-crashpad-handler), #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2 diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index d29dcc630..dea35ae1a 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -45,7 +45,6 @@ profile chromium-wrapper @{exec_path} flags=(attach_disconnected) { # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, - deny @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 45a32868e..98f21f472 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -12,7 +12,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -20,7 +19,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include - include capability dac_override, 
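Review bot: The new `unix (send, receive) type=stream peer=(label=brave-crashpad-handler)` only matches if the crashpad handler runs under a standalone label; the old side addressed it as the stacked label `brave//&brave-crashpad-handler`, and the exec rule that launches the handler is outside this hunk, so whichever form that rule uses must agree with this peer label or the socket traffic is denied silently. Dropping `flags=(attach_disconnected)` from a Chromium-based browser is also risky: the renderer/zygote sandbox typically leaves paths disconnected from the namespace root, which produces `disconnected path` denials without that flag. If the stacked profile was retired, keep the flag and update the peer label in one place, e.g. `profile brave @{exec_path} flags=(attach_disconnected) {`.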
@@ -30,28 +28,39 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, + @{exec_path} mr, @{open_path} rPx -> child-open, @{bin}/bwrap rix, + @{bin}/xdg-dbus-proxy rix, + @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, /usr/share/enchant*/{,**} r, - owner @{HOME}/.ephy-download-@{rand6} rw, - owner @{HOME}/.ephy-web-app-icon-@{rand6} rw, + owner /bindfile@{rand6} rw, + owner @{att}/.flatpak-info r, owner @{user_config_dirs}/glib-2.0/ w, owner @{user_config_dirs}/glib-2.0/settings/ w, - owner @{user_share_dirs}/org.gnome.Epiphany.WebApp_@{hex}/{,**} rw, - owner @{tmp}/ContentRuleList@{rand6} rw, owner @{tmp}/epiphany-*-@{rand6}/{,**} rw, owner @{tmp}/Serialized@{rand9} rw, owner @{tmp}/WebKit-Media-@{rand6} rw, + owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/.flatpak/ w, + owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, + owner @{run}/user/@{uid}/webkitgtk/ w, + owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r, @{PROC}/@{pid}/cgroup r, @@ -62,6 +71,8 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, + /dev/video@{int} rw, + include if exists } diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index f9ba190a3..27eb0d54d 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox 
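Review bot: `@{bin}/bwrap rix`, `@{bin}/xdg-dbus-proxy rix` and the `WebKit{Web,Network}Process rix` lines run the sandbox setup and the web content processes under the full epiphany policy, which per the context above this hunk includes `capability dac_override` and `network inet6 stream`, so the sandbox narrows nothing that AppArmor enforces. On distributions where `bwrap` is installed setuid-root, `ix` additionally keeps a root-privileged helper under a profile that grants dac_override. A child profile for the content processes, `@{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rCx -> webkit,` with its own rule set, would let the browser keep dac_override without handing it to page-controlled code; confirm against the audit log which rules that child actually needs. The `mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info` rule itself looks consistent with bwrap's bind of the flatpak-info file.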
@@ -7,8 +7,8 @@ abi , include -@{name} = firefox{,-esr,-bin} -@{lib_dirs} = @{lib}/firefox{,-esr,-beta,-devedition,-nightly} /opt/@{name} +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ @{cache_dirs} = @{user_cache_dirs}/mozilla/ @@ -21,17 +21,13 @@ profile firefox @{exec_path} flags=(attach_disconnected) { signal send set=(term, kill) peer=firefox//&keepassxc-proxy, - unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int}, - unix type=seqpacket peer=(label=firefox-crashhelper), - #aa:dbus own bus=session name=org.mozilla.firefox #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2 @{exec_path} mrix, - @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, - @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, - @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, + @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @@ -42,17 +38,15 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/gnome-software rPx, @{bin}/kreadconfig{,5} rPx, @{bin}/plasma-browser-integration-host rPx, - @{bin}/speech-dispatcher rPx, @{bin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @{lib}/mozilla/kmozillahelper rPUx, @{open_path} rPx -> child-open, # Common extensions - @{bin}/browserpass rPx, - @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, - @{lib}/browserpass/browserpass-native rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, + @{bin}/browserpass rPx, + @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, 
@@ -65,9 +59,13 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, owner @{tmp}/.xfsm-ICE-@{rand6} rw, - owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere) - owner @{tmp}/@{uuid}.zip{,.tmp} rw, + owner @{tmp}/@{rand6}.tmp r, + owner @{tmp}/@{rand8}.txt w, + owner @{tmp}/* w, # file downloads (to anywhere) owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, + owner @{tmp}/mozilla* rw, + owner @{tmp}/mozilla*/ rw, + owner @{tmp}/mozilla*/* rwk, owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper deleted file mode 100644 index 8ffdccb67..000000000 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = firefox{,.sh,-esr,-bin} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} -@{config_dirs} = @{HOME}/.mozilla/ -@{cache_dirs} = @{user_cache_dirs}/mozilla/ - -@{exec_path} = @{lib_dirs}/crashhelper -profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { - include - - unix type=seqpacket peer=(label=firefox), - - @{exec_path} mr, - - owner "@{config_dirs}/firefox/Crash Reports/" rw, - owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw, - - # file_inherit - deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 8feccaa93..1c418eef4 100644 
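Review bot: `owner @{tmp}/* w, # file downloads (to anywhere)` lets the browser create, truncate or overwrite every user-owned file directly under `@{tmp}`, which is far wider than the `@{rand8}.*` and `@{uuid}.zip` patterns it replaces and reaches temp files that other confined programs of the same user drop there. If the download target really is arbitrary, document why in the comment and keep the rule last; otherwise prefer the observed name patterns, e.g. keep `owner @{tmp}/@{rand8}.* rw,` and add only the names seen in the log. The `owner @{tmp}/mozilla*` family overlaps with that leading rule, so ordering these by specificity would make the intent clearer.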
--- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -28,23 +28,22 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - @{exec_path} mrix, + @{exec_path} mr, @{bin}/curl rix, @{bin}/mv rix, @{lib_dirs}/minidump-analyzer rPx, + @{bin}/mv rix, + owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw, owner @{config_dirs}/firefox/*.*/crashes/{,**} rw, owner @{config_dirs}/firefox/*.*/crashes/events/@{uuid} rw, owner @{config_dirs}/firefox/*.*/extensions/*.xpi r, owner @{config_dirs}/firefox/*.*/minidumps/{,**} rw, owner @{config_dirs}/firefox/*.*/minidumps//@{uuid}.{dmp,extra} r, - owner @{config_dirs}/firefox/*.*/prefs.js r, - owner @{config_dirs}/firefox/*.*/storage-sync-v2.sqlite-shm r, owner @{config_dirs}/firefox/*.*/storage/default/* r, - owner @{config_dirs}/firefox/Profile*/*.sqlite-shm r, owner @{cache_dirs}/firefox/*.*/** r, @@ -55,14 +54,10 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, /dev/dri/card@{int} rw, /dev/dri/renderD128 rw, - /dev/nvidia@{int} r, - /dev/nvidiactl r, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index f9470a59b..97e5645b9 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -16,13 +16,11 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include + include @{exec_path} mr, - / r, - owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r, owner @{cache_dirs}/firefox/*/startupCache/startupCache* r, 
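Review bot: `@{bin}/mv rix,` is now listed twice in firefox-crashreporter — once as an unchanged line after `@{bin}/curl rix,` and once as the new line added after `@{lib_dirs}/minidump-analyzer rPx,`. Duplicates are harmless to the parser but they trip the tree's lint checks and hide whether the second line was meant to be something else; drop the added copy. The `@{exec_path} mrix` to `@{exec_path} mr` tightening is fine as long as the reporter never re-executes itself — worth confirming against the audit log.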
diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index ade169f25..efcad72f8 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -27,11 +27,16 @@ profile firefox-kmozillahelper @{exec_path} { /usr/share/kservices{5,6}/{,**} r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, + owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{user_config_dirs}/kmozillahelperrc r, owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/kservices5/ r, owner @{user_share_dirs}/kservices5/searchproviders/ r, @@ -39,7 +44,7 @@ profile firefox-kmozillahelper @{exec_path} { owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl, owner @{run}/user/@{uid}/xauth_@{rand6} rl, - @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index eb67ede59..01661215a 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -17,7 +17,7 @@ profile opera-crashreporter @{exec_path} { include include include - include + include include ptrace (trace, read) peer=opera, diff --git a/apparmor.d/groups/browsers/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest index 2d8697259..4939edfbf 100644 --- a/apparmor.d/groups/browsers/torbrowser-glxtest +++ b/apparmor.d/groups/browsers/torbrowser-glxtest 
@@ -17,13 +17,11 @@ profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include + include @{exec_path} mr, - / r, - owner @{PROC}/@{pid}/cmdline r, deny @{config_dirs}/.parentlock rw, diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher index 4969a14c3..0f6273107 100644 --- a/apparmor.d/groups/browsers/torbrowser-launcher +++ b/apparmor.d/groups/browsers/torbrowser-launcher @@ -32,7 +32,7 @@ profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} Cx -> gpg, @{bin}/gpgconf Cx -> gpg, @{bin}/gpgsm Cx -> gpg, - @{bin}/{,e}grep ix, + @{bin}/grep ix, @{bin}/sed ix, @{bin}/tail ix, diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start index ce6a3678c..58bb31ac8 100644 --- a/apparmor.d/groups/browsers/torbrowser-start +++ b/apparmor.d/groups/browsers/torbrowser-start @@ -22,7 +22,7 @@ profile torbrowser-start @{exec_path} { @{bin}/expr ix, @{bin}/file ix, @{bin}/getconf ix, - @{bin}/{,e}grep ix, + @{bin}/grep ix, @{bin}/id ix, @{bin}/ln ix, @{bin}/mkdir ix, diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index fec6d7897..9838ba40b 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -10,10 +10,10 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include - include + include include include - include + include include signal receive set=term peer=gdm, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index c9b9a1538..e8f0328a2 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility 
@@ -9,13 +9,12 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include + include include include - include - include - include + include + include include - include include network inet dgram, @@ -24,11 +23,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal receive set=(term hup kill) peer=dbus-session, - signal receive set=(term hup kill) peer=gdm{,-session-worker}, - signal receive set=(term hup kill) peer=gnome-session-binary, - - unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), + signal (receive) set=(term hup kill) peer=dbus-session, + signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, #aa:dbus own bus=accessibility name=org.freedesktop.DBus #aa:dbus own bus=session name=org.a11y.{B,b}us @@ -40,7 +36,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mrix, @@ -54,6 +50,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -72,12 +69,11 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pid}/cmdline r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj r, 
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 27e228e2c..014f7afd4 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -30,11 +30,11 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-*, - #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} - dbus receive bus=session + #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus} + dbus receive bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name="{@{busname},org.freedesktop.DBus}"), + member=Hello + peer=(name=@{busname}), @{exec_path} mrix, @@ -74,9 +74,8 @@ profile dbus-session flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj r, + owner @{PROC}/@{pid}/mounts r, /dev/ptmx rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 1b62a1086..0296a262f 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -16,7 +16,7 @@ include profile dbus-system flags=(attach_disconnected) { include include - include + include include include 
@@ -31,23 +31,17 @@ profile dbus-system flags=(attach_disconnected) { network bluetooth stream, network bluetooth seqpacket, - ptrace read peer=@{p_systemd}, + ptrace (read) peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} dbus receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name="{@{busname},org.freedesktop.DBus}"), - - dbus receive bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Activator - member=ActivationFailure - peer=(name=@{busname}, label="@{p_systemd}"), + member=Hello + peer=(name=@{busname}), @{exec_path} mrix, @{bin}/** PUx, - @{sbin}/** PUx, @{lib}/** PUx, /usr/share/*/** PUx, @@ -69,7 +63,6 @@ profile dbus-system flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, - @{run}/systemd/notify w, @{run}/systemd/users/@{int} r, @@ -77,22 +70,19 @@ profile dbus-system flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pids}/attr/apparmor/current r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/mounts r, - @{PROC}/@{pids}/oom_score_adj r, - @{PROC}/@{pids}/status r, + @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/mounts r, + @{PROC}/@{pid}/oom_score_adj r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj rw, @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, - @{att}/dev/pts/ptmx rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index b326138d6..dca91e5f2 100644 --- a/apparmor.d/groups/bus/ibus-daemon 
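Review bot: The `@{PROC}/@{pids}/...` to `@{PROC}/@{pid}/...` change on `attr/apparmor/current`, `cmdline`, `environ`, `mounts` and `oom_score_adj` reads the wrong way for the system bus daemon: those entries are read for peer connections to resolve their label and credentials, not for dbus-daemon itself, which is what `@{pids}` conveys in this tree. If `@{pid}` and `@{pids}` expand to the same set the change is cosmetic but loses that signal; if `@{pid}` is narrower, credential lookups for clients will be denied. I would keep `@{PROC}/@{pids}/attr/apparmor/current r,` and its siblings with a `# peer credentials` comment, since the `owner @{PROC}/@{pid}/...` lines below already cover the daemon's own entries. Dropping `@{PROC}/@{pids}/status r` should also be checked against an enforce-mode run.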
+++ b/apparmor.d/groups/bus/ibus-daemon @@ -10,7 +10,7 @@ include profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include include - include + include include include @@ -55,7 +55,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/fd/ r, - owner @{att}/dev/tty@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index bac225ebc..8746e3795 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -11,12 +11,13 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include include - include include include - signal receive set=kill peer=@{p_systemd_user}, - signal receive set=term peer=ibus-daemon, + signal (receive) set=term peer=ibus-daemon, + + unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), + unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 8bdc3c79c..f9f9870f8 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -9,9 +9,9 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-engine-simple profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include - include + include include - include + include include signal (receive) set=term peer=ibus-daemon, diff --git a/apparmor.d/groups/bus/ibus-engine-table b/apparmor.d/groups/bus/ibus-engine-table index abe0d22c0..5182b0dca 100644 --- a/apparmor.d/groups/bus/ibus-engine-table +++ b/apparmor.d/groups/bus/ibus-engine-table 
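Review bot: The two new `unix ... peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon)` rules in ibus-dconf hard-code `/home/*` instead of the `@{HOME}`/`@{HOMEDIRS}` tunables the rest of the tree uses, so a user whose home is outside `/home` will not match and the socket connection is denied (the gdm case is already special-cased on the second line). Prefer `unix (send, receive, connect) type=stream peer=(addr="@@{HOME}/.cache/ibus/dbus-????????", label=ibus-daemon),` if the variable expands inside a quoted abstract-socket address — verify with `apparmor_parser -p`. The removal of `signal receive set=kill peer=@{p_systemd_user}` means the user manager can no longer SIGKILL the service; if that was only log noise, a comment saying so would help.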
@@ -14,7 +14,7 @@ profile ibus-engine-table @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{python_path} rix, + @{bin}/python3.@{int} rix, /usr/share/ibus-table/engine/{,**} r, /usr/share/ibus-table/tables/ r, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 2fa49e50f..34d881a8a 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -9,7 +9,10 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include + include include + include + include include include include diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index b1f1445b3..803f28a4a 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -10,8 +10,7 @@ include profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include - include - include + include include include @@ -28,6 +27,8 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 6ea4891a7..5d96f359e 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -15,12 +15,11 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.portal.IBus - #aa:dbus own bus=session name=org.freedesktop.IBus dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, 
@@ -28,7 +27,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{att}/dev/tty@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index ce1c2b108..39d5ecccb 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -9,8 +9,11 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-x11 profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include - include + include + include include + include + include include include include diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg index 0a97bacd2..24df581f9 100644 --- a/apparmor.d/groups/children/child-dpkg +++ b/apparmor.d/groups/children/child-dpkg @@ -14,7 +14,7 @@ abi , include @{exec_path} = @{bin}/dpkg -profile child-dpkg flags=(attach_disconnected) { +profile child-dpkg { include include include diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert index ddfff5fc2..6ea41a9e8 100644 --- a/apparmor.d/groups/children/child-dpkg-divert +++ b/apparmor.d/groups/children/child-dpkg-divert @@ -22,7 +22,6 @@ profile child-dpkg-divert { /var/lib/dpkg/arch r, /var/lib/dpkg/status r, /var/lib/dpkg/updates/ r, - /var/lib/dpkg/updates/@{int} r, /var/lib/dpkg/triggers/File r, /var/lib/dpkg/triggers/Unincorp r, /var/lib/dpkg/diversions r, diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 8e991cee7..8681e91f4 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -19,6 +19,7 @@ include @{exec_path} = @{bin}/nvidia-modprobe profile child-modprobe-nvidia flags=(attach_disconnected) { include + include include capability chown, 
@@ -34,6 +35,8 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, + @{PROC}/sys/kernel/modprobe r, + @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, @@ -41,7 +44,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{PROC}/modules r, owner /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - owner /dev/char/195:@{u8} w, # Nvidia graphics devices + owner /dev/char/195:@{int} w, # Nvidia graphics devices /dev/nvidia-modeset w, /dev/nvidia-uvm w, diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index 84b1d1ea1..6804326aa 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open @@ -19,7 +19,7 @@ abi , include -profile child-open flags=(attach_disconnected,mediate_deleted) { +profile child-open flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index 446627e85..ea21f8487 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -11,10 +11,13 @@ abi , include -profile child-open-any flags=(attach_disconnected,mediate_deleted) { +profile child-open-any flags=(attach_disconnected) { include - include - include + include + + @{open_path} mr, + + @{sh_path} r, @{bin}/** PUx, @{lib}/** PUx, @@ -23,6 +26,14 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) { /usr/local/bin/** PUx, /usr/share/** PUx, + @{bin}/ r, + @{user_bin_dirs}/ r, + / r, + /usr/ r, + /usr/local/bin/ r, + + /dev/tty rw, + include if exists include if exists } diff --git a/apparmor.d/groups/children/child-open-browsers b/apparmor.d/groups/children/child-open-browsers index 473276bff..6873ea2fc 100644 --- a/apparmor.d/groups/children/child-open-browsers 
+++ b/apparmor.d/groups/children/child-open-browsers @@ -15,7 +15,7 @@ abi , include -profile child-open-browsers flags=(attach_disconnected,mediate_deleted) { +profile child-open-browsers flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/children/child-open-editor b/apparmor.d/groups/children/child-open-editor deleted file mode 100644 index 16d3dc868..000000000 --- a/apparmor.d/groups/children/child-open-editor +++ /dev/null @@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# This profile is designed to be used in a child profile to limit what -# confined application can invoke via open helper. - -# This version of child-open only allow to open text editor. - -# Note: This profile does not specify an attachment path because it is -# intended to be used only via "Px -> child-open-browsers" exec transitions -# from other profiles. - -abi , - -include - -profile child-open-editor flags=(attach_disconnected,mediate_deleted) { - include - include - - @{editor_ui_path} PUx, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-open-help b/apparmor.d/groups/children/child-open-help index 1150d16d3..d70cd920a 100644 --- a/apparmor.d/groups/children/child-open-help +++ b/apparmor.d/groups/children/child-open-help @@ -6,7 +6,7 @@ abi , include -profile child-open-help flags=(attach_disconnected,mediate_deleted) { +profile child-open-help { include include diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 4296f03af..98bbdcdb9 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict 
@@ -11,15 +11,13 @@ abi , include -profile child-open-strict flags=(attach_disconnected,mediate_deleted) { +profile child-open-strict { include include @{browsers_path} Px, @{file_explorers_path} Px, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, - include if exists include if exists } diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index 8e60bce47..e904f96dd 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -15,7 +15,30 @@ include profile child-pager flags=(attach_disconnected) { include - include + include + + capability dac_override, + capability dac_read_search, + + signal (receive) set=(stop, cont, term, kill), + + @{bin}/ r, + @{pager_path} mr, + + @{system_share_dirs}/terminfo/{,**} r, + /usr/share/file/misc/** r, + /usr/share/nvim/{,**} r, + + @{HOME}/.lesshst r, + + owner @{HOME}/ r, + owner @{HOME}/.lesshs* rw, + owner @{HOME}/.terminfo/@{int}/* r, + owner @{user_cache_dirs}/lesshs* rw, + owner @{user_state_dirs}/ r, + owner @{user_state_dirs}/lesshs* rw, + + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/children/user_confined b/apparmor.d/groups/children/user_confined new file mode 100644 index 000000000..c4d3c9fed --- /dev/null +++ b/apparmor.d/groups/children/user_confined @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow confined users to read, write, lock and link to their own files +# anywhere, and execute from some places. + +abi , + +include + +profile user_confined flags=(complain) { + include + include + include + include + + deny capability sys_ptrace, + + @{bin}/** Pixmr, + + owner /** rwkl, + owner @{HOMEDIRS}/bin/** ixmr, + owner @{user_bin_dirs}/** ixmr, + + @{PROC}/** r, + + include if exists +} + +# vim:syntax=apparmor 
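Review bot: `capability dac_override` and `capability dac_read_search` in the shared child-pager profile are a broad grant: every profile that hands output to `@{pager_path}` through this child now lets a root-spawned `less` bypass file permissions entirely, and `less` can open further files interactively (`:e`), so the pager becomes a read-any-file primitive for whichever caller reaches it as root. If one specific caller needs this (the patch does not say which), scope it in that caller's own transition or a dedicated child and drop the two lines here. The `signal (receive) set=(stop, cont, term, kill)` rule also has no `peer=` restriction, and `@{HOME}/.lesshst r` lacks the `owner` qualifier the `.lesshs*` write rules below carry; `owner @{HOME}/.lesshst r,` would be consistent.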
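Review bot: The header of user_confined says confined users are allowed only the listed operations, but `profile user_confined flags=(complain)` puts the profile in complain mode, so the allow rules only log and — as far as I recall — `deny capability sys_ptrace` is the one line that is still enforced. If complain is intentional for a first roll-out, say so in the header: `# NOTE: shipped in complain mode; switch to enforce once the rule set is validated.` Also `@{PROC}/** r` carries no `owner` qualifier, which is wider than the `owner /** rwkl` line suggests the profile intends; consider `owner @{PROC}/** r,` unless cross-user /proc reads are needed.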
diff --git a/apparmor.d/groups/children/user_default b/apparmor.d/groups/children/user_default new file mode 100644 index 000000000..2853a8deb --- /dev/null +++ b/apparmor.d/groups/children/user_default @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# By default, allow users to read, lock and link to their own files anywhere, +# but only write to files in their home directory. Only allow limited execution +# of files. + +abi , + +include + +profile user_default flags=(complain) { + include + include + include + include + + deny capability sys_ptrace, + + @{bin}/** Pixmr, + + owner /** rkl, + owner @{HOMEDIRS}/ w, + owner @{HOMEDIRS}/** w, + + @{PROC}/** r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/user_unconfined b/apparmor.d/groups/children/user_unconfined new file mode 100644 index 000000000..db410d6a2 --- /dev/null +++ b/apparmor.d/groups/children/user_unconfined @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile user_unconfined flags=(attach_disconnected,mediate_deleted) { + capability, + network, + mount, + remount, + umount, + pivot_root, + ptrace, + signal, + dbus, + unix, + file, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index e91f9b419..4ce618ef7 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/cron +@{exec_path} = @{bin}/cron profile cron @{exec_path} flags=(attach_disconnected) { include include 
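Review bot: `profile user_unconfined` grants every rule class but still runs processes under the label `user_unconfined`, not `unconfined`, so peer rules elsewhere that name `unconfined` — for example the `ptrace (read) peer=unconfined` added to `cron` in this same patch — will not match processes under it, and `PUx` fallbacks that land in `unconfined` behave differently from transitions into this label. That is fine if intended, but the file has no header comment explaining the difference; I would add `# Behaves like unconfined but keeps a distinct label; peer=unconfined rules do not match it.` On AppArmor 4 kernels unprivileged user-namespace creation is also a separate rule class (`userns,`) that this list omits, so check whether it belongs alongside `mount` and `pivot_root`.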
@@ -25,14 +25,20 @@ profile cron @{exec_path} flags=(attach_disconnected) { network netlink raw, + ptrace (read) peer=unconfined, + @{exec_path} mr, - @{sh_path} rix, - @{sbin}/exim4 rPx, - @{bin}/ionice rix, - @{bin}/nice rix, - @{bin}/run-parts rCx -> run-parts, - @{lib}/sysstat/debian-sa1 rPx, + @{sh_path} rix, + @{bin}/nice rix, + @{bin}/ionice rix, + @{bin}/exim4 rPx, + @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not + # using the run-parts profile we are good + + @{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, + @{lib}/sysstat/debian-sa1 rPUx, + /usr/share/rsync/scripts/rrsync rPUx, /etc/cron.d/{,*} r, /etc/crontab r, diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron index 91c531618..15d1b9737 100644 --- a/apparmor.d/groups/cron/cron-anacron +++ b/apparmor.d/groups/cron/cron-anacron @@ -12,7 +12,7 @@ profile cron-anacron @{exec_path} { @{exec_path} r, - @{sbin}/anacron rPx, + @{bin}/anacron rPx, @{sh_path} rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 0d5d5a081..29294fa53 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -46,7 +46,7 @@ profile cron-apt @{exec_path} { @{bin}/apt-get rPx, @{bin}/apt-file rPx, @{bin}/aptitude{,-curses} rPx, - @{sbin}/exim4 rPx, + @{bin}/exim4 rPx, /usr/share/cron-apt/{,*} r, diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index fcf5e4430..2aaa6b142 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -14,7 +14,7 @@ profile cron-apt-compat @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{sbin}/on_ac_power rPx, + @{bin}/on_ac_power rPx, @{bin}/apt-config rPx, @{lib}/apt/apt.systemd.daily rPx, diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 15f93efec..2c3f90a9a 100644 
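Review bot: Three exec rules in this hunk fall back to unconfined, `@{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,`, `@{lib}/sysstat/debian-sa1 rPUx,` and `/usr/share/rsync/scripts/rrsync rPUx,`, and debian-sa1 was previously `rPx`, so a missing profile now yields an unconfined root process launched from cron instead of an exec denial. The `U` fallback removes exactly the defense-in-depth a cron profile is there to give; the commit should say which of these helpers lack a profile and why, or keep `rPx` and ship the profiles. The added `ptrace (read) peer=unconfined,` is also broader than cron's usual `/proc` reads and deserves a one-line justification, e.g. `# ptrace read: cron inspects unconfined processes for <reason> (aa-log entry)`.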
--- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -14,14 +14,15 @@ profile cron-apt-xapian-index @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/{,e}grep rix, + @{bin}/nice rix, @{bin}/ionice rix, @{bin}/ r, @{bin}/update-apt-xapian-index rPx, - @{sbin}/on_ac_power rPx, + @{bin}/on_ac_power rPx, # For shell pwd / r, diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude index 82b33e8ab..76657dc94 100644 --- a/apparmor.d/groups/cron/cron-aptitude +++ b/apparmor.d/groups/cron/cron-aptitude @@ -17,7 +17,7 @@ profile cron-aptitude @{exec_path} { @{bin}/cp rix, @{bin}/date rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/dirname rix, @{bin}/rm rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/cron/cron-cracklib b/apparmor.d/groups/cron/cron-cracklib index 9399b6ed4..ede030682 100644 --- a/apparmor.d/groups/cron/cron-cracklib +++ b/apparmor.d/groups/cron/cron-cracklib @@ -15,7 +15,7 @@ profile cron-cracklib @{exec_path} { @{sh_path} rix, @{bin}/logger rix, - @{sbin}/update-cracklib rPx, + @{bin}/update-cracklib rPx, /etc/cracklib/cracklib.conf r, diff --git a/apparmor.d/groups/cron/cron-debtags b/apparmor.d/groups/cron/cron-debtags index ea9086948..3e6c182a7 100644 --- a/apparmor.d/groups/cron/cron-debtags +++ b/apparmor.d/groups/cron/cron-debtags @@ -12,9 +12,9 @@ profile cron-debtags @{exec_path} { include @{exec_path} r, - @{sh_path} rix, - @{bin}/debtags rPx, + + /usr/bin/debtags rPx, include if exists } diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 784dfae19..42f2f0823 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base 
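Review bot: `/usr/bin/debtags rPx,` in the cron-debtags hunk hard-codes the path while every sibling profile in this group uses `@{bin}/...`, so the rule will not match on the layouts the variable exists to cover; prefer `@{bin}/debtags rPx,`. The hunk also drops `@{sh_path} rix,` while keeping `@{exec_path} r,` (no `m`), which suggests the cron job is an interpreted script; if so, the interpreter exec is now denied and the job will fail in enforce mode, so the removal should be confirmed against the job file before merging.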
@@ -34,13 +34,13 @@ profile cron-exim4-base @{exec_path} { @{bin}/hostname rix, @{bin}/xargs rix, @{bin}/find rix, - @{sbin}/eximstats rix, + @{bin}/eximstats rix, - @{sbin}/exim4 rPx, - @{sbin}/exim_tidydb rix, + @{bin}/exim4 rPx, + @{bin}/exim_tidydb rix, - @{sbin}/start-stop-daemon rix, - @{sbin}/runuser rix, + @{bin}/start-stop-daemon rix, + @{bin}/runuser rix, /etc/default/exim4 r, diff --git a/apparmor.d/groups/cron/cron-ipset-autoban-save b/apparmor.d/groups/cron/cron-ipset-autoban-save index 8b5891eed..601368446 100644 --- a/apparmor.d/groups/cron/cron-ipset-autoban-save +++ b/apparmor.d/groups/cron/cron-ipset-autoban-save @@ -15,7 +15,7 @@ profile cron-ipset-autoban-save @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{sbin}/ipset rix, + @{bin}/ipset rix, /etc/peerblock/autoban rw, diff --git a/apparmor.d/groups/cron/cron-logrotate b/apparmor.d/groups/cron/cron-logrotate index 36044b2f3..abe3542f6 100644 --- a/apparmor.d/groups/cron/cron-logrotate +++ b/apparmor.d/groups/cron/cron-logrotate @@ -14,7 +14,7 @@ profile cron-logrotate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{sbin}/logrotate rPx, + @{bin}/logrotate rPx, @{bin}/logger rix, diff --git a/apparmor.d/groups/cron/cron-man-db b/apparmor.d/groups/cron/cron-man-db index 709f843e8..8629f7be2 100644 --- a/apparmor.d/groups/cron/cron-man-db +++ b/apparmor.d/groups/cron/cron-man-db @@ -20,7 +20,7 @@ profile cron-man-db @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, - @{sbin}/start-stop-daemon rix, + @{bin}/start-stop-daemon rix, @{bin}/xargs rix, @{bin}/find rix, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index f91956bcd..852e85141 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -15,7 +15,7 @@ profile cron-mlocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, 
@@ -23,7 +23,7 @@ profile cron-mlocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.mlocate rPx, - @{sbin}/on_ac_power rPx, + @{bin}/on_ac_power rPx, @{run}/mlocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-ntp b/apparmor.d/groups/cron/cron-ntp index 7221cc6e1..17ab7f745 100644 --- a/apparmor.d/groups/cron/cron-ntp +++ b/apparmor.d/groups/cron/cron-ntp @@ -14,7 +14,7 @@ profile cron-ntp @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/sed rix, include if exists diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 7f52d1a14..7080658c3 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -15,7 +15,7 @@ profile cron-plocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, @@ -23,7 +23,7 @@ profile cron-plocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.plocate rPx, - @{sbin}/on_ac_power rPx, + @{bin}/on_ac_power rPx, @{run}/plocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 44d3a546f..dd50a7494 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -18,7 +18,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/cat rix, @{bin}/date rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @@ -29,11 +29,11 @@ profile cron-popularity-contest @{exec_path} { # To send reports via TOR @{bin}/torify rix, @{bin}/torsocks rix, - @{sbin}/getcap rix, + @{bin}/getcap rix, /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload, @{bin}/gpg{,2} rCx -> gpg, - @{sbin}/runuser rCx -> runuser, + @{bin}/runuser rCx -> runuser, @{bin}/savelog rCx -> savelog, /usr/share/popularity-contest/ r, 
@@ -74,7 +74,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/mv rix, @{bin}/rm rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{sh_path} rix, /var/log/ r, @@ -93,7 +93,7 @@ profile cron-popularity-contest @{exec_path} { include include - @{sbin}/runuser mr, + @{bin}/runuser mr, @{sh_path} rix, @{bin}/popularity-contest rPx, @@ -141,6 +141,7 @@ profile cron-popularity-contest @{exec_path} { network inet6 stream, network netlink raw, + @{bin}/perl r, @{bin}/gzip rix, /usr/share/popularity-contest/popcon-upload r, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index d240454f5..ccc948b01 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -28,10 +28,10 @@ profile crontab @{exec_path} { @{sh_path} rix, @{editor_path} rCx -> editor, - @{etc_ro}/environment r, - @{etc_ro}/security/*.conf r, /etc/cron.{allow,deny} r, + /etc/environment r, /etc/pam.d/* r, + /etc/security/*.conf r, /var/spool/cron/ r, /var/spool/cron/** rw, diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind deleted file mode 100644 index fe4347237..000000000 --- a/apparmor.d/groups/cups/ippfind +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ippfind -profile ippfind @{exec_path} { - include - include - include - - @{exec_path} mr, - - @{bin}/echo rix, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/print-backends-cups b/apparmor.d/groups/cups/print-backends-cups deleted file mode 100644 index 6ab6007cb..000000000 --- a/apparmor.d/groups/cups/print-backends-cups +++ /dev/null 
@@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/@{multiarch}/print-backends/cups -profile print-backends-cups @{exec_path} { - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm index e0e0bd794..04accbbf0 100644 --- a/apparmor.d/groups/display-manager/lightdm +++ b/apparmor.d/groups/display-manager/lightdm @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/lightdm profile lightdm @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -37,21 +36,15 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=xfce-session, signal (send) set=(term) peer=xorg, - #aa:dbus own bus=system name=org.freedesktop.DisplayManager - @{exec_path} mrix, - @{sh_path} rix, - @{bin}/{,e,f}grep rix, - @{bin}/df rix, - @{bin}/rm rix, + @{bin}/rm rix, @{bin}/lightdm-*-greeter rPUx, @{bin}/startx rPx, @{bin}/Xorg rPx, @{bin}/plymouth rPx, @{bin}/gnome-keyring-daemon rPx, - @{bin}/lightdm-session rPx, @{lib}/security-misc/* rPx, #aa:only whonix @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx, @@ -63,11 +56,11 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xgreeters/{,**} r, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,*} r, /etc/default/locale r, + /etc/environment r, /etc/lightdm/{,**} r, /etc/machine-id r, + /etc/security/limits.d/{,*} r, /etc/shells r, /var/cache/lightdm/dmrc/*.dmrc* rw, @@ -88,7 +81,6 @@ profile lightdm @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, - owner @{PROC}/@{pid}/mountinfo r, /dev/tty@{int} r, 
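Review bot: The lightdm hunk deletes the `#aa:dbus own bus=system name=org.freedesktop.DisplayManager` directive while the profile keeps its other system-bus rules, so if lightdm still claims that bus name (it does on the versions I know of, but verify on the target) the RequestName will be denied and clients of the DisplayManager interface will break with nothing more than an audit entry. If the directive is intentionally replaced by explicit `dbus` rules elsewhere, a comment pointing to them would help; otherwise restore it. The same hunk drops `@{bin}/lightdm-session rPx,` and this commit also deletes the lightdm-session profile, so unless an include covers that path, lightdm's exec of lightdm-session will be denied in enforce mode.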
diff --git a/apparmor.d/groups/display-manager/lightdm-session b/apparmor.d/groups/display-manager/lightdm-session deleted file mode 100644 index ea7d62be2..000000000 --- a/apparmor.d/groups/display-manager/lightdm-session +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lightdm-session -profile lightdm-session @{exec_path} { - include - - @{exec_path} mr, - - @{bin}/im-launch rPx, - - @{sh_path} rix, - @{bin}/mktemp rix, - @{bin}/expr rix, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 361a30b26..445531691 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -34,7 +34,7 @@ profile x11-xsession @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index df17e0d9f..cfdaeed3f 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -10,7 +10,6 @@ include profile xdm-xsession @{exec_path} { include include - include include include include @@ -21,12 +20,12 @@ profile xdm-xsession @{exec_path} { @{bin}/basename rix, @{bin}/cat rix, - @{sbin}/checkproc rix, + @{bin}/checkproc rix, @{bin}/dirname rix, @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, 
@@ -59,6 +58,7 @@ profile xdm-xsession @{exec_path} { @{HOME}/.xinitrc rPix, # TODO: rCx @{lib}/xinit/xinitrc rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, /usr/share/terminfo/{,**} r, diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init deleted file mode 100644 index fcb9d8b6c..000000000 --- a/apparmor.d/groups/firewall/ufw-init +++ /dev/null @@ -1,74 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/ufw/ufw-init -profile ufw-init @{exec_path} { - include - include - - capability dac_override, - capability dac_read_search, - capability net_admin, - capability net_raw, - - network inet dgram, - network inet raw, - network inet6 dgram, - network inet6 raw, - network netlink raw, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/echo rix, - @{sbin}/sysctl rCx -> sysctl, - @{sbin}/xtables-legacy-multi rix, - @{sbin}/xtables-nft-multi rix, - @{bin}/kmod rCx -> kmod, - - /etc/default/ufw r, - /etc/ufw/* r, - - @{run}/xtables.lock rwk, - - @{PROC}/@{pid}/net/ip_tables_names r, - @{PROC}/sys/kernel/modprobe r, - - profile kmod { - include - include - - capability sys_module, - - @{run}/xtables.lock r, - - @{sys}/module/compression r, - @{sys}/module/x_tables/initstate r, - - include if exists - } - - profile sysctl { - include - include - - capability net_admin, - - @{sbin}/sysctl mr, - - /etc/ufw/sysctl.conf r, - - @{PROC}/sys/net/ipv{4,6}/** rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 85e277198..42758585f 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon 
@@ -25,15 +25,20 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.Accounts + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, - @{sbin}/adduser rPx, + @{bin}/adduser rPx, @{bin}/cat rix, @{bin}/chage rPx, @{bin}/passwd rPx, - @{sbin}/chpasswd rPx, - @{sbin}/userdel rPx, - @{sbin}/usermod rPx, + @{bin}/chpasswd rPx, + @{bin}/userdel rPx, + @{bin}/usermod rPx, @{bin}/locale rPUx, /usr/share/language-tools/language-validate rPx, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index c069b7afd..26a07d8aa 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -11,11 +11,9 @@ include profile colord @{exec_path} flags=(attach_disconnected) { include include + include include - include - include include - include include network inet dgram, @@ -24,8 +22,12 @@ profile colord @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.ColorManager + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mrix, - @{lib}/colord-sane ix, /etc/machine-id r, /etc/sane.d/{,**} r, @@ -33,8 +35,11 @@ profile colord @{exec_path} flags=(attach_disconnected) { /etc/udev/hwdb.bin r, /usr/share/color/icc/{,**} r, + /usr/share/mime/mime.cache r, /usr/share/snmp/mibs/{,*} r, + @{system_share_dirs}/mime/mime.cache r, + owner /var/lib/colord/.cache/ rw, owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk, 
@@ -44,8 +49,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/ r, owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-*.icc r, + @{att}/@{user_share_dirs}/icc/edid-*.icc r, @{run}/systemd/sessions/* r, @@ -58,9 +63,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/{vendor,model,type} r, @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r, @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{PROC}/sys/dev/parport/ r, @{PROC}/sys/dev/parport/parport@{int}/base-addr r, diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index 20b453df4..be4972f04 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/dconf profile dconf @{exec_path} flags=(attach_disconnected) { include - include include capability sys_nice, diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index da950506a..790f03be3 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -10,7 +10,7 @@ include @{exec_path} = @{lib}/{,dconf/}dconf-service profile dconf-service @{exec_path} flags=(attach_disconnected) { include - include + include include include diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 04eeba521..383360ad4 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue 
@@ -11,12 +11,9 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { include include include + include include include - include - include - include - include include include include @@ -29,8 +26,15 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.GeoClue2 + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/geoclue/{,**} r, /etc/sysconfig/proxy r, diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index 1201e1277..d7122bdbb 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy @@ -18,7 +18,7 @@ profile iio-sensor-proxy @{exec_path} { @{exec_path} mr, - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+platform:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/freedesktop/pacat b/apparmor.d/groups/freedesktop/pacat deleted file mode 100644 index 8329b7924..000000000 --- a/apparmor.d/groups/freedesktop/pacat +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pacat -profile pacat @{exec_path} { - include - include - include - - @{exec_path} mr, - - /etc/machine-id r, - - owner @{user_music_dirs}/{,**} rw, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 04b08ecc4..e2b1b22d9 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -14,9 +14,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include - include - include include + include capability sys_ptrace, @@ -26,6 +25,11 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.pulseaudio.Server + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -41,14 +45,13 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { /etc/pipewire/{,**} r, / r, - /att/**/ r, + @{att}/ r, owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, owner @{tmp}/librnnoise-@{int}.so rm, - @{run}/snapd.socket rw, owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, @@ -64,9 +67,10 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r, @{sys}/module/apparmor/parameters/enabled r, - owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/media@{int} rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 83ee32baa..fa1e44d00 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session 
@@ -14,15 +14,20 @@ profile pipewire-media-session @{exec_path} { include include include - include include include + include network bluetooth raw, network bluetooth seqpacket, network bluetooth stream, network netlink raw, + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixProcessID + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index e6e6e59c5..530fa97db 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -11,21 +11,15 @@ include profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include - include - include - include include capability sys_ptrace, - ptrace read, - - #aa:dbus own bus=session name=org.pulseaudio.Server + ptrace (read), @{exec_path} mr, @{bin}/pactl rix, - @{bin}/pipewire mr, /usr/share/pipewire/{,**} r, @@ -44,9 +38,6 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/module/apparmor/parameters/enabled r, - - owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/pkla-admin-identities b/apparmor.d/groups/freedesktop/pkla-admin-identities deleted file mode 100644 index 778dd131c..000000000 --- a/apparmor.d/groups/freedesktop/pkla-admin-identities +++ /dev/null 
@@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pkla-admin-identities -profile pkla-admin-identities @{exec_path} { - include - include - - @{exec_path} mr, - - /etc/polkit-1/localauthority.conf.d/{,**} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pkla-check-authorization b/apparmor.d/groups/freedesktop/pkla-check-authorization deleted file mode 100644 index ff5b72f71..000000000 --- a/apparmor.d/groups/freedesktop/pkla-check-authorization +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pkla-check-authorization -profile pkla-check-authorization @{exec_path} { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index da13572e5..bd5a34dcd 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/plymouth-set-default-theme +@{exec_path} = @{bin}/plymouth-set-default-theme profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { include include @@ -15,7 +15,7 @@ profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/plymouth rPx, /usr/share/plymouth/{,**} r, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 0a2390661..8e5933073 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd 
@@ -6,13 +6,12 @@ abi , include -@{exec_path} = @{sbin}/plymouthd +@{exec_path} = @{bin}/plymouthd profile plymouthd @{exec_path} { include include include include - include capability checkpoint_restore, capability dac_override, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper similarity index 73% rename from apparmor.d/groups/polkit/polkit-agent-helper rename to apparmor.d/groups/freedesktop/polkit-agent-helper index f761ecf29..bb6e457ff 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] @{exec_path} += @{lib}/polkit-agent-helper-[0-9] -profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { +profile polkit-agent-helper @{exec_path} { include include include @@ -25,22 +25,20 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal receive set=(term kill) peer=gnome-shell, - signal receive set=(term kill) peer=pkexec, - signal receive set=(term kill) peer=pkttyagent, - signal receive set=(term kill) peer=polkit-*-authentication-agent, - - unix bind type=stream addr=@@{udbus}/bus/polkit-agent-he/system, + signal (receive) set=(term, kill) peer=gnome-shell, + signal (receive) set=(term, kill) peer=pkexec, + signal (receive) set=(term, kill) peer=pkttyagent, + signal (receive) set=(term, kill) peer=polkit-*-authentication-agent, dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=@{busname}, label="@{p_polkitd}"), + peer=(name=:*, label=polkitd), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2 - peer=(name=@{busname}, label="@{p_polkitd}"), + peer=(name=:*, label=polkitd), @{exec_path} mr, 
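Review bot: The two `dbus send` rules at the end of the polkit-agent-helper hunk change the peer from `label="@{p_polkitd}"` to `label=polkitd`, dropping whatever extra labels the variable carried (presumably the fallback for when the polkitd profile is not loaded); on a system where polkitd runs unconfined, `AuthenticationAgentResponse2` will be denied and every polkit prompt will fail. Either keep the variable or state the assumption inline, e.g. `# polkitd must be confined by its own profile (groups/freedesktop/polkitd)`. The hunk also removes the `unix bind` rule for the helper's private socket and the `attach_disconnected` flag; since polkit-agent-helper is setuid root these narrowings are welcome, but they should be confirmed with `aa-log` during a real authentication round-trip.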
diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index bb48d0c5b..94bc7ece6 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -12,19 +12,11 @@ include @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1 profile polkit-gnome-authentication-agent @{exec_path} { include - include - include - include include include - signal (send) set=(term) peer=polkit-agent-helper, - @{exec_path} mr, - @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - @{lib}/polkit-agent-helper-[0-9] rPx, - @{PROC}/@{pid}/cgroup r, include if exists diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 8a08f02d0..f53f4d164 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,8 +11,6 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include - include include include include @@ -28,9 +26,6 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, signal (send) set=(term, kill) peer=polkit-agent-helper, - #aa:dbus own bus=session name=org.kde.polkit-kde-authentication-agent-@{int} - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd - @{exec_path} mr, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/freedesktop/polkitd similarity index 73% rename from apparmor.d/groups/polkit/polkitd rename to apparmor.d/groups/freedesktop/polkitd index fa00311cd..5e3d3ee78 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd 
@@ -7,11 +7,10 @@ abi , include -@{exec_path} = @{lib}/polkitd @{lib}/polkit-1/polkitd +@{exec_path} = @{lib}/{,polkit-1/}polkitd profile polkitd @{exec_path} flags=(attach_disconnected) { include include - include include capability setgid, @@ -20,19 +19,18 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, audit capability net_admin, - ptrace read, + ptrace (read), #aa:dbus own bus=system name=org.freedesktop.PolicyKit1 - dbus send bus=system path=/org/kde/PolicyKit1/AuthenticationAgent - interface=org.freedesktop.PolicyKit1.AuthenticationAgent - member=BeginAuthentication - peer=(name=@{busname}, label=polkit-kde-authentication-agent), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, - @{bin}/pkla-check-authorization rPx, - @{bin}/pkla-admin-identities rPx, + @{bin}/pkla-check-authorization rPUx, /etc/machine-id r, @@ -55,9 +53,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { /var/lib/polkit{,-1}/localauthority/{,**} r, owner /var/lib/polkit{,-1}/.cache/ rw, - @{att}/@{run}/systemd/notify w, @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, - @{att}/@{run}/systemd/userdb/io.systemd.Home rw, @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/sessions/* r, @@ -65,9 +61,8 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, @@ -75,6 +70,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fdinfo/@{int} r, + # Silencer + deny /.cache/ rw, + include if exists } 
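Review bot: `@{bin}/pkla-check-authorization rPUx` in the `@@ -20,19 +19,18 @@` hunk lets a daemon that holds `capability setgid`, `sys_ptrace` and `net_admin` fall back to an unconfined child whenever no `pkla-check-authorization` profile is loaded, which widens the policy silently instead of failing closed; the same `Ux` fallback is introduced for `@{bin}/flatpak rPUx` in the xdg-document-portal hunk further down. The removed `rPx` lines suggest a profile for the helper exists, so `@{bin}/pkla-check-authorization rPx,` keeps the transition strict; if the fallback is intended for systems without that profile, a comment saying so would help the next reader. Separately, `@{PROC}/@{pid}/fdinfo/@{int} r,` now subsumes the `owner @{PROC}/@{pid}/fdinfo/@{int} r,` context line in the last hunk, so one of the two rules is dead.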
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 206958062..804020b7b 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -14,21 +14,17 @@ profile pulseaudio @{exec_path} { include include include + include + include include include - include - include - include - include - include include include - include include include + include include include - include include ptrace (trace) peer=@{profile_name}, @@ -51,11 +47,26 @@ profile pulseaudio @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Found + peer=(name=:*, label=avahi-daemon), + + dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + member=ItemRemove + peer=(name=:*, label=avahi-daemon), + dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=org.bluez), + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member={Found,Free} + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + @{exec_path} mrix, @{lib}/pulse/gsettings-helper rix, @@ -71,9 +82,9 @@ profile pulseaudio @{exec_path} { owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{desktop_config_dirs}/dconf/user r, - owner @{desktop_config_dirs}/pulse/{,**} rw, - owner @{desktop_config_dirs}/pulse/cookie k, + owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_config_dirs}/pulse/{,**} rw, + owner @{desktop_config_dirs}/pulse/cookie k, owner @{HOME}/.pulse/{,**} rw, owner @{user_config_dirs}/ w, 
@@ -94,6 +105,7 @@ profile pulseaudio @{exec_path} { @{sys}/devices/**/sound/**/{uevent,pcm_class} r, @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, + @{sys}/devices/virtual/video4linux/video@{int}/uevent r, deny @{sys}/module/apparmor/parameters/enabled r, @@ -101,6 +113,9 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/cmdline r, + /dev/media@{int} r, + /dev/video@{int} rw, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 90be74ecf..ebf0ad6a3 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/update-desktop-database profile update-desktop-database @{exec_path} flags=(attach_disconnected) { include - include + include include include @@ -25,8 +25,6 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { @{system_share_dirs}/applications/.mimeinfo.cache.* rw, @{system_share_dirs}/applications/mimeinfo.cache w, - /usr/share/byobu/desktop/* r, - /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw, /var/lib/snapd/desktop/applications/mimeinfo.cache w, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 83652914f..931b47509 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,7 +13,7 @@ profile upower @{exec_path} { include include - #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 201e49f3c..f832d285e 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd 
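Review bot: `/dev/video@{int} rw` in the `@@ -101,6 +113,9 @@` hunk gives the sound server write access to every video capture node, which is more than device enumeration needs; the `@{sys}/devices/virtual/video4linux/video@{int}/uevent r` rule added in the previous hunk suggests this is about discovering audio functions on USB webcams, and if the audit log only shows reads, `/dev/video@{int} r,` is the tighter rule. A short comment such as `# USB webcams expose an audio function alongside the V4L node` above the pair would also record why a sound daemon touches V4L devices at all.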
@@ -11,9 +11,8 @@ include profile upowerd @{exec_path} flags=(attach_disconnected) { include include - include + include include - include include network netlink raw, @@ -28,15 +27,15 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, - @{run}/udev/data/ r, # Lists all udev data files - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) - @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/ r, + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+platform:* r, @{run}/udev/data/+serio:* r, # for serial mice - @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + @{run}/udev/data/+power_supply* r, @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @@ -57,7 +56,6 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/power_supply/**/* r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/misc/uhid/*/input/input@{int}/name r, /dev/input/event* r, diff --git a/apparmor.d/groups/freedesktop/wmname b/apparmor.d/groups/freedesktop/wmname deleted file mode 100644 index 1d2c7aa23..000000000 --- a/apparmor.d/groups/freedesktop/wmname +++ /dev/null 
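Review bot: The udev comments in the `@@ -28,15 +27,15 @@` hunk become less informative than the lines they replace (`# for acpi` instead of the description of which ACPI objects are exposed, and `+i2c:*` and `+platform:*` lose their comment entirely); the xorg hunk further down does the same and even leaves `# for ?` on `+platform:*`. Please keep the descriptive comments, since they are the only statement of why each udev device class is readable. `+power_supply* r` also drops the `:` separator that every sibling entry uses; `@{run}/udev/data/+power_supply:* r,  # batteries, AC adapters, USB chargers` keeps the pattern consistent.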
@@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/wmname -profile wmname @{exec_path} { - include - include - - @{exec_path} mr, - owner @{HOME}/.Xauthority r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 031f03ac4..e51f21e1e 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -9,20 +9,18 @@ include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include - include - include + include + include include include - include + include + include include include include network unix stream, - #aa:dbus talk bus=session name=org.freedesktop.portal.Flatpak label=flatpak-portal - #aa:dbus talk bus=session name=org.freedesktop.portal.Request path=/org/freedesktop/portal/desktop label=xdg-desktop-portal - dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* @@ -30,9 +28,8 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner @{att}/@{HOME}/.var/app/** r, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon index a6200a2b2..ba699bdbd 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon 
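Review bot: In the `@@ -30,9 +28,8 @@` hunk the two `.var/app` rules lose their `@{att}/` prefix while the profile keeps `flags=(attach_disconnected)` and the neighbouring `@{att}/@{run}/systemd/inhibit/@{int}.ref rw` rule keeps the prefix, so the file now mixes the two conventions. If the prefix was originally added from disconnected-path denials seen when the proxy runs inside a Flatpak sandbox, dropping it will bring those denials back; if it was never needed, the inhibit rule should probably be normalised the same way. A one-line comment stating which case applies would settle it.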
@@ -39,7 +39,6 @@ profile xdg-desktop-icon @{exec_path} { include include include - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index ec2cc86be..57b17b655 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -10,6 +10,7 @@ include profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -17,10 +18,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include - include - include include - include include include include 
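Review bot: Deleting the trailing `include if exists` line in the `@@ -39,7 +39,6 @@` hunk removes the `local/` override hook that every other profile in this group keeps, so administrators lose the supported way to extend xdg-desktop-icon without editing the shipped file; the xdg-user-dirs-gtk-update hunk further down removes the same line. Unless the removal is deliberate, the line should stay as the last statement before the closing brace.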
@@ -40,23 +38,17 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* - peer=(name=@{busname}), - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.host.portal.Registry - member=Register - peer=(name=@{busname}), - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.NetworkMonitor - member=GetStatus - peer=(name=@{busname}, label=snap.*), + peer=(name=:*), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk - #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -69,11 +61,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{lib}/xdg-desktop-portal-validate-icon rPx, - @{open_path} mrPx -> child-open, + @{open_path} rPx -> child-open, - / r, - @{att}/.flatpak-info r, - owner /att/**/ r, + / r, + @{att}/.flatpak-info r, + owner @{att}/ r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, 
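Review bot: The context line `@{lib}/xdg-desktop-portal-validate-icon rPx,` in the `@@ -69,11 +61,11 @@` hunk still transitions to the `xdg-desktop-portal-validate-icon` profile, but this same commit deletes apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon; with `Px`, an exec whose target profile is not loaded is denied, so icon validation would start failing once this set is installed. Either keep that profile (it is what confines the `bwrap` call and the `dac_override` capability the helper uses) or change the transition deliberately and explain the choice in a comment; an unexplained `rPUx` fallback would just run the helper unconfined.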
@@ -85,14 +77,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/user-dirs.dirs r, - # The portal can receive any user file as it is a file chooser for UI app. - owner @{HOME}/** r, @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/xdg-desktop-portal/* r, - owner @{user_share_dirs}/xdg-desktop-portal/{,**} rw, - owner @{tmp}/icon@{rand6} rw, + owner @{tmp}/icon* rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, @@ -102,7 +91,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/ r, - @{PROC}/@{pids}/status r, @{PROC}/*/ r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 30b415204..17d26e3b1 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome 
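Review bot: `owner @{tmp}/icon* rw` in the `@@ -85,14 +77,11 @@` hunk replaces `icon@{rand6}`, so the portal may now read and write any owner-matched file in `@{tmp}` whose name merely starts with `icon`, not only its own temporary icon files. Keep the narrower `owner @{tmp}/icon@{rand6} rw,` unless the audit log shows a different name being used, in which case the actual pattern is preferable to a prefix glob.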
@@ -9,47 +9,31 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include + include include include + include include include include - include - include + include include include include include include include - include include network unix stream, - signal receive set=term peer=gdm, - signal receive set=(hup term) peer=gdm-session-worker, + signal (receive) set=term peer=gdm, + signal (receive) set=(hup term) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label="gvfs-*-volume-monitor" - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Background - member=RunningApplicationsChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus send bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gnome-shell), - dbus receive bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, 
@@ -60,13 +44,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/gdm/greeter/applications/{,**} r, /usr/share/thumbnailers/{,**} r, owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{desktop_config_dirs}/dconf/user r, - owner @{desktop_share_dirs}/applications/{,**} r, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, @@ -76,18 +58,12 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - owner @{tmp}/gtkprint_ppd_@{rand6} rw, - owner @{tmp}/gtkprint@{rand6} r, - owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, - - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index b7906c5e2..ff398f25e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
@@ -9,48 +9,60 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include + include + include include include + include include include include - include + include + include include - include + include include include include include include - include - include include include signal receive set=term peer=gdm, signal receive set=hup peer=gdm-session-worker, - #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk + unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), - #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings label=xdg-desktop-portal + #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=:*), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.impl.portal.Settings + member=SettingChanged + peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), @{exec_path} mr, /usr/share/gdm/greeter-dconf-defaults r, - / r, - owner /att/**/ r, + / r, owner /var/lib/xkb/server-@{int}.xkm rw, - owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, owner @{gdm_config_dirs}/dconf/user r, - owner /var/lib/gdm3/greeter-dconf-defaults r, owner @{tmp}/runtime-*/xauth_@{rand6} r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index bd5981dcf..309248e18 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde 
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -10,13 +10,10 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde profile xdg-desktop-portal-kde @{exec_path} { include - include - include include include include include - include network inet dgram, network inet6 dgram, @@ -24,43 +21,18 @@ profile xdg-desktop-portal-kde @{exec_path} { network inet6 stream, network netlink raw, - signal send set=term peer=kioworker, - @{exec_path} mr, #aa:exec kioworker - /usr/share/plasma/look-and-feel/** r, - /usr/share/thumbnailers/{,**} r, - - /etc/fstab r, - /etc/xdg/dolphinrc r, - - / r, - - owner @{HOME}/ r, - owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rw, - owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, - owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc rw, - owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.@{rand6} rwlk, - owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.lock rwk, - - owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, - owner @{PROC}/@{pid}/mountinfo r, - - /dev/shm/ r, /dev/tty r, include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers index 2fa8cc01f..62adb343b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers @@ -10,7 +10,7 @@ include profile xdg-desktop-portal-rewrite-launchers @{exec_path} { include include - include + include @{exec_path} mr, 
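Review bot: The `@@ -24,43 +21,18 @@` hunk drops `signal send set=term peer=kioworker` while the `#aa:exec kioworker` directive that spawns that child remains, so the portal can still start the worker but apparently no longer terminate it; if the kioworker profile is expected to receive a term signal from this peer, the rule should be kept. The same hunk also removes the `@{user_state_dirs}/xdg-desktop-portal-kdestaterc*` and `@{user_cache_dirs}/xdg-desktop-portal-kde/` rules without a replacement, which is worth confirming against a KDE session log before merging.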
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon deleted file mode 100644 index 2c6c37538..000000000 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/xdg-desktop-portal-validate-icon -profile xdg-desktop-portal-validate-icon @{exec_path} flags=(attach_disconnected) { - include - include - include - - capability dac_override, - - @{exec_path} mrix, - - @{bin}/bwrap ix, - - owner @{tmp}/icon@{rand6} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 84c0fce42..3c60c1cf6 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -9,11 +9,10 @@ include @{exec_path} = @{lib}/xdg-document-portal profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include + include include include - include include - include include capability sys_admin, @@ -30,8 +29,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), - #aa:dbus own bus=session name=org.freedesktop.portal.{Documents,FileTransfer} path=/org/freedesktop/portal/documents - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store + #aa:dbus own bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents dbus receive bus=session interface=org.freedesktop.DBus.Introspectable 
@@ -40,12 +38,11 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/flatpak rPx, + @{bin}/flatpak rPUx, @{bin}/fusermount{,3} rCx -> fusermount, - @{bin}/snap rPx, / r, - owner /att/**/ r, + owner @{att}/ r, owner @{att}/.flatpak-info r, owner @{HOME}/ r, @@ -66,12 +63,10 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { profile fusermount flags=(attach_disconnected) { include - include - include + include + capability sys_admin, capability dac_read_search, - capability dac_override, - capability setuid, mount options=(rw, rprivate) -> /, mount options=(rw, rbind) @{run}/user/@{uid}/ -> /, @@ -81,8 +76,17 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal), + @{bin}/fusermount{,3} mr, + + /etc/fuse{,3}.conf r, + owner @{run}/user/@{uid}/doc/ rw, + @{PROC}/@{pids}/mounts r, + + /dev/fuse rw, + @{att}/dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 9e6dbc2e0..15b73a2d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -59,12 +59,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { /dev/tty rw, - # file_inherit - deny /opt/*/** r, - deny owner @{user_config_dirs}/*/** rw, - deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - profile bus flags=(complain) { include include diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 3b15d9688..08cfc840c 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store 
@@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/xdg-permission-store profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include - include + include include include @@ -43,11 +43,10 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, - owner @{user_share_dirs}/flatpak/db/desktop-used-apps rw, + owner @{user_share_dirs}/flatpak/db/desktop-used-apps r, owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, - owner @{user_share_dirs}/flatpak/db/screencast r, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index dd7d17118..c142d137d 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -12,7 +12,6 @@ profile xdg-screensaver @{exec_path} flags=(complain) { include include include - include @{exec_path} r, @@ -28,6 +27,7 @@ profile xdg-screensaver @{exec_path} flags=(complain) { @{bin}/lockfile ix, @{bin}/mktemp ix, @{bin}/mv ix, + @{bin}/perl ix, @{bin}/readlink ix, @{bin}/realpath ix, @{bin}/rm ix, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index fd05bcee9..870d4cfe4 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -8,14 +8,14 @@ abi , include @{exec_path} = @{bin}/xdg-settings -profile xdg-settings @{exec_path} flags=(attach_disconnected) { +profile xdg-settings @{exec_path} { include include include @{exec_path} r, - @{sh_path} mr, + @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat ix, 
diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index feb1b9bd6..8892bd1ce 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,20 +9,14 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include - include - include - include - include + include @{exec_path} mr, - @{bin}/xdg-user-dirs-update Px, - owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, + owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, - owner @{tmp}/dirs-@{rand6} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 09c66d6ac..7177703a9 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -9,11 +9,13 @@ include @{exec_path} = @{bin}/xdg-user-dirs-update profile xdg-user-dirs-update @{exec_path} { include - include include @{exec_path} mr, + /etc/xdg/user-dirs.conf r, + /etc/xdg/user-dirs.defaults r, + owner @{desktop_config_dirs}/ rw, owner @{desktop_config_dirs}/user-dirs.dirs{,*} rw, owner @{desktop_config_dirs}/user-dirs.locale rw, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index a99e12b7a..dde1fe8c1 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -10,14 +10,13 @@ include @{exec_path} = @{bin}/xkbcomp profile xkbcomp @{exec_path} flags=(attach_disconnected) { include - include + include include include include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=xwayland), - unix (send,receive) type=stream addr=none peer=(label=kwin_wayland), @{exec_path} mr, 
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index bfec4405c..0f23d583c 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -45,11 +45,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { network netlink raw, - dbus send bus=system path=/org/freedesktop/login1/session/* - interface=org.freedesktop.login1.Session - member=ReleaseControl - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), - @{exec_path} mrix, @{sh_path} rix, @@ -92,17 +87,17 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner @{tmp}/server-* rwk, owner @{tmp}/serverauth.* r, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+dmi* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) - @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+platform:* r, # for ? @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+usb* r, # for USB mouse and keyboard @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx 
@@ -121,7 +116,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, @{sys}/devices/@{pci}/backlight/**/brightness rw, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/resource@{int} rw, @{sys}/devices/**/{uevent,name,id,config} r, @{sys}/devices/**/hid r, @{sys}/devices/**/power_supply/**/{type,online} r, @@ -133,9 +127,8 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{PROC}/ioports r, @{PROC}/mtrr rw, - /dev/ r, /dev/fb@{int} rw, - @{att}/dev/input/event@{int} rw, + /dev/input/event@{int} rw, /dev/input/mouse@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, diff --git a/apparmor.d/groups/freedesktop/xrandr b/apparmor.d/groups/freedesktop/xrandr index ed9e7a030..fc1935c4b 100644 --- a/apparmor.d/groups/freedesktop/xrandr +++ b/apparmor.d/groups/freedesktop/xrandr @@ -12,12 +12,8 @@ profile xrandr @{exec_path} { include include - capability dac_read_search, - @{exec_path} mr, - @{run}/sddm/xauth_@{rand6} r, - owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index c0ddcb359..bc1291ef4 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/xsetroot profile xsetroot @{exec_path} { include - include include capability dac_read_search, @@ -19,6 +18,10 @@ profile xsetroot @{exec_path} { @{exec_path} mr, + /usr/share/icons/{,**} r, + + owner @{HOME}/.icons/** r, + owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index a8950dbc6..05fb5a6fa 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland 
@@ -6,10 +6,9 @@ abi , include -@{exec_path} = @{bin}/Xwayland +@{exec_path} = @{bin}/Xwayland profile xwayland @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -20,8 +19,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=kwin_wayland, signal (receive) set=(term hup) peer=login, - unix type=stream peer=(label=gnome-shell), - unix type=stream peer=(label=kwin_wayland), + unix type=stream addr=none peer=(label=gnome-shell, addr=none), @{exec_path} mrix, @@ -31,11 +29,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/{,**} r, /usr/share/ghostscript/fonts/{,**} r, - / r, - - owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, - owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, - owner @{tmp}/server-@{int}.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/server-@{int}.xkm rw, @@ -43,6 +36,9 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cmdline r, + @{att}/dev/tty@{int} rw, + /dev/tty rw, + include if exists } diff --git a/apparmor.d/groups/gnome-extension/batteryhealthchargingctl b/apparmor.d/groups/gnome-extension/batteryhealthchargingctl deleted file mode 100644 index 4b1f7a138..000000000 --- a/apparmor.d/groups/gnome-extension/batteryhealthchargingctl +++ /dev/null 
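Review bot: `unix type=stream addr=none peer=(label=gnome-shell, addr=none)` in the `@@ -20,8 +19,7 @@` hunk removes the `kwin_wayland` peer, yet the context lines above keep `signal (receive) set=(term hup) peer=kwin_wayland`, so the profile still expects to be started by KWin but would no longer allow the socket it shares with it; the xkbcomp hunk earlier drops its `kwin_wayland` peer the same way. If KDE Wayland support is intentionally being handled elsewhere, a comment or commit-message note would help; otherwise a second rule `unix type=stream addr=none peer=(label=kwin_wayland, addr=none),` should stay.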
@@ -1,39 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/batteryhealthchargingctl{,-@{user}} -@{exec_path} += /usr/local/bin/batteryhealthchargingctl{,-@{user}} -profile batteryhealthchargingctl @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/env rix, - @{bin}/cmp rix, - @{bin}/cut rix, - @{bin}/pkaction rix, - @{bin}/sed rix, - @{bin}/sort rix, - - /etc/polkit-1/rules.d/*.batteryhealthcharging.setthreshold-@{user}.rules r, - - @{user_share_dirs}/gnome-shell/extensions/Battery-Health-Charging@maniacx.github.com/resources/** r, - - @{sys}/class/power_supply/ r, - @{sys}/devices/**/power_supply/BAT@{int}/charge_control_end_threshold w, - @{sys}/devices/**/power_supply/BAT@{int}/charge_control_start_threshold w, - @{sys}/devices/**/power_supply/BAT@{int}/charge_types rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell index 944d5e1d5..8c6372ba5 100644 --- a/apparmor.d/groups/gnome/chrome-gnome-shell +++ b/apparmor.d/groups/gnome/chrome-gnome-shell @@ -10,7 +10,6 @@ include profile chrome-gnome-shell @{exec_path} { include include - include include include include @@ -24,6 +23,8 @@ profile chrome-gnome-shell @{exec_path} { @{exec_path} mr, @{bin}/ r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels deleted file mode 100644 index 2bb38dfd5..000000000 --- a/apparmor.d/groups/gnome/decibels +++ /dev/null 
@@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/decibels @{bin}/org.gnome.Decibels -profile decibels @{exec_path} { - include - include - include - include - include - - @{exec_path} mr, - - @{bin}/gjs-console rix, - - @{open_path} rPx -> child-open-help, - - /usr/share/org.gnome.Decibels/{,**} r, - - owner @{user_music_dirs}/{,**} r, - owner @{user_pictures_dirs}/{,**} r, - owner @{user_torrents_dirs}/{,**} r, - owner @{user_videos_dirs}/{,**} r, - - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index 59b3c5d40..b7fc6a5b0 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor 
@@ -13,54 +13,27 @@ profile deja-dup-monitor @{exec_path} { include include include - include - include - include + include + include include - include - include - include network netlink raw, #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor - #aa:dbus talk bus=session name=org.gnome.DejaDup interface+=org.gtk.Actions label=deja-dup - - dbus send bus=session path=/org/gnome/DejaDup - interface=org.gtk.Actions - member=Activate - peer=(name=org.gnome.DejaDup), + #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*, label=NetworkManager), - dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=power-profiles-daemon), - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, - @{bin}/chrt rix, - @{bin}/ionice rix, - @{bin}/deja-dup Px, - - /usr/share/gvfs/remote-volume-monitors/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /var/tmp/ r, /tmp/ r, - @{run}/mount/utab r, - - owner @{PROC}/@{pid}/mountinfo r, - include if exists } diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index 2168382e0..88ec63ea7 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider 
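Review bot: The new `#aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup` carries no interface qualifier, whereas the hunk removes an explicit `dbus send ... interface=org.gtk.Actions member=Activate` rule that was scoped to the one call the monitor makes, so the directive presumably now grants send/receive on every interface exposed under that name. Unless the monitor really uses more than Activate, keep the directive interface-scoped, `#aa:dbus talk bus=session name=org.gnome.DejaDup interface=org.gtk.Actions label=deja-dup`, matching the style of the other directives in this diff. Note also that `@{bin}/deja-dup Px,` is removed; if the monitor still spawns the backup UI, that exec will now be denied, which could not be verified from the hunk alone.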
@@ -29,12 +29,10 @@ profile epiphany-search-provider @{exec_path} { @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, owner @{user_cache_dirs}/epiphany/{,**} rwk, - owner @{user_config_dirs}/epiphany/{,**} rw, owner @{user_share_dirs}/epiphany/{,**} rwk, - owner @{tmp}/ContentRuleList-@{rand6} rw, owner @{tmp}/ContentRuleList@{rand6} rw, - owner @{tmp}/SerializedNFA-@{rand6} rw, + owner @{tmp}/Serialized* rw, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 1b9051a4a..9f18395f2 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -11,11 +11,10 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include - include + include include - include include include include @@ -27,13 +26,10 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookCursor - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory - #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookView dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* - peer=(name=@{busname}), + peer=(name=:*), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* 
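Review bot: `owner @{tmp}/Serialized* rw,` widens the earlier `SerializedNFA-@{rand6}` pattern to any file in the shared temp directory whose name starts with `Serialized`, with no random-suffix shape; `owner` still limits it to the process's own uid, but in a world-writable `/tmp` that prefix is equally available to any other same-user process (the browser itself, extensions) to pre-create a file the search provider then opens read-write. If the intent is to cover a second WebKit file family, spell both out explicitly, e.g. `owner @{tmp}/SerializedNFA-@{rand6} rw,` plus the second concrete name, rather than a bare glob. The rest of the profile lies outside this hunk.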
@@ -41,12 +37,12 @@ profile evolution-addressbook-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties - peer=(name=@{busname}, label=evolution-*), + peer=(name=:*, label=evolution-*), dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}, label=evolution-source-registry), + peer=(name=:*, label=evolution-source-registry), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties @@ -56,16 +52,12 @@ profile evolution-addressbook-factory @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), - - dbus receive bus=session path=/org/gnome/evolution/dataserver/** - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=obexd), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, @{exec_path}-subprocess rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/@{int}.@{int}/*.dat r, owner @{user_share_dirs}/evolution/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 501685b22..ce8f799bb 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,7 +9,10 @@ include @{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include + include include + include + include include include include @@ -34,8 +37,6 @@ profile evolution-alarm-notify @{exec_path} { /etc/timezone r, - owner @{user_share_dirs}/evolution/datetime-formats.ini r, - include if exists } 
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 87cce8fbc..f856a06d2 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,10 +12,8 @@ profile evolution-calendar-factory @{exec_path} { include include include - include - include + include include - include include include include @@ -59,6 +57,11 @@ profile evolution-calendar-factory @{exec_path} { member=Complete peer=(name=org.freedesktop.DBus, label=gnome-calendar), + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member=Move + peer=(name=:*, label=gvfsd-metadata), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -67,12 +70,14 @@ profile evolution-calendar-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, owner @{user_share_dirs}/evolution/calendar/{,**} rwk, - owner @{user_share_dirs}/evolution/memos/system/{,**} rw, - owner @{user_share_dirs}/evolution/tasks/system/{,**} rw, + owner @{user_share_dirs}/evolution/tasks/system/ w, + owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw, owner @{user_share_dirs}/gvfs-metadata/{,*} r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 0732646b5..379ea5bef 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,12 +10,10 @@ include profile evolution-source-registry @{exec_path} { include include - include + include include - include include include - include include network inet stream, 
@@ -48,6 +46,8 @@ profile evolution-source-registry @{exec_path} { @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, diff --git a/apparmor.d/groups/gnome/gcr-prompter b/apparmor.d/groups/gnome/gcr-prompter index 6bcbd1cc0..a1e323c87 100644 --- a/apparmor.d/groups/gnome/gcr-prompter +++ b/apparmor.d/groups/gnome/gcr-prompter @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gcr-prompter profile gcr-prompter @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 3f958cb7e..6bafb132b 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/gdm @{sbin}/gdm3 +@{exec_path} = @{bin}/gdm{3,} profile gdm @{exec_path} flags=(attach_disconnected) { include include @@ -17,11 +17,9 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_override, capability dac_read_search, - capability fowner, capability fsetid, capability kill, capability net_admin, - capability sys_admin, capability sys_nice, capability sys_tty_config, @@ -36,8 +34,13 @@ profile gdm @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.gnome.DisplayManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, 
@@ -47,7 +50,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{bin}/plymouth rPx, @{bin}/prime-switch rPUx, @{bin}/sleep rix, - @{bin}/systemd-cat rix, + @{bin}/systemd-cat rPx, @{lib}/{,gdm/}gdm-session-worker rPx, /etc/gdm{3,}/PrimeOff/Default rix, @@ -55,7 +58,6 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, - /etc/.pwd.lock rwk, /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, @@ -68,17 +70,18 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /var/log/gdm{3,}/ rw, - @{GDM_HOME}/ rw, - @{GDM_HOME}/** rw, + owner @{GDM_HOME}/block-initial-setup rw, - @{run}/gdm{,3}/ rw, - owner @{run}/gdm{,3}.pid rw, - owner @{run}/gdm{,3}/dbus/ rw, - owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw, - - @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/sessions/* r, - @{run}/systemd/users/@{uid} r, + @{run}/gdm{3,}/greeter/ rw, + @{run}/systemd/seats/seat@{int} r, + @{run}/systemd/sessions/* r, + @{run}/systemd/users/@{uid} r, + owner @{run}/gdm{3,}.pid rw, + owner @{run}/gdm{3,}/ rw, + owner @{run}/gdm{3,}/custom.conf r, + owner @{run}/gdm{3,}/dbus/ w, + owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, + owner @{run}/gdm{3,}/gdm.pid rw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @@ -89,7 +92,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/virtual/tty/tty@{int}/active r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cgroup.events r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cgroup.events r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index c5e6d4cd5..dc11e8169 100644 
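Review bot: `@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cgroup.events r,` in the last gdm hunk only matches numeric session ids, but the greeter session gdm runs inside the `gdm` user's slice is typically named by logind with a letter prefix (`session-c1.scope`), so this read would presumably be denied for the very session gdm manages. Use a pattern that accepts that form, e.g. `session-{c,}@{int}.scope`, or keep `@{word}` if the id format cannot be pinned down. The narrowing of `@{GDM_HOME}/** rw` to `owner @{GDM_HOME}/block-initial-setup rw,` in the preceding hunk is a welcome privilege reduction. The gdm profile continues outside these hunks.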
--- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -18,15 +18,13 @@ profile gdm-generate-config @{exec_path} { capability setgid, capability setuid, - # ptrace read, - @{exec_path} mr, @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rCx -> &pgrep, - @{bin}/pkill rCx -> &pgrep, + @{bin}/pgrep rix, + @{bin}/pkill rix, @{bin}/setpriv rix, @{bin}/setsid rix, @@ -34,7 +32,8 @@ profile gdm-generate-config @{exec_path} { /usr/share/gdm{3,}/{,**} r, /var/lib/ r, - @{GDM_HOME}/ rw, + @{GDM_HOME}/ r, + owner @{GDM_HOME}/ rw, owner @{GDM_HOME}/greeter-dconf-defaults rw, owner @{GDM_HOME}/greeter-dconf-defaults.@{rand6} rw, @@ -42,22 +41,11 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, - @{PROC}/tty/drivers r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, @{PROC}/uptime r, - profile pgrep { - include - include - - @{bin}/pkill mr, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gnome/gdm-prime-defaut b/apparmor.d/groups/gnome/gdm-prime-defaut index eea0ee3b3..189e166f2 100644 --- a/apparmor.d/groups/gnome/gdm-prime-defaut +++ b/apparmor.d/groups/gnome/gdm-prime-defaut @@ -12,9 +12,6 @@ profile gdm-prime-defaut @{exec_path} flags=(complain) { @{exec_path} mr, - @{sh_path} r, - @{bin}/prime-offload ix, - include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 5d2e3e21e..4e3440656 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session 
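Review bot: Switching `@{bin}/pgrep` and `@{bin}/pkill` from `rCx -> &pgrep` to `rix` and deleting the `pgrep` child profile means both tools now run with gdm-generate-config's full rule set, including `capability setgid,`/`capability setuid,` at the top of the hunk and the write access to `@{GDM_HOME}/`; the child profile existed precisely to keep a process-matching tool that scans every `/proc/<pid>/` entry away from those rights, and pkill additionally sends signals based on what it matches. Restore `@{bin}/pgrep rCx -> &pgrep,` and `@{bin}/pkill rCx -> &pgrep,` with a child profile holding only the `@{PROC}/@{pid}/{cmdline,stat,status}` reads and the signal rule it needs. The hunk also drops `@{PROC}/@{pids}/status r,` and `@{PROC}/tty/drivers r,`; procps opens `status` as well as `stat` for uid matching, so check the audit log after this change.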
@@ -11,15 +11,14 @@ profile gdm-session @{exec_path} { include include include - include - include + include + include - signal receive set=(hup term) peer=gdm-session-worker, - signal receive set=(term) peer=gdm, - signal send set=(term) peer=dbus-session, - signal send set=(term) peer=gnome-session-binary, - signal send set=(term) peer=xorg, - signal send set=term peer=gnome-session, + signal (receive) set=(hup term) peer=gdm-session-worker, + signal (receive) set=(term) peer=gdm, + signal (send) set=(term) peer=dbus-session, + signal (send) set=(term) peer=gnome-session-binary, + signal (send) set=(term) peer=xorg, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 3bab1b134..59e6df788 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker 
@@ -31,31 +31,30 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { network netlink raw, network unix stream, - signal receive set=term peer=gdm, - signal send set=(hup term) peer=gdm-session, - signal send set=hup peer=at-spi*, - signal send set=hup peer=dbus-accessibility, - signal send set=hup peer=dbus-session, - signal send set=hup peer=dconf-service, - signal send set=hup peer=gjs-console, - signal send set=hup peer=gnome-*, - signal send set=hup peer=gsd-*, - signal send set=hup peer=ibus-*, - signal send set=hup peer=mutter-x11-frames, - signal send set=hup peer=tracker-miner, - signal send set=hup peer=xdg-*, - signal send set=hup peer=xorg, - signal send set=hup peer=xwayland, + signal (receive) set=term peer=gdm, + signal (send) set=(hup term) peer=gdm-session, + signal (send) set=hup peer=at-spi*, + signal (send) set=hup peer=dbus-accessibility, + signal (send) set=hup peer=dbus-session, + signal (send) set=hup peer=dconf-service, + signal (send) set=hup peer=gjs-console, + signal (send) set=hup peer=gnome-*, + signal (send) set=hup peer=gsd-*, + signal (send) set=hup peer=ibus-*, + signal (send) set=hup peer=mutter-x11-frames, + signal (send) set=hup peer=tracker-miner, + signal (send) set=hup peer=xdg-*, + signal (send) set=hup peer=xorg, + signal (send) set=hup peer=xwayland, - unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, + unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system, - #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" - #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={*Session,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + peer=(name=org.freedesktop.login1, 
label=systemd-logind), @{exec_path} mrix, @@ -99,7 +98,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /.fscrypt/protectors/ r, owner /.fscrypt/protectors/@{hex16} r, - #aa:lint ignore=tunables /home/ r, /home/.fscrypt/policies/ r, owner /home/.fscrypt/policies/@{hex32} r, @@ -109,7 +107,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/ w, - @{run}/cockpit/active.issue r, @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, owner @{run}/user/@{uid}/keyring/control rw, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 2882c3d9e..03e77816c 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -11,7 +11,6 @@ profile gdm-xsession @{exec_path} { include include include - include include include @@ -52,6 +51,7 @@ profile gdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/Xsession rPx, @{lib}/gnome-session-binary rPx, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/im-config/data/{,*} r, /usr/share/im-config/xinputrc.common r, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 3652dd6e9..5e013012e 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -18,8 +18,6 @@ include profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include - include - include include include include @@ -32,8 +30,6 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { @{bin}/gnome-terminal rPUx, @{lib}/gio-launch-desktop rix, - @{lib}/*/** rPx, - @{lib}/* rPx, owner @{HOME}/{,**} rw, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs deleted file mode 100644 index de9d25a14..000000000 --- a/apparmor.d/groups/gnome/gjs +++ /dev/null 
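Review bot: The first gdm-session-worker hunk removes the `#aa:dbus talk bus=system name=org.freedesktop.home1 ... label="@{p_systemd_homed}"` directive without a replacement, so on hosts whose users are managed by systemd-homed the worker's `org.freedesktop.home1.Manager` calls during login would presumably be denied, and since this is the component that authenticates and activates the home, the failure mode is a login that cannot proceed. If homed support is meant to be dropped, record that in a comment in the profile header; otherwise keep the directive. The same hunk replaces the `@{p_systemd_logind}` tunable with the literal `label=systemd-logind`, which no longer matches an unconfined logind on systems that do not ship that profile — worth confirming the tunable really is unavailable on this side of the tree. The profile header and most of its file rules sit outside this hunk.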
@@ -1,133 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# GNOME JavaScript interpreter. It is used to run some gnome internal app -# as well as third party extensions. -# -# Therefore, by default, some extension are confined under this profile. To fix -# this, the various programs using gjs must never run gjs as module, they need -# to run it as executable with a specific script. -# -# This currently concerns: -# - gnome-extension-ding (used to not be started as a module) -# - org.gnome.ScreenSaver (simple dbus service) -# - org.gnome.Shell.Extensions (full UI app, requires gnome-strict, graphics, ...) -# - org.gnome.Shell.Notifications (simple dbus service) -# - org.gnome.Shell.Screencast (simple dbus service) - -abi , - -include - -@{exec_path} = @{bin}/gjs-console -profile gjs @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - - # Only needed by org.gnome.Shell.Extensions - include - include - - # Only needed by gnome-extension-ding - include - include - include - include - include - include - include - include - - unix type=stream peer=(label=gnome-shell), - - signal receive set=(term hup) peer=gdm, - - #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions - #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - #aa:dbus own bus=session name=org.gnome.Shell.Screencast - 
#aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell - - #aa:dbus own bus=session name=org.freedesktop.Notifications - #aa:dbus own bus=session name=org.gnome.ScreenSaver - #aa:dbus own bus=session name=org.gnome.Shell.Extensions - #aa:dbus own bus=session name=org.gnome.Shell.Notifications - - @{exec_path} mrix, - - # gnome-extension-ding - @{sh_path} rix, - @{bin}/env rix, - @{bin}/gnome-control-center rPx, - @{bin}/nautilus rPx, - - @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, - @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, - @{lib}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, - - /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/gnome-shell/{,**} r, - /usr/share/xkeyboard-config-2/{,**} r, - /usr/share/thumbnailers/{,**} r, - - owner @{gdm_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin r, - owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - - owner @{user_cache_dirs}/gstreamer-1.0/ rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - - owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, - owner @{user_share_dirs}/nautilus/scripts/ r, - - owner @{user_desktop_dirs}/ r, - owner @{user_templates_dirs}/ r, - - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/dri/ r, - - deny @{user_share_dirs}/gvfs-metadata/* r, - - profile gstreamer { - include - include - include - include - include - - network (bind create getattr setopt getopt) netlink raw, - - @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mr, - 
@{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr, - @{lib}/gstreamer-1.0/gst-plugin-scanner mr, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console new file mode 100644 index 000000000..20d5e48d5 --- /dev/null +++ b/apparmor.d/groups/gnome/gjs-console 
@@ -0,0 +1,93 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# TODO: GNOME JavaScript interpreter. It is used to run some gnome internal app +# as well as third party extensions. Therefore, by default, some extension are +# confined under this profile. The resulting profile is quite broad. +# This architecture needs to be rethinked. + +abi , + +include + +@{exec_path} = @{bin}/gjs-console +profile gjs-console @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + include + include + include + include + + network netlink raw, + + signal (receive) set=(term hup) peer=gdm*, + + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.gnome.ScreenSaver + #aa:dbus own bus=session name=org.gnome.Shell.Extensions + #aa:dbus own bus=session name=org.gnome.Shell.Notifications + #aa:dbus own bus=session name=org.gnome.Shell.Screencast + + #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell + + dbus send bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/gnome/Shell + interface=org.gnome.Shell.Extensions + member=ListExtensions + peer=(name=:*, label=gnome-shell), + + @{exec_path} mr, + + @{bin}/ r, + @{bin}/* PUx, + @{lib}/** PUx, + + /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + + /etc/openni2/OpenNI.ini r, + + /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gnome-shell/{,**} r, + + /tmp/ r, + /var/tmp/ r, + + owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl, + owner 
@{gdm_cache_dirs}/gstreamer-1.0/ rw, + owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + owner @{gdm_config_dirs}/dconf/user r, + owner @{GDM_HOME}/greeter-dconf-defaults r, + + owner @{HOME}/ r, + + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_cache_dirs}/gstreamer-1.0/ rw, + owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index cd46dd069..41ebab653 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -13,12 +13,10 @@ profile gnome-boxes @{exec_path} { include include include - include include include include include - include include include include @@ -34,11 +32,9 @@ profile gnome-boxes @{exec_path} { @{open_path} rPx -> child-open, - @{bin}/qemu-img rix, - @{bin}/virsh rCx -> virsh, @{bin}/virtqemud rPUx, + @{bin}/virsh rCx -> virsh, - /usr/share/ladspa/rdf/{,*} r, /usr/share/osinfo/{,**} r, /usr/share/gnome-boxes/{,**} r, @@ -58,9 +54,6 @@ profile gnome-boxes @{exec_path} { owner @{user_config_dirs}/gnome-boxes/ rw, owner @{user_config_dirs}/gnome-boxes/** rwk, - owner @{user_share_dirs}/gnome-boxes/ rw, - owner @{user_share_dirs}/gnome-boxes/** rwk, - owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.iso-@{rand6} rw, owner @{tmp}/*.svg-@{rand6} rw, 
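Review bot: `@{bin}/* PUx,` and `@{lib}/** PUx,` in the new gjs-console profile let an interpreter that, per its own header comment, also runs third-party extensions spawn essentially any executable on the system, and the `U` fallback means anything without its own profile runs unconfined — the TODO admits the profile is broad, but this pair of rules is what neutralizes confinement rather than merely relaxing it. Enumerate the launch targets the shipped extensions actually need, as is already done for gsconnect with `rPx`, and use `rPx` or `rCx` (never `U`) for them, so a compromise of extension code stays inside a profile instead of escaping to unconfined. `/dev/tty rw,` without `owner` and `owner @{HOME}/ r,` are also wider than a desktop service needs and deserve a why-comment if they must stay. As this is a new file, the whole profile is visible in this hunk.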
@@ -70,9 +63,6 @@ profile gnome-boxes @{exec_path} { @{run}/mount/utab r, - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - - @{sys}/devices/@{pci}/usb@{int}/** r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Boxes.slice/*/memory.* r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @@ -80,7 +70,6 @@ profile gnome-boxes @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index e95762b6a..d31811152 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -11,14 +11,15 @@ profile gnome-browser-connector-host @{exec_path} { include include include - include @{exec_path} mr, @{bin}/env rix, - @{python_path} rix, + @{bin}/python3.@{int} rix, - @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, + @{lib}/python3.@{int}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 4ab9b165f..2e553d9f4 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -7,10 +7,9 @@ abi , include @{exec_path} = @{bin}/gnome-calculator -profile gnome-calculator @{exec_path} flags=(attach_disconnected) { +profile gnome-calculator @{exec_path} { include include - include include # Needed to get currency exchange rates 
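Review bot: `@{lib}/python3.@{int}/site-packages/gnome_browser_connector/__pycache__/{,**} rw,` authorizes a process that, by its name, serves browser native-messaging requests to write bytecode into a system library directory; DAC normally stops an ordinary user, so the rule mainly matters when the host runs with rights that bypass it, and then it is a persistence path since a planted `.pyc` is what the next launch imports. Make it `owner`-less read-only, `@{lib}/python3.@{int}/site-packages/gnome_browser_connector/__pycache__/{,**} r,`, and rely on install-time precompilation — or document in a comment why runtime writes are required. The switch from `@{python_path}`/`@{python_name}` to `@{bin}/python3.@{int}` and `python3.@{int}` also loses whatever interpreter names those tunables abstract (a plain `python3` shebang, for instance), which should be verified against the script on the target distributions.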
@@ -20,8 +19,6 @@ profile gnome-calculator @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.Calculator - @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 8400f03c1..2eaacdefb 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -17,14 +17,12 @@ profile gnome-calculator-search-provider @{exec_path} { signal (send) set=kill peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface=org.gnome.Shell.SearchProvider2 @{exec_path} mrix, @{bin}/* rPUx, - owner @{user_cache_dirs}/gnome-calculator/* r, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 2173e3d62..97309c1a7 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar 
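Review bot: Removing `#aa:dbus own bus=session name=org.gnome.Calculator` from gnome-calculator while the profile keeps its D-Bus includes leaves no visible rule allowing the application to claim its own well-known name; a GtkApplication normally registers that name at startup, so unless an include not shown here provides it, expect a `RequestName` denial in the audit log and a fallback to a non-unique instance. Keep the directive, or note in a comment which include now covers it. Dropping `flags=(attach_disconnected)` is only safe if no remaining rule relies on disconnected paths — check for `@{att}` uses outside this hunk. The profile continues beyond the hunk.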
@@ -23,19 +23,19 @@ profile gnome-calendar @{exec_path} {
 #aa:dbus own bus=session name=org.gnome.Calendar
- #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
- #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
- #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar path=/org/gnome/evolution/dataserver/ label=evolution-calendar-factory
 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory
- #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarFactory label=evolution-calendar-factory
 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory
- #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source path=/org/gnome/evolution/dataserver/ label=evolution-source-registry
- #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry
- #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Subprocess label=evolution-calendar-factory
+ #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry
+ #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry
 #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon
 #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
- #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell
+ #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue
+
+ dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
+ interface=org.freedesktop.DBus.ObjectManager
+ member=GetManagedObjects
+ peer=(name=:*, label=evolution-source-registry),
 @{exec_path} mr,
 @{open_path} rPx -> child-open-help,
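Review bot: The new `#aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue` line hardcodes the peer profile name where the removed line used `label="@{p_geoclue}"`, and the same literal-for-variable substitution is made in gnome-firmware, gnome-keyring-daemon, gnome-session-binary, gnome-control-center and gnome-shell, while `label="@{p_dbus_session}"` and `label="@{p_dbus_system}"` are kept in those same profiles. If the `@{p_*}` variables exist so that a peer label can follow a distribution-specific profile name, the literal only matches the default name and the talk rule silently stops matching elsewhere; please confirm that every dropped `@{p_*}` has a single fixed profile name, or keep the variable form for consistency with the dbus ones. The profile block this hunk belongs to starts and ends outside the hunk.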
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters
index b5ae5672a..9ae8a7b8a 100644
--- a/apparmor.d/groups/gnome/gnome-characters
+++ b/apparmor.d/groups/gnome/gnome-characters
@@ -11,12 +11,11 @@ profile gnome-characters @{exec_path} {
 include
 include
 include
- include
 include
 include
 include
- #aa:dbus own bus=session name=org.gnome.Characters
+ #aa:dbus own bus=session name=org.gnome.Characters interface=org.gnome.Shell.SearchProvider2
 @{exec_path} mr,
@@ -28,6 +27,8 @@ profile gnome-characters @{exec_path} {
 /usr/share/xml/iso-codes/{,**} r,
 owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/status r,
 owner @{PROC}/@{pid}/task/@{tid}/stat r,
 include if exists
diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks
index 92886c887..fd6ded04f 100644
--- a/apparmor.d/groups/gnome/gnome-clocks
+++ b/apparmor.d/groups/gnome/gnome-clocks
@@ -10,16 +10,16 @@ include
 profile gnome-clocks @{exec_path} {
 include
 include
- include
+ include
 include
+ include
 include
 include
 include
 network netlink raw,
- #aa:dbus own bus=session name=org.gnome.clocks interface+=org.gtk.Actions
- #aa:dbus own bus=session name=org.gnome.clocks.SearchProvider interface+=org.gnome.Shell.SearchProvider2
+ #aa:dbus own bus=session name=org.gnome.clocks
 @{exec_path} mr,
 @{open_path} rPx -> child-open-help,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 9f78fb4fd..00bc15f19 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -10,17 +10,17 @@ include
 profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
+ include
 include
 include
+ include
 include
- include
+ include
 include
 include
 include
 include
 include
- include
 include
 include
 include
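Review bot: In the gnome-clocks hunk the two own rules collapse into `#aa:dbus own bus=session name=org.gnome.clocks`, so ownership of `org.gnome.clocks.SearchProvider` is no longer declared for this profile; if the same binary also registers that name, as the removed line suggests, its name request will now be denied unless an include grants it. Either keep `#aa:dbus own bus=session name=org.gnome.clocks.SearchProvider` or add a comment naming the profile that now owns it, e.g. `# org.gnome.clocks.SearchProvider is owned by <PROFILE-PLACEHOLDER> — TODO confirm`. The commit is also inconsistent about interface qualifiers on own directives: gnome-characters gains `interface=org.gnome.Shell.SearchProvider2` while gnome-clocks here and gnome-control-center-search-provider in a later hunk drop theirs; one convention per search-provider profile would be easier to audit. The enclosing profiles start and end outside these hunks.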
@@ -32,59 +32,39 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 network inet6 stream,
 network netlink raw,
- signal send set=kill peer=unconfined,
- signal send set=kill peer=passwd,
+ signal (send) set=(kill) peer=unconfined,
+ signal (send) set=(kill) peer=passwd,
+
+ unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
 #aa:dbus own bus=session name=org.gnome.Settings
- #aa:dbus own bus=session name=org.bluez.obex.Agent1
- #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd
- #aa:dbus talk bus=session name=org.bluez.obex label=obexd
- #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store
 #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
- #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}"
- #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*"
+ #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
 #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell
- #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences
- #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control
- #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}"
- #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
- #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd
- #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
- #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
- #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
- #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
+ #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
 #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
- #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
- #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
- #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
- #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
- #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
-
- dbus send bus=system path=/org/freedesktop
- interface=org.freedesktop.DBus.ObjectManager
- member=GetManagedObjects
- peer=(name=@{busname}, label=NetworkManager),
+ #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd
 @{exec_path} mr,
 @{bin}/@{shells} rUx,
 @{bin}/gcm-viewer rix,
- @{bin}/{,e}grep rix,
+ @{bin}/grep rix,
 @{bin}/locale rix,
 @{bin}/sed rix,
- @{bin}/tecla rPx,
+ @{bin}/tecla rix,
 @{bin}/bwrap rCx -> bwrap,
 @{bin}/gkbd-keyboard-display rPx,
 @{bin}/gnome-software rPx,
- @{sbin}/openvpn rPx,
+ @{bin}/openvpn rPx,
 @{bin}/passwd rPx,
 @{bin}/pkexec rCx -> pkexec,
 @{bin}/software-properties-gtk rPx,
- @{sbin}/usermod rPx,
+ @{bin}/usermod rPx,
 @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
 @{lib}/cups/backend/snmp rPx,
 @{lib}/gnome-control-center-goa-helper rPx,
@@ -94,6 +74,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{open_path} rPx -> child-open-any,
+ /opt/**/share/icons/{,**} r,
 /snap/*/@{int}/**.png r,
 /usr/share/backgrounds/{,**} r,
 /usr/share/cups/data/testprint r,
@@ -109,10 +90,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 /usr/share/wallpapers/{,**} r,
 /usr/share/xml/iso-codes/{,**} r,
- @{etc_ro}/security/pwquality.conf r,
- @{etc_ro}/security/pwquality.conf.d/{,**} r,
 /etc/machine-info r,
 /etc/rygel.conf r,
+ /etc/security/pwquality.conf r,
+ /etc/security/pwquality.conf.d/{,**} r,
 /etc/fstab r,
 /etc/machine-id r,
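Review bot: `@{bin}/tecla rix,` replaces `rPx`, so the keyboard-layout viewer now inherits the whole gnome-control-center profile (including `@{bin}/passwd rPx`, `@{bin}/usermod rPx`, the system-bus talk rules and, from a later hunk of this file, `/dev/video@{int} rw`) instead of running under its own profile. If the dedicated tecla profile is being dropped — the gnome-shell hunk below removes `@{bin}/tecla rPx` as well — a child profile via `@{bin}/tecla rCx -> tecla,` holding only what the viewer needs would keep it confined; if `rix` is deliberate, a comment stating why inheriting is acceptable belongs next to it. The added `unix (send, receive, connect) ... peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),` rule is reasonable but matches every user's ibus socket, so note in a comment that the `@/home/*` glob is intended. The profile block starts and ends outside the hunk.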
@@ -130,14 +111,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
- owner @{user_cache_dirs}/thumbnails/fail/gnome-thumbnail-factory/@{hex32}.png.@{rand6} rw,
 owner @{user_config_dirs}/background rw,
 owner @{user_config_dirs}/gnome-control-center/{,**} rw,
 owner @{user_config_dirs}/ibus/bus/ r,
 owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
- owner @{user_config_dirs}/mimeapps.list w,
- owner @{user_config_dirs}/mimeapps.list.@{rand6} rw,
+ owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
 owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw,
 owner @{user_games_dirs}/**.png r,
@@ -164,7 +143,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
 @{run}/udev/data/c13:@{int} r, # for /dev/input/*
 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
- @{run}/udev/data/n@{int} r, # For network interfaces
+ @{run}/udev/data/n@{int} r,
 @{sys}/bus/ r,
 @{sys}/class/ r,
@@ -197,6 +176,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/task/*/comm rw,
 /dev/ r,
+ /dev/media@{int} r,
+ /dev/video@{int} rw,
 deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
@@ -212,7 +193,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 profile pkexec {
 include
 include
-
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
index 8b813d260..1fa7d7050 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
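Review bot: `/dev/video@{int} rw,` and `/dev/media@{int} r,` in the `@@ -197` hunk give the settings application read/write on every capture device without a comment explaining the need, although the neighbouring udev rules in this file each carry one; suggest `/dev/video@{int} rw, # TODO(review): confirm which panel needs write access to capture devices` so the grant does not look accidental. In the `@@ -164` hunk the explanatory comment on `@{run}/udev/data/n@{int} r,` is dropped while the three rules above it keep theirs, which is a style regression; keep `# For network interfaces` for consistency. In the `@@ -130` hunk, `owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,` also adds read on `mimeapps.list` where the old side only had `w`; probably intended, but worth stating in the commit message. The profile block starts and ends outside these hunks.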
@@ -9,9 +9,12 @@ include
 @{exec_path} = @{lib}/gnome-control-center-goa-helper
 profile gnome-control-center-goa-helper @{exec_path} {
 include
- include
+ include
 include
 include
+ include
+ include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
index cbd1f1a75..59679deb8 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@@ -9,7 +9,9 @@ include
 @{exec_path} = @{lib}/gnome-control-center-print-renderer
 profile gnome-control-center-print-renderer @{exec_path} {
 include
+ include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider
index 6d24e72c1..3dfd1bf03 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-search-provider
+++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider
@@ -10,12 +10,11 @@ include
 profile gnome-control-center-search-provider @{exec_path} {
 include
 include
- include
 include
 include
 include
- #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider interface+=org.gnome.Shell.SearchProvider2
+ #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers
index 8c637920b..436d82443 100644
--- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers
+++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers
@@ -27,9 +27,6 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) {
 owner @{tmp}/gnome-desktop-thumbnailer.png w,
 owner @{tmp}/gsf-thumbnailer-@{rand6} rw, - owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, - owner /dev/shm/lttng-ust-wait-@{int} rw, - - include if exists }
diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter
index d9959691b..379a887b3 100644
--- a/apparmor.d/groups/gnome/gnome-disk-image-mounter
+++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter
@@ -9,15 +9,10 @@ include
 @{exec_path} = @{bin}/gnome-disk-image-mounter
 profile gnome-disk-image-mounter @{exec_path} {
 include
- include
- include
- include
 include
 include
 include
- #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
-
 @{exec_path} mr,
 # Allow to mount user files
diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension
deleted file mode 100644
index e13eca832..000000000
--- a/apparmor.d/groups/gnome/gnome-extension
+++ /dev/null
@@ -1,29 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-# gjs started from gnome-shell should (in theory) only run gnome extensions.
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/gjs-console
-profile gnome-extension {
- include
- include
- include
- include
- include
- include
-
- @{exec_path} mr,
-
- owner @{PROC}/@{pid}/mounts r,
- owner @{PROC}/@{pid}/stat r,
- owner @{PROC}/@{pid}/task/@{tid}/stat r,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 9f848be8e..068469606 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -9,28 +9,31 @@ include
 @{share_dirs} = /usr/share/gnome-shell/extensions/ding@rastersoft.com
 @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ding@rastersoft.com
-@{exec_path} = @{share_dirs}/app/{ding,createThumbnail}.js
+@{exec_path} = @{share_dirs}/{,app/}ding.js
 profile gnome-extension-ding @{exec_path} {
 include
 include
+ include
 include
 include
 include
+ include
 include
- include
- include
- include
- include
- include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
 include
 include
 include
- include
 unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
- #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions
- #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions
+ #aa:dbus own bus=session name=com.rastersoft.ding interface=org.gtk.Actions
+ #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface=org.gtk.Actions
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus.Introspectable
@@ -44,6 +47,11 @@ profile gnome-extension-ding @{exec_path} {
 interface=org.freedesktop.DBus*
 peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+ dbus send bus=session path=/org/gtk/vfs/metadata
+ interface=org.gtk.vfs.Metadata
+ member=Set
+ peer=(name=:*, label=gvfsd-metadata),
+
 @{exec_path} mr,
 @{sh_path} rix,
@@ -55,8 +63,8 @@ profile gnome-extension-ding @{exec_path} {
 @{share_dirs}/{,**} r,
 /usr/share/thumbnailers/{,*.thumbnailer} r,
- owner @{user_desktop_dirs}/ r,
- owner @{user_templates_dirs}/ r,
+ owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r,
+ owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
 owner @{user_share_dirs}/nautilus/scripts/ r,
diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect
index 2592eb77e..4c4b00c5d 100644
--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
@@ -9,27 +9,18 @@ include
 @{share_dirs} = /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io
 @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io
-@{exec_path} = @{share_dirs}/service/daemon.js @{share_dirs}/gsconnect-preferences
+@{exec_path} = @{share_dirs}/service/daemon.js
 profile gnome-extension-gsconnect @{exec_path} {
 include
 include
+ include
 include
 include
- include
- include
- include
- include
- include
- include
- include
- include
 include
 include
 include
- include
 include
 include
- include
 network inet dgram,
 network inet6 dgram,
@@ -37,10 +28,6 @@ profile gnome-extension-gsconnect @{exec_path} {
 network inet6 stream,
 network netlink raw,
- #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect interface+=org.gtk.{Actions,Menus}
-
- dbus eavesdrop bus=session,
-
 @{exec_path} mr,
 @{sh_path} rix,
@@ -49,9 +36,8 @@ profile gnome-extension-gsconnect @{exec_path} {
 @{bin}/openssl rix,
 @{bin}/ssh-add rix,
- @{bin}/dconf rPx,
- @{bin}/ssh-keygen rPx,
- @{bin}/xdg-screensaver rPx,
+ @{bin}/ssh-keygen rPx,
+ @{bin}/xdg-screensaver rPx,
 @{lib}/gio/modules/*.so* rm,
 @{lib}/girepository-1.0/* r,
@@ -67,22 +53,15 @@ profile gnome-extension-gsconnect @{exec_path} {
 owner @{user_config_dirs}/mimeapps.list w,
 owner @{user_config_dirs}/mimeapps.list.@{rand6} rw,
- owner @{HOME}/.mozilla/firefox/firefox-mpris/@{word}.png r,
-
- owner @{tmp}/.org.chromium.Chromium.@{rand6} r,
-
- owner @{run}/user/@{uid}/gsconnect/{,**} rw,
- owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
- owner @{run}/user/@{uid}/keyring/ssh rw,
+ owner @{run}/user/@{uid}/gsconnect/ w,
 @{sys}/devices/virtual/dmi/id/chassis_type r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/stat r,
+ owner @{PROC}/@{pid}/status r,
 owner @{PROC}/@{pid}/task/@{tid}/stat r,
- deny @{user_share_dirs}/gvfs-metadata/* r,
-
 include if exists
 }
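Review bot: After this change the profile keeps `@{bin}/ssh-add rix,` but the last hunk drops `owner @{run}/user/@{uid}/keyring/ssh rw,`, and the first hunk removes every `#aa:dbus own` line for the extension's service name; unless the remaining includes provide the agent socket and the bus name, ssh-add will be denied the socket and the daemon's name request will fail. Please confirm both are covered elsewhere, or keep `owner @{run}/user/@{uid}/keyring/ssh rw,` next to the `ssh-add` rule and restore one own rule for the service name. Dropping `dbus eavesdrop bus=session,` and narrowing `gsconnect/{,**} rw` to `gsconnect/ w` are good tightenings and deserve a mention in the commit message. The profile block starts outside the first hunk.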
diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app
index 0a65c95f2..f1e229b59 100644
--- a/apparmor.d/groups/gnome/gnome-extensions-app
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@@ -22,6 +22,7 @@ profile gnome-extensions-app @{exec_path} {
 /usr/share/terminfo/** r,
 owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pids}/stat r,
 owner @{PROC}/@{pids}/task/@{tid}/stat r,
 /dev/tty rw,
diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware
index 706c16e87..af44afbec 100644
--- a/apparmor.d/groups/gnome/gnome-firmware
+++ b/apparmor.d/groups/gnome/gnome-firmware
@@ -20,8 +20,8 @@ profile gnome-firmware @{exec_path} {
 network inet6 stream,
 network netlink raw,
- #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/
- #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
+ #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/
+ #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
 @{exec_path} mr,
 @{open_path} rPx -> child-open-help,
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup
index 7439e0fb6..d27ccb8bb 100644
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@@ -9,10 +9,13 @@ include
 @{exec_path} = @{lib}/gnome-initial-setup
 profile gnome-initial-setup @{exec_path} {
 include
+ include
 include
 include
+ include
 include
 include
+ include
 include
 include
 include
@@ -26,12 +29,7 @@ profile gnome-initial-setup @{exec_path} {
 network inet6 stream,
 network netlink raw,
- #aa:dbus own bus=session name=org.gnome.InitialSetup interface+=org.gtk.Actions
-
- dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager
- interface=org.freedesktop.DBus.Properties
- member=Get
- peer=(name=com.canonical.UbuntuAdvantage),
+ #aa:dbus own bus=session name=org.gnome.InitialSetup interface=org.gtk.Actions
 @{exec_path} mr,
@@ -43,14 +41,13 @@ profile gnome-initial-setup @{exec_path} {
 @{bin}/xrandr rPx,
 @{lib}/gnome-initial-setup-goa-helper rix,
- @{lib}/@{multiarch}/ld-linux-*.so* rix,
 /usr/share/dconf/profile/gdm r,
 /usr/share/gnome-initial-setup/{,**} r,
 /usr/share/xml/iso-codes/{,**} r,
- @{etc_ro}/security/pwquality.conf r,
- @{etc_ro}/security/pwquality.conf.d/{,**} r,
+ /etc/security/pwquality.conf r,
+ /etc/security/pwquality.conf.d/{,**} r,
 /etc/timezone r,
 /etc/gdm{,3}/custom.conf r,
@@ -76,10 +73,6 @@ profile gnome-initial-setup @{exec_path} {
 @{run}/systemd/sessions/@{int} r,
 @{run}/systemd/users/@{uid} r,
- @{sys}/fs/cgroup/user.slice/cpu.max r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
- owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/gnome-initial-setup-first-login.service/memory.* r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon
index e39ef0dc0..d0b84c1be 100644
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@@ -10,24 +10,20 @@ include
 @{exec_path} = @{bin}/gnome-keyring-daemon
 profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
 include
- include
+ include
 include
 include
 include
 include
- include
+ include
 capability ipc_lock,
- signal receive set=(term) peer=gdm,
- signal send set=(term) peer=ssh-agent,
-
- unix type=stream peer=(label=snap.*),
+ signal (receive) set=(term) peer=gdm,
+ signal (send) set=(term) peer=ssh-agent,
 #aa:dbus own bus=session name=org.gnome.keyring
 #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s}
- #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop
- #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
@@ -37,7 +33,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
 dbus send bus=system path=/org/freedesktop/login1
 interface=org.freedesktop.login1.Manager
 member=GetSession
- peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
+ peer=(name=org.freedesktop.login1, label=systemd-logind),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps
index 705857391..294d6229a 100644
--- a/apparmor.d/groups/gnome/gnome-maps
+++ b/apparmor.d/groups/gnome/gnome-maps
@@ -45,6 +45,7 @@ profile gnome-maps @{exec_path} {
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/stat r,
 owner @{PROC}/@{pid}/task/@{tid}/stat r,
 include if exists
diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music
index 2f9795ceb..82be211fc 100644
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@@ -17,7 +17,6 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 include
 network inet stream,
@@ -34,8 +33,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
 @{bin}/ r,
 @{bin}/env r,
- @{python_path} rix,
- @{lib}/@{python_name}/site-packages/gnomemusic/__pycache__/{,**} rw,
+ @{bin}/python3.@{int} rix,
+ @{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw,
 /usr/share/grilo-plugins/grl-lua-factory/{,*} r,
 /usr/share/org.gnome.Music/{,**} r,
@@ -52,6 +51,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
 @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
 owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw,
+ owner /var/tmp/etilqs_@{hex15} rw,
+ owner /var/tmp/etilqs_@{hex16} rw,
 @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
 owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer
index 31d9b7987..0182e9dad 100644
--- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer
+++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer
@@ -9,11 +9,12 @@ include
 @{exec_path} = @{lib}/gnome-photos-thumbnailer
 profile gnome-photos-thumbnailer @{exec_path} {
 include
- include
 include
 @{exec_path} mr,
+ /usr/share/mime/mime.cache r,
+ owner @{user_pictures_dirs}/{,**} r,
 owner @{user_cache_dirs}/babl/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
index c3631ddb7..19e448b1b 100644
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@@ -15,15 +15,11 @@ profile gnome-remote-desktop-daemon @{exec_path} {
 include
 include
 include
- include
- network inet dgram,
 network inet stream,
- network inet6 dgram,
 network inet6 stream,
- network netlink raw,
- #aa:dbus own bus=system name=org.gnome.RemoteDesktop
+ #aa:dbus own bus=session name=org.gnome.RemoteDesktop
 #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
 @{exec_path} mr,
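Review bot: In the gnome-remote-desktop-daemon hunk, `#aa:dbus own bus=session name=org.gnome.RemoteDesktop` moves the owned name from the system bus to the session bus, yet the profile still talks to `org.gnome.DisplayManager` on the system bus, and the removed `network inet dgram`, `network inet6 dgram` and `network netlink raw` rules are not replaced. If this profile also confines a system-wide instance of the daemon (the gdm talk rule suggests it does), that instance can no longer own its name; if both instances exist, keep one own rule per bus, e.g. `#aa:dbus own bus=system name=org.gnome.RemoteDesktop` alongside the new session one. This is inferred from the visible rules only, so please confirm against the daemon's unit files and state the intent in the commit message. The profile block starts and ends outside the hunk.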
diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session
index 257e91c0a..798868271 100644
--- a/apparmor.d/groups/gnome/gnome-session
+++ b/apparmor.d/groups/gnome/gnome-session
@@ -9,21 +9,10 @@ include
 @{exec_path} = @{bin}/gnome-session
 profile gnome-session @{exec_path} {
 include
- include
 include
- include
- include
 include
 include
- signal receive set=term peer=gdm,
- signal receive set=term peer=gdm-session,
-
- dbus receive bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=@{busname}, label=gnome-shell),
-
 @{exec_path} mrix,
 @{shells_path} rix,
@@ -31,7 +20,7 @@ profile gnome-session @{exec_path} {
 @{bin}/find rix,
 @{bin}/gettext rix,
 @{bin}/gettext.sh r,
- @{bin}/{,e}grep rix,
+ @{bin}/grep rix,
 @{bin}/head rix,
 @{bin}/id rix,
 @{bin}/locale rix,
@@ -39,12 +28,11 @@ profile gnome-session @{exec_path} {
 @{bin}/manpath rix,
 @{bin}/readlink rix,
 @{bin}/realpath rix,
- @{bin}/run-parts rix,
 @{bin}/sed rix,
 @{bin}/tput rix,
 @{bin}/tr rix,
 @{bin}/tty rix,
- @{bin}/uname rix,
+ @{bin}/uname rPx,
 @{bin}/xargs rix,
 @{bin}/dpkg-query rpx,
@@ -70,10 +58,6 @@ profile gnome-session @{exec_path} {
 /etc/X11/xinit/xinputrc r,
 /etc/X11/Xsession.d/*im-config_launch r,
- owner @{HOME}/ r,
-
- owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
-
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 5359a70df..babd12c3d 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -9,16 +9,18 @@ include
 @{exec_path} = @{lib}/gnome-session-binary
 profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
+ include
 include
+ include
 include
- include
+ include
 include
 include
 include
 include
- include
 network inet stream,
 network inet6 stream,
@@ -26,15 +28,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 network inet6 dgram,
 network netlink raw,
- signal receive set=(term, hup) peer=gdm*,
- signal send set=(term) peer=gsd-*,
+ signal (receive) set=(term, hup) peer=gdm*,
+ signal (send) set=(term) peer=gsd-*,
 #aa:dbus own bus=session name=org.gnome.SessionManager
- #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
+ #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
- member=UpdateActivationEnvironment
+ member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment}
 peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"),
 dbus send bus=session path=/org/freedesktop/systemd1
@@ -58,18 +60,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /usr/share/gdm/greeter/autostart/{,*.desktop} r,
 /usr/share/gnome-session/hardware-compatibility r,
 /usr/share/gnome-session/sessions/*.session r,
- /usr/share/gnome-shell/extensions/ r,
 /usr/share/gnome-shell/extensions/*/metadata.json r,
 /usr/share/gnome/autostart/{,*.desktop} r,
 @{etc_ro}/xdg/autostart/{,*.desktop} r,
 owner @{gdm_cache_dirs}/gdm/Xauthority r,
- owner @{gdm_config_dirs}/ rw,
 owner @{gdm_config_dirs}/dconf/user rw,
 owner @{gdm_config_dirs}/gnome-session/ rw,
 owner @{gdm_config_dirs}/gnome-session/saved-session/ rw,
- owner @{gdm_config_dirs}/user-dirs.dirs r,
 owner @{GDM_HOME}/greeter-dconf-defaults r,
 owner @{gdm_share_dirs}/applications/{,**} r,
@@ -103,7 +102,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 profile open flags=(attach_disconnected) {
 include
- include
+ include
 include
 @{bin}/env rix,
diff --git a/apparmor.d/groups/gnome/gnome-session-check b/apparmor.d/groups/gnome/gnome-session-check
deleted file mode 100644
index 44755aef2..000000000
--- a/apparmor.d/groups/gnome/gnome-session-check
+++ /dev/null
@@ -1,27 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{lib}/gnome-session-check-*
-profile gnome-session-check @{exec_path} {
- include
- include
- include
-
- @{exec_path} mr,
-
- @{lib}/gnome-session-check-accelerated-gl-helper ix,
- @{lib}/gnome-session-check-accelerated-gles-helper ix,
-
- /usr/share/gnome-session/hardware-compatibility r,
-
- @{PROC}/cmdline r,
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 24c069e72..f52340d41 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -10,39 +10,40 @@ include
 profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 include
 include
+ include
 include
 include
- include
 include
 include
 include
+ include
 include
 include
 include
 include
- include
+ include
+ include
+ include
+ include
 include
+ include
 include
 include
+ include
 include
- include
- include
- include
- include
+ include
+ include
 include
 include
 include
 include
 include
 include
- include
 include
- include
 include
- include
 include
 include
- include
+ include
 capability sys_nice,
 capability sys_ptrace,
@@ -54,14 +55,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 network netlink raw,
 network unix stream,
- ptrace read,
+ ptrace (read),
+ ptrace (readby) peer=pipewire,
- signal receive set=(term, hup) peer=gdm*,
- signal send,
+ signal (receive) set=(term, hup) peer=gdm*,
+ signal (send),
 unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
 unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
 unix (send,receive) type=stream addr=none peer=(label=xwayland),
+ unix (send,receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),
 # Owned by gnome-shell
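Review bot: The new `unix (send,receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),` rule only matches the ibus socket under gdm's home, while the parallel rule added to gnome-control-center in this commit uses `@/home/*/.cache/ibus/dbus-????????`; if gnome-shell in a user session connects to the same kind of socket, that path is not covered here, so please confirm or add the second address. The permission list is also written `(send,receive, connect)` with inconsistent spacing, whereas the three rules above use `(send,receive)` and gnome-control-center uses `(send, receive, connect)`; pick one form, e.g. `unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),`. `signal (send),` remains unrestricted as on the old side, which is worth a comment given how broad it is. The profile block starts and ends outside the hunk.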
@@ -70,57 +73,60 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 #aa:dbus own bus=session name=org.gnome.Shell
 #aa:dbus own bus=session name=com.canonical.{U,u}nity
- #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu}
- #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting
 #aa:dbus own bus=session name=com.rastersoft.dingextension
 #aa:dbus own bus=session name=org.ayatana.NotificationItem
- #aa:dbus own bus=session name=org.freedesktop.a11y.Manager
- #aa:dbus own bus=session name=org.gnome.Shell
 #aa:dbus own bus=session name=org.gtk.Actions path=/**
 #aa:dbus own bus=session name=org.gtk.MountOperationHandler
 #aa:dbus own bus=session name=org.gtk.Notifications
- #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/
 #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher
- # Talk with gnome-shell
- # The strategy with dbus rules in this profile is first to declare all communications
- # needed on buses and to limit them only to their profiles in apparmor.d. As such,
- # only dbus directive is used for this. Later, some communications could be
- # restricted.
-
- #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
- #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
- #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
- #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
- #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
- #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
- #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}"
+ #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+ #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
+ #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
 #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
 #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
- #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs
- #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy
- #aa:dbus talk bus=session name=org.gnome.* label=gnome-*
- #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=*
- #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus
 #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console
+ #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
 #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
 #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
+ # System bus
+
+ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
+ interface=org.freedesktop.PolicyKit1.Authority
+ member=RegisterAuthenticationAgent
+ peer=(name=:*, label=polkitd),
+ dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent
+ interface=org.freedesktop.PolicyKit1.AuthenticationAgent
+ member=BeginAuthentication
+ peer=(name=:*, label=polkitd),
+
+ dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
+ interface=org.freedesktop.NetworkManager.AgentManager
+ member={RegisterWithCapabilities,Unregister}
+ peer=(name=:*, label=NetworkManager),
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+ # Session bus
- dbus send bus=session path=/org/gnome/**
- peer=(name=org.gnome.*),
-
+ dbus send bus=session path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
+ peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus.Properties
 member=GetAll
 peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 dbus send bus=session path=/
 interface=org.freedesktop.DBus
- member={GetNameOwner,ListNames}
+ member={GetConnectionUnixProcessID,GetNameOwner,ListNames}
 peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
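Review bot: The new system-bus rules write the peer as `peer=(name=:*, label=polkitd)` and `peer=(name=:*, label=NetworkManager)`, whereas the rest of this profile spells a unique connection name as `@{busname}` (the rule removed from gnome-control-center in this same commit used `peer=(name=@{busname}, label=NetworkManager)`), and the next hunk both switches the Introspect rule to `:*` and adds a SearchProvider2 rule that keeps `@{busname}`; the new rules in gnome-calendar and gnome-extension-ding use `:*` too. Two spellings for the same thing inside one profile make audits harder, so settle on one, e.g. `peer=(name=@{busname}, label=polkitd),`. Replacing the broad `#aa:dbus talk ... org.freedesktop.PolicyKit1` line with explicit RegisterAuthenticationAgent/BeginAuthentication member rules, and dropping `#aa:dbus talk bus=session name=org.gnome.* label=gnome-*`, are welcome tightenings that the commit message should call out. The profile block starts and ends outside the hunk.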
@@ -151,40 +157,38 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}), + peer=(name=:*), dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/gnome/*/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + peer=(name=@{busname}), + @{exec_path} mr, @{bin}/unzip rix, - @{bin}/flatpak rPx, - @{bin}/gjs-console rPx -> gnome-extension, + @{bin}/gjs-console rPx, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, - @{bin}/sensors rPx, - @{bin}/tecla rPx, @{bin}/Xwayland rPx, - @{bin}/nvidia-smi rPx, # FIXME; for extension only - @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper @{sh_path} rCx -> shell, - @{bin}/pkexec rCx -> pkexec, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, @{lib}/gio-launch-desktop rCx -> open, - @{python_path} rCx -> python, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, - /snap/*/@{uid}/**.@{image_ext} r, - /usr/share/**.@{image_ext} r, + /opt/**/share/icons/{,**} r, + /snap/*/@{uid}/**.png r, + /usr/share/**.{png,jpg,svg} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, 
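Review bot: `@{bin}/gjs-console rPx,` drops the explicit `-> gnome-extension` target, so the exec now lands in whichever profile attaches to gjs-console, and a `Px` transition is denied outright if no such profile is loaded; if extensions are still meant to run under a dedicated profile, keep `@{bin}/gjs-console rPx -> gnome-extension,`. The new Introspect rule `peer=(name=:*),` carries no label while the sibling rule directly below it pins `label="@{p_dbus_session}"`; that may be deliberate since the shell talks to arbitrary session peers, but a one-line comment above the rule stating which peers it is meant for would make the intent visible. The enclosing profile starts and ends outside this hunk.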
@@ -224,8 +228,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{gdm_cache_dirs}/libgweather/ r, - owner @{gdm_cache_dirs}/nvidia/GLCache/ rw, - owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/ibus/ rw, owner @{gdm_config_dirs}/ibus/bus/ rw, 
@@ -233,38 +235,30 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_config_dirs}/pulse/ rw, owner @{gdm_config_dirs}/pulse/client.conf r, owner @{gdm_config_dirs}/pulse/cookie rwk, - owner @{gdm_local_dirs}/ w, - owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/applications/{,**} r, owner @{gdm_share_dirs}/gnome-shell/{,**} rw, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, - owner @{HOME}/.mozilla/native-messaging-hosts/ rw, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, - owner @{HOME}/.var/app/**.@{image_ext} r, + owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/.var/app/**/ r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, - owner @{user_games_dirs}/**.@{image_ext} r, - owner @{user_music_dirs}/**.@{image_ext} r, + owner @{user_games_dirs}/**.{png,jpg,svg} r, + owner @{user_music_dirs}/**.{png,jpg,svg} r, owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw, - owner @{user_config_dirs}/**/NativeMessagingHosts/ rw, - owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{user_config_dirs}/background r, owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/tiling-assistant/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw, - owner @{user_share_dirs}/dbus-1/services/ r, - owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, 
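Review bot: The reorder in the `@{gdm_share_dirs}/icc/` block puts `.goutputstream-@{rand6}` after `edid-@{hex32}.icc`, while the `@{user_share_dirs}/icc/` block in the next hunk keeps `.goutputstream-@{rand6}` first; keep the two blocks in the same order so they stay diffable. Narrowing `**.@{image_ext}` to `**.{png,jpg,svg}` in the `.var/app`, games and music rules presumably drops whatever other extensions `@{image_ext}` covered (its definition is not in this diff) — confirm no extension in use was lost. The enclosing profile starts and ends outside this hunk.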
@@ -272,25 +266,22 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, - owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/gnome-software/icons/{,**} r, - owner @{user_cache_dirs}/gsconnect/@{hex32} r, owner @{user_cache_dirs}/libgweather/{,**} rw, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, - owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, owner @{run}/user/@{uid}/app/*/*.@{rand6} r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw, + owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/systemd/notify rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @@ -299,8 +290,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6} r, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/status_icon_@{int}.png r, owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, 
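Review bot: `owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,` matches only snaps whose name begins with `snap`, whereas the line it replaces matched any `snap.*` runtime directory; this reads like a typo for `snap.*`. The file-name suffix is also widened from `@{rand6}` to `*`; unless a non-random suffix was observed, `owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw,` keeps the rule both correct and tight. The enclosing profile starts and ends outside this hunk.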
@@ -314,18 +303,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/tags/seat/ r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+platform:* r, @{run}/udev/data/+dmi:id r, # for motherboard info - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+acpi* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{sys}/**/uevent r, @{sys}/bus/ r, @@ -334,9 +324,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/gpu_busy_percent r, @{sys}/devices/@{pci}/input@{int}/{properties,name} r, - @{sys}/devices/@{pci}/mem_info_vram_* r, @{sys}/devices/@{pci}/net/*/statistics/collisions r, @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r, 
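Review bot: `@{run}/udev/data/+usb* r,` and `@{run}/udev/data/+acpi* r,` drop the `:` separator that every other subsystem rule in this block keeps (`+input:`, `+pci:`, `+i2c:`, `+hid:`), so they also match any future `+usb…`/`+acpi…`-prefixed entry rather than that subsystem alone; `@{run}/udev/data/+usb:* r,` and `@{run}/udev/data/+acpi:* r,` would be consistent and, for the entries that exist today, presumably no less permissive. The trailing explanatory comments on the `+platform:`, `+acpi:`, `+i2c:`, `+hid:` and `n@{int}` rules are removed, and the gsd-power hunk later in this diff does the same to its `+backlight:` and `+leds:` rules; those comments are the only documentation of why a desktop daemon reads hardware metadata, so keep them. The enclosing profile starts and ends outside this hunk.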
@@ -350,8 +338,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/platform/**/input@{int}/{properties,name} r, @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/net/*/statistics/collisions r, @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @@ -380,6 +366,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, + /dev/media@{int} rw, /dev/tty@{int} rw, @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, @@ -389,14 +376,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability sys_ptrace, - ptrace read, + ptrace (read), @{sh_path} mr, - @{bin}/cat rix, - @{bin}/{,e}grep rix, - @{bin}/kmod rPx -> gnome-shell//lsmod, - @{bin}/pmap rix, + @{bin}/pmap rix, + @{bin}/grep rix, @{sys}/devices/system/node/ r, @@ -409,38 +394,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } - profile lsmod flags=(attach_disconnected,mediate_deleted) { - include - include - - @{sys}/module/{,**} r, - - include if exists - } - - profile pkexec { - include - include - - ptrace read peer=gnome-shell, - - @{bin}/pkexec mr, - - /usr/local/bin/batteryhealthchargingctl{,-@{user}} rPx, - @{bin}/batteryhealthchargingctl{,-@{user}} rPx, - - include if exists - } - - profile python { - include - include - - # /usr/share/gnome-shell/extensions/{,**} - - include if exists - } - profile open flags=(attach_disconnected,mediate_deleted,complain) { include include diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 37bb7b374..2f3e51670 100644 
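Review bot: `/dev/media@{int} rw,` is added without the trailing comment this profile gives its other device rules (`# for /dev/dri/card*`, `# for /dev/input/*` in the udev block above), and write access to media-controller nodes is not an obvious need for a desktop shell; add a comment naming the feature that opens them. Unlike `@{att}/dev/dri/card@{int} rw,` two lines below it, the new rule is not `@{att}`-prefixed; the profile carries attach_disconnected (hunk header), so if the node is reached through a disconnected path the unprefixed rule would presumably not match — confirm which form is intended. The ptrace/kmod hunk on this line sits in a child profile whose header is outside the hunk.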
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -11,7 +11,6 @@ profile gnome-shell-calendar-server @{exec_path} { include include include - include include #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer @@ -36,6 +35,8 @@ profile gnome-shell-calendar-server @{exec_path} { @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/sysconfig/clock r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index 56e448fd8..51d5b43cf 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -10,10 +10,11 @@ include profile gnome-shell-hotplug-sniffer @{exec_path} { include include - include @{exec_path} mr, + /usr/share/mime/mime.cache r, + @{MOUNTS}/**/ r, @{MOUNTS}/** r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 0b1602fbb..a75cfee63 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -9,14 +9,11 @@ include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include - include - include - include - include - include + include include + include + include include - include include include 
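Review bot: `/usr/share/glib-2.0/schemas/gschemas.compiled r,` is added verbatim to gnome-shell-calendar-server here and again to gsd-a11y-settings, gsd-datetime, gsd-sharing, gsd-smartcard, gsd-sound and gsd-usb-protection later in this diff; the same hunks also rewrite each profile's include list (the include targets are not legible in this rendering), which suggests the line used to come from a shared abstraction. Adding it once to an abstraction all of them include keeps the gsettings access in one place instead of seven copies. Each of these hunks cuts into a profile whose header is outside the hunk.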
@@ -29,22 +26,11 @@ profile gnome-software @{exec_path} { mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, - #aa:dbus own bus=session name=org.freedesktop.PackageKit - #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application - - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}" - - dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=Changed - peer=(name=@{busname}, label=polkitd), - @{exec_path} mr, @{bin}/baobab rPUx, @{bin}/bwrap rPx -> flatpak-app, @{bin}/fusermount{,3} rCx -> fusermount, - @{bin}/gnome-control-center rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @@ -53,8 +39,6 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, - /usr/share/byobu/desktop/{,**} r, - /usr/share/flatpak/remotes.d/ r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -86,11 +70,15 @@ profile gnome-software @{exec_path} { /var/tmp/flatpak-cache-*/** rwkl, /var/tmp/#@{int} rw, + / r, + owner @{HOME}/.var/app/{,**} rw, owner @{user_download_dirs}/*.flatpakref r, owner @{user_cache_dirs}/flatpak/{,**} rwl, + owner @{user_cache_dirs}/gnome-software/ rw, + owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**, owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, @@ -105,6 +93,7 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, + owner @{user_share_dirs}/gnome-software/{,**} rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, 
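Review bot: The first hunk removes `#aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application` without a replacement in this diff, and the gnome-text-editor hunk later in this diff drops `#aa:dbus own bus=session name=org.gnome.TextEditor` the same way; if these applications still claim their well-known names on the session bus, those requests will be denied once D-Bus mediation is active, unless the rewritten include set in the previous hunk now supplies the own rules. Worth confirming with aa-log under the integration tests before merging. The new `/ r,` in the third hunk grants listing of the root directory and carries no context; a short comment on why gnome-software needs it would help. The enclosing profile starts and ends outside these hunks.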
@@ -133,7 +122,10 @@ profile gnome-software @{exec_path} { @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/fuse rw, @@ -171,13 +163,21 @@ profile gnome-software @{exec_path} { profile fusermount { include - include + include - capability setuid, + capability sys_admin, mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + + @{PROC}/@{pids}/mounts r, + + /dev/fuse rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 152b28ff7..92cbd369e 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -9,10 +9,10 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include - include - include - include - include + include + include + include + include include capability sys_ptrace, @@ -21,9 +21,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - ptrace read, + ptrace (read), - signal send set=(kill term cont stop), + signal (send) set=(kill term cont stop), #aa:dbus own bus=session name=org.gnome.SystemMonitor @@ -35,8 +35,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tr rix, - /usr/share/byobu/desktop/{,**} r, - /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, + /usr/share/gnome-system-monitor/{,**} r, + /usr/share/firefox-esr/browser/chrome/icons/default/*.png r, / r, 
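Review bot: `capability sys_admin,` in the `fusermount` child profile replaces `capability setuid,` with the broadest capability AppArmor can grant; the `mount`/`umount` rules still bound which filesystems may be mounted, but sys_admin also covers many unrelated privileged operations, so document why it is needed, e.g. `# mount(2) needs CAP_SYS_ADMIN; fusermount is normally installed setuid root`. Dropping `capability setuid` presumably assumes fusermount's privilege drop does not need it — confirm with aa-log under the integration tests. `@{PROC}/@{pids}/mounts r,` reads every process's mount table; if fusermount only needs its own, `owner @{PROC}/@{pid}/mounts r,` matches the `owner @{PROC}/@{pid}/...` style of the first hunk on this line.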
@@ -74,11 +74,12 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/smaps r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/diskstats r, @{PROC}/vmstat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index fe380dadd..d96c20c36 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,19 +10,22 @@ include profile gnome-terminal-server @{exec_path} { include include + include include + include include + include include include include - signal send set=(hup) peer=htop, - signal send set=(term hup kill) peer=unconfined, + signal (send) set=(hup) peer=htop, + signal (send) set=(term hup kill) peer=unconfined, - ptrace read peer=htop, - ptrace read peer=unconfined, + ptrace (read) peer=htop, + ptrace (read) peer=unconfined, - #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions dbus receive bus=session path=/org/gnome/Terminal/SearchProvider interface=org.gnome.Shell.SearchProvider2 @@ -35,17 +38,15 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, - @{lib}/gnome-terminal-preferences ix, - # The shell is not confined on purpose. - @{bin}/@{shells} Ux, + @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop Px, - @{bin}/micro PUx, - @{bin}/nvtop Px, + @{bin}/htop rPx, + @{bin}/micro rPUx, + @{bin}/nvtop rPx, - @{open_path} Px -> child-open, + @{open_path} rPx -> child-open, /etc/shells r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 8aa950e2c..22823753b 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor 
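Review bot: `@{bin}/@{shells} rUx,` in the gnome-terminal-server hunk keeps the unconfined transition but drops the `# The shell is not confined on purpose.` comment that justified it; a `Ux` rule is an exit from confinement and deserves that why-comment, so keep it above the line. `#aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions` changes `interface+=` to `interface=`; if the directive's `=` form restricts the generated own rules to that single interface rather than adding it to the defaults, calls on the other interfaces the terminal exposes would be denied — confirm the directive semantics. The profile's opening lines are outside the hunk.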
+++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -10,14 +10,11 @@ include profile gnome-text-editor @{exec_path} { include include - include include include - include include include - #aa:dbus own bus=session name=org.gnome.TextEditor #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 7f93b7864..d104e75c6 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -21,21 +21,22 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/env r, @{bin}/ps rPx, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{open_path} rPx -> child-open-help, - @{lib}/@{python_name}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, + @{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, /etc/xdg/autostart/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_config_dirs}/autostart/ rw, - owner @{user_config_dirs}/autostart/*.desktop rw, + owner @{user_config_dirs}/autostart/*.desktop r, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, + owner @{user_share_dirs}/recently-used.xbel* rw, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index fe2bf69b2..c73ff0a19 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -31,6 +31,7 @@ profile gnome-weather @{exec_path} { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny owner @{user_share_dirs}/gvfs-metadata/* r, 
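Review bot: `owner @{user_config_dirs}/autostart/*.desktop r,` in the gnome-tweaks hunk downgrades the file from `rw` while the directory keeps `rw`; if Tweaks' startup-applications feature still writes these entries, the write will be denied — confirm against aa-log. `@{bin}/python3.@{int} rix,` and the `site-packages` rule replace the `@{python_path}`/`@{python_name}` variables with literal `python3.@{int}` patterns, which will not match a differently named interpreter the variables may have covered; if those variables are still defined for the other profiles in this tree, keep using them here. The enclosing profile starts and ends outside this hunk.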
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index b7c138285..8176d6c7c 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -12,6 +12,7 @@ profile goa-daemon @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 4509a6159..3992811c2 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -11,7 +11,7 @@ profile goa-identity-service @{exec_path} { include include include - include + include #aa:dbus own bus=session name=org.gnome.Identity diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 22aaba164..cfbaa6269 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -9,11 +9,10 @@ include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include + include include - include - include + include include - include signal (receive) set=(term, hup) peer=gdm*, @@ -28,6 +27,7 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 1a52321b1..6ff47dcd1 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -9,11 +9,14 @@ include @{exec_path} = @{lib}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include - include + include + include include include + include include - include + include + include include include include 
@@ -25,7 +28,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties @@ -42,10 +45,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{gdm_share_dirs}/icc/edid-*.icc rw, owner @{user_share_dirs}/icc/ rw, - owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{user_share_dirs}/icc/edid-*.icc rw, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 0364f3f2b..984f7c189 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,11 +9,10 @@ include @{exec_path} = @{lib}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include + include include - include - include + include include - include include network inet dgram, @@ -35,6 +34,7 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-settings-daemon/datetime/backward r, owner @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 00ca93f19..6e8ae0d90 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify 
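Review bot: `owner @{gdm_share_dirs}/icc/edid-*.icc rw,` and `owner @{user_share_dirs}/icc/edid-*.icc rw,` widen the match from `edid-@{hex32}.icc` to any `edid-` name, while the gnome-shell hunks earlier in this diff still use `edid-@{hex32}.icc` for the same files; unless a non-hex32 EDID file name was observed, keep `@{hex32}` so both profiles stay consistent and the write rule stays tight. The enclosing profile starts and ends outside this hunk.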
@@ -14,7 +14,6 @@ profile gsd-disk-utility-notify @{exec_path} { include #aa:dbus own bus=session name=org.gnome.Disks.NotificationMonitor - #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 497462a03..288c29af8 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -10,13 +10,12 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include + include include - include - include - include + include + include include include - include include signal (receive) set=(term, hup) peer=gdm*, @@ -24,10 +23,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Housekeeping - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=Subscribe - peer=(name=org.freedesktop.systemd1), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index be27a873e..87560b6f9 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,11 +9,14 @@ include @{exec_path} = @{lib}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include - include + include + include include include - include - include + include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index b299ab7ff..d9b0e5e27 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys 
@@ -9,20 +9,22 @@ include @{exec_path} = @{lib}/gsd-media-keys profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include + include include + include include include + include include include + include include - include - include - include + include + include include include include include - include signal (receive) set=(term, hup) peer=gdm*, @@ -36,7 +38,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=@{busname}, label="@{p_systemd_logind}"), + peer=(name=:*, label=systemd-logind), dbus send bus=session path=/ interface=org.freedesktop.DBus @@ -46,12 +48,17 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=@{busname}, label=gsd-power), + peer=(name=:*, label=gsd-power), dbus receive bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=@{busname}, label=gsd-power), + peer=(name=:*, label=gsd-power), + + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), @{exec_path} mr, @@ -64,13 +71,15 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, + owner @{user_share_dirs}/recently-used.xbel{,.*} rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # For /dev/bus/usb/** - @{sys}/devices/**/usb@{int}/{,**} r, + @{sys}/devices/**/usb[0-9]/{,**} r, @{sys}/devices/@{pci}/sound/**/uevent r, @{sys}/devices/platform/**/uevent r, @{sys}/devices/virtual/**/uevent r, 
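Review bot: `@{sys}/devices/**/usb[0-9]/{,**} r,` matches only a single-digit USB bus number, whereas the `@{int}` it replaces also covered `usb10` and above; if the intent was to avoid matching `usb_…` nodes, `usb@{int}` is still the better fit, or `usb[0-9]*` if a plain glob is preferred. The new `dbus send bus=session path=/org/mpris/MediaPlayer2 … peer=(name=:*),` has no label, unlike the gsd-power rules in the same hunk that pin `label=gsd-power`; querying any session peer is plausibly intended for MPRIS players, but that should be said in a comment above the rule. The enclosing profile starts and ends outside these hunks.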
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index d3ac6b456..97b31d6c5 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -9,25 +9,26 @@ include @{exec_path} = @{lib}/gsd-power profile gsd-power @{exec_path} flags=(attach_disconnected) { include + include include + include include include include + include include include include include - include + include include - include - include + include + include + include include include include include - include - include - include network inet stream, network netlink raw, @@ -37,22 +38,16 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.Shell.Brightness label=gnome-shell dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=@{busname}, label="@{p_upowerd}"), + peer=(name=:*, label=upowerd), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=@{busname}, label=gsd-xsettings), - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member=Suspend - peer=(name=@{busname}, label="@{p_systemd_logind}"), + peer=(name=:*, label=gsd-xsettings), @{exec_path} mr, 
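Review bot: The second hunk drops the `dbus send bus=system path=/org/freedesktop/login1 … member=Suspend` rule and the `org.gnome.Shell.Brightness` talk rule without a replacement visible in this diff; if gsd-power still asks logind to suspend on idle or lid close, that call will be denied, unless the rewritten include list in the first hunk (not legible in this rendering) now covers it. Confirm with aa-log under the integration tests before merging. The enclosing profile starts and ends outside these hunks.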
@@ -62,9 +57,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+backlight:* r, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) + @{run}/udev/data/+leds:* r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 22ec520cb..2c8319bd8 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,36 +9,29 @@ include @{exec_path} = @{lib}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include + include include include - include - include - include - include - include + include + include include include network inet stream, network inet6 stream, - signal receive set=(term, hup) peer=gdm*, - signal send set=(hup) peer=gsd-printer, + signal (receive) set=(term, hup) peer=gdm*, + signal (send) set=(hup) peer=gsd-printer, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.PrintNotifications # dbus receive bus=system path=/org/cups/cupsd/Notifier # interface=org.cups.cupsd.Notifier, - dbus receive bus=system path=/org/cups/cupsd/Notifier - interface=org.cups.cupsd.Notifier - member={ServerStarted,PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded} - peer=(name=@{busname}, label=cups-notifier-dbus), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index a768c8d1e..9e67c8c72 100644 
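Review bot: In the gsd-print-notifications hunk the active `dbus receive bus=system path=/org/cups/cupsd/Notifier … peer=(name=@{busname}, label=cups-notifier-dbus),` rule is removed, leaving only the commented-out `# dbus receive bus=system path=/org/cups/cupsd/Notifier` fragment above it; if the daemon still subscribes to cupsd notifier signals those will now be denied, and the dead comment gives the next reader no hint of why. Either restore an active receive rule or replace the fragment with a comment explaining why the CUPS notifier signals are no longer allowed. The enclosing profile starts and ends outside this hunk.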
--- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,11 +9,10 @@ include @{exec_path} = @{lib}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include + include include include - include - include - include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 7283c5c00..1fd4157ec 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -9,13 +9,13 @@ include @{exec_path} = @{lib}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index ac2f9229d..1ac54d0fe 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -9,9 +9,9 @@ include @{exec_path} = @{lib}/gsd-screensaver-proxy profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include - include + include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 9d432ae13..871e10abc 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,13 +9,12 @@ include @{exec_path} = @{lib}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include + include include include include - include - include + include include - include signal (receive) set=(term, hup) peer=gdm*, 
@@ -31,15 +30,11 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3 - interface=org.freedesktop.NetworkManager.VPN.Connection - member=VpnStateChanged - peer=(name=@{busname}, label=NetworkManager), - @{exec_path} mr, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 5143b9984..f93f0313b 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -9,14 +9,12 @@ include @{exec_path} = @{lib}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include + include include - include - include + include include - include include include - include signal (receive) set=(term, hup) peer=gdm*, @@ -31,7 +29,9 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/{,opensc/}opensc.conf r, /etc/tpm2-tss/* rk, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index ff2d30766..8c5e7891a 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -9,15 +9,14 @@ include @{exec_path} = @{lib}/gsd-sound profile gsd-sound @{exec_path} flags=(attach_disconnected) { include - include + include include include - include - include + include + include include - include - signal receive set=(term, hup) peer=gdm*, + signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Sound 
@@ -30,6 +29,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index bcdb353a8..2359c9f39 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -10,22 +10,14 @@ include profile gsd-usb-protection @{exec_path} { include include - include - include - include include - include - include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 3d4f2cb05..f9c4ffb33 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,9 +9,12 @@ include @{exec_path} = @{lib}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include - include + include + include include - include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index 3a5ee53df..ab2b2b089 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -10,17 +10,10 @@ include profile gsd-wwan @{exec_path} { include include - include include - include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, include if exists 
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 20151eec0..c7478292c 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,13 +9,15 @@ include @{exec_path} = @{lib}/gsd-xsettings profile gsd-xsettings @{exec_path} { include + include include include + include include include - include + include include - include + include include include include @@ -31,25 +33,17 @@ profile gsd-xsettings @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings #aa:dbus own bus=session name=org.gtk.Settings - #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} + interface=org.freedesktop.Accounts.User + member=SetInputSources + peer=(name=:*, label=accounts-daemon), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetId peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus receive bus=system path=/org/freedesktop/Accounts - interface=org.freedesktop.Accounts - member={UserAdded,UserDeleted} - peer=(name=@{busname}, label="@{p_accounts_daemon}"), - - dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} - interface=org.freedesktop.Accounts.User - member=SetInputSources - peer=(name=@{busname}, label="@{p_accounts_daemon}"), - @{exec_path} mr, - @{sh_path} mr, @{bin}/cat rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index f843d6c14..c9177de5c 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -17,7 +17,7 @@ profile kgx @{exec_path} { capability sys_ptrace, - ptrace read, + ptrace (read), @{exec_path} mr, 
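Review bot: The rewritten SetInputSources rule in the second gsd-xsettings hunk hard-codes `peer=(name=:*, label=accounts-daemon)` while the GetId rule right below it still uses the `@{p_dbus_session}` label variable, and the removed lines show the project already has `@{p_accounts_daemon}` for this peer. The `@{p_*}` variables exist so one rule matches whether the peer is confined or unconfined; a literal label silently denies the call on a system where accounts-daemon is not confined under exactly that name. Suggest `peer=(name=@{busname}, label="@{p_accounts_daemon}"),` (or at least the label variable). Separately, `@{sh_path} mr,` is dropped while `@{bin}/cat rix,` and `@{bin}/sed rix,` stay; if those helpers are spawned through a shell the exec is now denied — check the denial log under enforce mode. The profile body continues outside the hunk.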
@@ -25,21 +25,20 @@ profile kgx @{exec_path} { @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell - @{bin}/btop PUx, - @{bin}/htop Px, - @{bin}/micro PUx, - @{bin}/nvtop Px, - @{bin}/nvtop Px, - @{bin}/vim Ux, + @{bin}/btop rPUx, + @{bin}/htop rPx, + @{bin}/micro rPUx, + @{bin}/nvtop rPx, + @{bin}/nvtop rPx, + @{bin}/vim rUx, - @{open_path} Px -> child-open-help, + @{open_path} rPx -> child-open-help, owner @{tmp}/#@{int} rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch deleted file mode 100644 index ea1566757..000000000 --- a/apparmor.d/groups/gnome/localsearch +++ /dev/null 
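Review bot: `@{bin}/nvtop rPx,` appears twice on the new side of the kgx hunk; the duplicate is harmless to the parser but should be removed. More substantively, the profile keeps `capability sys_ptrace` together with an unscoped `ptrace (read),`, which lets the terminal read the state of any process on the system rather than just the processes it launches; if kgx only inspects its own children, a `peer=` restriction to the labels it executes above would be tighter — confirm what it actually reads before narrowing. Note that `@{PROC}/@{pids}/status r,` was removed while `cmdline` and `stat` for all pids stay, so whether status is still needed should also be checked in enforce mode.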
@@ -1,80 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/localsearch @{lib}/localsearch-3 -profile localsearch @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files - #aa:dbus own bus=session name=org.freedesktop.LocalSearch3 - - dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=@{busname}, label=nautilus), - dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint - interface=org.freedesktop.Tracker3.Endpoint - member=Query - peer=(name=@{busname}, label=nautilus), - - @{exec_path} mr, - - @{lib}/localsearch-extractor-3 ix, # nnp - - /usr/share/localsearch3/{,**} r, - /usr/share/osinfo/{,**} r, - /usr/share/poppler/{,**} r, - - /etc/fstab r, - - # Allow to search user files - owner @{HOME}/ r, - owner @{HOME}/{,**} r, - owner @{MOUNTS}/{,**} r, - owner @{tmp}/*/{,**} r, - - owner @{user_cache_dirs}/tracker3/ rw, - owner @{user_cache_dirs}/tracker3/files/ rw, - owner @{user_cache_dirs}/tracker3/files/** rwk, - - owner @{GDM_HOME}/ r, - owner @{GDM_HOME}/*/ r, - owner @{gdm_cache_dirs}/tracker3/{,**} rwk, - owner @{gdm_config_dirs}/user-dirs.dirs r, - - @{run}/mount/utab r, - - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - - @{PROC}/sys/fs/fanotify/max_user_marks r, - @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/gnome/localsearch-control b/apparmor.d/groups/gnome/localsearch-control deleted file mode 100644 index 354f85009..000000000 --- a/apparmor.d/groups/gnome/localsearch-control +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/localsearch-control-3 -profile localsearch-control @{exec_path} { - include - include - - #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files.Control - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/localsearch-writeback b/apparmor.d/groups/gnome/localsearch-writeback deleted file mode 100644 index 7d50726c0..000000000 --- a/apparmor.d/groups/gnome/localsearch-writeback +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/localsearch-writeback-3 -profile localsearch-writeback @{exec_path} { - include - include - - #aa:dbus own bus=session name=org.freedesktop.LocalSearch3.Writeback - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index ea55ee902..75835395a 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe 
@@ -9,31 +9,18 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include - include - include - include include include include include - include include include include - unix type=stream peer=(label=loupe//bwrap), - signal send set=kill peer=loupe//bwrap, - #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - dbus send bus=system path=/org/freedesktop/hostname1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=@{p_systemd_hostnamed}), - @{exec_path} mr, @{bin}/bwrap rCx -> bwrap, @@ -45,8 +32,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/glycin/{,**} rw, - @{run}/mount/utab r, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + @{run}/mount/utab r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -56,7 +42,6 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, @@ -65,9 +50,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - unix type=stream peer=(label=loupe), - - signal receive set=kill peer=loupe, + signal (receive) set=(kill) peer=loupe, @{bin}/bwrap mr, @{lib}/glycin-loaders/*/glycin-* rix, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index d5c83a31b..8a48b97a2 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames 
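Review bot: The first loupe hunk drops `signal send set=kill peer=loupe//bwrap,` and `unix type=stream peer=(label=loupe//bwrap),` from the parent, but the bwrap child profile in the last hunk still carries `signal (receive) set=(kill) peer=loupe,`. AppArmor mediates both ends of a signal, so unless one of the retained abstractions grants the send side, loupe can no longer kill its sandboxed loader and the receive rule is dead code; either restore `signal send set=kill peer=loupe//bwrap,` or drop the receive rule too so the pair stays consistent. The same consideration applies to the removed unix stream rule if the loader talks to the parent over a socketpair. The profile body continues outside the hunk.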
@@ -9,9 +9,11 @@ include @{exec_path} = @{lib}/mutter-x11-frames profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include - include + include + include include - include + include + include include include include @@ -26,8 +28,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_cache_dirs}//fontconfig/ rw, - owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, + owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index c405a3bf8..890e5b34e 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,14 +9,16 @@ include @{exec_path} = @{bin}/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include + include include include include + include include include include - include - include + include + include include include include 
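Review bot: The replacement rule `owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,` is both looser and weaker than the two lines it replaces: `[a-f0-9]*` matches any hex-prefixed name where `@{hex32}` pinned the fontconfig hash length, `.TMP-*` replaces `@{rand6}`, and the `w`/`l` permissions on the cache files are gone. Fontconfig only writes the `.NEW`/`.LCK`/`.TMP-` files when it regenerates a stale cache, so read-only may be fine for a pre-built gdm cache, but those denials will appear the first time the greeter's cache is stale — confirm with aa-log before settling on `r`. If write turns out to be needed, prefer keeping the precise `@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}}` pattern rather than the open glob.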
@@ -26,33 +28,17 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, - unix type=stream peer=(label=gnome-shell), - + #aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions} #aa:dbus own bus=session name=org.freedesktop.FileManager1 - #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} - #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 - #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome - #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - - dbus send bus=session path=/org/gnome/Mutter/ServiceChannel - interface=org.gnome.Mutter.ServiceChannel - member=OpenWaylandServiceConnection - peer=(name=@{busname}, label=gnome-shell), + #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine member=Print - peer=(name=@{busname}, label=nautilus), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=:*, label=nautilus), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus 
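Review bot: The own directive changed from `interface+=org.gtk.{Application,Actions}` to `interface=org.gtk.{Application,Actions}` in the nautilus hunk; if `#aa:dbus own` treats `interface=` as replacing its default interface set rather than extending it, the generated rules lose the standard `org.freedesktop.DBus.*` coverage that a GApplication exposes on that name — verify against the directive documentation or the generated output. The peer rewrite `peer=(name=:*, label=nautilus)` also drops the `@{busname}` variable that the removed lines and other rules in this file use for unique bus names; `peer=(name=@{busname}, label=nautilus),` is the consistent form. The profile body continues outside the hunk.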
@@ -64,15 +50,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { member=NameHasOwner peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session - interface=org.freedesktop.Application - member=Open, - - dbus send bus=session path=/org/gnome/Nautilus - interface=org.gtk.Application - member={CommandLine,DescribeAll} - peer=(name=org.gnome.Nautilus, label=nautilus), - @{exec_path} mr, @{sh_path} rix, @@ -80,9 +57,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{bin}/file-roller rPx, @{bin}/firejail rPUx, @{bin}/net rPUx, - - @{bin}/* r, - @{lib}/@{multiarch}/glib-2.0/gio-launch-desktop m, + @{bin}/tracker3 rPUx, @{open_path} rPx -> child-open, @@ -97,7 +72,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /var/cache/fontconfig/ rw, - #aa:lint ignore=too-wide # Full access to user's data / r, /*/ r, @@ -114,7 +88,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{tmp}/** rw, # Silence non user's data - deny @{efi}/{,**} r, + deny /boot/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, @@ -134,7 +108,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index e1bde2238..cdc563e07 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -10,15 +10,14 @@ include profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include - include include include include include include - include include include + include network netlink raw, 
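Review bot: `deny /boot/{,**} r,` narrows the previous `deny @{efi}/{,**} r,` to a single path; since this profile grants `/ r,`, `/*/ r,` and broad user-data access, any alternate boot or ESP mount the `@{efi}` tunable covered (an ESP at `/efi`, for instance) is no longer silenced and is reachable or at least noisy depending on the remaining rules. Unless the tunable was removed project-wide, prefer `deny @{efi}/{,**} r,` so the deny tracks the mount layout instead of one hard-coded directory. The `#aa:lint ignore=too-wide` marker was also dropped without the wide rules below it changing, so the linter will now flag them.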
@@ -40,11 +39,12 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r, + @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, @{PROC}/1/cgroup r, + @{PROC}/devices r, @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, @@ -53,6 +53,9 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, + /dev/media@{int} r, + /dev/nvidia-uvm rw, + include if exists } diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers deleted file mode 100644 index 6c4fe6f12..000000000 --- a/apparmor.d/groups/gnome/papers +++ /dev/null 
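Review bot: `/dev/nvidia-uvm rw,` is added directly to the previewer in the last hunk; a lone rw on the unified-memory node without the companion nvidia device nodes is either incomplete or unnecessary, and apparmor.d normally grants GPU devices through a shared abstraction so the set stays consistent across profiles. Prefer the project's nvidia abstraction over a one-off device rule — hedged, since this profile's include list is not legible on this page. `/dev/media@{int} r,` for a file previewer also deserves a short comment on why it is needed (GStreamer device probing is the likely reason) so the next reviewer does not have to rediscover it.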
@@ -1,67 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/papers -profile papers @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - - #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application - - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - - dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026 - interface=org.freedesktop.portal.Session - member=Close - peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - - @{exec_path} mr, - - @{open_path} Cx -> open, - - /usr/share/poppler/{,**} r, - - /etc/passwd r, - - owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, - owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, - owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, - - /tmp/ r, - /var/tmp/ r, - owner @{tmp}/.goutputstream-@{rand6} rw, - owner @{tmp}/papers-@{int}/{,**} rw, - owner @{tmp}/gtkprint_@{rand6} rw, - owner @{tmp}/gtkprint@{rand6} rw, - - @{run}/mount/utab r, - - owner @{PROC}/@{pid}/mountinfo r, - - profile open { - include - include - - @{browsers_path} Px, - @{help_path} Px, - @{bin}/papers Px, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis deleted file mode 100644 index 3195d7f03..000000000 --- a/apparmor.d/groups/gnome/ptyxis +++ /dev/null 
@@ -1,44 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ptyxis -profile ptyxis @{exec_path} { - include - include - include - include - - unix type=stream peer=(label=ptyxis-agent), - - #aa:dbus own bus=session name=org.gnome.Ptyxis interface+=org.freedesktop.Application - - @{exec_path} mr, - - @{lib}/ptyxis-agent Px, - @{open_path} Px -> child-open-help, - - /etc/shells r, - - owner @{user_cache_dirs}/org.gnome.Ptyxis/ rw, - owner @{user_cache_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_cache_dirs}/org.gnome.Ptyxis/**, - - owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, - owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, - owner @{user_config_dirs}/ubuntu-xdg-terminals.list r, - - owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, - owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, - - owner /tmp/#@{int} rw, - - /dev/ptmx rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent deleted file mode 100644 index 6418193a6..000000000 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ /dev/null 
@@ -1,64 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/ptyxis-agent -profile ptyxis-agent @{exec_path} { - include - include - include - include - include - include - include - - signal send set=hup peer=@{p_systemd}, - - ptrace read, - - unix type=stream peer=(label=ptyxis), - - @{exec_path} mr, - - @{bin}/podman Px, - @{bin}/systemd-run Cx -> shell, - - owner @{user_share_dirs}/containers/ w, - owner @{user_share_dirs}/containers/storage/ w, - owner @{user_share_dirs}/containers/storage/overlay-containers/ w, - - @{PROC}/@{pid}/cmdline r, - - /dev/ptmx rw, - - profile shell { - include - include - - signal send, - - unix bind type=stream addr=@@{udbus}/bus/systemd-run/, - - @{bin}/systemd-run mr, - - # The shell is not confined on purpose. - @{bin}/@{shells} Ux, - - # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop Px, - @{bin}/micro PUx, - @{bin}/nvtop Px, - - owner @{run}/user/@{uid}/systemd/private rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index c34526ee1..921f6aa30 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -9,18 +9,19 @@ include @{exec_path} = @{bin}/seahorse profile seahorse @{exec_path} { include - include + include include include + include + include include + include include include include - include - include include - #aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.seahorse.Application @{exec_path} mr, @@ -32,6 +33,7 @@ profile seahorse @{exec_path} { /etc/pki/trust/blocklist/ r, /etc/gcrypt/hwf.deny r, + /etc/{,opensc/}opensc.conf r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, 
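Review bot: The seahorse own directive loses `interface+=org.gnome.Shell.SearchProvider2` in the first hunk; the removed line indicates seahorse exposes a GNOME Shell search provider on `org.gnome.seahorse.Application`, so shell search queries against it will be denied unless another rule covers that interface. If the provider is still shipped, keep `#aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2`. The changed include lines are not legible on this page, so they are not reviewed here.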
diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index b31532cae..d519dca6e 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -9,22 +9,15 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include - include - include - include - include @{exec_path} mr, - @{sh_path} rix, - @{python_path} rix, - @{bin}/dconf rPx, - @{bin}/gsettings rPx, - /usr/share/session-migration/scripts/* rix, + @{sh_path} rix, + @{bin}/gsettings rPx, + /usr/share/session-migration/scripts/*.sh rix, /usr/share/session-migration/{,**} r, - owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/session_migration-* rw, owner @{user_share_dirs}/session_migration-* rw, diff --git a/apparmor.d/groups/gnome/tecla b/apparmor.d/groups/gnome/tecla deleted file mode 100644 index 082c6c925..000000000 --- a/apparmor.d/groups/gnome/tecla +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/tecla -profile tecla @{exec_path} { - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index e200ecb42..02237d932 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -10,9 +10,9 @@ include profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include + include include include include @@ -20,7 +20,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include - include include network netlink raw, 
@@ -29,7 +28,12 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Extract - #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface+=org.freedesktop.DBus.Peer + #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface=org.freedesktop.DBus.Peer + + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.gtk.vfs.Metadata + member={GetTreeFromDevice,Remove} + peer=(name=:*, label=gvfsd-metadata), @{exec_path} mr, @@ -71,9 +75,11 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/media@{int} r, + /dev/video@{int} rw, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 85b7b0d53..e10d81bb2 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,18 +11,16 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include + include + include include include include include include - include include - include - include network netlink raw, @@ -65,6 +63,11 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, + owner /var/tmp/etilqs_@{hex15} rw, + owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{hex15} rw, + owner @{tmp}/etilqs_@{hex16} rw, + # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, @@ -87,6 +90,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/media@{int} rw, + /dev/video@{int} rw, owner /dev/tty@{int} rw, include if exists 
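Review bot: The tracker-miner hunk adds `/dev/media@{int} rw,` and `/dev/video@{int} rw,`, giving the file indexer read/write access to every camera and media-controller node, and tracker-extract gets the same `/dev/video@{int} rw,` two hunks earlier. An indexer has no business opening capture devices, and rw (not r) is what V4L2 needs to actually stream, so this is a privacy-relevant widening. If the access comes from GStreamer plugin probing at startup, the usual remedy is `deny /dev/video@{int} rw,` (and the same for `/dev/media@{int}`) to silence the log without granting the capability — confirm against the denial that motivated the change. The profile body continues outside the hunk.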
diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 1f2fc39d3..f0dd3b46c 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -7,16 +7,14 @@ abi , include @{exec_path} = @{bin}/yelp @{bin}/gnome-help -profile yelp @{exec_path} flags=(attach_disconnected) { +profile yelp @{exec_path} { include include - include include network netlink raw, - #aa:dbus own bus=accessibility name=org.gnome.Yelp - #aa:dbus own bus=session name=org.gnome.Yelp interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.Yelp @{exec_path} mr, @{open_path} rPx -> child-open-help, @@ -30,9 +28,7 @@ profile yelp @{exec_path} flags=(attach_disconnected) { /etc/xml/{,**} r, - @{sys}/firmware/acpi/pm_profile r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - + @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 40c23b660..247c6e4ac 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,17 +29,15 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, - /usr/share/keyrings/** rw, #aa:only apt - /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, #aa:only pacman - /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + /etc/pacman.d/gnupg/gpg.conf r, + /etc/pacman.d/gnupg/pubring.gpg r, + /etc/pacman.d/gnupg/trustdb.gpg r, #aa:only apt - /etc/apt/trusted.gpg.d/{,*} r, owner /etc/apt/keyrings/ rw, owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, 
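Review bot: The gpg hunk replaces rw on `/etc/pacman.d/gnupg/` with read-only access to just `gpg.conf`, `pubring.gpg` and `trustdb.gpg`, and drops `/usr/share/pacman/keyrings/** r,`; read-only is the right direction for signature verification, but gpg takes `trustdb.gpg.lock` and rewrites `trustdb.gpg` during key import and trust updates, and `pacman-key --populate` reads the distro keyrings from `/usr/share/pacman/keyrings/`. Unless those paths run gpg under a dedicated pacman-key profile rather than this one, they will now be denied — confirm which profile pacman-key transitions to before enforcing. On the apt side, dropping `/etc/apt/trusted.gpg.d/{,*} r,` raises the same verification-time question for legacy trusted keys, while removing `/usr/share/keyrings/** rw,` is a clear improvement since distro keyrings should never be writable from gpg. The profile body continues outside the hunk.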
@@ -71,7 +69,6 @@ profile gpg @{exec_path} { owner /tmp/@{int}@{int} rw, owner @{run}/user/@{uid}/gnupg/d.*/ rw, - owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm index 2ef1a9d4a..bfa71cf53 100644 --- a/apparmor.d/groups/gpg/gpgsm +++ b/apparmor.d/groups/gpg/gpgsm @@ -23,11 +23,11 @@ profile gpgsm @{exec_path} { /etc/gcrypt/hwf.deny r, - owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, + deny /usr/bin/.gnupg/ w, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - deny @{bin}/.gnupg/ w, + owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, include if exists } diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 729455f7f..5d2cafd95 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -25,7 +25,7 @@ profile scdaemon @{exec_path} { owner /etc/pacman.d/gnupg/S.scdaemon rw, owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r, - owner @{HOME}/@{XDG_GPG_DIR}/common.conf r, + owner @{HOME}/@{XDG_GPG_DIR}common.conf r, owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index f09ba540d..1a1110091 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures 
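Review bot: The gpg hunk removes `owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw,` while keeping the `d.*/` socket-directory rule; that socket is how gpg reaches gpg-agent for every private-key operation. Unless a gnupg abstraction included at the top of the profile already grants it — not visible in this hunk — agent-backed signing and decryption will fail under enforce mode, so check the abstraction before landing this. The profile body continues outside the hunk.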
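Review bot: `owner @{HOME}/@{XDG_GPG_DIR}common.conf r,` in the scdaemon hunk is missing the `/` between the directory variable and the file name, so it matches a `~/.gnupgcommon.conf` path that does not exist and the read the old rule allowed is now denied. Restore `owner @{HOME}/@{XDG_GPG_DIR}/common.conf r,` to match the `scdaemon.conf` and `reader_@{int}.status` lines around it.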
@@ -9,17 +9,20 @@ include @{exec_path} = /usr/share/grub/grub-check-signatures profile grub-check-signatures @{exec_path} { include - include + include @{exec_path} mr, - @{bin}/{m,g,}awk ix, - @{bin}/mktemp ix, - @{bin}/od ix, + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}//mktemp rix, + @{bin}//od rix, - owner @{tmp}/tmp.@{rand10}/ rw, + /usr/share/debconf/frontend rPx, - @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + /usr/share/debconf/confmodule r, + + owner @{tmp}/tmp.*/ rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index 29f9bf8f7..6bdc7362a 100644 --- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv @@ -13,7 +13,7 @@ profile grub-editenv @{exec_path} { @{exec_path} mr, - @{efi}/grub/grubenv rw, + /boot/grub/grubenv rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index e3ed75334..83e30cbf6 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/grub-install +@{exec_path} = @{bin}/grub-install profile grub-install @{exec_path} flags=(complain) { include include 
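Review bot: `@{bin}//mktemp rix,` and `@{bin}//od rix,` carry a doubled slash; as far as I can tell the parser does not normalise the pattern and the kernel never presents a path containing `//`, so neither rule matches `/usr/bin/mktemp` or `/usr/bin/od` and both execs are denied — write `@{bin}/mktemp rix,` and `@{bin}/od rix,`. The hunk also drops `@{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,`, yet reading that variable (through `od`, which inherits this profile) is the whole purpose of grub-check-signatures, so without it the script cannot determine Secure Boot state. `owner @{tmp}/tmp.*/ rw,` is also looser than the `tmp.@{rand10}` it replaces.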
@@ -19,34 +19,26 @@ profile grub-install @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{sbin}/efibootmgr rix, + @{bin}/efibootmgr rix, @{bin}/kmod rPx, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/udevadm rPx, /usr/share/grub/{,**} r, - /usr/share/locale-langpack/{,**} r, /etc/default/grub.d/{,**} r, /etc/default/grub r, - @{efi}/ r, - @{efi}/EFI/ r, - @{efi}/EFI/*/grubx*.efi rw, - @{efi}/EFI/BOOT/{,**} rw, - @{efi}/EFI/ubuntu/* w, - @{efi}/grub/{,**} rw, + /boot/efi/EFI/ubuntu/* w, + /boot/efi/EFI/BOOT/{,**} rw, + /boot/EFI/*/grubx*.efi rw, + /boot/grub/{,**} rw, - @{sys}/devices/**/hid r, - @{sys}/devices/**/path r, - @{sys}/devices/**/uid r, - @{sys}/firmware/efi/ r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, @{sys}/firmware/efi/efivars/Timeout-@{uuid} r, - @{sys}/firmware/efi/fw_platform_size r, @{sys}/firmware/efi/w_platform_size r, @{PROC}/devices r, diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless index 17e71a25c..c2571ea73 100644 --- a/apparmor.d/groups/grub/grub-macbless +++ b/apparmor.d/groups/grub/grub-macbless @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/grub-macbless +@{exec_path} = @{bin}/grub-macbless profile grub-macbless @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 5b62fa30c..2a60d69c5 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/grub-mkconfig @{sbin}/grub2-mkconfig +@{exec_path} = @{bin}/grub-mkconfig profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { include include 
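Review bot: The new side keeps `@{sys}/firmware/efi/w_platform_size r,` while removing `fw_platform_size`; the real sysfs node is `fw_platform_size`, so the retained line is a typo that matches nothing and the read is lost. Likewise `/boot/EFI/*/grubx*.efi rw,` sits beside `/boot/efi/EFI/ubuntu/* w,` and `/boot/efi/EFI/BOOT/{,**} rw,` — the missing `efi/` component looks like the same class of slip. `@{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,` also downgrades the write on BootOrder even though `efibootmgr` runs `rix` inside this profile and rewrites BootOrder when it registers the entry; because the profile is `flags=(complain)` these only log today, but they will break the install when it is enforced.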
@@ -21,25 +21,25 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/{e,f,}grep rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, - @{sbin}/btrfs rPx, + @{bin}/btrfs rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cut rix, @{bin}/date rix, @{bin}/dirname rix, - @{sbin}/dmsetup rPx, + @{bin}/dmsetup rPUx, @{bin}/dpkg rPx, @{bin}/find rix, @{bin}/findmnt rPx, @{bin}/gettext rix, @{bin}/grub-editenv rPx, @{bin}/grub-mkrelpath rPx, - @{sbin}/grub-probe rPx, + @{bin}/grub-probe rPx, @{bin}/grub-script-check rPx, @{bin}/head rix, @{bin}/id rPx, @{bin}/ls rix, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/mktemp rix, @{bin}/mount rPx, @{bin}/mountpoint rix, @@ -56,7 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/umount rPx, @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{.debianutils,} rix, @{bin}/zfs rPx, @{bin}/zpool rPx, /etc/grub.d/{,**} rix, @@ -65,7 +65,6 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{lib}/grub/grub-sort-version rPx, @{lib}/libostree/grub[0-9]-@{int}_ostree rix, - /usr/share/desktop-base/*/grub/* r, /usr/share/grub/{,**} r, /usr/share/terminfo/** r, @@ -81,8 +80,8 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { /.zfs/snapshot/*/etc/fstab r, /.zfs/snapshot/*/etc/machine-id r, - @{efi}/{,**} r, - @{efi}/grub/{,**} rw, + /boot/{,**} r, + /boot/grub/{,**} rw, /tmp/grub-*.@{rand10}/{,**} rw, diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index ca9f3ad3c..533f9780b 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -6,20 +6,13 @@ abi , include -@{exec_path} = @{sbin}/grub-mkdevicemap +@{exec_path} = @{bin}/grub-mkdevicemap profile grub-mkdevicemap @{exec_path} { include include - include - - capability sys_admin, @{exec_path} mr, - @{PROC}/devices r, - - /dev/mapper/control rw, - include if exists } 
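Review bot: `@{bin}/dmsetup rPUx,` is the only transition in this list with an unconfined fallback; every other external tool (`btrfs`, `grub-probe`, `findmnt`, `mount`) stays `rPx`. With `PUx`, a host without a loaded dmsetup profile runs device-mapper control as root fully unconfined from a profile that already has `attach_disconnected`; keep it `rPx` and only use `PUx` with a comment stating why the fallback is acceptable. Separately, the grub-mkdevicemap hunk on this line drops `capability sys_admin,` and `/dev/mapper/control rw,` with no replacement, so if that tool still opens the DM control node it is now denied — confirm with a run in complain mode.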
diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index d4508b4c5..a60a6aaba 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -21,12 +21,12 @@ profile grub-mkrelpath @{exec_path} { / r, /usr/share/grub/* r, - @{efi}/ r, - @{efi}/grub/themes/{,**} r, + /boot/ r, + /boot/grub/themes/{,**} r, /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, - /tmp/grub-btrfs.*/@_backup_*/boot/ r, + /tmp/grub-btrfs.*/@_backup_@{int}/boot/ r, /tmp/grub-btrfs.*/ r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index d900ec2f6..94c4c7e2b 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -13,7 +13,7 @@ profile grub-multi-install @{exec_path} { @{exec_path} mr, - @{sbin}/grub-install rPx, + @{bin}/grub-install rPx, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/cat rix, @@ -24,12 +24,12 @@ profile grub-multi-install @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/udevadm rPx, - /usr/share/debconf/frontend rix, + /usr/share/debconf/frontend rPx, - @{lib}/terminfo/x/xterm-256color r, + /usr/lib/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, - @{efi}/grub/grub.cfg rw, + /boot/grub/grub.cfg rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index c767d2f02..80d517deb 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/grub-probe +@{exec_path} = @{bin}/grub-probe profile grub-probe @{exec_path} { include include 
@@ -19,24 +19,39 @@ profile grub-probe @{exec_path} { @{exec_path} mr, /{usr/,}{local/,}{s,}bin/zpool rPx, - @{bin}/lsb_release rPx, - @{sbin}/lvm rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lvm rPx, @{bin}/udevadm rPx, /usr/share/grub/* r, / r, - @{efi}/ r, - @{efi}/grub/ r, - @{efi}/grub/themes/{,**} r, + /boot/ r, + /boot/grub/themes/{,**} r, @{PROC}/@{pids}/mountinfo r, @{PROC}/devices r, - /dev/**/ r, - /dev/mapper/control w, - - deny mqueue (read, getattr) type=posix /, + /dev/*vg*/ r, + /dev/bsg/ r, + /dev/bus/ r, + /dev/bus/usb/ r, + /dev/bus/usb/@{int}/ r, + /dev/char/ r, + /dev/cpu/ r, + /dev/cpu/@{int}/ r, + /dev/dma_heap/ r, + /dev/dri/ r, + /dev/dri/by-path/ r, + /dev/hugepages/ r, + /dev/input/ r, + /dev/input/by-id/ r, + /dev/input/by-path/ r, + /dev/mapper/control rw, + /dev/mqueue/ r, + /dev/shm/ r, + /dev/snd/ r, + /dev/snd/by-path/ r, include if exists } diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot index 310b416bf..7d94a22af 100644 --- a/apparmor.d/groups/grub/grub-reboot +++ b/apparmor.d/groups/grub/grub-reboot @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/grub-reboot +@{exec_path} = @{bin}/grub-reboot profile grub-reboot @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check index 9961a778e..93b344cf8 100644 --- a/apparmor.d/groups/grub/grub-script-check +++ b/apparmor.d/groups/grub/grub-script-check @@ -13,7 +13,7 @@ profile grub-script-check @{exec_path} { @{exec_path} mr, - @{efi}/grub/grub* rw, + /boot/grub/grub* rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default index 9e3c96464..11c78024b 100644 --- a/apparmor.d/groups/grub/grub-set-default +++ b/apparmor.d/groups/grub/grub-set-default 
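Review bot: The enumerated `/dev/<subdir>/ r` list that replaces `/dev/**/ r` omits the directories a block-device prober is most likely to walk — there is no `/dev/disk/` (with its `by-*/` children) or `/dev/block/` entry — while it lists input, snd, dri and cpu directories that a bootloader probe has no reason to read. Check the actual denials and keep only what grub-probe touches, adding `/dev/disk/{,**/} r,` and `/dev/block/ r,` if they show up. `/dev/*vg*/ r,` is also a loose glob: it matches any `/dev` entry whose name contains `vg`, not just LVM volume groups, so an explicit `/dev/mapper/` rule or a list of the volume-group directories would say what is meant. With the `deny mqueue (read, getattr) type=posix /,` line removed, the event it silenced will reappear in the audit log unless `/dev/mqueue/ r,` covers the same access — worth confirming.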
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/grub-set-default +@{exec_path} = @{bin}/grub-set-default profile grub-set-default @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version index 6ece8a60b..5e65fe835 100644 --- a/apparmor.d/groups/grub/grub-sort-version +++ b/apparmor.d/groups/grub/grub-sort-version @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/grub/grub-sort-version profile grub-sort-version @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index d4460a3cf..03df05295 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/update-grub +@{exec_path} = @{bin}/update-grub{2,} profile update-grub @{exec_path} { include include @@ -14,9 +14,8 @@ profile update-grub @{exec_path} { capability dac_read_search, @{exec_path} mr, - - @{sh_path} rix, - @{sbin}/grub-mkconfig rPx, + @{sh_path} rix, + @{bin}/grub-mkconfig rPx, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 32136d710..c1058c158 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -12,12 +12,12 @@ profile gvfs-afc-volume-monitor @{exec_path} { include include - #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.AfcVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, 
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 017a66e84..1b5f74ae3 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -12,17 +12,17 @@ profile gvfs-goa-volume-monitor @{exec_path} { include include - #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.GoaVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}, label=goa-daemon), + peer=(name=:*, label=goa-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index ece97e688..f2b534635 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -16,12 +16,12 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.GPhoto2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, 
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index fd3b38012..d71b71523 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -15,12 +15,12 @@ profile gvfs-mtp-volume-monitor @{exec_path} { network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.MTPVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 80f7f86a9..ccbe15fd1 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -12,7 +12,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -29,13 +29,13 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface+=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor + #aa:dbus own bus=session name=org.gtk.vfs.UDisks2VolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor path=/org/gtk/Private/RemoteVolumeMonitor #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, 
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index e3e3edfae..c5c4dc3c1 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -18,28 +18,25 @@ profile gvfsd @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker - # The server side of abstractions/bus/session/org.gtk.vfs.Mountable dbus send bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=@{busname}, label=gvfsd-*), + peer=(name=:*, label=gvfsd-*), - # The server side of abstractions/bus/session/org.gtk.vfs.Spawner dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=@{busname}, label=gvfsd-*), + peer=(name=:*, label=gvfsd-*), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, @{sh_path} rix, @{lib}/{,gvfs/}gvfsd-* rpx, - @{bin}/pkexec rCx -> pkexec, /usr/share/gvfs/{,**} r, @@ -48,17 +45,6 @@ profile gvfsd @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - profile pkexec { - include - include - - ptrace read peer=gvfsd, - - @{lib}/{,gvfs/}gvfsd-admin rPx, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 5a1fd1c82..7a1584d48 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin 
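Review bot: The new side deletes `@{bin}/pkexec rCx -> pkexec,` together with the `pkexec` child profile that was the only path from gvfsd to `gvfsd-admin rPx`, yet the `gvfsd-admin` profile is still present in this diff. If gvfsd still launches the admin backend through pkexec for `admin://` URIs, that exec is now denied by this profile (the remaining `@{lib}/{,gvfs/}gvfsd-* rpx,` covers a direct exec only), so either the pkexec transition should stay or the reason for removing it should be recorded in the profile. The `peer=(name=:*, ...)` rewrites are otherwise equivalent to the previous `@{busname}` form as long as that variable only ever matched unique bus names.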
@@ -10,38 +10,9 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include - include - include - include - include - include - include - - capability chown, - capability dac_override, - capability dac_read_search, - capability fowner, - capability setuid, - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, - #aa:lint ignore=too-wide - # Full access to system's data, but no write access to sensitive system directories - / r, - /*/ r, - /*/** rw, - deny @{sys}/** w, - deny @{PROC}/** w, - deny @{efi}/** w, - deny /dev/** w, - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc index da231f469..68d4b689e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afc +++ b/apparmor.d/groups/gvfs/gvfsd-afc @@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afc profile gvfsd-afc @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp index db6fe5a48..eeaaec059 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp +++ b/apparmor.d/groups/gvfs/gvfsd-afp 
@@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp profile gvfsd-afp @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse index a39e25785..48680f12f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp-browse +++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse @@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp-browse profile gvfsd-afp-browse @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 68b1e7765..918841320 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -10,20 +10,9 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-archive profile gvfsd-archive @{exec_path} { include - include - include - include - include include include - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, owner @{HOME}/**.{tar,tar.gz,zip} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn index 09062241a..b70fa7110 100644 --- a/apparmor.d/groups/gvfs/gvfsd-burn +++ b/apparmor.d/groups/gvfs/gvfsd-burn 
@@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-burn profile gvfsd-burn @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda index 356f8dcd3..0648f5dc0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-cdda +++ b/apparmor.d/groups/gvfs/gvfsd-cdda @@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-cdda profile gvfsd-cdda @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 667b448c4..e756c8440 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -10,19 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-computer profile gvfsd-computer @{exec_path} { include - include - include - include - include - - #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index b335724cb..77e1a2f6f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav 
+++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -10,10 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-dav profile gvfsd-dav @{exec_path} { include - include - include - include - include include include include @@ -28,13 +24,6 @@ profile gvfsd-dav @{exec_path} { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index aad9de3a0..2f3b8d8f2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -12,19 +12,26 @@ profile gvfsd-dnssd @{exec_path} { include include include - include - include - include - include - include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gvfsd-network), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 3b36fc4f1..5b7c833a5 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp 
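Review bot: The rewritten directive `#aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd` in gvfsd-dnssd drops the `path=/org/gtk/vfs/mounttracker` constraint that the old line carried, so whatever it expands to now covers every object path exported by `gvfsd` rather than the mount tracker alone. Restore `path=/org/gtk/vfs/mounttracker` unless gvfsd-dnssd genuinely calls other gvfsd objects. The three explicit rules added below it (`GetConnection` from `gvfsd-network`, `Mount` from `gvfsd`, `Spawned` to `gvfsd`) are correctly scoped by path, interface and member and are the model the directive should follow.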
@@ -10,10 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-ftp profile gvfsd-ftp @{exec_path} { include - include - include - include - include include include include @@ -24,13 +20,6 @@ profile gvfsd-ftp @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index f67068f49..375040ec3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -11,9 +11,7 @@ include profile gvfsd-fuse @{exec_path} { include include - include - include - include + include include capability sys_admin, 
@@ -22,35 +20,45 @@ profile gvfsd-fuse @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterFuse + peer=(name=:*, label=gvfsd), - dbus receive bus=session + dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, - owner @{run}/user/@{uid}/gvfsd-fuse/ rw, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, - @{PROC}/sys/fs/pipe-max-size r, /dev/fuse rw, profile fusermount { include - include + include - capability setuid, + capability dac_read_search, + capability sys_admin, # To mount anything mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, umount @{run}/user/@{uid}/**/, unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse), + @{bin}/fusermount{,3} mr, + + /etc/fuse{,3}.conf r, + /etc/machine-id r, + + @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google index 819e84c39..eb80f3a7a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-google +++ b/apparmor.d/groups/gvfs/gvfsd-google @@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-google profile gvfsd-google @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2 index 0544000c0..688f03c27 100644 
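Review bot: In the `fusermount` child profile the kept rule `umount @{run}/user/@{uid}/**/,` is much wider than the matching mount rule `mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,`: it lets the helper, which now carries `capability sys_admin`, unmount any mount point under the user's runtime directory rather than just the gvfs one. Tighten it to `umount @{run}/user/@{uid}/gvfs/,` unless other mount points are actually released here. The hunk also swaps `capability setuid` for `dac_read_search` and `sys_admin`; fusermount is a setuid-root helper that drops to the calling uid after mounting, so a `setuid` denial is plausible and should be checked in complain mode before the capability is dropped. The removed `owner @{run}/user/@{uid}/gvfsd-fuse/ rw,` directory rule has no replacement on the new side either.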
--- a/apparmor.d/groups/gvfs/gvfsd-gphoto2 +++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2 @@ -10,17 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-gphoto2 profile gvfsd-gphoto2 @{exec_path} { include - include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 2678bde40..2fe0a1e2b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,11 +11,8 @@ include profile gvfsd-http @{exec_path} { include include - include - include - include include - # include + include include include include @@ -26,16 +23,20 @@ profile gvfsd-http @{exec_path} { network inet6 dgram, network netlink raw, - unix type=stream peer=(label=gnome-shell), - unix type=stream peer=(label=gnome-extension-gsconnect), - #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index d1af3c60c..5ffbabb40 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest 
+++ b/apparmor.d/groups/gvfs/gvfsd-localtest @@ -10,9 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-localtest profile gvfsd-localtest @{exec_path} { include - include - include - include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 8565856d9..f6f3820bb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -11,9 +11,6 @@ include profile gvfsd-metadata @{exec_path} { include include - include - include - include include network netlink raw, @@ -21,12 +18,11 @@ profile gvfsd-metadata @{exec_path} { signal (receive) set=(usr1) peer=pacman, #aa:dbus own bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/{m,M}etadata - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 8d5ad78c5..3c747b8b3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -10,10 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-mtp profile gvfsd-mtp @{exec_path} { include - include - include - include - include include include include @@ -23,18 +19,10 @@ profile gvfsd-mtp @{exec_path} { network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, - owner @{HOME}/ r, - owner @{HOME}/** rw, - owner @{MOUNTS}/** rw, + owner @{HOME}/{,**} rw, # FIXME: ? + owner @{MOUNTS}/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, 
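Review bot: In gvfsd-mtp, `owner @{HOME}/{,**} rw, # FIXME: ?` turns the home directory itself from `r` into `rw` and ships with an unresolved question mark; a rule that lets a device-browsing backend create and delete top-level entries in `@{HOME}` should not land with a FIXME. Either keep the previous split (`owner @{HOME}/ r,` plus `owner @{HOME}/** rw,`) or replace the FIXME with a comment naming the operation that needs write on the directory, and the same applies to `owner @{MOUNTS}/{,**} rw,`. The `peer=(name=:*, ...)` change in gvfsd-metadata on this line is fine.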
diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 7874686bc..87851fc16 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,22 +11,39 @@ include profile gvfsd-network @{exec_path} { include include - include - include - include include - include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={MountLocation,LookupMount,RegisterMount} + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gvfsd-dnssd), + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label=gnome-control-center), @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index aae859d73..575d9de39 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs 
@@ -10,23 +10,12 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-nfs profile gvfsd-nfs @{exec_path} { include - include - include - include - include include network inet stream, network inet6 stream, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index ca59d75cd..03586b291 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -11,27 +11,33 @@ include profile gvfsd-recent @{exec_path} { include include - include - include - include + include + include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), @{exec_path} mr, # Full access to user's data - owner @{HOME}/{,**} r, - owner @{MOUNTS}/{,**} r, + owner @{HOME}/{,**} rw, # FIXME: ? + owner @{MOUNTS}/{,**} rw, owner @{HOME}/.zshenv r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 862ef88aa..cabee57c2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp 
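Review bot: In gvfsd-recent, `owner @{HOME}/{,**} rw, # FIXME: ?` and `owner @{MOUNTS}/{,**} rw,` raise the recent:// backend from read-only to read-write over the entire home directory and every mount, under a header comment that already says "Full access to user's data"; a privilege jump of that size should not be merged with an open FIXME. If the only write is to the recently-used list, a narrower rule on that file is the right fix and the two rules should go back to `r`; otherwise the comment should name the write that was observed. Note also that `owner @{HOME}/.zshenv r,` just below becomes redundant once `@{HOME}/{,**} rw` is in place.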
+++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -10,29 +10,15 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-sftp profile gvfsd-sftp @{exec_path} { include - include - include - include - include include include include - include - - #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{bin}/ssh rPx, owner @{run}/user/@{uid}/gvfsd-sftp/ rw, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 9d99a43af..24891e9c3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -10,10 +10,6 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-smb profile gvfsd-smb @{exec_path} { include - include - include - include - include include include @@ -23,13 +19,6 @@ profile gvfsd-smb @{exec_path} { network inet dgram, network inet6 dgram, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, /etc/samba/smb.conf r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 66099563e..f285a3c15 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,11 +11,8 @@ include profile gvfsd-smb-browse @{exec_path} { include include - include - include - include + include include - include include network netlink raw, 
@@ -25,15 +22,21 @@ profile gvfsd-smb-browse @{exec_path} { network inet6 dgram, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /etc/samba/* r, /var/cache/samba/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 070c41a84..683d271a8 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,9 +11,6 @@ include profile gvfsd-trash @{exec_path} { include include - include - include - include include include include 
@@ -23,12 +20,31 @@ profile gvfsd-trash @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=:*, label="{gnome-shell,nautilus}"), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 4ea39c7d0..f971b5f6a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd 
@@ -9,33 +9,16 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-wsdd profile gvfsd-wsdd @{exec_path} { include - include - include - include - include - include - include - network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, - #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, - @{bin}/env mr, + @{bin}/env r, @{bin}/wsdd rPx, - @{run}/avahi-daemon/socket rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/gvfsd/wsdd rw, include if exists } diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index cd3270e49..68356741d 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -14,7 +14,6 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { include include include - include capability sys_ptrace, 
@@ -32,25 +31,24 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/hyprland/{,**} rw, owner @{user_config_dirs}/hypr/** r, owner @{user_share_dirs}/hyprpm/** mr, - owner @{user_share_dirs}/hyprland/** rw, owner @{run}/user/@{uid}/gamescope-* rw, owner @{run}/user/@{uid}/.hyprpaper_* rw, owner @{run}/user/@{uid}/.hyprpicker_* rw, owner @{run}/user/@{uid}/hypr/{,**} rw, - owner @{att}/dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @{run}/systemd/sessions/@{int} r, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+platform:* r, @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+usb* r, # for USB mouse and keyboard @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @@ -62,9 +60,6 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/environ r, - @{att}/dev/dri/card@{int} rw, - @{att}/dev/input/event@{int} rw, - /dev/input/event@{int} rw, /dev/tty r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock index fab1c2a2e..b17c0c66a 100644 
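Review bot: `@{run}/udev/data/+usb* r,` replaces `+usb:*` and, without the subsystem separator, also matches sibling subsystems such as `+usb-serial:*` and `+usbmisc:*`, which is wider than the stated purpose "for USB mouse and keyboard". Keep the separator: `@{run}/udev/data/+usb:* r,`. The rewritten comments on `+hid:*`, `+acpi:*` and `+platform:*` are also less precise than the descriptions the old side carried; restoring those costs nothing.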
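Review bot: Removing `/dev/input/event@{int} rw,` together with both `@{att}/dev/...` variants leaves this hunk of the compositor profile with no rule for the input event nodes or the DRM card node, even though `flags=(attach_disconnected)` is kept and `@{att}` paths therefore remain reachable. Unless an include not visible here covers `/dev/input/event*` and `/dev/dri/card*`, Hyprland will be denied its seat devices at start. If the intent was only to drop the `@{att}` duplicates, keep plain `/dev/input/event@{int} rw,` and `/dev/dri/card@{int} rw,`.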
--- a/apparmor.d/groups/hyprland/hyprlock +++ b/apparmor.d/groups/hyprland/hyprlock @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/hyprlock -profile hyprlock @{exec_path} flags=(attach_disconnected) { +profile hyprlock @{exec_path} { include include include @@ -19,7 +19,7 @@ profile hyprlock @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{etc_ro}/security/faillock.conf r, + /etc/security/faillock.conf r, /etc/shells r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, diff --git a/apparmor.d/groups/hyprland/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper index 6d0674d9f..3cb8dca92 100644 --- a/apparmor.d/groups/hyprland/hyprpaper +++ b/apparmor.d/groups/hyprland/hyprpaper @@ -9,11 +9,12 @@ include @{exec_path} = @{bin}/hyprpaper profile hyprpaper @{exec_path} flags=(attach_disconnected) { include - include include @{exec_path} mr, + /usr/share/icons/** r, + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, owner @{user_config_dirs}/hypr/hyprpaper.conf r, diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index 7becc5fb6..78375c8b2 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -9,14 +9,14 @@ include @{exec_path} = @{bin}/hyprpicker profile hyprpicker @{exec_path} { include - include @{exec_path} mr, @{bin}/wl-copy Px, + /usr/share/icons/** r, + owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, - owner /dev/shm/@{uuid} r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/hyprland/hyprpm b/apparmor.d/groups/hyprland/hyprpm index 149128b1e..3a5878808 100644 --- a/apparmor.d/groups/hyprland/hyprpm +++ b/apparmor.d/groups/hyprland/hyprpm @@ -11,6 +11,7 @@ profile hyprpm @{exec_path} { include include include + include network inet dgram, network inet stream, diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index b5e1b4ae8..197f90f88 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier 
+++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,8 +10,6 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include - include - include include include include @@ -25,20 +23,14 @@ profile DiscoverNotifier @{exec_path} { network netlink dgram, network netlink raw, - #aa:dbus own bus=session name=org.kde.discover.notifier - - #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd - @{exec_path} mr, @{bin}/apt-config rPx, - @{bin}/plasma-discover rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, - /usr/share/flatpak/remotes.d/{,**} r, /usr/share/metainfo/{,**} r, /etc/machine-id r, @@ -49,7 +41,7 @@ profile DiscoverNotifier @{exec_path} { /var/cache/swcatalog/cache/ w, /var/cache/swcatalog/xml/{,**} r, - owner @{user_cache_dirs}/appstream/ rw, + owner @{user_cache_dirs}/appstream/ r, owner @{user_cache_dirs}/appstream/** rw, owner @{user_cache_dirs}/flatpak/{,**} rw, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 29447e22a..9a2f4c961 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo 
@@ -42,10 +42,29 @@ profile baloo @{exec_path} { owner @{user_share_dirs}/baloo/{,**} rwk, - @{run}/mount/utab r, + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+dmi:* r, # For motherboard info + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices + @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c89:@{int} r, # For I2C bus interface + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 33660a776..e3fca1f8f 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -10,7 +10,6 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include - include include include include 
@@ -29,8 +28,33 @@ profile baloorunner @{exec_path} { /tmp/ r, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+dmi* r, # for motherboard info + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+sound:card@{int} r, # for sound card + + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices + @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c89:@{int} r, # For I2C bus interface + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers + @{run}/udev/data/c203:@{int} r, # CPU CPUID information + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 022c0beec..8465da560 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin 
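Review bot: `@{run}/udev/data/c18[0,8,9]:@{int} r,` puts commas inside an AppArmor character class, where the comma is a literal member, so the class matches `0`, `,`, `8` or `9` rather than the intended three digits; write `@{run}/udev/data/c18[089]:@{int} r,`. In the same hunk `+dmi* r,` and `+power_supply* r,` drop the subsystem separator, whereas the baloo hunk in this commit uses `+dmi:*`; prefer `+dmi:*` and `+power_supply:*` so each rule stays tied to one subsystem. Otherwise replacing the `+*:*` and `c@{int}:@{int}` catch-alls with an enumerated list is a welcome narrowing.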
@@ -21,23 +21,15 @@ profile dolphin @{exec_path} { include include include - include network netlink raw, - signal send set=hup peer=@{p_systemd}, - signal send set=term peer=kioworker, - - ptrace read peer=@{p_systemd}, - ptrace read peer=okular, + signal (send) set=(term) peer=kioworker, @{exec_path} mr, - @{lib}/libheif/ r, - @{lib}/libheif/*.so* mr, - @{bin}/ldd rix, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, @@ -48,13 +40,13 @@ profile dolphin @{exec_path} { /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/misc/termcap r, - /usr/share/thumbnailers/{,**} r, /etc/fstab r, - /etc/exports r, /etc/machine-id r, /etc/xdg/arkrc r, /etc/xdg/dolphinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, /etc/xdg/ui/ui_standards.rc r, # Full access to user's data @@ -70,7 +62,7 @@ profile dolphin @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny @{efi}/{,**} r, + deny /boot/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, 
@@ -78,46 +70,39 @@ profile dolphin @{exec_path} { owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, - owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk, + owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rw, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, - owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, - owner @{user_config_dirs}/knfsshare.lock rwk, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, + + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/#@{int} rw, + owner @{user_config_dirs}/session/dolphin_* rwlk -> @{user_config_dirs}/session/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, - owner @{tmp}/dolphin.@{rand6}{,.lock} rwlk, - @{run}/issue r, @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices - @{sys}/bus/ r, @{sys}/bus/*/devices/ r, - @{sys}/class/*/ r, - @{sys}/devices/**/uevent r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, 
@{sys}/devices/virtual/block/dm-@{int}/uevent r, - /dev/tty rw, + /dev/tty r, include if exists } diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index e04180ff4..961c18cfe 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -23,36 +23,18 @@ profile drkonqi @{exec_path} { @{exec_path} mr, - @{bin}/plasmashell r, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, /usr/share/drkonqi/{,**} r, - /etc/machine-id r, - - / r, - owner @{user_cache_dirs}/drkonqi/ rw, owner @{user_cache_dirs}/drkonqi/** rwlk -> @{user_cache_dirs}/drkonqi/**, owner @{user_cache_dirs}/kcrash-metadata/* w, - owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/drkonqirc r, - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, - /{run,var}/log/journal/remote/ r, - /dev/tty r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, - include if exists } diff --git a/apparmor.d/groups/kde/drkonqi-coredump-cleanup b/apparmor.d/groups/kde/drkonqi-coredump-cleanup index 199dd9c8f..c74276b95 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-cleanup +++ b/apparmor.d/groups/kde/drkonqi-coredump-cleanup @@ -14,8 +14,7 @@ profile drkonqi-coredump-cleanup @{exec_path} { @{exec_path} mr, @{user_cache_dirs}/kcrash-metadata/ r, - owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini rw, - owner @{user_cache_dirs}/kcrash-metadata/@{int}.ini rw, + owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini w, include if exists } 
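Review bot: Removing all `/{run,var}/log/journal/...` read rules and `owner @{PROC}/@{pid}/{cmdline,mountinfo,stat} r` from drkonqi leaves the crash reporter with no visible journal access, while drkonqi-coredump-processor in this same commit keeps and tightens the identical journal rules. If drkonqi no longer reads the journal itself this is a good narrowing; if it still does, the denials will only surface while a crash is being handled, which is the worst moment to discover them. Please confirm with an aa-log run against a forced crash, or keep the tightened `/{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,` form here too.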
diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor index 359352383..e07a6c1d4 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-processor +++ b/apparmor.d/groups/kde/drkonqi-coredump-processor @@ -10,7 +10,6 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi-coredump-processor profile drkonqi-coredump-processor @{exec_path} { include - include include capability dac_override, @@ -25,9 +24,9 @@ profile drkonqi-coredump-processor @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal r, - /{run,var}/log/journal/@{hex32}/system@*.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, /{run,var}/log/journal/@{hex32}/user-@{uid}.journal r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@*.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, /{run,var}/log/journal/remote/ r, include if exists diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index dbca9fcf5..d9879941b 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,8 +9,8 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include - include include + include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 1fdb4b920..42c1400ef 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess 
@@ -10,23 +10,23 @@ include profile kaccess @{exec_path} { include include - include include include include - #aa:dbus own bus=session name=org.kde.kaccess - #aa:dbus talk bus=session name=org.kde.kglobalaccel path=/kglobalaccel label=kglobalacceld - @{exec_path} mr, @{bin}/gsettings rPx, + /usr/share/icons/{,**} r, + /etc/machine-id r, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, + owner @{user_share_dirs}/mime/generic-icons r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 1cc6b41d1..fdc0730c4 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -10,7 +10,6 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kactivitymanagerd profile kactivitymanagerd @{exec_path} { include - include include include include @@ -19,9 +18,6 @@ profile kactivitymanagerd @{exec_path} { include include - #aa:dbus own bus=session name=org.kde.ActivityManager path=/ActivityManager - #aa:dbus own bus=session name=org.kde.runners.activities - @{exec_path} mr, /etc/xdg/menus/{,*/} r, @@ -42,6 +38,7 @@ profile kactivitymanagerd @{exec_path} { owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, owner @{user_share_dirs}/kservices{5,6}/{,**} r, + owner @{user_share_dirs}/recently-used.xbel r, owner @{user_share_dirs}/user-places.xbel r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index e9ae78457..661090bc1 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -25,7 +25,6 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi-firstrunrc r, - owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emailidentities r, 
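Review bot: Deleting `#aa:dbus own bus=session name=org.kde.kaccess` removes the only visible source of the rules that let kaccess own its bus name, and other profiles in this commit (gvfsd-recent, kauth-kded-smart-helper) keep their `#aa:dbus own` directives, so the directive mechanism is still in use. Unless the remaining includes (not legible here) provide an equivalent `dbus bind` rule, kaccess will be denied at `RequestName` and exit at session start. If the directive is being dropped on purpose, say why in the commit message; otherwise keep it.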
@@ -34,11 +33,6 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kmail2rc r, - owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/kalendaracstaterc rw, - owner @{user_state_dirs}/kalendaracstaterc.@{rand6} rwl, - owner @{user_state_dirs}/kalendaracstaterc.lock rwk, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index cc844ce17..61308e83b 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -16,8 +16,6 @@ profile kauth-backlighthelper @{exec_path} { capability net_admin, - #aa:dbus own bus=system name=org.kde.powerdevil.backlighthelper - @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 119b5508d..44a6d0239 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -9,18 +9,14 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}chargethresholdhelper profile kauth-chargethresholdhelper @{exec_path} { include - include include - include - - #aa:dbus own bus=system name=org.kde.powerdevil.chargethresholdhelper - #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, @{sys}/class/power_supply/ r, + @{sys}/devices/@{pci}/power_supply/** r, @{sys}/devices/**/power_supply/** r, include if exists diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index 8fcec5a2c..f03dfb007 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper 
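Review bot: The added `@{sys}/devices/@{pci}/power_supply/** r,` is already matched by the existing `@{sys}/devices/**/power_supply/** r,` on the very next line, so the new rule grants nothing and only adds a line to maintain; drop it, or if the goal is to restrict to PCI-attached supplies drop the `**` rule instead. The same hunk also removes `#aa:dbus own bus=system name=org.kde.powerdevil.chargethresholdhelper` from a privileged system-bus helper; whatever now authorises it to own that name should be stated explicitly rather than left to an include whose target is not visible here.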
@@ -9,12 +9,8 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}discretegpuhelper profile kauth-discretegpuhelper @{exec_path} { include - include - include include - #aa:dbus own bus=system name=org.kde.powerdevil.discretegpuhelper - @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index 2e60e6a0a..6483fe39f 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -15,18 +15,14 @@ profile kauth-kded-smart-helper @{exec_path} { #aa:dbus own bus=system name=org.kde.kded.smart - dbus receive bus=system path=/ - interface=org.kde.kf5auth - member=performAction - peer=(name=@{busname}, label=kded), dbus send bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=org.freedesktop.DBus, label=kded), + peer=(name=org.freedesktop.DBus, label=kded5), @{exec_path} mr, - @{sbin}/smartctl rPx, + @{bin}/smartctl rPx, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper index afecd8d53..5ae1f5f12 100644 --- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper +++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper @@ -13,7 +13,7 @@ profile kauth-kinfocenter-dmidecode-helper @{exec_path} { @{exec_path} mr, - @{sbin}/dmidecode rPx, + @{bin}/dmidecode rPx, include if exists } diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 59f60c285..93378bf76 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -10,11 +10,9 @@ include profile kcminit @{exec_path} { include include - include + include include - #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit - @{exec_path} mr, @{bin}/xrdb rPx, 
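Review bot: The `remoteSignal` send now reads `peer=(name=org.freedesktop.DBus, label=kded5)`, but the receiving profile in this same commit is declared `profile kded @{exec_path}` with `@{exec_path} = @{bin}/kded5 @{bin}/kded6`, so its label is `kded`; with this mismatch the signal is denied for both kded5 and kded6. Restore `label=kded`. The hunk also deletes the explicit `dbus receive ... member=performAction peer=(name=@{busname}, label=kded)` rule, so the set of callers permitted to trigger `performAction` on this root helper becomes whatever the `#aa:dbus own` directive expands to; since the helper goes on to run `smartctl` with elevated rights, a peer-restricted receive rule is the safer default and should stay. Finally, `@{bin}/smartctl rPx` replaces `@{sbin}/smartctl`; on distributions where smartctl lives only under /usr/sbin and `@{bin}` does not cover it, the exec will now be denied.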
@@ -28,8 +26,6 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl, owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl, - owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl, - owner @{user_config_dirs}/kcminputrc.lock rwk, owner @{user_config_dirs}/kgammarc r, owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/touchpadxlibinputrc r, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 6a01748fd..e152325ed 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -12,6 +12,7 @@ profile kconf_update @{exec_path} { include include include + include include include include @@ -24,22 +25,21 @@ profile kconf_update @{exec_path} { @{sh_path} rix, @{bin}/{,p}grep rix, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{bin}/qtpaths rix, @{bin}/sed rix, @{bin}/qtchooser rPx, @{lib}/kconf_update_bin/* rix, @{lib}/@{multiarch}/kconf_update_bin/* rix, - @{lib}/qt6/bin/qtpaths rix, /usr/share/kconf_update/*.py rix, /usr/share/kconf_update/*.sh rix, /usr/share/kconf_update/{,**} r, /usr/share/kglobalaccel/org.kde.krunner.desktop r, - /etc/xdg/*rc r, - /etc/xdg/ui/*rc r, + /etc/xdg/konsolerc r, + /etc/xdg/ui/ui_standards.rc r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 7d6daeda6..d37b53ddd 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil 
@@ -11,37 +11,22 @@ include profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include - include - include - include - include include include include include - include capability wake_alarm, network netlink raw, - #aa:dbus own bus=system name=org.freedesktop.Policy.Power - #aa:dbus own bus=system name=org.kde.kf5auth path=/ - - #aa:dbus own bus=session name=local.org_kde_powerdevil - #aa:dbus own bus=session name=org.freedesktop.PowerManagement - #aa:dbus own bus=session name=org.kde.Solid.PowerManagement - - #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" - @{exec_path} mrix, @{sh_path} rix, @{bin}/find rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/kcminit rPx, @{bin}/sed rix, - @{bin}/uname rPx, @{bin}/xargs rix, @{lib}/drkonqi rPx, @@ -60,13 +45,10 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - - @{run}/mount/utab r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** owner @{run}/user/@{uid}kcrash_@{int} rw, - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{sys}/bus/ r, @{sys}/bus/i2c/devices/ r, @{sys}/class/ r, 
@@ -77,22 +59,19 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r, @{sys}/devices/@{pci}/card@{int}/*/dpms r, @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness r, - @{sys}/devices/@{pci}/drm/card@{int}/**/*_id r, @{sys}/devices/@{pci}/drm/card@{int}/**/dev r, - @{sys}/devices/@{pci}/drm/card@{int}/**/name r, @{sys}/devices/@{pci}/drm/card@{int}/*/dpms r, @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, - @{sys}/devices/@{pci}/i2c-*/{,**/}name r, - @{sys}/devices/@{pci}/i2c-*/**/dev r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, @{sys}/devices/**/ r, - @{sys}/devices/i2c-*/name r, - @{sys}/devices/platform/**/i2c-*/**/name r, - @{sys}/devices/platform/*/i2c-*/name r, + @{sys}/devices/i2c-@{int}/name r, + @{sys}/devices/platform/**/i2c-@{int}/**/name r, + @{sys}/devices/platform/*/i2c-@{int}/name r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, /dev/i2c-@{int} rwk, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 678c64e71..0ff08d02f 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded 
@@ -9,84 +9,52 @@ include @{exec_path} = @{bin}/kded5 @{bin}/kded6 profile kded @{exec_path} { include - include #aa:only apt include - include include - include + include include - include - include include include include include + include include include include - include include capability sys_ptrace, network inet dgram, - network inet stream, network inet6 dgram, - network inet6 stream, - network netlink dgram, network netlink raw, + network netlink dgram, - ptrace read, + ptrace (read), signal send set=hup peer=xsettingsd, signal send set=term peer=kioworker, - # Owned by KDE - #aa:dbus own bus=system name=com.redhat.NewPrinterNotification - - #aa:dbus own bus=session name=org.gtk.Settings - #aa:dbus own bus=session name=org.kde.DistroReleaseNotifier - #aa:dbus own bus=session name=org.kde.GtkConfig - #aa:dbus own bus=session name=org.kde.kappmenu - #aa:dbus own bus=session name=org.kde.kcookiejar5 - #aa:dbus own bus=session name=org.kde.kded5 - #aa:dbus own bus=session name=org.kde.keyboard - #aa:dbus own bus=session name=org.kde.KeyboardLayouts - #aa:dbus own bus=session name=org.kde.plasmanetworkmanagement - #aa:dbus own bus=session name=org.kde.plasmashell.accentColor - #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher - #aa:dbus own bus=session name=org.kde.Wacom - #aa:dbus own bus=session name=org.kubuntu.NotificationHelper - #aa:dbus own bus=session name=org.kubuntu.restrictedInstall - - # Talk with KDE - #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd - #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="{kwin_wayland,kwin_x11}" - #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" - dbus receive bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=@{busname}, label=kauth-kded-smart-helper), + peer=(name=:*, label=kauth-kded-smart-helper), dbus send 
bus=system path=/ interface=org.kde.kf5auth member=performAction - peer=(name="{@{busname},org.kde.kded.smart}", label=kauth-kded-smart-helper), + peer=(name="{:*,org.kde.kded.smart}", label=kauth-kded-smart-helper), @{exec_path} mrix, - @{python_path} rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/flatpak rPx, @{bin}/kcminit rPx, - @{bin}/lsb_release rPx, @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, + @{bin}/python3.@{int} rix, @{bin}/setxkbmap rix, @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, @@ -98,44 +66,30 @@ profile kded @{exec_path} { #aa:exec kconf_update /usr/share/color-schemes/{,**} r, - /usr/share/distro-info/{,**} r, - /usr/share/distro-release-notifier/{,**} r, /usr/share/kconf_update/ r, /usr/share/kded{5,6}/{,**} r, /usr/share/kf{5,6}/kcookiejar/* r, /usr/share/khotkeys/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, - /usr/share/ubuntu-release-upgrader/{,*} r, /etc/fstab r, /etc/xdg/accept-languages.codes r, /etc/xdg/kde* r, /etc/xdg/kioslaverc r, /etc/xdg/menus/{,**} r, - /etc/update-manager/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, / r, - @{efi}/ r, - - owner /var/lib/update-manager/meta-release-lts rw, owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, - owner @{HOME}/.var/ w, - owner @{HOME}/.var/app/ w, - owner @{HOME}/.var/app/org.mozilla.firefox/**/ w, - owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json w, - owner @{HOME}/.var/app/org.mozilla.firefox/plasma-browser-integration-host w, - @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, - owner @{user_cache_dirs}/update-manager-core/meta-release-lts rw, @{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, 
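Review bot: `ptrace (read),` is rewritten in this hunk but stays unscoped, and together with the retained `capability sys_ptrace` it lets kded read the state and memory of every process on the system, not just the KDE processes it manages. The scope is unchanged from the old `ptrace read,`, so this is not a regression, but while the line is being touched it is worth pinning to the peers that actually need it once an aa-log run shows which they are, e.g. `ptrace read peer={plasmashell,kwin_*},` or similar. The hunk also spells the rule with parentheses while the rest of this profile uses `signal send set=hup peer=xsettingsd,` without them; pick one form.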
@@ -166,7 +120,7 @@ profile kded @{exec_path} { owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @@ -180,9 +134,6 @@ profile kded @{exec_path} { @{sys}/class/leds/ r, - @{run}/udev/data/b8:@{int} r, # for /dev/sd* - @{run}/udev/data/b259:@{int} r, # Block Extended Major - @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, @@ -201,6 +152,8 @@ profile kded @{exec_path} { include include + @{PROC}/tty/drivers r, + include if exists } diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 156bdf928..9da19046d 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,11 +9,8 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include - include include - #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel - @{exec_path} mr, @{bin}/kstart rPx, @@ -21,11 +18,15 @@ profile kglobalacceld @{exec_path} { /usr/share/kglobalaccel/{,**} r, /etc/machine-id r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc* rwl, owner @{user_config_dirs}/khotkeysrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 571581059..f6a7ba95a 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -10,7 +10,6 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kiod{5,6} profile kiod @{exec_path} { include - include include include include 
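Review bot: Dropping the link target on `owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk,` changes what the `l` permission means: without `->` the link is no longer restricted to `@{user_state_dirs}/#@{int}` and instead falls back to AppArmor's link-subset test, so any path on which the profile already holds sufficient permissions becomes a valid hard-link target. The same pattern is introduced in the konsole hunk with `owner @{user_config_dirs}/konsolerc{,*} rwlk,`. If the explicit target was only dropped for brevity, keep it: `owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int},`. The kded profile body continues outside this hunk.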
@@ -20,6 +19,9 @@ profile kiod @{exec_path} { @{exec_path} mr, + /usr/share/icons/breeze/index.theme r, + /usr/share/mime/{,**} r, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 0fc81a764..37dd3eeae 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -10,7 +10,6 @@ include @{exec_path} += @{lib}/kf5/kioslave5 @{lib}/@{multiarch}/{,libexec/}kf5/kioslave5 profile kioworker @{exec_path} { include - include include include include @@ -27,13 +26,10 @@ profile kioworker @{exec_path} { network netlink raw, network netlink dgram, - signal receive set=term peer=dolphin, - signal receive set=term peer=firefox-kmozillahelper, - signal receive set=term peer=plasma-discover, - signal receive set=term peer=plasmashell, - signal receive set=term peer=xdg-desktop-portal-kde, - - #aa:dbus talk bus=session name=org.kde.kded5 path=/kded label=kded + signal (receive) set=term peer=dolphin, + signal (receive) set=term peer=firefox-kmozillahelper, + signal (receive) set=term peer=plasma-discover, + signal (receive) set=term peer=plasmashell, @{exec_path} mr, @@ -41,15 +37,13 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, - @{bin}/gs{,.bin} rix, #aa:exec kio_http_cache_cleaner - /usr/share/kio_desktop/{,**} r, + /usr/share/kio_desktop/directory.desktop r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/remoteview/* r, - /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/kioslaverc r, @@ -60,8 +54,6 @@ profile kioworker @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* r, - @{sbin}/ r, - @{sbin}/* r, @{lib}/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, 
@@ -71,7 +63,7 @@ profile kioworker @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny @{efi}/{,**} r, + deny /boot/{,**} r, deny /etc/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, @@ -99,7 +91,6 @@ profile kioworker @{exec_path} { owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 446d8a08d..17ed13f27 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -11,6 +11,7 @@ include profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + include include include include @@ -21,8 +22,6 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(hup), - #aa:dbus own bus=session name=org.kde.konsole-@{int} - @{exec_path} mr, @{bin}/@{shells} rUx, @{browsers_path} rPx, @@ -54,9 +53,7 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kbookmarkrc r, owner @{user_config_dirs}/konsole.notifyrc r, - owner @{user_config_dirs}/konsolerc rwl, - owner @{user_config_dirs}/konsolerc.@{rand6} rwl, - owner @{user_config_dirs}/konsolerc.lock rwk, + owner @{user_config_dirs}/konsolerc{,*} rwlk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, 
@@ -77,11 +74,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-org.kde.konsole-@{int}.scope/** rw, - - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/stat r, /dev/ptmx rw, diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index e44ee1f83..d4b547c7c 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,13 +10,9 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include - include + include include - #aa:dbus own bus=session name=org.kde.KScreen - #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil - @{exec_path} mr, /dev/tty r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 192d3f957..79e2b4c59 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -13,24 +13,24 @@ profile kscreenlocker_greet @{exec_path} { include include include - include include + include + include include include include include include include - include network netlink raw, - ptrace read peer=ksmserver, - signal (receive) set=(term) peer=kwin_wayland, signal (receive) set=(usr1, term) peer=ksmserver, signal (send) peer=kcheckpass, + unix (send,receive) type=stream peer=(label="ksmserver",addr=none), + dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable member=Introspect 
@@ -41,7 +41,7 @@ profile kscreenlocker_greet @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - @{sbin}/unix_chkpwd rPx, + @{bin}/unix_chkpwd rPx, @{lib}/@{multiarch}/libexec/kcheckpass rPx, /usr/share/plasma/** r, @@ -51,13 +51,12 @@ profile kscreenlocker_greet @{exec_path} { /usr/share/xsessions/{,*.desktop} r, /usr/share/hunspell/* r, - @{etc_ro}/environment r, - @{etc_ro}/login.defs r, - @{etc_ro}/login.defs.d/{,*} r, - @{etc_ro}/security/*.conf r, + /{usr/,}etc/environment r, + /{usr/,}etc/login.defs r, + /{usr/,}etc/login.defs.d/ r, + /{usr/,}etc/security/*.conf r, /etc/fstab r, /etc/machine-id r, - /etc/os-release r, /etc/pam.d/* r, /etc/shells r, /etc/xdg/kscreenlockerrc r, @@ -101,11 +100,9 @@ profile kscreenlocker_greet @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/loginuid r, - @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 09a228e29..61cd67246 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -11,8 +11,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include - include include include include 
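Review bot: `@{bin}/unix_chkpwd rPx` assumes `@{bin}` also covers the sbin directories; on systems where the PAM helper is installed under `/usr/sbin` and `@{bin}` expands only to the bin directories, the transition no longer matches and the lock screen cannot verify passwords. The same substitution appears in the sddm hunk (`@{bin}/checkproc rix` replacing `@{sbin}/checkproc rix`). If `@{bin}` is not meant to include sbin, keep both forms: `@{bin}/unix_chkpwd rPx,` and `@{sbin}/unix_chkpwd rPx,`. The kscreenlocker_greet profile body continues outside the hunk.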
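Review bot: `/{usr/,}etc/login.defs.d/ r` drops the `{,*}` suffix that the replaced `@{etc_ro}/login.defs.d/{,*} r` carried, so the rule now grants only a directory listing and no longer allows reading the drop-in files inside it. The neighbouring rewrite in this hunk, `/{usr/,}etc/security/*.conf r`, keeps its file glob, so this looks like an oversight rather than an intentional tightening: `/{usr/,}etc/login.defs.d/{,*} r,`. The kscreenlocker_greet profile body continues outside the hunk.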
@@ -22,13 +20,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (read) peer=kbuildsycoca5, - #aa:dbus own bus=session name=org.freedesktop.ScreenSaver - #aa:dbus own bus=session name=org.kde.ksmserver path=/KSMServer - #aa:dbus own bus=session name=org.kde.KSMServerInterface path=/KSMServer - #aa:dbus own bus=session name=org.kde.screensaver - - #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label=kglobalacceld - #aa:dbus talk bus=session name=org.kde.KWin.Session path=/Session label=kwin_wayland + unix (send, receive) type=stream peer=(label="kscreenlocker_greet",addr=none), @{exec_path} mr, @@ -59,6 +51,9 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 711da6e9d..01fe51783 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/ksmserver-logout-greeter @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter -profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { +profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { include - include - include include include include 
@@ -20,11 +18,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate include include - #aa:dbus own bus=session name=org.kde.LogoutPrompt path=/LogoutPrompt - - #aa:dbus talk bus=session name=org.kde.LogoutPrompt path=/Shutdown label=plasma-shutdown - #aa:dbus talk bus=session name=org.kde.KWin label=kwin_wayland - @{exec_path} mr, @{lib}/os-release r, @@ -60,6 +53,7 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate @{PROC}/sys/dev/i915/perf_stream_paranoid r, owner @{PROC}/@{pid}/exe r, + owner @{PROC}/@{pid}/status r, include if exists } diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 770625988..be59fe842 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,22 +9,16 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include - include include include include include - ptrace read peer=startplasma, - - #aa:dbus own bus=session name=org.kde.KSplash path=/KSplash - @{exec_path} mr, @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - /usr/share/color-schemes/* r, /usr/share/plasma/** r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index 04d084d0c..fa0f88f75 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/kstart profile kstart @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 0a685d8e5..c4e25e9ff 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -11,17 +11,14 @@ include profile kwalletd @{exec_path} { include include - include include include include + include include include include - #aa:dbus own bus=session name=org.freedesktop.secrets - #aa:dbus own bus=session name=org.kde.kwalletd5 - @{exec_path} mr, @{bin}/gpgconf rCx -> gpg, 
@@ -42,8 +39,6 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, - owner @{run}/user/@{uid}/kwallet{5,6}.socket rw, - owner @{tmp}/kwalletd5.* rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager index 5ffcafd4f..dc64cbb9e 100644 --- a/apparmor.d/groups/kde/kwalletmanager +++ b/apparmor.d/groups/kde/kwalletmanager @@ -36,6 +36,9 @@ profile kwalletmanager @{exec_path} { owner @{user_config_dirs}/kwalletrc rw, owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwalletrc.lock rwk, + owner @{user_config_dirs}/session/#@{int} rw, + owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int}, + owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 224835ac2..24d86bec6 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -7,11 +7,9 @@ abi , include @{exec_path} = @{bin}/kwin_wayland -profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { +profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include include - include - include include include include 
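Review bot: The rewritten header `profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {` separates the flags with a space, while every other profile header in this diff (konsole, ksmserver, sddm, plasmashell) and the line it replaces use the comma form. Whether the parser accepts whitespace here is not something this diff demonstrates, and the change carries no other content, so keeping `flags=(attach_disconnected,mediate_deleted)` avoids both the inconsistency and the question. The kwin_wayland profile body continues outside the hunk.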
@@ -21,30 +19,17 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability sys_nice, capability sys_ptrace, + ptrace (read), + + signal (receive) set=term peer=sddm, + signal (receive) set=(kill, term) peer=kwin_wayland_wrapper, + signal (send) set=(kill, term) peer=xwayland, + network netlink raw, - ptrace read, - - signal receive set=term peer=sddm, - signal receive set=(kill, term) peer=kwin_wayland_wrapper, - signal send set=(kill, term) peer=xwayland, - - unix type=stream peer=(label=xkbcomp), - unix type=stream peer=(label=xwayland), - - #aa:dbus own bus=session name=org.freedesktop.ScreenSaver - #aa:dbus own bus=session name=org.kde.kglobalaccel path=/kglobalaccel - #aa:dbus own bus=session name=org.kde.KWin - #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect - #aa:dbus own bus=session name=org.kde.screensaver - - #aa:dbus talk bus=session name=org.kde.ActivityManager path=/ActivityManager label=kactivitymanagerd - @{exec_path} mr, /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, - /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 Cx -> pulseaudio, - /etc/xdg/Xwayland-session.d/10-ibus-x11 Cx -> ibus, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, @@ -52,7 +37,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/kglobalaccel/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,*.desktop} r, - /usr/share/kwin-wayland/{,**} r, /usr/share/kwin/{,**} r, /usr/share/libinput-*/{,**} r, /usr/share/libinput/{,**} r, @@ -60,7 +44,11 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/plasma/desktoptheme/** r, /etc/pipewire/client.conf.d/ r, - /etc/xdg/** r, + /etc/xdg/kscreenlockerrc r, + /etc/xdg/menus/{,applications.menu} r, + /etc/xdg/menus/applications-merged/ r, + /etc/xdg/plasmarc r, + /etc/xdg/Xwayland-session.d/{,*} r, /etc/machine-id r, /var/lib/dbus/machine-id r, 
@@ -104,7 +92,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, - owner @{user_config_dirs}/menus/** r, + owner @{user_config_dirs}/menus/{,applications-merged/} r, owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/session/* r, @@ -125,15 +113,14 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+acpi:* r, # for ACPI @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+hid:* r, # for HID subsystem @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+serio:* r, # for touchpad + @{run}/udev/data/+platform:* r, # for ? @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+usb:* r, @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @@ -150,7 +137,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile at-spi { include - include @{sh_path} r, @{bin}/busctl rix, 
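Review bot: The rewritten udev comments lose information: `@{run}/udev/data/+platform:* r,  # for ?` replaces a comment that named the device class, and `@{run}/udev/data/+usb:* r,` loses its comment entirely, while the neighbouring `+pci:*` line keeps the longer "Identifies all PCI devices …" wording. A placeholder `?` should not land in a shipped profile; either keep the previous text or use the short style of the other lines, e.g. `# for platform devices` and `# for USB devices`. The kwin_wayland profile body continues outside the hunk.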
@@ -165,35 +151,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } - profile pulseaudio { - include - include - - @{sh_path} rix, - @{bin}/pactl Px, - - /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 r, - - owner @{HOME}/ r, - - include if exists - } - - profile ibus { - include - include - - @{sh_path} r, - @{lib}/{,ibus/}ibus-x11 rPx, - - /etc/xdg/Xwayland-session.d/10-ibus-x11 r, - - /home/ r, - owner @{HOME}/ r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper index a7ce4c2fe..1a7573d77 100644 --- a/apparmor.d/groups/kde/kwin_wayland_wrapper +++ b/apparmor.d/groups/kde/kwin_wayland_wrapper @@ -9,14 +9,11 @@ include @{exec_path} = @{bin}/kwin_wayland_wrapper profile kwin_wayland_wrapper @{exec_path} { include - include include include signal (send) set=(term, kill) peer=kwin_wayland, - #aa:dbus own bus=session name=org.kde.KWinWrapper - @{exec_path} mr, @{bin}/kwin_wayland rPx, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 8cc233ff2..e05e443ff 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include - include include include include 
@@ -23,24 +22,15 @@ profile kwin_x11 @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.kde.KWin - #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect - - #aa:dbus talk bus=session name=org.kde.ActivityManager label=kactivitymanagerd - #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label=kglobalacceld - @{exec_path} mrix, @{sh_path} rix, - @{bin}/kdialog rix, @{lib}/kwin_killer_helper rix, #aa:exec drkonqi - /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, - /usr/share/sounds/*/stereo/*.oga r, /etc/machine-id r, /etc/xdg/plasmarc r, @@ -57,7 +47,6 @@ profile kwin_x11 @{exec_path} { owner @{user_cache_dirs}/session/#@{int} rw, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/kaccessrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kwinoutputconfig.json rw, owner @{user_config_dirs}/kwinrc.lock rwk, @@ -65,6 +54,8 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/plasmarc r, + owner @{user_config_dirs}/session/#@{int} rw, + owner @{user_config_dirs}/session/kwin_* rwk, owner @{user_share_dirs}/kwin/scripts/ r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index a2ffad26f..fe1c5d8da 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -23,8 +23,6 @@ profile okular @{exec_path} { network netlink raw, - ptrace read peer=@{p_systemd}, - signal send set=term peer=kioworker, @{exec_path} mr, @@ -44,6 +42,8 @@ profile okular @{exec_path} { /etc/fstab r, /etc/xdg/dolphinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, / r, @{MOUNTS}/ r, 
@@ -51,27 +51,31 @@ profile okular @{exec_path} { owner @{user_cache_dirs}/okular/{,**} rw, owner @{user_config_dirs}/#@{int} rw, - owner @{user_config_dirs}/KDE/*.conf r, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/kservicemenurc r, - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/okular-generator-popplerrc r, owner @{user_config_dirs}/okularpartrc rw, owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularpartrc.lock rwk, owner @{user_config_dirs}/okularrc rw, owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularrc.lock rwk, + owner @{user_config_dirs}/okular-generator-popplerrc r, + owner @{user_config_dirs}/KDE/*.conf r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/kwalletrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, owner @{user_share_dirs}/okular/ rw, owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**, + owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl -> @{user_share_dirs}/#@{int}, + owner @{user_share_dirs}/recently-used.xbel.lock rk, owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/okularstaterc rw, - owner @{user_state_dirs}/okularstaterc.@{rand6} rwlk -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/okularstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, owner @{user_state_dirs}/okularstaterc.lock rwk, owner @{tmp}/#@{int} rw, 
@@ -84,14 +88,13 @@ profile okular @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, profile gpg { include include @{bin}/gpg{,2} mr, - @{bin}/gpgconf mr, + @{bin}/gpgcon mr, @{bin}/gpgsm mr, owner @{HOME}/@{XDG_GPG_DIR}/*.conf r, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index e17d4c5f1..dce3545f7 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -21,10 +21,16 @@ profile plasma-browser-integration-host @{exec_path} { @{exec_path} mr, + /etc/xdg/menus/applications-merged/ r, + /usr/share/kservices{5,6}/{,**} r, + /etc/xdg/menus/ r, /etc/xdg/taskmanagerrulesrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/plasma_session b/apparmor.d/groups/kde/plasma_session index 5d3812594..1fbeda384 100644 --- a/apparmor.d/groups/kde/plasma_session +++ b/apparmor.d/groups/kde/plasma_session @@ -36,6 +36,7 @@ profile plasma_session @{exec_path} { /etc/xdg/autostart/ r, /etc/xdg/autostart/*.desktop r, + /etc/xdg/menus/ r, owner @{user_config_dirs}/kdedefaults/ksplashrc r, owner @{user_config_dirs}/plasma-welcomerc r, diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index d32122a8a..a509135af 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/plasma_waitforname profile plasma_waitforname @{exec_path} { include - include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 600d1be48..0d8a5d8cb 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
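Review bot: `@{bin}/gpgcon mr,` in the `gpg` child profile is a typo for `gpgconf`: the replaced line permitted `@{bin}/gpgconf mr,`, and nothing named `gpgcon` is referenced anywhere else in this diff (sddm-xsession still transitions via `@{bin}/gpgconf rCx -> gpg,`). As written, gpgconf can no longer be mapped inside the child profile, so the `Cx` transition into `gpg` ends in a denial. Restore `@{bin}/gpgconf mr,`. The child profile continues outside the hunk.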
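Review bot: The added `/etc/xdg/menus/applications-merged/ r,` is placed ahead of `/usr/share/kservices{5,6}/{,**} r,` and apart from its sibling `/etc/xdg/menus/ r,`, whereas the other profiles touched by this diff (kglobalacceld, okular) keep `/usr/share` rules before `/etc` and list the two menu rules next to each other. Move the line directly below `/etc/xdg/menus/ r,` so the `/etc/xdg` rules read as one group. The plasma-browser-integration-host profile body continues outside the hunk.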
@@ -13,9 +13,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include include - include + include include include include @@ -28,7 +27,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include userns, @@ -41,26 +39,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { network netlink dgram, network netlink raw, - ptrace read, + ptrace (read), - signal send, - - #aa:dbus own bus=session name=com.canonical.Unity - #aa:dbus own bus=session name=org.freedesktop.Notifications - #aa:dbus own bus=session name=org.kde.JobViewServer - #aa:dbus own bus=session name=org.kde.klipper - #aa:dbus own bus=session name=org.kde.kuiserver - #aa:dbus own bus=session name=org.kde.plasmashell path=/PlasmaShell - #aa:dbus own bus=session name=org.kde.StatusNotifierHost-@{int} - - #aa:dbus talk bus=session name=org.kde.kdeconnect path=/ label=kdeconnectd - #aa:dbus talk bus=session name=org.kde.KeyboardLayouts path=/Layouts label=kded - #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label="{kglobalacceld,kwin_wayland}" - #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml - #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" - #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="kwin_{wayland,x11}" - #aa:dbus talk bus=session name=org.kde.Solid.PowerManagement label=kde-powerdevil - #aa:dbus talk bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher label=kded + signal (send), @{exec_path} mr, 
@@ -68,14 +49,16 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{lib}/libheif/{,**} mr, @{bin}/dolphin rPx, - @{bin}/ksysguardd rPUx, + @{bin}/ksysguardd rix, @{bin}/plasma-discover rPUx, @{bin}/xrdb rPx, @{lib}/kf{5,6}/kdesu{,d} rix, #aa:exec kioworker - /snap/*/@{uid}/**.@{image_ext} r, + /opt/**/share/icons/{,**} r, + /opt/*/**/*.desktop r, + /opt/*/**/*.png r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, /usr/share/desktop-directories/kf5-*.directory r, @@ -89,7 +72,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /usr/share/metainfo/{,**} r, /usr/share/plasma/{,**} r, /usr/share/plasma5support/** r, - /usr/share/qalculate/{,**} r, /usr/share/rider/{,**} r, /usr/share/solid/actions/{,**} r, /usr/share/swcatalog/{,**} r, @@ -99,6 +81,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /etc/appstream.conf r, /etc/fstab r, + /etc/ksysguarddrc r, /etc/machine-id r, /etc/os-release r, /etc/sensors.d/ r, @@ -110,7 +93,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{MOUNTS}/ r, @{HOME}/ r, - owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, @@ -155,12 +137,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/kcookiejarrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kdiff3fileitemactionrc r, - owner @{user_config_dirs}/kiorc r, owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/klaunchrc r, owner @{user_config_dirs}/klipperrc r, owner @{user_config_dirs}/kmail2.notifyrc r, - owner @{user_config_dirs}/knfsshare r, owner @{user_config_dirs}/korganizerrc r, owner @{user_config_dirs}/krunnerrc r, owner @{user_config_dirs}/ksmserverrc r, 
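Review bot: `@{bin}/ksysguardd rix` now runs the monitoring daemon inside the plasmashell profile itself, so it inherits every rule plasmashell holds, including the unrestricted `ptrace (read),` and `signal (send),` from the previous hunk and the `userns,` rule from the earlier one; the replaced `rPUx` handed it to a dedicated profile where one existed. Inheriting is tighter than the unconfined fallback, but a least-privilege reading would give ksysguardd its own profile and use `rPx`, or keep `rPUx` until that profile exists. At minimum a comment on the line stating why inheritance was chosen would help the next reviewer. The plasmashell profile body continues outside the hunk.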
@@ -176,7 +156,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-wal rw, owner @{user_share_dirs}/kio/servicemenus/{,**} r, - owner @{user_share_dirs}/klipper/{,**} rwlk, + owner @{user_share_dirs}/klipper/{,*} rwl, owner @{user_share_dirs}/konsole/ r, owner @{user_share_dirs}/kpeople/persondb rwk, owner @{user_share_dirs}/kpeoplevcard/ r, @@ -190,15 +170,13 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/plasma_icons/*.desktop r, owner @{user_share_dirs}/plasma/{,**} r, owner @{user_share_dirs}/plasmashell/** rwkl -> @{user_share_dirs}/plasmashell/**, - owner @{user_share_dirs}/qalculate/{,**} r, owner @{user_share_dirs}/user-places.xbel{,*} rwl, owner @{user_share_dirs}/wallpapers/{,**} rw, owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/plasma/* r, owner @{user_state_dirs}/plasmashellstaterc rw, - owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl, owner @{user_state_dirs}/plasmashellstaterc.lock rwk, + owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl, /tmp/.mount_nextcl@{rand6}/{,*} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 1b8930f06..d8adff564 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -14,12 +14,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include include include - include include capability audit_write, @@ -40,7 +40,6 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (trace) peer=@{profile_name}, signal (receive) set=(hup) peer=@{p_systemd}, - signal (send) set=(kill, term) peer=labwc, signal (send) set=(kill, term) peer=lxqt-session, signal (send) set=(kill, term) peer=startplasma, signal (send) set=(kill, term) peer=xorg, 
@@ -48,65 +47,61 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(term) peer=kwin_wayland, signal (send) set=(term) peer=sddm-greeter, signal (send) set=(term) peer=startplasma-wayland, - signal (send) set=(term) peer=startlxqtwayland, - unix type=stream addr=@@{udbus}/bus/sddm-helper/system, + dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=kscreenlocker-greet), - #aa:dbus own bus=system name=org.freedesktop.DisplayManager + dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=:*, label=systemd-logind), - #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" - #aa:dbus talk bus=system name=org.freedesktop.login1 interface=org.freedesktop.login1.Manager label="@{p_systemd_logind}" + dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet), @{exec_path} mr, @{lib}/@{multiarch}/sddm/sddm-helper rix, @{lib}/plasma-dbus-run-session-if-needed rix, @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, - @{lib}/{,sddm/}sddm-helper rix, - @{lib}/{,sddm/}sddm-helper-start-wayland rix, - @{lib}/{,sddm/}sddm-helper-start-x11user rix, + @{lib}/sddm/sddm-helper rix, + @{lib}/sddm/sddm-helper-start-wayland rix, + @{lib}/sddm/sddm-helper-start-x11user rix, @{shells_path} rix, - @{bin}/{,e}grep rix, - @{bin}/basename rix, @{bin}/cat rix, - @{bin}/date rix, - @{bin}/dirname rix, + @{bin}/checkproc rix, @{bin}/disable-paste rix, - @{bin}/id rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/mktemp rix, @{bin}/pidof rix, @{bin}/readlink rix, @{bin}/realpath rix, - @{bin}/sed rix, @{bin}/tr rix, @{bin}/tty rix, 
@{bin}/uname rix, @{bin}/xdm r, @{bin}/xmodmap rix, - @{sbin}/checkproc rix, @{bin}/dbus-run-session rPx -> dbus-session, @{bin}/dbus-update-activation-environment rPx -> dbus-session, @{bin}/flatpak rPx, @{bin}/gnome-keyring-daemon rPx, - @{bin}/Hyprland rPx, - @{bin}/ksecretd rPUx, @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, - @{bin}/labwc rPx, @{bin}/sddm-greeter{,-qt6} rPx, @{bin}/startlxqt rPx, - @{bin}/startlxqtwayland rPx, @{bin}/startplasma-wayland rPx, @{bin}/startplasma-x11 rPx, @{bin}/sway rPUx, @{bin}/systemctl rCx -> systemctl, @{bin}/xauth rCx -> xauth, @{bin}/Xorg rPx, - @{bin}/xrandr rPx, @{bin}/xrdb rPx, @{bin}/xset rPx, @{bin}/xsetroot rPx, @@ -114,7 +109,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/sddm/Xsession rPx, @{etc_ro}/X11/xdm/Xsession rPx, - @{etc_ro}/X11/xdm/Xsetup rix, + /usr/etc/X11/xdm/Xsetup rix, /usr/share/sddm/scripts/wayland-session rix, /usr/share/sddm/scripts/Xsession rix, /usr/share/sddm/scripts/Xsetup rix, @@ -129,9 +124,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/X11/xinit/xinitrc.d/{,*} r, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,*.conf} r, - @{etc_ro}/X11/Xmodmap r, + /{usr/,}etc/environment r, + /{usr/,}etc/security/limits.d/{,*.conf} r, + /{usr/,}etc/X11/Xmodmap r, /etc/debuginfod/{,*} r, /etc/manpath.config r, /etc/default/locale r, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 47383bb75..f2c133cec 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -13,21 +13,16 @@ profile sddm-greeter @{exec_path} { include include include + include include include include include include include - include network netlink raw, - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=ListActivatableNames - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - @{exec_path} mr, @{lib}/libheif/ r, 
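Review bot: The third dbus rule added in the `@@ -48,65 +47,61 @@` hunk pairs `peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet)`, but org.freedesktop.DBus is the bus driver's own name while the label names the greeter, so the rule most likely matches neither and the Introspect call stays denied; the receive rule two entries above uses `peer=(name=:*, label=kscreenlocker-greet)`, which is the form that fits here. The same hunk replaces the `#aa:dbus own bus=system name=org.freedesktop.DisplayManager` directive with three hand-written receive/send rules, and if nothing outside the hunk grants the bind on that name, sddm loses ownership of its well-known name; this should be confirmed against the audit log. The same pattern of dropping `#aa:dbus` directives without a visible replacement appears in startplasma `@@ -11,22 +11,17 @@` and systemsettings `@@ -23,9 +23,6 @@`. The sddm profile body starts before and continues past this hunk.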
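Review bot: `/usr/etc/X11/xdm/Xsetup rix,` in the `@@ -114,7 +109,7 @@` hunk keeps only the /usr/etc location, dropping the /etc path the old `@{etc_ro}` rule also covered, while the Xsession rule right above it still uses `@{etc_ro}`; unless Xsetup is only ever shipped under /usr/etc, keep `@{etc_ro}/X11/xdm/Xsetup rix,`. The `@@ -129,9 +124,9 @@` hunk of the same file hand-expands the variable into `/{usr/,}etc/...` for three rules, which appears equivalent but diverges from the `@{etc_ro}` convention used in the rest of the profile; `@{etc_ro}/environment r,` and its two siblings are the consistent form.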
diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 0e9290d53..b5cceee95 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -25,11 +25,9 @@ profile sddm-xsession @{exec_path} { @{bin}/chmod rix, @{bin}/csh rix, @{bin}/date rix, - @{bin}/dpkg-query rpx, @{bin}/fish rix, - @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, @{bin}/id rix, @{bin}/locale rix, @{bin}/locale-check rix, @@ -42,13 +40,12 @@ profile sddm-xsession @{exec_path} { @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.*} rix, + @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/flatpak rPx, @{bin}/numlockx rPx, - @{bin}/xbrlapi rPx, @{bin}/xhost rPx, @{bin}/xrdb rPx, /etc/X11/Xsession rPx, @@ -63,9 +60,7 @@ profile sddm-xsession @{exec_path} { @{system_share_dirs}/im-config/data/{,*} r, @{system_share_dirs}/im-config/xinputrc.common r, - @{system_share_dirs}/libdebuginfod-common/debuginfod.sh r, - /etc/debuginfod/{,**} r, /etc/default/{,*} r, /etc/X11/{,**} r, @@ -76,7 +71,7 @@ profile sddm-xsession @{exec_path} { owner @{tmp}/xsess-env-* rw, owner @{tmp}/file* rw, - owner @{tmp}/tmp.@{rand10} rw, + audit owner @{tmp}/tmp.* rw, owner @{PROC}/@{pid}/loginuid r, @@ -95,16 +90,6 @@ profile sddm-xsession @{exec_path} { profile dbus { include - include - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=UpdateActivationEnvironment - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=SetEnvironment - peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), @{bin}/dbus-update-activation-environment mr, 
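Review bot: `audit owner @{tmp}/tmp.* rw,` in the `@@ -76,7 +71,7 @@` hunk of sddm-xsession both widens the old `tmp.@{rand10}` match to any `tmp.*` name and switches on audit logging for every permitted access, which reads like a debugging rule left in: each temp-file access will now land in the audit log. If the wider glob is intended, drop the qualifier and write `owner @{tmp}/tmp.* rw,`. In `@@ -95,16 +90,6 @@` the `dbus` child profile loses its two explicit `dbus send` rules and one include; if the remaining include does not cover `UpdateActivationEnvironment` and `SetEnvironment`, `dbus-update-activation-environment` will be denied, and since the include names are not visible here this needs checking on a live session.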
@@ -138,8 +123,6 @@ profile sddm-xsession @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{HOME}/.xsession-errors w, - /dev/tty@{int} rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 64e332dc5..773122f57 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -11,22 +11,17 @@ profile startplasma @{exec_path} { include include include - include - include include include signal (receive) set=(hup) peer=@{p_systemd}, signal (receive) set=(term) peer=sddm, - #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" - #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml - @{exec_path} mr, @{sh_path} rix, @{bin}/env rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/kapplymousetheme rPUx, @{bin}/kdeinit5_shutdown rPUx, @{bin}/ksplashqml rPUx, @@ -36,7 +31,6 @@ profile startplasma @{exec_path} { @{lib}/@{multiarch}/libexec/plasma-sourceenv.sh r, - /usr/share/byobu/desktop/{,**} r, /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices{5,6}/{,**} r, @@ -46,7 +40,8 @@ profile startplasma @{exec_path} { /etc/machine-id r, /etc/xdg/menus/{,**} r, /etc/xdg/plasma-workspace/env/{,*} r, - /etc/xdg/plasmarc r, + + /var/lib/flatpak/exports/share/mime/ r, @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 9558a6528..e68d248b6 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -23,9 +23,6 @@ profile systemsettings @{exec_path} { signal send set=term peer=kioworker, - #aa:dbus own bus=session name=org.kde.internal.KSettingsWidget_kcm_networkmanagement - #aa:dbus own bus=session name=org.kde.systemsettings - @{exec_path} mr, @{sh_path} rix, 
@@ -60,6 +57,7 @@ profile systemsettings @{exec_path} { /etc/fstab r, /etc/machine-id r, + /etc/xdg/menus/{,applications-merged/} r, /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, @@ -78,7 +76,6 @@ profile systemsettings @{exec_path} { owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, - owner @{user_cache_dirs}/plasma-svgelements r, owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, @@ -93,6 +90,8 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/kinfocenterrc* rwlk, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/** rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index c07b06815..124cf2fda 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session 
@@ -9,37 +9,23 @@ include @{exec_path} = @{etc_ro}/sddm/wayland-session profile wayland-session @{exec_path} { include - include include @{exec_path} mr, - @{shells_path} rix, - @{bin}/cat ix, - @{bin}/dpkg-query px, - @{bin}/gettext ix, - @{bin}/gettext.sh r, - @{bin}/id ix, - @{bin}/locale ix, - @{bin}/locale-check ix, - @{bin}/sed ix, - @{bin}/tr ix, + @{shells_path} rix, + @{bin}/id rix, - @{bin}/startplasma-wayland Px, - @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed ix, - @{lib}/plasma-dbus-run-session-if-needed ix, + @{lib}/plasma-dbus-run-session-if-needed rix, + @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, + @{bin}/startplasma-wayland rPx, - /usr/share/im-config/{,**} r, - /usr/share/libdebuginfod-common/debuginfod.sh r, - - /etc/debuginfod/{,**} r, - /etc/default/im-config r, /etc/machine-id r, - /etc/X11/xinit/xinputrc r, - /etc/X11/Xsession.d/*im-config_launch r, owner @{user_share_dirs}/sddm/wayland-session.log rw, + /dev/tty rw, + include if exists } diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 5c36f579e..969a82f6c 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -9,12 +9,10 @@ include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include - include include include include include - include @{exec_path} mr, @@ -23,8 +21,6 @@ profile xembedsniproxy @{exec_path} { owner @{tmp}/xauth_@{rand6} r, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, - @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index 1adbf1d9f..7cebbb43c 100644 --- a/apparmor.d/groups/kde/xsettingsd +++ b/apparmor.d/groups/kde/xsettingsd @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xsettingsd profile xsettingsd @{exec_path} { include - include signal (receive) set=hup peer=kded, 
diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about deleted file mode 100644 index 8f5830453..000000000 --- a/apparmor.d/groups/lxqt/lxqt-about +++ /dev/null @@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-about -profile lxqt-about @{exec_path} { - include - include - - @{exec_path} mr, - - /usr/share/desktop-directories/{,**} r, - - /etc/xdg/menus/lxqt-applications.menu r, - - owner /tmp/@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-file-associations b/apparmor.d/groups/lxqt/lxqt-config-file-associations deleted file mode 100644 index 4232f1c70..000000000 --- a/apparmor.d/groups/lxqt/lxqt-config-file-associations +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-config-file-associations -profile lxqt-config-file-associations @{exec_path} { - include - include - include - - @{exec_path} mr, - - /etc/machine-id r, - - owner @{user_config_dirs}/ r, - owner @{user_config_dirs}/mimeapps* rwk, - owner @{user_config_dirs}/lxqt-* rwk, - owner @{user_config_dirs}/lxqt/ r, - owner @{user_config_dirs}/lxqt/#@{int} rwk, - owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.lock rwk, - owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf kl -> @{user_config_dirs}/lxqt/#@{int}, - owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, - - owner /tmp/#@{int} rwk, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/lxqt/lxqt-config-locale b/apparmor.d/groups/lxqt/lxqt-config-locale deleted file mode 100644 index c7c868c18..000000000 --- a/apparmor.d/groups/lxqt/lxqt-config-locale +++ /dev/null @@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-config-locale -profile lxqt-config-locale @{exec_path} { - include - include - include - - @{exec_path} mr, - - /etc/machine-id r, - - owner @{user_config_dirs}/lxqt/* r, - owner @{user_config_dirs}/lxqt/#@{int} rw, - owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk, - owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf l -> @{user_config_dirs}/lxqt/#@{int}, - owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.lock rwk, - owner @{user_config_dirs}/lxqt/session.conf.lock rwk, - owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/session.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - - owner /tmp/@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-notificationd b/apparmor.d/groups/lxqt/lxqt-config-notificationd deleted file mode 100644 index 63b2eb673..000000000 --- a/apparmor.d/groups/lxqt/lxqt-config-notificationd +++ /dev/null 
@@ -1,34 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-config-notificationd -profile lxqt-config-notificationd @{exec_path} { - include - include - include - - @{exec_path} mr, - - /etc/machine-id r, - - /var/lib/dbus/machine-id r, - - owner @{user_config_dirs}/lxqt/#@{int} rw, - owner @{user_config_dirs}/lxqt/notifications.conf.lock rwk, - owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - - owner /tmp/#@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement deleted file mode 100644 index 4b96ccb36..000000000 --- a/apparmor.d/groups/lxqt/lxqt-config-powermanagement +++ /dev/null 
@@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-config-powermanagement -profile lxqt-config-powermanagement @{exec_path} { - include - include - include - include - - @{exec_path} mr, - - /etc/machine-id r, - - owner @{user_config_dirs}/lxqt/#@{int} rw, - owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.lock rwk, - owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - - @{sys}/class/leds/ r, - @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/backlight/**/brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, - @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, - @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, - @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, - - owner /tmp/@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-printer b/apparmor.d/groups/lxqt/lxqt-config-printer deleted file mode 100644 index f4c38e94d..000000000 --- a/apparmor.d/groups/lxqt/lxqt-config-printer +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-config-printer -profile lxqt-config-printer @{exec_path} { - include - include - - @{exec_path} mr, - - owner /tmp/@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd deleted file mode 100644 index a9a75aa90..000000000 --- a/apparmor.d/groups/lxqt/lxqt-globalkeysd +++ /dev/null @@ -1,39 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-globalkeysd -profile lxqt-globalkeysd @{exec_path} { - include - include - include - - @{exec_path} mr, - - @{open_path} rPx -> child-open-help, - @{bin}/screengrab rPx, - @{bin}/lxqt-config-brightness rPx, - - /usr/share/lxqt/globalkeyshortcuts.conf rw, - - /var/lib/dbus/machine-id r, - - owner @{user_config_dirs}/lxqt/ r, - owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock wrk, - owner @{user_config_dirs}/lxqt/#@{int} wr, - owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rw, - owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, - - owner /tmp/@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-leave b/apparmor.d/groups/lxqt/lxqt-leave deleted file mode 100644 index e76d81f54..000000000 --- a/apparmor.d/groups/lxqt/lxqt-leave +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-leave -profile lxqt-leave @{exec_path} { - include - include - - @{exec_path} mr, - - owner /tmp/@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index f817be69d..650a7e402 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel 
@@ -63,8 +63,7 @@ profile lxqt-panel @{exec_path} { owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/pulse/{,**} rwk, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/* r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner deleted file mode 100644 index 5783c1fa0..000000000 --- a/apparmor.d/groups/lxqt/lxqt-runner +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# Copyright (C) 2024 Besanon -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/lxqt-runner -profile lxqt-runner @{exec_path} { - include - include - - @{exec_path} mr, - - /usr/share/desktop-directories/ r, - /usr/share/desktop-directories/{,**} r, - - /etc/xdg/menus/lxqt-applications.menu r, - - owner @{user_config_dirs}/lxqt/lxqt-runner.conf.lock rwk, - owner @{user_config_dirs}/lxqt/#@{int} rw, - owner @{user_config_dirs}/lxqt/lxqt-runner.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, - - owner /tmp/@{int} r, - - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 910ea7c5f..3a4a6cd61 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -11,6 +11,7 @@ include profile lxqt-session @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -46,6 +47,7 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-user-dirs-update rPx, /usr/share/ r, + /usr/share/mime/ r, /usr/share/cursors/ r, /usr/share/backintime/common/* r, /usr/share/desktop-directories/* r, 
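Review bot: `@{run}/udev/data/* r,` replaces two targeted rules (`+*:*` for subsystem entries and `c@{int}:@{int}` for character devices) with a glob over every udev database entry, including the block and network device records the old pair left out, and it also drops the comments explaining why each read was needed. If the panel only needs what the old rules covered, the narrower pair should stay; if a further entry type is actually required, add it as a third specific rule with its own comment rather than widening to `*`. The enclosing lxqt-panel profile starts before and continues past this hunk.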
diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index 3ae907116..06967e694 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -31,6 +31,7 @@ profile startlxqt @{exec_path} { /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices5/{,**} r, + /usr/share/mime/{,**} r, /etc/machine-id r, /etc/xdg/menus/{,**} r, @@ -53,6 +54,8 @@ profile startlxqt @{exec_path} { owner @{run}/user/@{uid}/ r, + owner @{PROC}/@{pid}/maps r, + /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 22b94effd..b92ad8e68 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/ModemManager +@{exec_path} = @{bin}/ModemManager profile ModemManager @{exec_path} flags=(attach_disconnected) { include include @@ -14,10 +14,9 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include include include - include + include capability net_admin, - capability sys_admin, network qipcrtr dgram, network netlink raw, 
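Review bot: `@{exec_path} = @{bin}/ModemManager` in the `@@ -6,7 +6,7 @@` hunk changes the attachment path from `@{sbin}` to `@{bin}`; the old side's `@{sbin}` reflects that the daemon lives under an sbin directory, so unless `@{bin}` in this tree also expands to sbin the profile no longer attaches and ModemManager runs unconfined, the opposite of a tightening. The same substitution is made for NetworkManager (`@@ -6,12 +6,12 @@`) and dhcpcd (`@@ -6,7 +6,7 @@`), and for the sbin helpers referenced inside their hunks (`nft`, `dnsmasq`, `resolvconf`). Please confirm the `@{bin}` definition in the tunables before merging, or keep `@{sbin}` where the old side used it.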
@@ -26,18 +25,18 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+pnp:* r, # For Plug and Play devices (legacy hardware, sound cards, etc.) - @{run}/udev/data/+serial*:* r, # For serial devices (modems, serial ports, etc.) - @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+pnp:* r, + @{run}/udev/data/+serial*:* r, + @{run}/udev/data/+usb:* r, + @{run}/udev/data/+vmbus:* r, @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @@ -48,6 +47,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/tty/ r, @{sys}/class/wwan/ r, + @{sys}/devices/@{pci}/revision r, @{sys}/devices/**/net/*/ r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/tty/*/ r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index fca80465d..de3a180bb 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager 
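Review bot: The rewritten udev rules lose the comments that recorded which device class each `@{run}/udev/data/+...:*` read exists for: `# for acpi` says less than the line it replaces, and `+platform`, `+pnp`, `+serial`, `+usb`, `+vmbus` and `n@{int}` now carry no comment at all, while the neighbouring `c16[6,7]` and `c18[0,8,9]` rules keep theirs. Those comments are the only record of why the daemon needs each udev entry, which is what a later reviewer relies on to decide whether a rule can be dropped, so the old wording should be restored on each line. The same comment loss occurs in the NetworkManager `@@ -137,18 +121,16 @@` hunk and the dhcpcd `@@ -49,7 +47,7 @@` hunk.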
@@ -6,12 +6,12 @@ abi ,
 
 include
 
-@{exec_path} = @{sbin}/NetworkManager
+@{exec_path} = @{bin}/NetworkManager
 profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
-  include
+  include
   include
   include
   include
@@ -43,58 +43,48 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.NetworkManager - #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" - - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}), - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=gnome-control-center), - - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=nm-online), + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher - member=Action2 peer=(name=org.freedesktop.nm_dispatcher), - dbus send bus=system path=/uk/org/thekelleys/dnsmasq - interface=org.freedesktop.NetworkManager.dnsmasq - member=SetServersEx - peer=(name=@{busname}, label=dnsmasq), + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*), + + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesRemoved + peer=(name=:*, label=bluetoothd), + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=bluetoothd), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name=org.freedesktop.DBus), + member=InterfacesAdded + 
peer=(name=org.freedesktop.DBus, label=nm-online), - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=cockpit-bridge), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, @{sh_path} rix, - @{sbin}/nft rix, + @{bin}/nft rix, - @{sbin}/dnsmasq rPx, + @{bin}/dnsmasq rPx, @{bin}/kmod rPx, @{bin}/netconfig rPUx, - @{sbin}/resolvconf rPx, - @{bin}/resolvectl rPx, + @{bin}/resolvconf rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/{,NetworkManager/}nm-daemon-helper rPx, @{lib}/{,NetworkManager/}nm-dhcp-helper rPx, @@ -106,14 +96,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, /usr/share/netplan/netplan.script rPx, - @{lib}/netplan/@{int2}-network-manager-all.yaml w, - /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/iproute2/{,**} r, - /etc/netplan/ r, - /etc/netplan/90-NM-@{uuid}.yaml r, - @{att}/ r, /etc/ r, @@ -123,7 +108,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /etc/network/interfaces.d/{,*} r, /etc/NetworkManager/{,**} r, /etc/NetworkManager/system-connections/{,**} w, - @{etc_rw}/netplan/90-NM-@{uuid}.yaml w, @{etc_rw}/resolv.conf rw, @{etc_rw}/resolv.conf.[0-9A-Z]* rw, 
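Review bot: `#aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved` hard-codes the peer label, while the new `GetConnectionUnixUser` rule a few lines below uses the project's `@{p_dbus_system}` variable for the same purpose; the old `label="@{p_systemd_resolved}"` form is the consistent one and should stay. The hunk also drops the `fi.w1.wpa_supplicant1` talk directive and the labelled `dnsmasq` SetServersEx rule with no replacement visible here; unless an include outside the hunk covers that traffic, Wi-Fi association through wpa_supplicant and DNS server pushes to dnsmasq would be denied, so this needs confirming in the audit log. The new `GetManagedObjects` receive rule with `peer=(name=:*)` and no label accepts the call from any client, which matches the old unlabelled rule but deserves a comment stating that it is intentional.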
@@ -137,18 +121,16 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/rfkill/ r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/systemd/resolve/io.systemd.Resolve rw, - @{run}/netplan/ r, @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, @{run}/nscd/db* rwl, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/n@{int} r, @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, @@ -164,7 +146,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, - /dev/net/tun rw, /dev/rfkill rw, profile systemctl { diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 7bcd9efba..c1b5d04c5 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/dhcpcd +@{exec_path} = @{bin}/dhcpcd profile dhcpcd @{exec_path} flags=(attach_disconnected) { include include @@ -35,13 +35,11 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cmp rix, @{bin}/mkdir rix, - @{sbin}/resolvconf rPx, + @{bin}/resolvconf rPx, @{bin}/rm rix, @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, - /usr/share/dhcpcd/{,**} r, - /etc/dhcpcd.conf r, /etc/resolv.conf rw, 
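Review bot: In the dhcpcd `@@ -35,13 +35,11 @@` hunk, `/etc/dhcpcd.conf r,` and `/usr/share/dhcpcd/{,**} r,` are removed and nothing in the hunk takes their place; dhcpcd reads its configuration file at start-up, so unless an include outside this hunk grants it, the daemon falls back to built-in defaults with a denial in the audit log. Keep `/etc/dhcpcd.conf r,` until that include is confirmed. The enclosing dhcpcd profile starts before and continues past the hunk.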
@@ -49,7 +47,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{run}/dhcpcd/** rwk, - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/product_uuid r, diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd index 13edaaf16..50827e77e 100644 --- a/apparmor.d/groups/network/iwd +++ b/apparmor.d/groups/network/iwd @@ -21,27 +21,21 @@ profile iwd @{exec_path} { network netlink raw, network netlink dgram, network alg seqpacket, - network packet dgram, @{exec_path} mr, - @{sbin}/resolvconf rPx, /etc/iwd/{,**} r, /var/lib/iwd/{,**} rw, - @{sys}/devices/@{pci}/ieee80211/phy@{int}/* r, + @{sys}/devices/@{pci}/ieee80211/phy[0-9]/* r, @{sys}/devices/@{pci}/modalias r, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/arp_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/drop_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/ndisc_* rw, - @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/accept_ra rw, - @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/optimistic_dad rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/arp_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/drop_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlp*/ndisc_* rw, - @{PROC}/sys/net/ipv{4,6}/conf/wlp*/accept_ra rw, - @{PROC}/sys/net/ipv{4,6}/conf/wlp*/optimistic_dad rw, /dev/rfkill rw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index d5c93fc5c..ee98720b6 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -10,7 +10,6 @@ include @{exec_path} += /opt/Mullvad*/resources/mullvad-daemon profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include - include include capability dac_override, 
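Review bot: `@{sys}/devices/@{pci}/ieee80211/phy[0-9]/* r,` in the iwd `@@ -21,27 +21,21 @@` hunk matches only single-digit phy indices, whereas the `@{int}` it replaces also covered `phy10` and beyond; the index can grow past 9 over a host's uptime (driver reloads, several adapters), at which point iwd is denied sysfs access to its own device. Keep `@{sys}/devices/@{pci}/ieee80211/phy@{int}/* r,`. Removing `network packet dgram` and the `accept_ra`/`optimistic_dad` sysctl rules narrows the profile, which is fine if the audit log stays clean, but a one-line comment on why they are no longer needed would save the next reviewer from re-adding them.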
@@ -30,7 +29,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { network netlink raw, network netlink dgram, - mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/, + mount fstype=cgroup -> /sys/fs/cgroup/net_cls/, @{exec_path} mr, @@ -40,8 +39,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { "/opt/Mullvad VPN/resources/*.so*" mr, "/opt/Mullvad VPN/resources/*" r, - /etc/mullvad-vpn/ rw, - /etc/mullvad-vpn/* r, + /etc/mullvad-vpn/{,*} r, /etc/mullvad-vpn/@{uuid} rw, /etc/mullvad-vpn/*.json rw, @{etc_rw}/resolv.conf rw, @@ -51,21 +49,16 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner /var/log/mullvad-vpn/{,*} rw, owner /var/log/private/mullvad-vpn/*.log rw, - owner @{tmp}/@{uuid} rw, - owner @{tmp}/talpid-openvpn-@{uuid} rw, - @{run}/NetworkManager/resolv.conf r, owner @{run}/mullvad-vpn rw, @{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, - @{sys}/fs/cgroup/system.slice/cpu.max r, - @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, - @{sys}/fs/cgroup/system.slice/mullvad-early-boot-blocking.service/cpu.max r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, + owner @{tmp}/@{uuid} rw, + owner @{tmp}/talpid-openvpn-@{uuid} rw, + @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 133e4bc00..6075f14b2 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -7,7 +7,6 @@ abi , include @{name} = Mullvad?VPN -@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} 
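Review bot: `mount fstype=cgroup -> /sys/fs/cgroup/net_cls/,` hard-codes /sys while the `@{sys}/fs/cgroup/net_cls/` rules a few lines further down in the same file keep the variable; unless the parser version targeted here rejects variables in mount destinations, `mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/,` is the consistent form. The `@@ -51,21 +49,16 @@` hunk also drops `@{PROC}/@{pid}/cgroup r,` while the profile still writes the net_cls hierarchy; if the daemon reads its own cgroup membership to place itself, that read will be denied, so check the audit log after the change.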
@@ -24,14 +23,16 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { network netlink raw, @{exec_path} mrix, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/gsettings rPx, + @{bin}/gsettings rix, @{open_path} rPx -> child-open-browsers, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{user_cache_dirs}/dconf/user rw, - @{run}/mullvad-vpn rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, /dev/tty rw, diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan deleted file mode 100644 index a0fad0a93..000000000 --- a/apparmor.d/groups/network/netplan +++ /dev/null @@ -1,60 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/netplan/netplan.script -profile netplan @{exec_path} flags=(attach_disconnected) { - include - include - include - include - - #aa;dbus owb bus=system name=io.netplan.Netplan - - @{exec_path} mr, - - @{lib}/netplan/generate rPx, - @{bin}/udevadm rCx -> udevadm, - @{bin}/systemctl rCx -> systemctl, - - /usr/share/netplan/{,**} r, - - /etc/netplan/{,*} r, - - @{run}/netplan/ r, - - profile udevadm { - include - include - - capability net_admin, - - @{att}/@{run}/udev/control rw, - - @{run}/udev/rules.d/90-netplan.rules rw, - @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - - ptrace read peer=@{p_systemd}, - - @{run}/udev/control rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan.script similarity index 52% rename from apparmor.d/groups/network/netplan-generate rename to apparmor.d/groups/network/netplan.script index cea17b81c..989f2ee09 100644 --- a/apparmor.d/groups/network/netplan-generate 
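Review bot: `@{bin}/gsettings rix` runs gsettings inside the mullvad-gui domain, and the new `owner @{user_cache_dirs}/dconf/user rw` line is the direct consequence: dconf state becomes writable from the whole GUI profile instead of from a confined gsettings profile. If the set ships a gsettings profile, `@{bin}/gsettings rPx,` keeps that access out of the GUI and the dconf line can go. The hunk also removes `@{run}/mullvad-vpn rw`; if the GUI reaches the daemon over that socket, expect a denial, which is worth confirming against the audit log before merging.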
+++ b/apparmor.d/groups/network/netplan.script 
@@ -1,60 +1,63 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = @{lib}/netplan/generate -profile netplan-generate @{exec_path} flags=(attach_disconnected) { +@{exec_path} = /usr/share/netplan/netplan.script +profile netplan.script @{exec_path} flags=(attach_disconnected) { include - include include - - capability chown, + include network netlink raw, @{exec_path} mr, + @{lib}/netplan/generate rix, + @{bin}/udevadm rCx -> udevadm, @{bin}/systemctl rCx -> systemctl, + /usr/share/netplan/{,**} r, + /etc/netplan/{,*} r, - @{run}/NetworkManager/ rw, - @{run}/NetworkManager/conf.d/ rw, - @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, - @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, - @{run}/NetworkManager/conf.d/netplan.conf rw, - @{run}/NetworkManager/conf.d/netplan.conf.@{rand6} rw, - @{run}/NetworkManager/system-connections/ rw, - @{run}/NetworkManager/system-connections/* rw, + @{run}/netplan/ r, - @{run}/systemd/generator/multi-user.target.wants/ w, - @{run}/systemd/generator/multi-user.target.wants/systemd-networkd.service w, - @{run}/systemd/generator/netplan.stamp w, - @{run}/systemd/generator/network-online.target.wants/ w, - @{run}/systemd/generator/network-online.target.wants/systemd-networkd-wait-online.service w, - @{run}/systemd/network/ rw, + @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf{,.@{rand6}} rw, + @{run}/NetworkManager/system-connections/ rw, + @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw, + + @{run}/systemd/network/ r, @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw, @{run}/systemd/system/ r, @{run}/systemd/system/netplan-* rw, - @{run}/systemd/system/systemd-networkd-wait-online.service.d/ rw, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/ r, 
@{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw, @{run}/systemd/system/systemd-networkd.service.wants/ rw, @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, - @{run}/udev/rules.d/ rw, - @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, - - @{run}/netplan/ r, - @{run}/udev/rules.d/ r, @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, @{sys}/devices/**/net/*/address r, + profile udevadm { + include + include + + capability net_admin, + + @{att}/@{run}/udev/control rw, + + @{run}/udev/rules.d/90-netplan.rules rw, + @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, + + include if exists + } + profile systemctl { include include @@ -63,10 +66,10 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/private rw, - include if exists + include if exists } - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index 8b4d53b1c..632910933 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -16,14 +16,13 @@ profile networkd-dispatcher @{exec_path} { dbus receive bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label="@{p_systemd_networkd}"), + peer=(name=:*, label=systemd-networkd), @{exec_path} mr, @{bin}/ r, - @{bin}/chronyc rPUx, - @{bin}/ls rix, @{bin}/networkctl rPx, + @{bin}/ls rix, @{bin}/sed rix, @{lib}/networkd-dispatcher/routable.d/postfix rix, diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper index 3e232154e..5e93bdbf5 100644 --- a/apparmor.d/groups/network/nm-dhcp-helper +++ b/apparmor.d/groups/network/nm-dhcp-helper 
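Review bot: `@{lib}/netplan/generate rix` in the netplan.script -1 hunk (which starts on the previous line) executes the generator with the full netplan.script permission set, including the `rCx` transitions to udevadm and systemctl and the NetworkManager/systemd rw rules, whereas the deleted netplan-generate profile confined it on its own. If the generator is also invoked directly by systemd, the `@{run}/systemd/generator/**` rules removed here are no longer granted anywhere on this page. A child profile, `@{lib}/netplan/generate rCx -> generate,`, or `rPx` with a separate profile, keeps the two privilege sets apart. The hunk ends inside the profile; the systemctl child is completed in the -63 hunk.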
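Review bot: `peer=(name=:*, label=systemd-networkd)` in the networkd-dispatcher hunk hard-codes the peer label; the `@{p_systemd_networkd}` tunable it replaces presumably exists so the label can follow the networkd profile's name or unconfined state on a given system, and with a literal label the `PropertiesChanged` signal is dropped wherever that does not match. The tailscaled hunk on this page makes the same `@{p_systemd_resolved}` to `systemd-resolved` change. The hunk also silently drops `@{bin}/chronyc rPUx`, so dispatcher scripts that poke chrony will now be denied; a comment or commit-message line should say whether that is intended.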
@@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/{,NetworkManager/}nm-dhcp-helper profile nm-dhcp-helper @{exec_path} { include - include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 029a5e39a..40984f7fa 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -26,12 +26,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}, label=NetworkManager), - - dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} - interface=org.freedesktop.NetworkManager.Settings.Connection - member=GetSettings - peer=(name=@{busname}, label=NetworkManager), + peer=(name=:*, label=NetworkManager), @{exec_path} mr, @@ -41,22 +36,22 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/chown rix, @{bin}/chronyc rPUx, @{bin}/date rix, - @{bin}/{m,g,}awk rix, - @{bin}/{,e}grep rix, + @{bin}/gawk rix, + @{bin}/grep rix, @{bin}/id rix, - @{sbin}/invoke-rc.d rCx -> invoke-rc, + @{bin}/invoke-rc.d rCx -> invoke-rc, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/netconfig rPUx, @{bin}/nmcli rix, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-cat rix, + @{bin}/systemd-cat rPx, @{bin}/tr rix, /usr/share/tlp/tlp-readconfs rPUx, @@ -106,7 +101,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { profile invoke-rc { include - @{sbin}/invoke-rc.d rm, + @{bin}/invoke-rc.d rm, @{sh_path} rix, @{bin}/basename rix, @{bin}/ls rix, diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 710d3115b..189afd74d 100644 --- a/apparmor.d/groups/network/nm-online 
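Review bot: `@{bin}/gawk rix` and `@{bin}/grep rix` in the nm-dispatcher -41 hunk replace the `{m,g,}awk` and `{,e}grep` globs, so a dispatcher script that calls `awk` on a system where it resolves to mawk, or that calls `egrep`, is now denied; the aurpublish and pacman-key hunks on this page narrow the same way. `@{bin}/systemd-cat rix` to `rPx` is a hard transition: if no systemd-cat profile is loaded the exec fails outright, unlike the `rPUx` fallbacks kept for chronyc and netconfig in the same list, so confirm that profile ships with the set. `@{bin}/python3.@{int} rix` also drops whatever `@{python_path}` covered beyond versioned interpreters; if that tunable includes unversioned or venv paths, dispatcher scripts using them will be denied.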
+++ b/apparmor.d/groups/network/nm-online @@ -16,12 +16,12 @@ profile nm-online @{exec_path} { dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged - peer=(name=@{busname}, label=NetworkManager), + peer=(name=:*, label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name=@{busname}, label=NetworkManager), + peer=(name=:*, label=NetworkManager), @{exec_path} mr, diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 943386f61..675c14679 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -20,7 +20,7 @@ profile nm-openvpn-service @{exec_path} { @{sh_path} rix, @{bin}/kmod rPx, - @{sbin}/openvpn rPx, + @{bin}/openvpn rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index b4da14960..43a9d0dca 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli 
@@ -16,30 +16,16 @@ profile nmcli @{exec_path} { capability sys_nice, #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name=@{busname}, label=NetworkManager), - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name=@{busname}, label=NetworkManager), - dbus send bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @{pager_path} rPx -> child-pager, - /etc/netplan/* r, - owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 2a513b84e..532c65f78 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn 
@@ -22,17 +22,22 @@ abi , include -@{exec_path} = @{sbin}/openvpn +@{exec_path} = @{bin}/openvpn profile openvpn @{exec_path} flags=(attach_disconnected) { include include - capability dac_override, - capability dac_read_search, - capability net_admin, # create tun - capability setgid, # when user/group are set in a OpenVPN config file + # Needed to remove the following errors: + # ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) + # Exiting due to fatal error + capability net_admin, + + # These are needed when user/group are set in a OpenVPN config file capability setuid, - capability sys_module, + capability setgid, + + capability dac_read_search, + capability dac_override, network inet dgram, network inet6 dgram, @@ -66,8 +71,6 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/route r, - /dev/net/tun rw, - profile update-resolv { include include @@ -82,10 +85,10 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/ip rix, @{bin}/which{,.debianutils} rix, - @{sbin}/xtables-nft-multi rix, + @{bin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, - /etc/iproute2/rt_tables.d/{,*} r, + /etc/iproute2/rt_tables.d/ r, include if exists } @@ -108,7 +111,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/env rix, @{bin}/ip rix, - @{sbin}/nft rix, + @{bin}/nft rix, @{bin}/sed rix, /etc/iproute2/rt_realms r, diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index 0650470ac..f9dcac8d1 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind 
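Review bot: removing `/dev/net/tun rw` in the -66 hunk leaves no rule on this page that lets openvpn open the tun device, while the comment kept in the -22 hunk says `capability net_admin` is there precisely for `TUNSETIFF` on it; unless one of the (unnamed) abstractions grants it, interface creation will fail at open() before the ioctl is reached. Keep `/dev/net/tun rw,` next to the net_admin rule so the capability and the device access stay together. The enclosing profile continues outside both hunks.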
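Review bot: `/etc/iproute2/rt_tables.d/ r` in the -82 hunk grants the directory only; the `ip` calls in this update-resolv child read the files inside it, which the old `{,*}` glob covered and the new rule does not, so table-name lookups will now produce read denials. `/etc/iproute2/rt_tables.d/{,*} r,` is the minimal form. The update-resolv child's body starts before the hunk.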
@@ -1,27 +1,17 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2023 Jeroen Rijken -# Copyright (C) 2025 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = @{sbin}/rpcbind +@{exec_path} = @{bin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include - include - - capability setgid, - capability setuid, @{exec_path} rm, - /etc/netconfig r, - - @{run}/rpcbind.lock rwkl, - @{run}/rpcbind/*.xdr rwkl, - include if exists } diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 8162dff1e..ac29b0b28 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -31,13 +31,13 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved @{exec_path} mr, @{bin}/ip rix, @{bin}/resolvectl rPx, - @{sbin}/xtables-nft-multi rix, + @{bin}/xtables-nft-multi rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg index 0b0315e33..781a52f7a 100644 --- a/apparmor.d/groups/network/wg +++ b/apparmor.d/groups/network/wg @@ -7,9 +7,8 @@ abi , include @{exec_path} = @{bin}/wg -profile wg @{exec_path} flags=(attach_disconnected) { +profile wg @{exec_path} { include - include capability net_admin, capability net_bind_service, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index 33de68147..c7ea6b1bd 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -7,11 +7,8 @@ abi , include @{exec_path} = @{bin}/wg-quick -profile wg-quick @{exec_path} flags=(attach_disconnected) { +profile wg-quick @{exec_path} { include - include - include - include capability dac_read_search, capability net_admin, 
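Review bot: the new rpcbind profile keeps `flags=(complain)` but drops `capability setuid`/`setgid`, `/etc/netconfig r` and the `@{run}/rpcbind.lock` and `@{run}/rpcbind/*.xdr` rules, so in complain mode those accesses still succeed but now surface as ALLOWED events, and moving the profile to enforce later would break the daemon's privilege drop and its warm-start state. If the intent is to reduce the profile to a stub, a comment saying so would stop the next person from "fixing" it; otherwise keep the two capabilities with a why-comment such as `# drop privileges to the rpc user`.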
@@ -23,39 +20,31 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, @{bin}/ip rPx, - @{bin}/mv rix, - @{sbin}/nft rix, + @{bin}/nft rix, @{bin}/readlink rix, - @{sbin}/resolvconf rPx, - @{bin}/resolvectl rPx, - @{bin}/rm rix, + @{bin}/resolvconf rPx, + @{bin}/resolvectl rPUx, @{bin}/sort rix, @{bin}/stat rix, - @{bin}/sync rix, - @{sbin}/sysctl rCx -> sysctl, + @{bin}/sysctl rix, @{bin}/wg rPx, - @{sbin}/xtables-nft-multi rix, + @{bin}/xtables-nft-multi rix, /usr/share/terminfo/** r, /etc/iproute2/group r, /etc/iproute2/rt_realms r, /etc/resolvconf/interface-order r, - /etc/wireguard/{,**} rw, + /etc/wireguard/*.conf r, @{sys}/module/wireguard r, - @{PROC}/@{pid}/net/ip_tables_names r, + @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, - profile sysctl flags=(attach_disconnected) { - include + /dev/tty rw, - @{sbin}/sysctl mr, - - @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, - - include if exists - } + # Force the use as root + deny @{bin}/sudo x, include if exists } diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index 38cd95d0a..fe83e168d 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -14,8 +14,8 @@ profile archlinux-java @{exec_path} { @{exec_path} mr, - @{sh_path} rix, @{bin}/basename rix, + @{bin}/bash rix, @{bin}/dirname rix, @{bin}/find rix, @{bin}/id rix, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index df9af9fef..a7a7bf225 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -30,7 +30,7 @@ profile aurpublish @{exec_path} { @{bin}/gettext rix, @{bin}/git rPx, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/makepkg rix, @{bin}/mkdir rix, @{bin}/mktemp rix, diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 84136638c..d5abc07db 100644 
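Review bot: `/etc/wireguard/*.conf r` together with the removal of `@{bin}/mv`, `@{bin}/rm`, `@{bin}/sync` and the directory `rw` means interfaces using `SaveConfig` can no longer be written back on `wg-quick down` (wg-quick writes a temp file and renames it, as far as I recall); if that is intended, say so in a comment, otherwise add `owner /etc/wireguard/*.conf{,.tmp} rw,` and the mv/sync execs. `@{bin}/resolvectl rPUx` falls back to unconfined execution when no resolvectl profile is loaded, while `@{bin}/resolvconf rPx` on the line above does not; the two DNS helpers should use the same transition. `deny @{bin}/sudo x` under `# Force the use as root` makes wg-quick's own re-exec through sudo fail with an exec denial rather than a password prompt, which is fine but is what a non-root user will see, so the comment could say so.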
--- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -11,7 +11,6 @@ profile makepkg @{exec_path} { include include include - include include include include @@ -29,22 +28,14 @@ profile makepkg @{exec_path} { file, - @{pager_path} Px -> child-pager, - @{bin}/gpg{,2} Cx -> gpg, - @{bin}/gpgconf Cx -> gpg, - @{bin}/gpgsm Cx -> gpg, - @{bin}/lsb_release Px, - @{bin}/sudo Cx -> sudo, - - deny capability sys_ptrace, - deny ptrace read, + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, + @{bin}/sudo Cx -> sudo, profile gpg { include include - include - - network netlink raw, @{bin}/gpg{,2} mr, @{bin}/gpgconf mr, @@ -75,8 +66,8 @@ profile makepkg @{exec_path} { owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } @@ -89,9 +80,8 @@ profile makepkg @{exec_path} { ptrace read, - signal send set=(term winch) peer=pacman, - signal send set=(term winch) peer=pacman//systemctl, - signal send set=(term winch) peer=systemd-tty-ask-password-agent, + signal send set=winch peer=pacman, + signal send set=winch peer=pacman//systemctl, @{bin}/pacman Px, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 165b42c02..ed91f6c9c 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -28,11 +28,11 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/bsdtar rix, @{bin}/fc-match rix, @{bin}/findmnt rPx, - @{sbin}/fsck rix, + @{bin}/fsck rix, @{bin}/getent rix, @{bin}/gzip rix, @{bin}/hexdump rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/ldd rix, @{bin}/loadkeys rix, @{bin}/objcopy rix, 
@@ -42,11 +42,13 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/zcat rix, @{bin}/zstd rix, - @{bin}/kmod rPx, + @{bin}/{depmod,insmod} rPx, + @{bin}/{kmod,lsmod} rPx, + @{bin}/{modinfo,rmmod} rPx, + @{bin}/modprobe rPx, @{bin}/plymouth rPx, - @{sbin}/plymouth-set-default-theme rPx, + @{bin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, - @{bin}/sync rPx, @{lib}/initcpio/busybox rix, @{lib}/initcpio/post/** rix, @@ -59,7 +61,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.conf r, /etc/mkinitcpio.conf.d/{,**} r, /etc/mkinitcpio.d/{,**} r, - /etc/modprobe.d/{,**} r, + /etc/modprobe.d/{,*} r, /etc/os-release r, /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, @@ -81,11 +83,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, - @{efi}/ r, - @{efi}/@{hex32}/{,**} rw, - @{efi}/EFI/{,**} rw, - @{efi}/initramfs-*.img* rw, - @{efi}/vmlinuz-* r, + /boot/ r, + /{boot,efi}/EFI/{,**} rw, + /boot/initramfs-*.img* rw, + /boot/vmlinuz-* r, /usr/share/systemd/bootctl/** r, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index d68c0b832..f537afdb3 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -16,8 +16,8 @@ profile paccache @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, @{bin}/{m,g,}awk rix, + @{bin}/bash rix, @{bin}/cat rix, @{bin}/gettext rix, @{bin}/gpg{,2} rix, @@ -36,14 +36,10 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /etc/pacman.conf r, /etc/pacman.d/{,**} r, - /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**, /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, - @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, - @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, - owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index eef992666..64a813bf4 100644 --- a/apparmor.d/groups/pacman/pacdiff 
+++ b/apparmor.d/groups/pacman/pacdiff @@ -19,22 +19,26 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/{m,g,}awk ix, - @{bin}/cat ix, - @{bin}/cmp ix, - @{bin}/find ix, - @{bin}/locate ix, - @{bin}/pacman ix, - @{bin}/pacman-conf Px, - @{bin}/pacsort ix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/tput ix, - @{editor_path} Cx -> editor, + @{bin}/{m,g,}awk rix, + @{bin}/cat rix, + @{bin}/cmp rix, + @{bin}/find rix, + @{bin}/locate rix, + @{bin}/pacman rix, + @{bin}/pacman-conf rPx, + @{bin}/pacsort rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/tput rix, + @{bin}/vim rix, + + owner @{HOME}/.viminfo{,.tmp} rw, + + owner @{user_cache_dirs}/vim/{,**} rw, # packages files / r, - @{efi}/{,**} r, + /boot/{,**} r, /etc/{,**} rw, /opt/{,**} r, /srv/{,**} r, @@ -44,15 +48,6 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/pts/@{int} rw, - profile editor { - include - include - - /etc/** rw, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 41b45c9d0..8215e3f6a 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -12,7 +12,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include include include - include include capability audit_write, @@ -27,7 +26,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability setfcap, capability setgid, capability setuid, - capability sys_admin, capability sys_chroot, capability sys_ptrace, capability sys_resource, 
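Review bot: `@{bin}/vim rix` replaces the `@{editor_path} Cx -> editor` transition and the editor child deleted in the -44 hunk, so the editor now inherits the whole pacdiff domain (`/etc/{,**} rw`, `/boot/{,**} r`, `@{sh_path} rix`, `attach_disconnected`) instead of the child's `/etc/** rw`, and only vim is covered even though pacdiff takes its diff and merge programs from the environment. Keeping a child, `@{editor_path} rCx -> editor,`, preserves both the narrower domain and the editor choice; the new `owner @{HOME}/.viminfo{,.tmp} rw` and vim cache rules then belong inside that child rather than in the main profile.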
@@ -42,62 +40,79 @@ profile pacman @{exec_path} flags=(attach_disconnected) { ptrace read, signal send, - signal receive set=(term winch) peer=makepkg//sudo, + signal receive set=winch peer=makepkg//sudo, @{exec_path} mrix, - # Pacman's keyring - @{bin}/gpg{,2} Cx -> gpg, - @{bin}/gpgconf Cx -> gpg, - @{bin}/gpgsm Cx -> gpg, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgsm rCx -> gpg, - # Common program found in hooks & install scripts - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/dot ix, - @{bin}/filecap ix, - @{bin}/getent ix, - @{bin}/gettext ix, - @{bin}/gzip ix, - @{bin}/rsync ix, - @{bin}/setfacl ix, - @{bin}/tput ix, - @{bin}/vercmp ix, - @{bin}/which{,.debianutils} ix, - @{bin}/xmlcatalog ix, - @{sbin}/iconvconfig ix, - @{sbin}/iscsi-iname ix, - @{sbin}/setcap ix, - - @{bin}/dbus-send Cx -> bus, - @{bin}/gdbus Cx -> bus, - @{bin}/killall Cx -> pkill, - @{bin}/kmod Cx -> kmod, - @{bin}/pkill Cx -> pkill, - @{bin}/systemctl Cx -> systemctl, - @{sbin}/ldconfig Cx -> ldconfig, - - #aa:lint ignore=too-wide - # Hooks & install scripts can legitimately start/restart anything - # PU is only used as a safety fallback. 
- @{bin}/** PUx, - @{sbin}/** PUx, - /opt/*/** PUx, - /etc/** PUx, - /usr/share/** PUx, - - @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} Px, - @{lib}/systemd/systemd-* Px, - @{lib}/vlc/vlc-cache-gen Px, - - # For shell pwd, keept as it can annoy users to see error in pacman output - /**/ r, + # Pacman hooks & install scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/appstreamcli rPx, + @{bin}/arch-audit rPx, + @{bin}/archlinux-java rPx, + @{bin}/bootctl rPx, + @{bin}/cert-sync rPx, + @{bin}/checkrebuild rPUx, + @{bin}/dconf rPx, + @{bin}/dot rix, + @{bin}/fc-cache{,-32} rPx, + @{bin}/filecap rix, + @{bin}/gdbus rix, + @{bin}/gdk-pixbuf-query-loaders rPx, + @{bin}/getent rix, + @{bin}/gettext rix, + @{bin}/ghc-pkg-@{version} rix, + @{bin}/gio-querymodules rPx, + @{bin}/glib-compile-schemas rPx, + @{bin}/groupadd rPx, + @{bin}/gtk-query-immodules-{2,3}.0 rPx, + @{bin}/gtk{,4}-update-icon-cache rPx, + @{bin}/iconvconfig rix, + @{bin}/install-catalog rPx, + @{bin}/install-info rPx, + @{bin}/iscsi-iname rix, + @{bin}/journalctl rPx, + @{bin}/killall rix, + @{bin}/ldconfig rix, + @{bin}/locale-gen rPx, + @{bin}/mkinitcpio rPx, + @{bin}/needrestart rPx, + @{bin}/pacdiff rPx, + @{bin}/pacman-key rPx, + @{bin}/perl rix, + @{bin}/pkgfile rPUx, + @{bin}/pkill rix, + @{bin}/rsync rix, + @{bin}/sbctl rPx, + @{bin}/setcap rix, + @{bin}/setfacl rix, + @{bin}/sysctl rPx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/systemd-* rPx, + @{bin}/tput rix, + @{bin}/update-ca-trust rPx, + @{bin}/update-desktop-database rPx, + @{bin}/update-grub rPx, + @{bin}/update-mime-database rPx, + @{bin}/vercmp rix, + @{bin}/xmlcatalog rix, + @{lib}/systemd/systemd-* rPx, + @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix, + @{lib}/vlc/vlc-cache-gen rPx, + /opt/Mullvad*/resources/mullvad-setup rPx, + /usr/share/code-features/patch.py rPx, + /usr/share/code-marketplace/patch.py rPx, + /usr/share/libalpm/scripts/* rPUx, + /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx, # Install/update 
packages - #aa:lint ignore=too-wide / r, /*{,/} rw, - @{efi}/** rwl -> @{efi}/**, + /boot/** rwl -> /boot/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, @@ -119,8 +134,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, + @{PROC}/1/environ r, @{PROC}/sys/kernel/osrelease r, @{PROC}/tty/drivers r, @{PROC}/uptime r, @@ -130,6 +145,11 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, owner /dev/pts/@{int} rw, + # Silencer, + deny @{HOME}/ r, + deny @{HOME}/**/ r, + deny /tmp/ r, + profile gpg { include include @@ -166,7 +186,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include if exists } - profile systemctl flags=(attach_disconnected) { + profile systemctl { include include 
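Review bot: the explicit hook allowlist in the -42 hunk (starting two lines up) is a clear improvement over `@{bin}/** PUx`, but several entries inherit pacman's own domain where the old side used dedicated children: `@{bin}/killall rix` and `@{bin}/pkill rix` now run with pacman's unrestricted `signal send,`, `ptrace read,` and `capability sys_ptrace` (all visible as context), `@{bin}/ldconfig rix` runs with `/etc/** rwl` instead of the cache-only rules of the removed ldconfig child, and `@{bin}/gdbus rix` likewise. `/usr/share/libalpm/scripts/* rPUx`, `@{bin}/checkrebuild rPUx` and `@{bin}/pkgfile rPUx` reinstate an unconfined fallback for exactly the scripts the allowlist is meant to confine; prefer `rPx` where a profile exists and an `rCx` child otherwise. The hunk ends before the rest of the file-access rules.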
@@ -174,79 +194,20 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_resource, - ptrace read peer=@{p_systemd}, - signal send set=cont peer=child-pager, - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - signal receive set=(term winch) peer=makepkg//sudo, + signal receive set=winch peer=makepkg//sudo, @{pager_path} rPx -> child-pager, - @{bin}/systemd-tty-ask-password-agent rPx, /etc/machine-id r, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/*.journal* r, include if exists } - profile bus { - include - include - include - - @{bin}/gdbus rix, - - include if exists - } - - profile pkill { - include - include - - @{bin}/killall mr, - @{bin}/pkill mr, - - include if exists - } - - profile kmod { - include - include - - include if exists - } - - profile ldconfig { - include - include - - @{sh_path} rix, - @{sbin}/ldconfig mrix, - - @{lib}/ r, - /usr/local/ r, - /usr/local/lib/ r, - - /opt/cuda/**/@{lib}/ r, - /opt/cuda/**/@{lib}/@{multiarch}/ r, - - /etc/ld.so.cache rw, - /etc/ld.so.cache~ rw, - - /var/cache/ldconfig/ rw, - owner /var/cache/ldconfig/aux-cache* rw, - - include if exists - } - include if exists include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 3e916efe3..3a6bbd7fe 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code 
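Review bot: the systemctl child keeps `@{pager_path} rPx -> child-pager` but drops `signal send set=cont peer=child-pager`; systemd's pager handling sends SIGCONT to the pager when it closes it (as far as I recall), so the pager hand-off will now log a signal denial. Keep `signal send set=cont peer=child-pager,` beside the pager rule. Dropping `ptrace read peer=@{p_systemd}` is consistent with the pacman-hook-systemd hunk on this page, and `/{run,var}/log/journal/@{hex32}/*.journal* r` is a readable replacement for the six journal-name patterns.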
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/share/code-{features,marketplace}{,-insiders}/patch.py +@{exec_path} = /usr/share/code-{features,marketplace}/patch.py profile pacman-hook-code @{exec_path} { include include @@ -16,13 +16,12 @@ profile pacman-hook-code @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{lib}/code/product.json rw, - @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w, - /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, - /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, + /usr/share/code-{features,marketplace}/{,*} r, + /usr/share/code-{features,marketplace}/cache.json rw, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index c49eb08e9..b5a330d75 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -14,7 +14,7 @@ profile pacman-hook-dconf @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{bin}/bash rix, @{bin}/rm rix, @{bin}/dconf rPx, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index 0dae14351..45336a100 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -14,13 +14,14 @@ profile pacman-hook-depmod @{exec_path} { @{exec_path} mr, - @{sh_path} rix, @{bin}/basename rix, + @{bin}/bash rix, + @{bin}/depmod rPx, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, - @{lib}/modules/*/{,**} rw, + /usr/lib/modules/*/{,**} rw, /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index a8a54c151..a039db414 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms 
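Review bot: `/usr/lib/modules/*/{,**} rw` in the pacman-hook-depmod hunk hard-codes `/usr/lib` while the exec rules two lines above still use `@{bin}`; the pacman-hook-gio hunk does the same with `/usr/lib/gio/modules/ rw` directly under a line that keeps `@{lib}/gio/modules/`. `@{lib}/modules/*/{,**} rw,` and `@{lib}/gio/modules/ rw,` keep the set's path tunable so both rules follow it. The added `@{bin}/depmod rPx` beside `@{bin}/kmod rPx` needs a depmod profile to be loaded or the exec is denied; if depmod is a symlink to kmod the kernel presumably resolves it to the kmod rule and the line is inert, so it is worth checking which case applies.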
@@ -19,7 +19,7 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{sbin}/dkms rPx, + @{bin}/dkms rPx, @{bin}/kmod rPx, @{bin}/nproc rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index 3b29e01ea..de0d33e16 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -14,7 +14,7 @@ profile pacman-hook-fontconfig @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{bin}/bash rix, @{bin}/ln rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index 17218158e..5aa612a3c 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -14,14 +14,14 @@ profile pacman-hook-gio @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{bin}/bash rix, @{bin}/rmdir rix, @{bin}/gio-querymodules rPx, @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw, @{lib}/gtk-{3,4}.0/**/*/ rw, - @{lib}/gio/modules/ rw, + /usr/lib/gio/modules/ rw, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index e6aa28627..ce7b931ca 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -14,7 +14,7 @@ profile pacman-hook-gtk @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{bin}/bash rix, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 48ce25ab2..a9bf40360 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -16,7 +16,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, + @{bin}/bash rix, @{bin}/cmp rix, @{bin}/compgen rix, @{bin}/env rix, 
@@ -36,11 +36,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.d/*.preset{,.pacsave} rw, / r, - @{efi}/ r, - @{efi}/EFI/boot/boot*.efi rw, - @{efi}/initramfs-*-fallback.img rw, - @{efi}/initramfs-*.img rw, - @{efi}/vmlinuz-* rw, + /boot/ r, + /{boot,efi}/EFI/boot/boot*.efi rw, + /boot/initramfs-*-fallback.img rw, + /boot/initramfs-*.img rw, + /boot/vmlinuz-* rw, /dev/tty rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 6378ca991..7c0006153 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -15,7 +15,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{bin}/bash rix, @{bin}/cmp rix, @{bin}/mv rix, @{bin}/rm rix, @@ -24,9 +24,9 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { /usr/share/mkinitcpio/*.preset r, /etc/mkinitcpio.d/*.preset rw, - @{efi}/vmlinuz-* rw, - @{efi}/initramfs-*.img rw, - @{efi}/initramfs-*-fallback.img rw, + /boot/vmlinuz-* rw, + /boot/initramfs-*.img rw, + /boot/initramfs-*-fallback.img rw, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index aa2be8b09..1254f97e2 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -9,18 +9,19 @@ include @{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh profile pacman-hook-perl @{exec_path} { include - include capability dac_read_search, capability mknod, @{exec_path} mr, - @{sh_path} rix, + @{bin}/perl rix, + @{bin}/bash rix, @{bin}/find rix, @{bin}/pacman rPx, @{bin}/sed rix, - @{bin}/wc rix, + + @{lib}/perl@{int}/{,**} r, /dev/tty rw, /dev/tty@{int} rw, 
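Review bot: The image rules in the pacman-hook-mkinitcpio hunk are pinned to `/boot/` (`/boot/ r,`, `/boot/initramfs-*.img rw,`, `/boot/vmlinuz-* rw,`) while the loader rule between them admits both roots, `/{boot,efi}/EFI/boot/boot*.efi rw,`; the pacman-hook-mkinitcpio-remove hunk further along this line has the same split. If the ESP can be mounted at `/efi` and a preset writes images there, those writes are denied under the new rules although the `@{efi}` tunable they replace covered both locations. Using the same `/{boot,efi}/` prefix on the image lines, e.g. `/{boot,efi}/initramfs-*.img rw,`, or keeping `@{efi}`, makes the two sets of rules agree; if images are always under `/boot` by design, a comment saying so would justify the narrower form.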
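Review bot: `@{bin}/perl rix,` in the pacman-hook-perl hunk runs the interpreter under this profile's own rules, so whatever perl code the hook executes gets the `capability dac_read_search,` and `capability mknod,` granted a few lines above. A child profile (`@{bin}/perl rCx -> perl,`) limited to `@{lib}/perl@{int}/{,**} r,` and the paths the hook actually inspects would keep those capabilities with the shell; if inheritance is deliberate, a comment such as `# inline perl: runs with the hook's capabilities on purpose` would record it. The hunk also removes an `include` whose target is not preserved in this rendering, so its effect cannot be checked here; the profile body continues outside the hunk.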
diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 860fb34ea..2c32024a2 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -44,13 +44,6 @@ profile pacman-hook-systemd @{exec_path} { include capability net_admin, - capability sys_resource, - - ptrace read peer=@{p_systemd}, - - signal send set=(cont, term) peer=systemd-tty-ask-password-agent, - - @{bin}/systemd-tty-ask-password-agent Px, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 1e1204c27..287bc026a 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -16,15 +16,15 @@ profile pacman-key @{exec_path} { @{exec_path} mr, - @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, + @{bin}/bash rix, @{bin}/chmod rix, @{bin}/gettext rix, - @{bin}/gpg{,2} rCx -> &gpg, - @{bin}/{,e}grep rix, + @{bin}/gpg{,2} rCx -> gpg, + @{bin}/grep rix, @{bin}/ngettext rix, - @{bin}/pacman-conf rPx -> &pacman-conf, + @{bin}/pacman-conf rPx, @{bin}/touch rix, @{bin}/tput rix, @{bin}/vercmp rix, @@ -34,8 +34,7 @@ profile pacman-key @{exec_path} { /usr/share/pacman/keyrings/{,*} r, /usr/share/terminfo/** r, - /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + /etc/pacman.d/gnupg/* rw, /dev/tty rw, @@ -60,7 +59,7 @@ profile pacman-key @{exec_path} { /etc/pacman.d/gnupg/ rw, /etc/pacman.d/gnupg/** rwkl, - @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + @{HOME}/.gnupg/gpg.conf r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay index 42932cc2e..52c2de345 100644 --- a/apparmor.d/groups/pacman/yay +++ b/apparmor.d/groups/pacman/yay 
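Review bot: `/etc/pacman.d/gnupg/* rw,` in the pacman-key `@@ -34,8 +34,7 @@` hunk no longer matches the keyring directory itself, since the `/etc/pacman.d/gnupg/ rw,` line is removed with it, so creating or chmod-ing `/etc/pacman.d/gnupg/` from the main profile (`@{bin}/chmod rix` and `@{bin}/touch rix` remain in scope a few lines earlier) would be denied, and the lock (`k`) and link (`l`) permissions on files below it are dropped. `/etc/pacman.d/gnupg/{,*} rw,` keeps the directory covered; whether `k`/`l` are still needed by the script itself rather than by the `gpg` child, which presumably is where the `@@ -60,7 +59,7 @@` hunk's retained `/etc/pacman.d/gnupg/** rwkl,` lives, is not visible here. In that second hunk `@{HOME}/.gnupg/gpg.conf r,` also hard-codes the path that the `@{XDG_GPG_DIR}` tunable it replaces abstracts elsewhere in the set.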
@@ -25,7 +25,6 @@ profile yay @{exec_path} { @{bin}/git Cx -> git, @{bin}/gpg{,2} Cx -> gpg, @{bin}/makepkg Px, - @{bin}/pacman Px, @{bin}/pacman-conf Px, @{bin}/sudo Cx -> sudo, diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep deleted file mode 100644 index d10c1e772..000000000 --- a/apparmor.d/groups/procps/pgrep +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pgrep -profile pgrep @{exec_path} flags=(attach_disconnected) { - include - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/procps/vmstat b/apparmor.d/groups/procps/vmstat deleted file mode 100644 index 1276222a2..000000000 --- a/apparmor.d/groups/procps/vmstat +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/vmstat -profile vmstat @{exec_path} { - include - include - - @{exec_path} mr, - - @{sys}/block/ r, - @{sys}/devices/system/node/ r, - - @{PROC}/diskstats r, - @{PROC}/slabinfo r, - @{PROC}/uptime r, - @{PROC}/vmstat r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index a0fc3e2f8..3deddb092 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server @@ -6,7 +6,8 @@ abi , include -@{exec_path} = @{lib}/{openssh,ssh}/sftp-server +@{exec_path} = @{lib}/openssh/sftp-server +@{exec_path} += @{lib}/ssh/sftp-server profile sftp-server @{exec_path} { include include diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 0d6826490..69f594f7a 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh 
@@ -11,25 +11,21 @@ include profile ssh @{exec_path} { include include - include - include include + signal (receive) set=(term) peer=gnome-keyring-daemon, + network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, - signal receive set=term peer=gnome-keyring-daemon, - signal send set=hup peer=unconfined, - @{exec_path} mrix, @{bin}/@{shells} rUx, - @{bin}/ssh.hmac r, - @{lib}/{,ssh/}ssh-sk-helper rix, + @{lib}/ssh/ssh-sk-helper rPx -> ssh-sk-helper, @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, @@ -37,32 +33,22 @@ profile ssh @{exec_path} { @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/machine-id r, - owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, + owner @{HOME}/@{XDG_SSH_DIR}/ r, + owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, + owner @{HOME}/@{XDG_SSH_DIR}/config r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_*_*_* wl, owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, - owner @{tmp}/krb5cc_* rwk, + owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, - audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, - - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/hidraw/hidraw@{int} r, - owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/fd/ r, - /dev/hidraw@{int} rwk, - include if exists } diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 9fc2900b4..72d6618e6 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent 
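Review bot: `@{lib}/ssh/ssh-sk-helper rPx -> ssh-sk-helper,` in the first ssh hunk fixes the helper to the `@{lib}/ssh/` directory, and the ssh-sk-helper hunk further down this page pins that profile's attachment (`@{exec_path} = @{lib}/ssh/ssh-sk-helper`) to the same single path, whereas the sftp-server hunk just above keeps both `@{lib}/openssh/sftp-server` and `@{lib}/ssh/sftp-server`. If the `openssh/` layout is a supported target for this set, security-key operations from ssh would be denied there because neither the exec rule nor the attachment matches. `@{lib}/{openssh,ssh}/ssh-sk-helper rPx -> ssh-sk-helper,` plus a matching `@{exec_path} +=` line in the ssh-sk-helper profile would mirror the sftp-server treatment; the move from `rix` to a named `rPx` transition is itself the right direction.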
@@ -13,14 +13,12 @@ profile ssh-agent @{exec_path} { include signal receive set=term peer=cockpit-bridge, - signal receive set=term peer=cockpit-session, signal receive set=term peer=gnome-keyring-daemon, @{exec_path} mr, @{sh_path} rix, @{bin}/gpg-agent rPx, - @{bin}/im-launch rPx, owner @{HOME}/@{XDG_SSH_DIR}/ rw, owner @{HOME}/@{XDG_SSH_DIR}/* r, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 86bd0866f..c9f0c6373 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -15,7 +15,7 @@ profile ssh-agent-launch @{exec_path} { @{sh_path} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/getopt rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/ssh-agent rPx, /etc/X11/Xsession.options r, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 738268b0a..14cbd3c87 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -8,6 +8,7 @@ abi , include @{exec_path} = @{bin}/ssh-keygen + profile ssh-keygen @{exec_path} { include include @@ -15,16 +16,13 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, - @{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper, - - /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/ rw, - owner @{HOME}/@{XDG_SSH_DIR}/* rwl -> @{HOME}/@{XDG_SSH_DIR}/*, + owner @{HOME}/@{XDG_SSH_DIR}/ w, + owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, - owner /tmp/snapd@{int}/*_*{,.pub} w, - owner /tmp/snapd@{int}/*.key{,.pub} w, + /tmp/snapd@{int}/*_*{,.pub} w, + /tmp/snapd@{int}/*.key{,.pub} w, /dev/tty@{int} rw, /dev/ttyS@{int} rw, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index ff9de97c3..d913e2a2d 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper 
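Review bot: The two `/tmp/snapd@{int}/` rules in the ssh-keygen hunk lose their `owner` qualifier (`/tmp/snapd@{int}/*_*{,.pub} w,`, `/tmp/snapd@{int}/*.key{,.pub} w,`), so the profile may now write key files into a `/tmp/snapd*` directory regardless of who owns the target; if a non-owner write is genuinely required the reason belongs in a comment, otherwise `owner` should stay. The same hunk removes `@{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper,` with no replacement, so generating a security-key pair (`ssh-keygen -t ed25519-sk`) or downloading resident keys (`ssh-keygen -K`) would presumably be denied when the helper is executed. The enclosing profile continues outside the hunk.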
@@ -6,10 +6,9 @@ abi , include -@{exec_path} = @{lib}/{,ssh/}ssh-sk-helper +@{exec_path} = @{lib}/ssh/ssh-sk-helper profile ssh-sk-helper flags=(complain) { include - include @{exec_path} mr, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 633076ad6..b4ecc068e 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -15,7 +15,7 @@ abi , include -@{exec_path} = @{sbin}/sshd +@{exec_path} = @{bin}/sshd profile sshd @{exec_path} flags=(attach_disconnected) { include include @@ -25,14 +25,12 @@ profile sshd @{exec_path} flags=(attach_disconnected) { include include include - include #aa:only RBAC capability audit_write, capability chown, - capability dac_override, capability dac_read_search, + capability dac_override, capability fowner, - capability fsetid, capability kill, capability net_bind_service, capability setgid, 
@@ -51,33 +49,25 @@ profile sshd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - unix type=stream peer=(label=sshd-session), + signal (receive) set=(hup) peer=@{p_systemd}, - signal receive set=hup peer=@{p_systemd}, + ptrace (read,trace) peer=@{p_systemd}, - ptrace (read trace) peer=@{p_systemd}, + unix (bind) type=stream addr=@@{udbus}/bus/sshd/system, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), - - dbus send bus=system path=/org/freedesktop/home1 - interface=org.freedesktop.home1.Manager - member=GetUserRecordByName - peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + peer=(name=org.freedesktop.login1, label=systemd-logind), @{exec_path} mrix, - @{sbin}/sshd.hmac r, - - @{bin}/@{shells} Ux, #aa:exclude RBAC - @{bin}/false ix, - @{sbin}/nologin Px, - @{bin}/passwd Px, - @{lib}/{openssh,ssh}/sftp-server Px, - @{lib}/{openssh,ssh}/sshd-auth Px, - @{lib}/{openssh,ssh}/sshd-session Px, + @{bin}/@{shells} rUx, + @{bin}/false rix, + @{bin}/nologin rPx, + @{bin}/passwd rPx, + @{lib}/openssh/sftp-server rPx, + @{lib}/ssh/sshd-session rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, @@ -104,7 +94,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - @{HOME}/@{XDG_SSH_DIR}/authorized_keys* r, + owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{user_cache_dirs}/{,motd*} rw, @{att}/@{run}/systemd/sessions/@{int}.ref rw, 
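Review bot: `@{lib}/ssh/sshd-session rix,` runs the per-connection session process inside the sshd profile, while the dedicated sshd-session profile is deleted later on this page; that profile carried `deny capability net_admin,` with a comment explaining why sshd does not need it, yet the parent profile this rule now inherits grants `capability net_admin,` (visible in the preceding hunk), so the process that handles the connection, presumably including pre-authentication traffic, regains that capability and the rest of the parent's set. The exec rules are also split across layouts — `@{lib}/openssh/sftp-server rPx` only under `openssh/`, `sshd-session` only under `ssh/` — and `sshd-auth` has no rule at all once its profile is removed, so on an OpenSSH that ships it the exec would be denied. Keeping a separate profile, `@{lib}/{openssh,ssh}/sshd-session rPx -> sshd-session,`, preserves the earlier separation; if inheriting is intended, a comment stating that the session process deliberately shares sshd's rules should accompany the line.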
@@ -117,7 +107,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{run}/sshd{,.init}.pid wl, @{sys}/fs/cgroup/*/user/*/@{int}/ rw, - @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-@{word}.scope/ rw, + @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw, @{PROC}/@{pids}/fd/ r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth deleted file mode 100644 index c1601b813..000000000 --- a/apparmor.d/groups/ssh/sshd-auth +++ /dev/null @@ -1,32 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/{openssh,ssh}/sshd-auth -profile sshd-auth @{exec_path} { - include - include - - capability setgid, - capability setuid, - capability sys_chroot, - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - @{sbin}/sshd.hmac r, - - /etc/gss/mech.d/{,*} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session deleted file mode 100644 index ab86f3ad1..000000000 --- a/apparmor.d/groups/ssh/sshd-session +++ /dev/null 
@@ -1,92 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/{openssh,ssh}/sshd-session -profile sshd-session @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include #aa:only RBAC - - capability audit_write, - capability chown, - capability dac_override, - capability dac_read_search, - capability fowner, - capability fsetid, - capability kill, - capability setgid, - capability setuid, - capability sys_chroot, - capability sys_resource, - - # sshd doesn't require net_admin. libpam-systemd tries to - # use it if available to set the send/receive buffers size, - # but will fall back to a non-privileged version if it fails. - deny capability net_admin, - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - unix type=stream peer=(label=sshd), - - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), - - dbus send bus=system path=/org/freedesktop/home1 - interface=org.freedesktop.home1.Manager - member=GetUserRecordByName - peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), - - @{exec_path} mr, - - @{bin}/@{shells} Ux, #aa:exclude RBAC - @{bin}/userdbctl Px, - @{lib}/{openssh,ssh}/sshd-auth Px, - - @{etc_rw}/motd r, - @{etc_rw}/motd.d/{,**} r, - /etc/machine-id r, - /etc/motd r, - - /var/lib/lastlog/ r, - /var/lib/lastlog/lastlog2.db rwk, - /var/lib/lastlog/lastlog2.db-journal rw, - - /var/lib/wtmpdb/ w, - - owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, - - owner @{user_cache_dirs}/{,motd*} rw, - - @{att}/@{run}/systemd/sessions/@{int}.ref w, - - @{run}/cockpit/active.issue r, - @{run}/motd.d/{,*} r, - @{run}/motd.dynamic rw, - 
@{run}/motd.dynamic.new rw, - - @{PROC}/1/limits r, - owner @{PROC}/@{pid}/loginuid rw, - owner @{PROC}/@{pid}/uid_map r, - - /dev/ptmx rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index ee6a2f903..a367b0f7a 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -13,12 +13,8 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{HOME}/*/, mount fstype=fuse.sshfs -> @{HOME}/*/*/, - mount fstype=fuse.sshfs -> @{MOUNTDIRS}/, - mount fstype=fuse.sshfs -> @{MOUNTS}/, - mount fstype=fuse.sshfs -> @{MOUNTS}/*/, - mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, - unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount"), + unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), @{exec_path} mr, @@ -31,24 +27,23 @@ profile sshfs @{exec_path} flags=(complain) { profile fusermount flags=(complain) { include - include + include + + capability sys_admin, mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, - mount fstype={fuse,fuse.sshfs} -> @{MOUNTDIRS}/, - mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/, - mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/, - mount fstype={fuse,fuse.sshfs} -> @{MOUNTS}/*/*/, - - umount @{HOME}/*/, - umount @{HOME}/*/*/, - umount @{MOUNTDIRS}/, - umount @{MOUNTS}/, - umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none), + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + + @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, + include if exists } diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery deleted file mode 100644 index 1af9fe22f..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery +++ /dev/null 
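Review bot: The `fusermount` child profile in the second sshfs hunk keeps its `mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/` rules and gains `capability sys_admin,` and `/dev/fuse rw,`, but every `umount` rule is removed, so `fusermount -u` of a mount created under `@{HOME}` would be denied once the child leaves `flags=(complain)`. Unless unmounting is handled by another profile, `umount @{HOME}/*/,` and `umount @{HOME}/*/*/,` should stay next to the mount rules. A short comment on `capability sys_admin,` saying it is required for the mount call would also help, since within this hunk the old side had no such grant.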
@@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/friendly-recovery -profile systemd-generator-friendly-recovery @{exec_path} flags=(attach_disconnected) { - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/cat rix, - - @{PROC}/cmdline r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import deleted file mode 100644 index de3753aaf..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-import +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/systemd-import-generator -profile systemd-generator-import @{exec_path} flags=(attach_disconnected) { - include - - capability sys_ptrace, - - ptrace read peer=@{p_systemd}, - - @{exec_path} mr, - - / r, - - @{PROC}/@{pid}/cgroup r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - /dev/kmsg w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn deleted file mode 100644 index 780c63d56..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn +++ /dev/null 
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/openvpn-generator -profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) { - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/ls ix, - @{bin}/mkdir ix, - - /etc/default/openvpn r, - /etc/openvpn/ r, - - @{run}/systemd/generator/openvpn.service.wants/{,**} w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-rc-local b/apparmor.d/groups/systemd-generators/systemd-generator-rc-local deleted file mode 100644 index 3e8bec6c5..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-rc-local +++ /dev/null @@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/systemd-rc-local-generator -profile systemd-generator-rc-local @{exec_path} flags=(attach_disconnected) { - include - - ptrace read peer=@{p_systemd}, - - @{exec_path} mr, - - @{PROC}/@{pid}/cgroup r, - @{PROC}/1/cgroup r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - /dev/kmsg w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-snapd deleted file mode 100644 index 8544a7938..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-snapd +++ /dev/null 
@@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/snapd-generator -profile systemd-generator-snapd @{exec_path} flags=(attach_disconnected) { - include - - @{exec_path} mr, - - @{PROC}/1/mountinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh deleted file mode 100644 index 0f6aa11d9..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ssh +++ /dev/null @@ -1,52 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/systemd-ssh-generator -profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { - include - - capability net_admin, - - network vsock stream, - - ptrace read peer=@{p_systemd}, - - @{exec_path} mr, - - @{sbin}/sshd r, - - @{run}/ r, - @{run}/systemd/ r, - @{run}/systemd/generator/ r, - @{run}/systemd/generator/sockets.target.wants/ rw, - @{run}/systemd/generator/sockets.target.wants/*.socket w, - @{run}/systemd/generator/sshd-*.service w, - @{run}/systemd/generator/sshd-*.socket rw, - @{run}/systemd/system/ r, - @{run}/systemd/transient/ r, - - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/firmware/dmi/entries/*/raw r, - - @{PROC}/@{pid}/cgroup r, - @{PROC}/1/cgroup r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - /dev/kmsg w, - /dev/vsock r, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket deleted file mode 100644 index f08df7d90..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket +++ /dev/null @@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/sshd-socket-generator -profile systemd-generator-sshd-socket @{exec_path} { - include - include - - network inet dgram, - network inet6 dgram, - network netlink raw, - - @{exec_path} mr, - - @{etc_ro}/ssh/sshd_config r, - @{etc_ro}/ssh/sshd_config.d/{,*} r, - - @{run}/systemd/generator/ssh.socket.d/{,*} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-sysv b/apparmor.d/groups/systemd-generators/systemd-generator-sysv deleted file mode 100644 index fc290fca4..000000000 --- a/apparmor.d/groups/systemd-generators/systemd-generator-sysv +++ /dev/null @@ -1,32 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/systemd-sysv-generator -profile systemd-generator-sysv @{exec_path} flags=(attach_disconnected) { - include - - ptrace read peer=@{p_systemd}, - - @{exec_path} mr, - - /etc/init.d/{,**} r, - /etc/rc@{int}.d/{,**} r, - - @{run}/systemd/generator.late/** w, - - @{PROC}/@{pid}/cgroup r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - /dev/kmsg w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 deleted file mode 100644 index ee5d924cc..000000000 
--- a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/system-generators/systemd-tpm2-generator -profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { - include - - ptrace read peer=@{p_systemd}, - - @{exec_path} mr, - - @{sys}/class/tpmrm/ r, - @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r, - - @{PROC}/@{pid}/cgroup r, - @{PROC}/1/cgroup r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - /dev/kmsg w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service deleted file mode 100644 index 1b585c0cc..000000000 --- a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# /bin/bash -c 'read args <&3; echo "args=$args"; \ -# exec /usr/bin/cloud-init devel hotplug-hook $args; \ -# exit 0' - -abi , - -include - -profile cloud-init-hotplugd.service { - include - - @{sh_path} ix, - @{bin}/cloud-init Px, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/debug-shell.service b/apparmor.d/groups/systemd-service/debug-shell.service deleted file mode 100644 index 9f8e235cf..000000000 --- a/apparmor.d/groups/systemd-service/debug-shell.service +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# ExecStart=/usr/bin/bash - -abi , - -include - -profile debug-shell.service { - include - - all, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service deleted file mode 100644 index 0a46f6ed9..000000000 --- a/apparmor.d/groups/systemd-service/dmesg.service +++ /dev/null @@ -1,63 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg -# ExecStart=/bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname -# ExecStartPost=/bin/chgrp adm /var/log/dmesg -# ExecStartPost=/bin/chmod 0640 /var/log/dmesg - -abi , - -include - -profile dmesg.service flags=(attach_disconnected) { - include - include - - capability chown, - capability fsetid, - capability sys_admin, - - ptrace read peer=@{p_systemd}, - - @{sh_path} r, - @{bin}/basename ix, - @{bin}/chgrp rix, - @{bin}/chmod rix, - @{bin}/chown ix, - @{bin}/date ix, - @{bin}/dirname ix, - @{bin}/gzip ix, - @{bin}/gzip ix, - @{bin}/journalctl r, - @{bin}/ln ix, - @{bin}/mv ix, - @{bin}/rm ix, - @{bin}/savelog rix, - @{bin}/touch ix, - - /etc/machine-id r, - - /var/log/ r, - /var/log/dmesg rw, - /var/log/dmesg.* rwl -> /var/log/dmesg, - - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* rw, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* rw, - - @{PROC}/1/environ r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/boot_id r, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service deleted file mode 100644 index fc4de5edc..000000000 --- a/apparmor.d/groups/systemd-service/grub-common.service +++ /dev/null @@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# ExecStartPre=/bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub' -# ExecStart=grub-editenv /boot/grub/grubenv unset recordfail -# ExecStartPost=/bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi' - -abi , - -include - -profile grub-common.service { - include - - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/grub-editenv rix, - @{bin}/mkdir ix, - @{bin}/rm ix, - - @{efi}/grub/ w, - @{efi}/grub/grubenv rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/ldconfig.service b/apparmor.d/groups/systemd-service/ldconfig.service deleted file mode 100644 index f7d193e9e..000000000 --- a/apparmor.d/groups/systemd-service/ldconfig.service +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# /sbin/ldconfig -X - -abi , - -include - -profile ldconfig.service { - include - - @{lib}/ r, - @{sbin}/ldconfig r, - - /var/cache/ldconfig/aux-cache rw, - /var/cache/ldconfig/aux-cache~ rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service deleted file mode 100644 index c3bfa7c32..000000000 --- a/apparmor.d/groups/systemd-service/man-db.service +++ /dev/null 
@@ -1,41 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man -# ExecStart=/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete -# ExecStart=/usr/bin/mandb --quiet - -abi , - -include - -profile man-db.service flags=(attach_disconnected) { - include - include - - @{bin}/find ix, - @{bin}/install ix, - @{bin}/mandb r, - - /usr/{,local/}share/man/{,**} r, - - /etc/man_db.conf r, - /etc/manpath.config r, - - /usr/share/man/{,**} r, - /usr/local/man/{,**} r, - /usr/local/share/man/{,**} r, - - /usr/{,share/}man/{,**} r, - /usr/local/{,share/}man/{,**} r, - - /usr/share/**/man/man@{u8}/*.@{int}.gz r, - - owner /var/cache/man/ rw, - owner /var/cache/man/** rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/secureboot-db.service b/apparmor.d/groups/systemd-service/secureboot-db.service deleted file mode 100644 index a951747be..000000000 --- a/apparmor.d/groups/systemd-service/secureboot-db.service +++ /dev/null 
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c -# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f -# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f -# ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose - -abi , - -include - -profile secureboot-db.service flags=(complain) { - include - - @{bin}/chattr ix, - @{bin}/sbkeysync PUx, - - @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, - @{sys}/firmware/efi/efivars/db-@{uuid} rw, - @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/shadow.service b/apparmor.d/groups/systemd-service/shadow.service deleted file mode 100644 index 95f780b89..000000000 --- a/apparmor.d/groups/systemd-service/shadow.service +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile shadow.service flags=(attach_disconnected) { - include - include - - @{sh_path} rix, - @{sbin}/grpck Px -> &grpck, - @{sbin}/pwck Px -> &pwck, - - /etc/machine-id r, - /etc/shadow r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service deleted file mode 100644 index ce819a791..000000000 --- a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service +++ /dev/null 
@@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# /bin/mount /run -o remount,exec -# /bin/mkdir -p /run/initramfs -# /bin/cp /usr/lib/snapd/system-shutdown /run/initramfs/shutdown - -abi , - -include - -profile snapd.system-shutdown.service { - include - - @{bin}/cp ix, - @{bin}/mkdir ix, - @{bin}/mount ix, - - @{lib}/snapd/system-shutdown r, - - @{run}/initramfs/ rw, - @{run}/initramfs/shutdown rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/system-update-cleanup.service b/apparmor.d/groups/systemd-service/system-update-cleanup.service deleted file mode 100644 index 4166cb76c..000000000 --- a/apparmor.d/groups/systemd-service/system-update-cleanup.service +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# ExecStart=rm -fv /system-update /etc/system-update - -abi , - -include - -profile system-update-cleanup.service { - include - - @{bin}/rm ix, - - /etc/system-update w, - /system-update w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/usb_modeswitch.service b/apparmor.d/groups/systemd-service/usb_modeswitch.service deleted file mode 100644 index 00a62c933..000000000 --- a/apparmor.d/groups/systemd-service/usb_modeswitch.service +++ /dev/null @@ -1,17 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile usb_modeswitch.service { - include - - @{sbin}/usb_modeswitch_dispatcher ix, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 70a91197f..05655d308 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl 
@@ -7,34 +7,35 @@ abi , include @{exec_path} = @{bin}/bootctl -profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { +profile bootctl @{exec_path} { include include include include - capability linux_immutable, capability mknod, capability net_admin, - capability sys_rawio, - capability sys_resource, - signal send peer=child-pager, + signal (send) peer=child-pager, - ptrace read peer=unconfined, + ptrace (read) peer=unconfined, @{exec_path} mr, @{pager_path} rPx -> child-pager, - @{efi}/ r, - @{efi}/@{hex32}/ rw, - @{efi}/EFI/{,**} rwl, - @{efi}/loader/ rw, - @{efi}/loader/** rwl -> @{efi}/loader/#@{int}, + /{boot,efi}/ r, + /{boot,efi}/EFI/{,**} r, + /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, + /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, + /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, + /{boot,efi}/EFI/systemd/systemd-boot*.efi w, + /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw, + /{boot,efi}/loader/.#entries.srel* w, + /{boot,efi}/loader/{,**} r, + /{boot,efi}/loader/entries.srel w, + /{boot,efi}/loader/random-seed w, - /etc/kernel/.#entry-token@{hex16} rw, - /etc/kernel/entry-token rw, /etc/machine-id r, /etc/machine-info r, @@ -42,15 +43,14 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/tpmrm/ r, - @{sys}/devices/pnp@{int}/**/tpm/tpm@{int}/tpm_version_major r, @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, - @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, + @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, 
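Review bot: `capability linux_immutable` is dropped while the profile keeps `w` on `/{boot,efi}/EFI/BOOT/BOOTX64.EFI`, `/{boot,efi}/EFI/systemd/systemd-boot*.efi` and `/{boot,efi}/loader/random-seed`, and the two following hunks cut `Boot@{hex}-@{uuid}`, `BootOrder-@{uuid}`, `LoaderSystemToken-@{uuid}` and `OsIndications-@{uuid}` down to `r`. efivars carry the immutable flag and systemd clears it before writing (presumably why the capability was there), so the `bootctl install`/`update` path would now replace the loader binary on the ESP but be denied when it registers the firmware boot entry, leaving a half-applied install, and `bootctl random-seed`/`reboot-to-firmware` lose their variable writes the same way. Either keep `capability linux_immutable,` and `rw` on those four variables, or, if this profile is meant to cover only read-only `bootctl status`, drop the ESP `w` rules as well and say so: `# Read-only: bootctl install/update/random-seed are not covered`. The hard-coded `/{boot,efi}/` also silently replaces the `@{efi}` tunable; gpt-auto below does the same, so at least keep it consistent across the set.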
@@ -60,8 +60,8 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, - @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, - @{sys}/firmware/efi/efivars/OsIndications-@{uuid} rw, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r, + @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index eed7080f8..6516a500c 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -7,10 +7,12 @@ abi , include @{exec_path} = @{bin}/busctl -profile busctl @{exec_path} flags=(attach_disconnected) { +profile busctl @{exec_path} { include + include include include + include include include include @@ -18,11 +20,11 @@ profile busctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, - ptrace read, + ptrace (read), - unix bind type=stream addr=@@{udbus}/bus/busctl/busctl, + unix (bind) type=stream addr=@@{udbus}/bus/busctl/busctl, - signal send set=cont peer=child-pager, + signal (send) set=(cont) peer=child-pager, dbus eavesdrop bus=accessibility, dbus eavesdrop bus=session, 
@@ -32,39 +34,18 @@ profile busctl @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Monitoring member=BecomeMonitor peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=system path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionCredentials,ListNames,ListActivatableNames} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Monitoring - member=BecomeMonitor - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={GetConnectionCredentials,ListNames,ListActivatableNames} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - - dbus send bus=system - interface=org.freedesktop.DBus.Introspectable - member=Introspect, - dbus send bus=system - interface=org.freedesktop.DBus.Properties - member={GetAll,Get}, @{exec_path} mr, @{pager_path} rPx -> child-pager, - @{PROC}/@{pid}/attr/current r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/loginuid r, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/sessionid r, include if exists } diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 06969ef47..d81933f5e 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -10,9 +10,6 @@ include @{exec_path} = @{bin}/coredumpctl profile coredumpctl @{exec_path} flags=(complain) { include - include - include - include include capability dac_read_search, 
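Review bot: The `owner` qualifier added to `@{PROC}/@{pid}/cmdline`, `fdinfo/@{int}`, `loginuid` and `sessionid` limits those reads to processes of the invoking user, while `cgroup`, `comm` and `stat` just above stay unqualified. `busctl status NAME` and `busctl list` print the credentials of peer connections, which usually belong to another uid (root-owned daemons on the system bus when run as a user), so these four reads would presumably be denied in the common case; meanwhile the profile keeps `capability sys_ptrace` and an unscoped `ptrace (read),` above this hunk, which is the permission that actually gates cross-uid `/proc/<pid>` access, so the `owner` qualifier restricts little and mostly generates denials. Either drop `owner` on those four lines or keep it and document the intended scope, e.g. `# owner: only the caller's own connections are inspected; cross-uid peers are expected to be denied`. The explicit `dbus send` rules for `GetConnectionCredentials`/`ListNames`/`Introspect`/`Properties` are removed here as well; if the two `include`s added in the previous hunk (abstraction names are lost in this listing) do not cover them, `busctl list`/`tree` will break.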
@@ -34,7 +31,9 @@ profile coredumpctl @{exec_path} flags=(complain) { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, owner @{tmp}/*.coredump w, owner @{tmp}/core.* w, @@ -68,7 +67,7 @@ profile coredumpctl @{exec_path} flags=(complain) { @{PROC}/@{pids}/fd/ r, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl index 3c962e309..aaae97d64 100644 --- a/apparmor.d/groups/systemd/homectl +++ b/apparmor.d/groups/systemd/homectl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homectl -profile homectl @{exec_path} flags=(attach_disconnected) { +profile homectl @{exec_path} { include include include @@ -19,7 +19,7 @@ profile homectl @{exec_path} flags=(attach_disconnected) { signal send peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 6b29e260d..3107d2d8e 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -15,11 +15,9 @@ profile hostnamectl @{exec_path} { capability net_admin, - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" - dbus send bus=system path=/org/freedesktop/hostname1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=org.freedesktop.hostname1), + unix bind type=stream addr=@@{udbus}/bus/hostnamectl/system, + + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed @{exec_path} mr, 
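Review bot: `#aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed` hard-codes the peer label that the old rule expressed through the `@{p_systemd_hostnamed}` tunable, and the homectl hunk above (and loginctl/networkctl below) make the same substitution. The `@{p_*}` form presumably resolves to the daemon's profile name only when that daemon is confined and to `unconfined` otherwise, so with the literal the generated `dbus` rule will silently stop matching whenever systemd-hostnamed runs unconfined or under a differently named profile, and `hostnamectl` is denied without any change to this file. Keep the tunable form, `label="@{p_systemd_hostnamed}"`, or add a comment stating why the literal is safe here. Replacing the explicit `dbus send ... member=GetAll peer=(name=org.freedesktop.hostname1)` with the directive also removes the only rule that matched an unlabelled peer.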
diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index c852b3756..3c5595345 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -20,27 +20,19 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - network netlink raw, - - signal receive set=kill peer=snapd, - signal receive set=term peer=cockpit-bridge, - signal send peer=child-pager, + signal (receive) set=(term) peer=cockpit-bridge, + signal (send) peer=child-pager, @{exec_path} mr, @{pager_path} rPx -> child-pager, - @{bin}/* r, - @{sbin}/* r, - /var/lib/dbus/machine-id r, /etc/machine-id r, /var/lib/systemd/catalog/database rw, /var/lib/systemd/catalog/.#database* rw, - /var/log/dmesg w, - /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal* r, @@ -55,7 +47,6 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/systemd/journal/io.systemd.journal rw, - @{run}/systemd/notify rw, @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 9792fb75f..2cac865a4 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl 
@@ -7,30 +7,18 @@ abi , include @{exec_path} = @{bin}/localectl -profile localectl @{exec_path} flags=(attach_disconnected) { +profile localectl @{exec_path} { include include - include capability net_admin, - signal send set=cont peer=child-pager, - - #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" - dbus send bus=system path=/org/freedesktop/locale1 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=org.freedesktop.locale1), - @{exec_path} mr, @{pager_path} rPx -> child-pager, - @{bin}/pkttyagent rPx, /usr/share/kbd/keymaps/{,**} r, - owner @{PROC}/@{pid}/cgroup r, - include if exists } diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index f516d16db..5386662c0 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl 
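Review bot: `signal send set=cont peer=child-pager` is removed while `@{pager_path} rPx -> child-pager,` stays, so localectl can still spawn the pager but can no longer signal it; systemd's pager handling sends SIGCONT to the pager child on close, and every other pager-using profile in this change (bootctl, busctl, loginctl, systemd-delta) keeps the matching rule. Restore `signal (send) set=(cont) peer=child-pager,` next to the pager exec rule. Dropping `@{bin}/pkttyagent rPx` also means `localectl set-*` from a tty with polkit prompting cannot spawn the agent unless the remaining `include` (name lost in this listing) provides it; worth confirming in enforce mode before relying on it.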
@@ -7,46 +7,26 @@ abi , include @{exec_path} = @{bin}/loginctl -profile loginctl @{exec_path} flags=(attach_disconnected) { +profile loginctl @{exec_path} { include - include - include - include include - include + include + include capability net_admin, capability sys_resource, signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind @{exec_path} mr, @{pager_path} rPx -> child-pager, - @{bin}/ssh rPx, - - /etc/machine-id r, - - @{run}/log/journal/ r, - - /var/lib/systemd/catalog/database r, - - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, - /dev/rfkill r, - include if exists } diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index a0d1471f9..a4bab2be3 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -11,7 +11,6 @@ include profile networkctl @{exec_path} flags=(attach_disconnected) { include include - include capability net_admin, capability sys_module, 
@@ -27,11 +26,12 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, - #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" - dbus send bus=system path=/org/freedesktop/network1{,/**} + #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd + # No label available + dbus send bus=system path=/org/freedesktop/network@{int} interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.network1), + peer=(name=org.freedesktop.network@{int}), @{exec_path} mr, @@ -51,21 +51,17 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, - @{att}/@{run}/systemd/netif/io.systemd.Network rw, - - @{run}/systemd/netif/links/ r, @{run}/systemd/netif/leases/@{int} r, @{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/state r, @{run}/systemd/notify w, - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{sys}/devices/**/net/**/uevent r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, - @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl deleted file mode 100644 index 3013d8ae6..000000000 --- a/apparmor.d/groups/systemd/resolvectl +++ /dev/null 
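Review bot: The rewritten fallback rule `dbus send bus=system path=/org/freedesktop/network@{int} ... peer=(name=org.freedesktop.network@{int})` both widens and narrows the previous one: `@{int}` is a numeric glob, so the peer name now matches any `org.freedesktop.networkN` rather than the literal `network1`, while dropping `{,/**}` from the path means the per-link objects under `/org/freedesktop/network1/link/...` that `networkctl status` queries are no longer matched unless the `#aa:dbus talk` directive generates them. The intended lines are presumably `path=/org/freedesktop/network1{,/**}` and `peer=(name=org.freedesktop.network1),`. `# No label available` is a good reason to keep an unlabelled rule next to the `label=systemd-networkd` directive, but say what it means: `# Unlabelled fallback: systemd-networkd may run unconfined`.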
@@ -1,41 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/resolvectl -profile resolvectl @{exec_path} flags=(attach_disconnected) { - include - include - include - include - - capability net_admin, - - network inet raw, - network inet6 raw, - network netlink raw, - - signal send set=cont peer=child-pager, - - unix bind type=stream addr=@@{udbus}/bus/resolvconf/system, - - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" - - #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" - dbus send bus=system path=/org/freedesktop/network1 - interface=org.freedesktop.network1.Manager - member=SetLinkDNSEx - peer=(name=org.freedesktop.network1), - - @{exec_path} mr, - - @{pager_path} rPx -> child-pager, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 3ae0a7143..039f8dc64 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -47,8 +47,7 @@ profile systemd-analyze @{exec_path} { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, @{run}/systemd/userdb/io.systemd.DynamicUser w, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/* r, @{run}/udev/tags/systemd/ r, @{sys}/devices/**/uevent r, @@ -62,7 +61,6 @@ profile systemd-analyze @{exec_path} { @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, @{PROC}/swaps r, - @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index b5a966f37..f67cb301c 100644 --- a/apparmor.d/groups/systemd/systemd-backlight 
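Review bot: `@{run}/udev/data/* r` replaces two narrower, commented rules (`+*:*` for subsystems and `c@{int}:@{int}` for character devices) and now also exposes the block (`b*`) and network (`n*`) device records, with the explanation of why each class is read gone. If a concrete denial motivated the wider read, keep the narrow form and add only the missing prefix with its reason, e.g. `@{run}/udev/data/b@{int}:@{int} r, # block devices for systemd-analyze ...`; otherwise restore the previous two lines.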
+++ b/apparmor.d/groups/systemd/systemd-backlight @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-backlight -profile systemd-backlight @{exec_path} flags=(attach_disconnected) { +profile systemd-backlight @{exec_path} { include include @@ -18,8 +18,8 @@ profile systemd-backlight @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/backlight/*backlight* rw, - @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. - @{run}/udev/data/+leds:*backlight* r, # For keyboard backlights, mouse LEDs, etc. + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+leds:*backlight* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{sys}/bus/ r, diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index 5e3406ea9..d34bbe4cb 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -16,12 +16,11 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/* r, - @{sbin}/* r, # Config file locations /etc/binfmt.d/{,*.conf} r, @{run}/binfmt.d/{,*.conf} r, - @{lib}/binfmt.d/{,*.conf} r, + /usr/lib/binfmt.d/{,*.conf} r, @{PROC}/sys/fs/binfmt_misc/register w, @{PROC}/sys/fs/binfmt_misc/status w, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 061b93ffd..2e841dc51 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump 
@@ -33,26 +33,13 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{lib}/** r, / r, @{bin}/* r, - @{sbin}/* r, /opt/** r, - /usr/share/*/** r, - @{user_lib_dirs}/** r, - /snap/*/@{int}/opt/** r, - /snap/*/@{int}/usr/** r, /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, - owner @{HOME}/**.so* r, - /var/lib/systemd/coredump/{,**} rwl, - owner @{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r, - - @{att}/@{run}/systemd/coredump rw, - @{run}/systemd/coredump rw, - - @{PROC}/@{pids}/auxv r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, @@ -60,11 +47,9 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/limits r, - @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/setgroups r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index fdddebe03..f8950c1fe 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup -profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { +profile systemd-cryptsetup @{exec_path} { include include include @@ -31,8 +31,6 @@ profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/bdi/*/read_ahead_kb r, @{sys}/fs/ r, - @{run}/systemd/ask-password/ r, - @{PROC}/devices r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-delta b/apparmor.d/groups/systemd/systemd-delta index 311636d95..7cf546a56 100644 --- a/apparmor.d/groups/systemd/systemd-delta +++ b/apparmor.d/groups/systemd/systemd-delta 
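Review bot: Removing `@{run}/systemd/coredump rw` (and its `@{att}/` twin) takes away the socket through which the kernel-invoked systemd-coredump hands the core to the socket-activated `systemd-coredump@.service` instance; on denial it presumably falls back to processing the core inside the kernel helper without the service's resource limits, a silent behaviour change rather than a hard failure, so check `aa-log` after a deliberate crash before enforcing. The hunk also drops `@{PROC}/@{pids}/auxv r`, `maps` and `status`; `auxv` in particular is collected into the core metadata, so `coredumpctl info` output degrades. The profile header (outside this hunk) keeps `flags=(attach_disconnected,mediate_deleted)`, which was there for exactly this socket; keep `@{run}/systemd/coredump rw,` with `# Hand-over socket to systemd-coredump@.service`.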
@@ -10,11 +10,11 @@ include profile systemd-delta @{exec_path} { include - signal send peer=child-pager, + signal (send) peer=child-pager, @{exec_path} mr, - @{pager_path} rPx -> child-pager, + @{bin}/less rPx -> child-pager, /etc/binfmt.d/{,**} r, /etc/modprobe.d/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 9b49c20fc..35f4afbc4 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -11,16 +11,16 @@ include profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include + include - capability sys_ptrace, + capability net_admin, - ptrace read peer=@{p_systemd}, + network netlink raw, @{exec_path} mr, @{run}/cloud-init/ds-identify.log w, @{run}/host/container-manager r, - @{run}/systemd/container r, @{run}/systemd/notify w, @{sys}/devices/virtual/dmi/id/bios_vendor r, @@ -29,23 +29,6 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/firmware/dmi/entries/*/raw r, - @{sys}/firmware/uv/prot_virt_guest r, - @{sys}/hypervisor/properties/features r, - @{sys}/hypervisor/type r, - - @{PROC}/1/environ r, - @{PROC}/device-tree/ r, - @{PROC}/device-tree/compatible r, - @{PROC}/device-tree/hypervisor/compatible r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sysinfo r, - @{PROC}/xen/capabilities r, - - /dev/cpu/@{int}/msr r, - - deny capability net_admin, - deny capability perfmon, - deny network (send receive) netlink raw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 1bbb91858..7dc10fd46 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect 
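Review bot: The explicit `deny capability net_admin`, `deny capability perfmon` and `deny network (send receive) netlink raw` rules are removed, and the previous hunk turns two of them into grants (`capability net_admin,`, `network netlink raw,`). systemd-detect-virt only reads DMI, hypervisor and `/proc`/`/sys` data, and explicit `deny` rules in an otherwise read-only profile are normally there to silence spurious requests from libsystemd rather than to satisfy a real need, so swapping them for grants widens a leaf tool for no visible reason and also hides those requests from the audit log. Unless a concrete failure motivated it, keep the previous `deny` lines (with `# Noise from libsystemd, not needed`) and drop the two new grants. Removing `capability sys_ptrace`/`ptrace read peer=@{p_systemd}` together with `@{PROC}/1/environ r` is self-consistent, but `systemd-detect-virt --container` reads PID 1's environment, so that mode may now be denied; worth a quick check.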
@@ -27,11 +27,11 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - ptrace read peer=@{p_systemd}, + ptrace read peer=unconfined, @{exec_path} mr, - @{sbin}/fsck rPx, + @{bin}/fsck rPx, @{pager_path} rPx -> child-pager, # Location of file system OS images diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index 4836c9747..a7290dc48 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-fsck -profile systemd-fsck @{exec_path} flags=(attach_disconnected) { +profile systemd-fsck @{exec_path} { include include include @@ -19,9 +19,9 @@ profile systemd-fsck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/e2fsck rPx, - @{sbin}/fsck rPx, - @{sbin}/fsck.* rPx, + @{bin}/e2fsck rPx, + @{bin}/fsck rPx, + @{bin}/fsck.* rPx, owner @{run}/systemd/quotacheck w, owner @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/systemd/systemd-fsckd b/apparmor.d/groups/systemd/systemd-fsckd index 7abde7c90..33a433a09 100644 --- a/apparmor.d/groups/systemd/systemd-fsckd +++ b/apparmor.d/groups/systemd/systemd-fsckd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-fsckd -profile systemd-fsckd @{exec_path} flags=(attach_disconnected) { +profile systemd-fsckd @{exec_path} { include include include diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot b/apparmor.d/groups/systemd/systemd-generator-bless-boot similarity index 100% rename from apparmor.d/groups/systemd-generators/systemd-generator-bless-boot rename to apparmor.d/groups/systemd/systemd-generator-bless-boot 
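Review bot: `ptrace read peer=unconfined,` replaces `peer=@{p_systemd}`; the tunable presumably expands to the init profile name when PID 1 is confined and to `unconfined` otherwise, so the literal only works in the unconfined case and systemd-dissect's reads of PID 1 will be denied under a full-system policy. Keep `ptrace (read) peer=@{p_systemd},`. The `@{sbin}/fsck` → `@{bin}/fsck` rewrite (repeated in systemd-fsck and ds-identify below) only matches if `@{bin}` is defined to include the sbin directories; on a distribution without merged sbin `/usr/sbin/fsck` no longer matches and the `Px` transition is denied, so check the tunable's definition.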
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init b/apparmor.d/groups/systemd/systemd-generator-cloud-init similarity index 100% rename from apparmor.d/groups/systemd-generators/systemd-generator-cloud-init rename to apparmor.d/groups/systemd/systemd-generator-cloud-init diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup b/apparmor.d/groups/systemd/systemd-generator-cryptsetup similarity index 100% rename from apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup rename to apparmor.d/groups/systemd/systemd-generator-cryptsetup diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-debug b/apparmor.d/groups/systemd/systemd-generator-debug similarity index 100% rename from apparmor.d/groups/systemd-generators/systemd-generator-debug rename to apparmor.d/groups/systemd/systemd-generator-debug diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify similarity index 90% rename from apparmor.d/groups/systemd-generators/systemd-generator-ds-identify rename to apparmor.d/groups/systemd/systemd-generator-ds-identify index daa877efe..6b42e55ed 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -12,16 +12,15 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { include include - ptrace read peer=@{p_systemd}, + ptrace (read) peer=@{p_systemd}, @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep rix, + @{bin}/blkid rPx, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, - @{sbin}/blkid rPx, /etc/cloud/{,**} r, 
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch b/apparmor.d/groups/systemd/systemd-generator-environment-arch similarity index 100% rename from apparmor.d/groups/systemd-generators/systemd-generator-environment-arch rename to apparmor.d/groups/systemd/systemd-generator-environment-arch diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak similarity index 100% rename from apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak rename to apparmor.d/groups/systemd/systemd-generator-environment-flatpak diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-fstab b/apparmor.d/groups/systemd/systemd-generator-fstab similarity index 100% rename from apparmor.d/groups/systemd-generators/systemd-generator-fstab rename to apparmor.d/groups/systemd/systemd-generator-fstab diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-getty b/apparmor.d/groups/systemd/systemd-generator-getty similarity index 100% rename from apparmor.d/groups/systemd-generators/systemd-generator-getty rename to apparmor.d/groups/systemd/systemd-generator-getty diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto b/apparmor.d/groups/systemd/systemd-generator-gpt-auto similarity index 97% rename from apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto rename to apparmor.d/groups/systemd/systemd-generator-gpt-auto index 4bf0092d0..0d6c09c6b 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd/systemd-generator-gpt-auto @@ -17,7 +17,8 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, / r, - @{efi}/ r, + /boot/ r, + /efi/ r, /etc/fstab r, /usr/ r, 
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd/systemd-generator-hibernate-resume similarity index 100% rename from apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume rename to apparmor.d/groups/systemd/systemd-generator-hibernate-resume diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup b/apparmor.d/groups/systemd/systemd-generator-integritysetup similarity index 100% rename from apparmor.d/groups/systemd-generators/systemd-generator-integritysetup rename to apparmor.d/groups/systemd/systemd-generator-integritysetup diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ostree b/apparmor.d/groups/systemd/systemd-generator-ostree similarity index 100% rename from apparmor.d/groups/systemd-generators/systemd-generator-ostree rename to apparmor.d/groups/systemd/systemd-generator-ostree diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-run b/apparmor.d/groups/systemd/systemd-generator-run similarity index 100% rename from apparmor.d/groups/systemd-generators/systemd-generator-run rename to apparmor.d/groups/systemd/systemd-generator-run diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-system-update b/apparmor.d/groups/systemd/systemd-generator-system-update similarity index 90% rename from apparmor.d/groups/systemd-generators/systemd-generator-system-update rename to apparmor.d/groups/systemd/systemd-generator-system-update index 9767a2e72..557e4ab6e 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-system-update +++ b/apparmor.d/groups/systemd/systemd-generator-system-update @@ -13,8 +13,7 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected) @{exec_path} mr, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/status r, + @{PROC}/@{pid}/cgroup r, include if exists } 
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart b/apparmor.d/groups/systemd/systemd-generator-user-autostart similarity index 85% rename from apparmor.d/groups/systemd-generators/systemd-generator-user-autostart rename to apparmor.d/groups/systemd/systemd-generator-user-autostart index ff4c74664..c42548ef5 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd/systemd-generator-user-autostart @@ -7,16 +7,17 @@ abi , include @{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator -profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { +profile systemd-generator-user-autostart @{exec_path} { include include - include include capability net_admin, @{exec_path} mr, + @{system_share_dirs}/applications/*.desktop r, + @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{user_config_dirs}/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-environment b/apparmor.d/groups/systemd/systemd-generator-user-environment similarity index 90% rename from apparmor.d/groups/systemd-generators/systemd-generator-user-environment rename to apparmor.d/groups/systemd/systemd-generator-user-environment index 27db22078..db128405f 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-environment +++ b/apparmor.d/groups/systemd/systemd-generator-user-environment @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/user-environment-generators/* -profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnected) { +profile systemd-generator-user-environment @{exec_path} { include include include 
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup b/apparmor.d/groups/systemd/systemd-generator-veritysetup similarity index 100% rename from apparmor.d/groups/systemd-generators/systemd-generator-veritysetup rename to apparmor.d/groups/systemd/systemd-generator-veritysetup diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index c53be3a35..205012cd2 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -14,8 +14,6 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { include include - userns, - capability chown, capability dac_override, capability dac_read_search, @@ -26,7 +24,6 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { capability setpcap, capability setuid, capability sys_admin, - capability sys_ptrace, capability sys_resource, network inet dgram, @@ -35,27 +32,19 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, - mount -> @{run}/systemd/user-home-mount/, - mount options=(rw private) -> @{run}/systemd/user-home-mount/, - mount options=(rw rslave) -> @{run}/, - - umount @{run}/systemd/user-home-mount/, - - signal (send receive) set=kill peer=systemd-homed//&systemd-homework, - - ptrace read peer=systemd-homed//&systemd-homework, + mount options=(rw, rslave) -> @{run}/, + mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/, unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, #aa:dbus own bus=system name=org.freedesktop.home1 - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd @{exec_path} mr, - @{lib}/systemd/systemd-homework rPx -> &systemd-homework, - @{sbin}/mkfs.btrfs rPx, - @{sbin}/mkfs.fat rPx, - @{sbin}/mke2fs rPx, + @{lib}/systemd/systemd-homework rPx, + @{bin}/mkfs.btrfs rPx, + @{bin}/mkfs.fat rPx, + @{bin}/mke2fs rPx, /etc/machine-id r, /etc/systemd/homed.conf r, 
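Review bot: `userns,` is removed while the profile still writes `owner @{PROC}/@{pid}/uid_map w` and `gid_map w` (kept as context in the following hunk); those files are only written after `unshare(CLONE_NEWUSER)`, which the `userns` rule gates, so either the two map rules are dead now or user-namespace creation is denied at runtime — and on kernels that mediate `userns` that shows up as `EPERM` from `unshare`/`clone`, not as a file denial, and is easy to miss. The same pairing is dropped from systemd-homework below. If homed no longer needs the namespace, drop the `uid_map`/`gid_map` lines too; otherwise restore `userns,`.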
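Review bot: `mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/` replaces the source-agnostic `mount -> @{run}/systemd/user-home-mount/` and `options=(rw private)` rules, and the `umount` rule is dropped altogether. Only a dm-crypt source now matches, so non-LUKS homes — directory/subvolume storage (bind mounts) and loop-backed images, for which the profile still keeps `/dev/loop-control rwk` in the next hunk — would presumably be denied, and with no `umount` rule home deactivation cannot unmount what it mounted. Unless LUKS is the only storage backend supported here, keep `mount -> @{run}/systemd/user-home-mount/,` and `umount @{run}/systemd/user-home-mount/,` next to the dm-specific line. Also `mount options=(rw, rslave) -> @{run}/,` uses a comma inside the option list where the removed line and the rest of the set write `options=(rw rslave)`; both parse, but keep one style.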
@@ -85,12 +74,9 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, @{PROC}/pressure/* r, - @{PROC}/swaps r, - @{PROC}/sys/fs/nr_open r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/uid_map w, /dev/loop-control rwk, diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index b81c196f8..f0fe98a16 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework 
@@ -7,68 +7,14 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-homework -profile systemd-homework @{exec_path} flags=(attach_disconnected) { +profile systemd-homework @{exec_path} { include - include - include include - - userns, - - capability chown, - capability fowner, - capability fsetid, - capability setfcap, - capability setgid, - capability setuid, - capability sys_admin, - capability sys_resource, - - network netlink raw, - - mount options=(rw rslave) -> @{run}/, - mount -> @{run}/systemd/user-home-mount/, - - umount @{run}/systemd/user-home-mount/, - - signal (send receive) set=kill peer=systemd-homed//&systemd-homework, - - ptrace read peer=systemd-homed//&systemd-homework, + include @{exec_path} mr, - @{sbin}/mkfs.btrfs rPx, - @{sbin}/mkfs.fat rPx, - @{sbin}/mke2fs rPx, - /etc/machine-id r, - /etc/skel/{,**} r, - - /var/cache/systemd/home/{,**} rw, - - @{HOMEDIRS}/ r, - @{HOMEDIRS}/.#homework@{user}.* rw, - @{HOMEDIRS}/@{user}.home rw, - - @{run}/ r, - @{run}/cryptsetup/ r, - @{run}/cryptsetup/* rwk, - @{run}/systemd/user-home-mount/ rw, - @{run}/systemd/user-home-mount/@{user}/{,**} rw, - - @{sys}/fs/ r, - - @{PROC}/devices r, - @{PROC}/swaps r, - @{PROC}/sys/fs/nr_open r, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/uid_map w, - - /dev/loop-control rwk, - /dev/loop@{int} rw, - /dev/mapper/control rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 8fae34b29..cd77b9826 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed 
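Review bot: After this hunk the systemd-homework profile grants nothing beyond `@{exec_path} mr` and the retained includes, yet systemd-homed still transitions into it with `rPx`, so in enforce mode every file, mount and capability access homework makes will be denied. The removed lines record what it was observed to need (the mkfs transitions, `@{HOMEDIRS}/@{user}.home`, `@{run}/systemd/user-home-mount/`, loop and device-mapper nodes, `sys_admin`, `userns`), and nothing on the new side replaces them. If the plan is to rebuild the profile from fresh logs, mark it `flags=(complain)` with a comment saying so; otherwise keep the rules. The targets of the remaining `include` lines are not visible here, so if one of them is a broad abstraction that covers this, a comment pointing at it would spare the next reader the same question.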
@@ -22,6 +22,11 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.hostname1 + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetConnectionUnixUser + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, @{etc_rw}/.#hostname* rw, @@ -44,8 +49,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_serial r, - @{sys}/devices/virtual/dmi/id/product_uuid r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index ae64274c6..9b6203e92 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -16,10 +16,10 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, @{lib}/udev/#@{int} rwl, - @{lib}/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> @{lib}/udev/#@{int}, + @{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int}, @{lib}/udev/hwdb.bin w, - /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> /etc/udev/#@{int}, + /etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int}, /etc/udev/hwdb.bin w, /etc/udev/hwdb.d/{,*} r, diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index ae475ff48..2be38e6ba 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -14,7 +14,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal receive set=term peer=@{p_packagekitd}, + signal receive set=term peer=packagekitd, @{exec_path} mr, 
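Review bot: Removing the `product_serial` and `product_uuid` reads under `@{sys}/devices/virtual/dmi/id/` is a least-privilege gain only if hostnamed never serves those values; as far as I recall, upstream hostnamed exposes the hardware serial and product UUID over its D-Bus interface, in which case those calls will now end in an AppArmor denial (please confirm against the systemd version you target). Failing closed is acceptable, but it should be deliberate: either keep the two lines or add a comment such as `# product_serial/product_uuid intentionally denied (hardware identifiers)` so the next audit entry is not filed as a bug.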
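Review bot: Narrowing the temporary-file rule to `.#hwdb.bin@{hex16}` drops the `@{rand6}` alternative the old side carried for both `@{lib}/udev/` and `/etc/udev/`; if some systemd releases name the temp file with a six-character mkstemp-style suffix, which the removed alternative suggests was observed, `systemd-hwdb update` will now be denied the write and the link. Keep `.#hwdb.bin{@{hex16},@{rand6}}` unless the naming has been confirmed for every supported release, and note in a comment which version uses which scheme.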
diff --git a/apparmor.d/groups/systemd/systemd-initctl b/apparmor.d/groups/systemd/systemd-initctl deleted file mode 100644 index 05f32a7f6..000000000 --- a/apparmor.d/groups/systemd/systemd-initctl +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/systemd-initctl -profile systemd-initctl @{exec_path} flags=(attach_disconnected) { - include - include - include - - capability net_admin, - - unix type=stream addr=@@{udbus}/bus/systemd-initctl/, - - @{exec_path} mr, - - @{run}/initctl rw, - @{run}/systemd/notify rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index e0a8a2e47..cc1f541dd 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-journald -profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted) { +profile systemd-journald @{exec_path} { include include include @@ -28,7 +28,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted network netlink raw, - ptrace read, + ptrace (read), @{exec_path} mr, 
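Review bot: Dropping `flags=(attach_disconnected,mediate_deleted)` from the systemd-journald header loosens the profile rather than tightening it: if I have the flag semantics right, without `mediate_deleted` accesses to already-unlinked files are no longer mediated at all, and journald plausibly keeps rotated or vacuumed journal files open for a while. Without `attach_disconnected`, any path journald reaches through a disconnected mount (the unit runs under systemd sandboxing, so this is plausible but not shown here) is denied instead of matched. If the flags were removed because they produced noise, say so in a comment; otherwise keep `flags=(attach_disconnected,mediate_deleted)`.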
@@ -46,20 +46,20 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/host/container-manager r, @{run}/utmp rk, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) - @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) - @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points. + @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+ieee80211:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+mdio_bus:* r, # For Management Data Input/Output (Ethernet PHY (physical layer) devices) - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI - @{run}/udev/data/+sdio:* r, # For Secure Digital Input Output devices, such as Wi-Fi, Bluetooth cards, GPS and NFC modules. - @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. 
- @{run}/udev/data/+usb-serial:* r, # For USB to serial adapters - @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/+virtio:* r, # For paravirtualized devices (network interfaces, block devices, console) + @{run}/udev/data/+mdio_bus:* r, + @{run}/udev/data/+pci:* r, + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+scsi:* r, + @{run}/udev/data/+sdio:* r, + @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+usb-serial:* r, + @{run}/udev/data/+usb:* r, + @{run}/udev/data/+virtio:* r, @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk @@ -82,7 +82,6 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/sessionid r, - @{PROC}/@{pids}/status r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index cefab3890..205d8a55f 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed 
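Review bot: The new side strips the per-subsystem comments from the `@{run}/udev/data/+*` rules while keeping every rule, so a reader now sees a dozen near-identical lines with no hint of why journald needs `+thunderbolt:*` or `+sdio:*`. Those comments were the only rationale on record for the rules; keep them, or at minimum put one comment above the group, e.g. `# udev properties journald attaches to kernel log entries (presumably the _UDEV_* fields)`, hedged to what you can confirm.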
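Review bot: Removing `@{PROC}/@{pids}/status r,` while keeping `comm`, `loginuid` and `sessionid` looks incomplete: journald fills the per-message `_CAP_EFFECTIVE` field from `/proc/PID/status` as far as I know, so in enforce mode this would produce a denial per logged message rather than a quieter profile. Please check a live audit log before merging; if the read really is unneeded, the commit message should say why.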
@@ -14,43 +14,25 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include include - unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=Reload - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, - @{bin}/cat ix, - @{bin}/gzip ix, - @{bin}/localedef ix, - @{bin}/rm ix, - @{bin}/sort ix, - @{sbin}/locale-gen rPx, - - /usr/share/i18n/{,**} r, /usr/share/kbd/keymaps/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, - /usr/share/xkeyboard-config-2/{,**} r, - /etc/ r, /etc/.#locale.conf@{hex16} rw, - /etc/.#locale.gen@{hex16} rw, /etc/.#vconsole.conf* rw, /etc/default/.#locale* rw, /etc/default/keyboard r, /etc/default/locale rw, /etc/locale.conf rw, - /etc/locale.gen rw, - /etc/nsswitch.conf r, - /etc/passwd r, /etc/vconsole.conf rw, - /etc/X11/xorg.conf.d/ rw, - /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, + /etc/X11/xorg.conf.d/ r, + /etc/X11/xorg.conf.d/.#*.confd* rw, /etc/X11/xorg.conf.d/*.conf rw, @{att}/@{run}/systemd/notify rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 6b102829d..f7e0af838 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -12,11 +12,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { include include include - include include include include include + include capability chown, capability dac_override, 
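Review bot: The new rule `/etc/X11/xorg.conf.d/.#*.confd* rw,` only matches temp files whose random suffix happens to start with a literal `d`; the removed `.#*.conf@{hex} rw,` matched the `.#00-keyboard.conf<random>` name localed writes before renaming it into place, so most `SetX11Keyboard` calls would now be denied. This reads like a typo for `/etc/X11/xorg.conf.d/.#*.conf@{hex} rw,`. Separately, dropping `@{sbin}/locale-gen rPx`, `/etc/locale.gen rw`, `/usr/share/i18n/{,**} r` and the `systemd1.Manager.Reload` call removes everything the Debian locale-regeneration path needed; if those were observed denials rather than noise they will reappear.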
@@ -27,10 +27,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { network netlink raw, - mqueue getattr type=posix /, mqueue r type=posix /, - unix bind type=stream addr=@@{udbus}/bus/systemd-logind/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system, #aa:dbus own bus=system name=org.freedesktop.login1 @@ -41,6 +40,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(label=ksmserver-logout-greeter), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, /etc/machine-id r, @@ -50,12 +54,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf.d/{,**} r, / r, - @{efi}/{,**} r, + /boot/{,**} r, + /efi/{,**} r, /swap.img r, /swap/swapfile r, /swapfile r, - /var/lib/systemd/linger/{,@{user}} rw, + /var/lib/systemd/linger/ r, @{run}/.#nologin* rw, @{run}/credentials/getty@tty@{int}.service/ r, 
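Review bot: `/var/lib/systemd/linger/ r,` replaces the old `rw` on `/var/lib/systemd/linger/{,@{user}}`, but logind is the component that creates and deletes the per-user linger files (`loginctl enable-linger` goes through its `SetUserLinger` method), so those calls will now be denied and lingering cannot be toggled while the profile is enforced. Keep the write on the files: `/var/lib/systemd/linger/ r,` plus `/var/lib/systemd/linger/@{user} rw,`. Replacing `@{efi}/{,**} r` with `/boot/{,**} r` and `/efi/{,**} r` also widens the grant to everything under `/boot` (kernels, initrds, bootloader config); if logind only needs the ESP for resume/hibernation lookups, say so in a comment and keep the narrower path.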
@@ -68,15 +73,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/tags/uaccess/ r, @{run}/udev/static_node-tags/uaccess/ r, - @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. - @{run}/udev/data/+drivers:* r, # For drivers loaded in the system + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+drivers:* r, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) - @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+hid:* r, + @{run}/udev/data/+i2c:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) + @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+wakeup:* r, # For wakeup events (e.g., from sleep or hibernation) + @{run}/udev/data/+wakeup:* r, @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* @@ -90,7 +95,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{att}/@{run}/systemd/notify w, - @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/inhibit/ rw, 
@@ -124,13 +128,12 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pids}/mountinfo r, - @{PROC}/@{pids}/sessionid r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/stat r, @{PROC}/1/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, @@ -138,12 +141,10 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fdinfo/@{int} r, /dev/dri/card@{int} rw, - @{att}/dev/dri/card@{int} rw, - - /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) - /dev/mqueue/ r, - /dev/tty@{int} rw, - /dev/shm/{,**/} rw, + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) + /dev/mqueue/ r, + /dev/tty@{int} rw, + owner /dev/shm/{,**/} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index a2115a926..5f60b5676 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -17,7 +17,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_chroot, - ptrace read, + ptrace (read), mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, @@ -25,13 +25,11 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{att}/ r, / r, /etc/ r, /etc/machine-id rw, /var/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 520080082..3a111f7f3 100644 
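Review bot: Adding `owner` to `/dev/shm/{,**/} rw,` defeats the one thing logind does there: with `RemoveIPC=yes` it removes shared-memory objects belonging to the user whose last session ended, and those entries are owned by that user, not by root, so `owner` (logind runs as root) denies every removal. Either restore the unqualified rule with a comment, `/dev/shm/{,**/} rw,  # RemoveIPC= cleanup of user-owned objects`, or confirm RemoveIPC is disabled on the targets. Note the pattern only matches directories (`{,**/}`); if the files themselves must be unlinked, `/dev/shm/** rw,` is what is needed.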
--- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -7,10 +7,9 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-machined -profile systemd-machined @{exec_path} flags=(attach_disconnected) { +profile systemd-machined @{exec_path} { include include - include include include @@ -22,7 +21,6 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { capability kill, capability mknod, capability setgid, - capability setuid, capability sys_admin, capability sys_chroot, capability sys_ptrace, @@ -33,47 +31,26 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal send set=rtmin+6 peer=systemd-nspawn, - - ptrace read peer=systemd-nspawn, - - unix type=stream addr=@@{udbus}/bus/systemd-machine/system, - #aa:dbus own bus=system name=org.freedesktop.machine1 #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, + /var/lib/machines/{,**} rw, /etc/machine-id r, - / r, - @{att}/ r, - - owner /var/lib/machines/ rw, - owner /var/lib/machines/** rwk, - - owner @{run}/systemd/nspawn/ w, - owner @{run}/systemd/nspawn/locks/ w, - owner @{run}/systemd/nspawn/locks/** rwk, - @{run}/systemd/machine/{,**} rw, @{run}/systemd/machines/{,**} rw, @{run}/systemd/notify w, @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map r, - @{PROC}/@{pid}/setgroups r, - @{PROC}/@{pid}/uid_map r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, /dev/ptmx rw, /dev/pts/@{int} rw, - /dev/pts/ptmx rw, - /dev/vsock r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 74a824411..8556e51d7 100644 --- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs 
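Review bot: The `unix type=stream addr=@@{udbus}/bus/systemd-machine/system,` rule is removed here while the equivalent bus-socket rules for localed, logind, networkd, oomd and timedated are kept (only restyled to `unix (bind)`) elsewhere in this diff; if machined's bus socket is mediated the same way, registering `org.freedesktop.machine1` will now be denied. Replacing `owner /var/lib/machines/** rwk` with `/var/lib/machines/{,**} rw` drops both the `owner` qualifier and the `k` permission; the wider unowned access is probably fine for a root daemon, but losing `k` will deny any flock machined takes on image files. Dropping `flags=(attach_disconnected)` in the earlier hunk is also risky for machined, which opens files through container namespaces (PTY handling, copy in/out) where paths are typically disconnected from the host view.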
@@ -17,8 +17,8 @@ profile systemd-makefs @{exec_path} { @{exec_path} mr, - @{sbin}/mkfs.* rPx, - @{sbin}/mkswap rPx, + @{bin}/mkfs.* rPx, + @{bin}/mkswap rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index 3f778244b..d3527c22b 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-modules-load -profile systemd-modules-load @{exec_path} flags=(attach_disconnected) { +profile systemd-modules-load @{exec_path} { include include @@ -24,9 +24,6 @@ profile systemd-modules-load @{exec_path} flags=(attach_disconnected) { /etc/modules-load.d/ r, /etc/modules-load.d/*.conf r, - @{run}/modprobe.d/ r, - @{run}/modprobe.d/*.conf r, - @{sys}/devices/@{pci}/config r, @{sys}/module/*/initstate r, @{sys}/module/compression r, diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator index ceebbc5c2..e22d89629 100644 --- a/apparmor.d/groups/systemd/systemd-network-generator +++ b/apparmor.d/groups/systemd/systemd-network-generator @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-network-generator -profile systemd-network-generator @{exec_path} flags=(attach_disconnected) { +profile systemd-network-generator @{exec_path} { include include diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index ccb6d9629..3eaedfaac 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -14,12 +14,10 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { include include - capability bpf, capability net_admin, capability net_bind_service, capability net_broadcast, capability net_raw, - capability sys_admin, network inet dgram, network inet6 dgram, 
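Review bot: Removing `@{run}/modprobe.d/ r` and `@{run}/modprobe.d/*.conf r` from systemd-modules-load leaves only `/etc/modules-load.d` readable for the module list, but the kmod library that performs the insert also consults `/run/modprobe.d` for module options and blacklists (as far as I know libkmod's config search path), so `/run` drop-ins would now be silently skipped behind a denial rather than applied. If the two lines came from observed denials, keep them; if not, add a comment on why `/run/modprobe.d` is out of scope.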
@@ -29,9 +27,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { network packet dgram, network packet raw, - unix bind type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, - - signal receive set=usr2 peer=@{p_systemd}, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, #aa:dbus own bus=system name=org.freedesktop.network1 
@@ -42,52 +38,39 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=SetHostname - peer=(name=org.freedesktop.hostname1, label="@{p_systemd_hostnamed}"), + peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed), @{exec_path} mr, /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/systemd/network.conf r, - /etc/systemd/network/{,**} r, /etc/systemd/networkd.conf r, - /etc/systemd/networkd.conf.d/{,**} r, + /etc/systemd/network/{,**} r, /etc/networkd-dispatcher/carrier.d/{,*} r, @{att}/ r, - @{att}/@{run}/systemd/notify rw, - - @{run}/mount/utab r, - @{run}/systemd/resolve/resolv.conf r, owner @{att}/var/lib/systemd/network/ r, - owner /var/lib/systemd/network/ rw, - owner /var/lib/systemd/network/** rwk, - @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, + @{run}/systemd/notify rw, owner @{run}/systemd/netif/** rw, - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, - @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, @{sys}/devices/**/net/** r, + @{sys}/devices/@{pci}/ r, @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/fs/cgroup/ r, - @{sys}/kernel/btf/vmlinux r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/pressure/* r, - @{PROC}/sys/net/ipv{4,6}/** rw, - @{PROC}/version_signature r, - owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + @{PROC}/sys/net/ipv{4,6}/** rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index c36b5af39..0d5e40730 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online 
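Review bot: Removing `/etc/systemd/networkd.conf.d/{,**} r,` means any drop-in configuration for networkd (the standard `*.conf.d` override mechanism systemd daemons use) is denied on read and silently not applied; keep it next to `/etc/systemd/networkd.conf r,`. The notify rule loses its `@{att}/` prefix (`@{run}/systemd/notify rw,`) although the profile still carries `flags=(attach_disconnected)` per the hunk header; if the unit's sandbox makes that socket path disconnected, the unprefixed rule will not match and `sd_notify` readiness will fail. Switching `label="@{p_systemd_hostnamed}"` to `label=systemd-hostnamed` only holds while the peer profile keeps that literal name; the variable tracked renames for free.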
@@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-networkd-wait-online -profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) { +profile systemd-networkd-wait-online @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced deleted file mode 100644 index 97dcb3b05..000000000 --- a/apparmor.d/groups/systemd/systemd-nsresourced +++ /dev/null @@ -1,41 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/systemd-nsresourced -profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) { - include - include - - capability bpf, - capability perfmon, - capability sys_resource, - - signal receive set=usr2 peer=systemd-nsresourced//&systemd-nsresourcework, - - @{exec_path} mr, - - @{lib}/systemd/systemd-nsresourcework ix, # no new privs - - @{run}/systemd/nsresource/ rw, - @{run}/systemd/nsresource/** rw, - - @{sys}/devices/kprobe/type r, - @{sys}/fs/bpf/ r, - @{sys}/fs/bpf/systemd/ rw, - @{sys}/fs/bpf/systemd/userns-restrict/{,**} rw, - @{sys}/fs/cgroup/system.slice/systemd-nsresourced.service/memory.pressure rw, - @{sys}/kernel/btf/vmlinux r, - @{sys}/kernel/security/lsm r, - - @{PROC}/@{pid}/cgroup r, - @{PROC}/pressure/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework deleted file mode 100644 index 5b8d53398..000000000 --- a/apparmor.d/groups/systemd/systemd-nsresourcework +++ /dev/null 
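Review bot: Changing the header to `flags=(complain)` puts systemd-networkd-wait-online in complain mode, where every access is permitted and merely logged, so this profile no longer confines anything in the shipped set; it also silently drops `attach_disconnected`, which is a separate change. If complain is a temporary state while rules are collected, write `flags=(attach_disconnected,complain)` and add a comment with the reason and the intended removal point, so it is not shipped indefinitely as a profile that exists in name only.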
@@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/systemd/systemd-nsresourcework -profile systemd-nsresourcework @{exec_path} { - include - - capability sys_resource, - - signal send set=usr2 peer=systemd-nsresourced, - - @{exec_path} mr, - - @{run}/systemd/nsresource/registry/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index ce61dba23..d16c67f7d 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability kill, - unix bind type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 0d061d845..747527776 100644 --- a/apparmor.d/groups/systemd/systemd-path +++ b/apparmor.d/groups/systemd/systemd-path @@ -10,10 +10,11 @@ include profile systemd-path @{exec_path} { include include - include @{exec_path} mr, + owner @{user_config_dirs}/user-dirs.dirs r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed index 86ea02a0d..be33d39cd 100644 --- a/apparmor.d/groups/systemd/systemd-random-seed +++ b/apparmor.d/groups/systemd/systemd-random-seed @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-random-seed -profile systemd-random-seed @{exec_path} flags=(attach_disconnected) { +profile systemd-random-seed @{exec_path} { include include diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 73213160b..8c63a1d5a 100644 
--- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-remount-fs -profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { +profile systemd-remount-fs @{exec_path} { include include include @@ -17,19 +17,18 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { capability sys_resource, mount options=(rw, remount) -> /, - mount options=(rw, remount) -> @{PROC}/, + mount options=(rw, remount) -> /proc/, @{exec_path} mr, @{bin}/mount rix, - @{etc_ro}/blkid.conf r, - @{etc_ro}/blkid.conf.d/{,**} r, /etc/fstab r, @{run}/host/container-manager r, @{run}/mount/utab rw, - @{run}/mount/utab.* rwk, + @{run}/mount/utab.@{rand6} rw, + @{run}/mount/utab.lock rwk, @{sys}/devices/virtual/block/dm-@{int}/dm/name r, diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve new file mode 100644 index 000000000..f716aa3af --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-resolve @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/resolvectl +@{exec_path} += @{bin}/systemd-resolve +profile systemd-resolve @{exec_path} { + include + + capability mknod, + capability net_admin, + + network netlink raw, + + @{exec_path} mr, + + @{PROC}/ r, + owner @{PROC}/@{pids}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 8f4b5bc57..f693cbee4 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved 
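Review bot: `@{run}/mount/utab.@{rand6} rw,` assumes libmount's temporary utab name ends in exactly six random characters; the removed `@{run}/mount/utab.* rwk` was deliberately broad, and if the real suffix differs, or if libmount also locks the temp file, the remount will be denied. Please confirm the temp-name scheme for the util-linux versions you support, and keep `k` on the temp file unless a log shows it is unneeded.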
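Review bot: The new systemd-resolve profile grants `capability mknod` and `capability net_admin` to what is a client CLI (`resolvectl` / `systemd-resolve`) with no comment on why either is needed; `net_admin` is plausible for the link-scoped operations that end in netlink (the profile does allow `network netlink raw`), but `mknod` is unexpected for a D-Bus/varlink client and deserves a justification or removal. There is also no visible `#aa:dbus talk bus=system name=org.freedesktop.resolve1` or varlink socket rule, which is the tool's main job, unless the stripped `include` here provides it. Suggest a comment above the capabilities such as `# mknod: TODO justify (where was it observed?)`, plus the talk rule, or `flags=(complain)` until the rules are collected from logs.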
@@ -31,6 +31,11 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.resolve1 + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, /etc/systemd/resolved.conf r, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 34e7255ab..ff9e2d540 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -8,12 +8,11 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-rfkill -profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { +profile systemd-rfkill @{exec_path} { include include capability net_admin, - capability sys_admin, capability sys_ptrace, network netlink raw, @@ -23,7 +22,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/rfkill/* rw, @{run}/systemd/notify rw, - @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power + @{run}/udev/data/+rfkill:* r, @{sys}/devices/**/rfkill@{int}/{uevent,name} r, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index a55bf752d..34916ecc6 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-sleep -profile systemd-sleep @{exec_path} flags=(attach_disconnected) { +profile systemd-sleep @{exec_path} { include include include @@ -19,8 +19,6 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} mr, - @{lib}/systemd/system-sleep/grub2.sleep rPx, @{lib}/systemd/system-sleep/hdparm rPx, @{lib}/systemd/system-sleep/nvidia rPx, 
diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub b/apparmor.d/groups/systemd/systemd-sleep-grub index 38be5772f..b2b42bf44 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-grub +++ b/apparmor.d/groups/systemd/systemd-sleep-grub @@ -14,7 +14,7 @@ profile systemd-sleep-grub @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/uname rix, /etc/sysconfig/bootloader r, diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 5b9c51dbe..71008c96d 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -11,9 +11,6 @@ profile systemd-sleep-hdparm @{exec_path} { include @{exec_path} mr, - @{sh_path} r, - - @{lib}/pm-utils/power.d/*hdparm-apm ix, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-nvidia b/apparmor.d/groups/systemd/systemd-sleep-nvidia index 2ca5d7474..4ebb4851f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-nvidia +++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia @@ -11,7 +11,6 @@ profile systemd-sleep-nvidia @{exec_path} { include include - capability perfmon, capability sys_admin, capability sys_tty_config, diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat index e29a41a7a..94e2e8daf 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-sysstat +++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat @@ -12,9 +12,6 @@ profile systemd-sleep-sysstat @{exec_path} { @{exec_path} mr, - @{lib}/sysstat/sa{1,2} Px, - @{lib}/sysstat/debian-sa{1,2} Px, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-tlp b/apparmor.d/groups/systemd/systemd-sleep-tlp index fc9a51067..60a28d4af 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-tlp +++ b/apparmor.d/groups/systemd/systemd-sleep-tlp 
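Review bot: After this hunk systemd-sleep-hdparm has only `@{exec_path} mr`; the removed `@{sh_path} r` and `@{lib}/pm-utils/power.d/*hdparm-apm ix` indicate the hook is a shell script that runs the pm-utils hdparm script, so under enforce mode the interpreter load and the child exec will now be denied and the hook fails on every suspend/resume. If the hook is a script, it needs at least `@{sh_path} rix,` and a rule for what it executes, matching the `@{sh_path} rix,` form the grub and tlp hook profiles keep in this same diff; if a placeholder profile is intended, say so in a comment.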
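Review bot: systemd-sleep-sysstat loses its only exec rules (`@{lib}/sysstat/sa{1,2} Px` and the Debian variants), leaving just `@{exec_path} mr`; if the hook invokes sa1/sa2 as the removed lines indicate, those execs will now be denied and sysstat's suspend bookkeeping will fail. Keep the transitions, or add a comment explaining why the hook no longer calls them.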
@@ -13,7 +13,7 @@ profile systemd-sleep-tlp @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/tlp rPUx, + @{bin}/tlp rPUx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades index c2c107b1f..4f2cce637 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-upgrades +++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades @@ -11,7 +11,6 @@ profile systemd-sleep-upgrades @{exec_path} { include @{exec_path} mr, - @{sh_path} r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-stdio-bridge b/apparmor.d/groups/systemd/systemd-stdio-bridge deleted file mode 100644 index 5f3bc2e36..000000000 --- a/apparmor.d/groups/systemd/systemd-stdio-bridge +++ /dev/null @@ -1,22 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/systemd-stdio-bridge -profile systemd-stdio-bridge @{exec_path} flags=(attach_disconnected) { - include - include - include - - signal send set=term peer=@{p_systemd}, - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell index 5ccf33219..094366391 100644 --- a/apparmor.d/groups/systemd/systemd-sulogin-shell +++ b/apparmor.d/groups/systemd/systemd-sulogin-shell @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-sulogin-shell -profile systemd-sulogin-shell @{exec_path} flags=(attach_disconnected) { +profile systemd-sulogin-shell @{exec_path} { include include @@ -18,7 +18,7 @@ profile systemd-sulogin-shell @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/sulogin rPx, + @{bin}/sulogin rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index 87e0ede5c..454105011 100644 
--- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -25,7 +25,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { @{run}/sysctl.d/{,*.conf} r, /etc/sysctl.conf r, /etc/sysctl.d/{,*.conf} r, - @{lib}/sysctl.d/{,*.conf} r, + /usr/lib/sysctl.d/{,*.conf} r, @{PROC}/sys/** rw, diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 2d250f63c..254faeca0 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -25,7 +25,7 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/sysusers.d/{,*.conf} r, @{run}/sysusers.d/{,*.conf} r, - @{lib}/sysusers.d/{,*.conf} r, + /usr/lib/sysusers.d/{,*.conf} r, # Where the users can be created, /home/{,*} rw, diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index b65f2b7af..e070afe4e 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, - unix bind type=stream addr=@@{udbus}/bus/systemd-timedat/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-timedat/system, #aa:dbus own bus=system name=org.freedesktop.timedate1 
@@ -23,14 +23,6 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member={DisableUnitFiles,EnableUnitFiles} - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member={JobRemoved,Reload,StartUnit,StopUnit} - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 2ac7f09fb..b603b2411 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -22,7 +22,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet6 stream, unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync, - unix (send, receive) type=dgram addr=none peer=(label=@{p_sd}, addr=none), + unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none), #aa:dbus own bus=system name=org.freedesktop.timesync1 diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index 0e1e404ab..f591ef9f7 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -30,7 +30,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/tmpfiles.d/{,*.conf} r, @{run}/tmpfiles.d/{,*.conf} r, - @{lib}/tmpfiles.d/{,*.conf} r, + /usr/lib/tmpfiles.d/{,*.conf} r, @{user_config_dirs}/user-tmpfiles.d/{,*.conf} r, @{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r, @{user_share_dirs}/user-tmpfiles.d/{,*.conf} r, 
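Review bot: Removing both `dbus send` rules to `org.freedesktop.systemd1.Manager` (`EnableUnitFiles`/`DisableUnitFiles` and `JobRemoved`/`Reload`/`StartUnit`/`StopUnit`) leaves systemd-timedated with only the `GetAll` properties call on that path, yet toggling NTP through timedated is, as far as I know, implemented by enabling and starting the NTP unit with exactly these calls. Unless an abstraction include that this view strips already grants them, `timedatectl set-ntp` is likely to be denied once the profile is enforced, so the audit log should be checked after this change. If the removal is deliberate, a one-line comment above the remaining `GetAll` rule stating that NTP toggling is intentionally not covered would keep the next maintainer from re-adding the rules blind.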
@@ -42,7 +42,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { /etc/{,**} rw, /home/ rw, /opt/{,**} rw, - @{run}/{,**} rw, + /run/{,**} rw, /srv/{,**} rw, /tmp/{,**} rwk, /usr/{,**} rw, @@ -51,10 +51,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/{,**} rw, @{sys}/class/net/ r, - @{sys}/devices/system/cpu/cpufreq/ r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor w, @{sys}/devices/system/cpu/microcode/reload w, - @{sys}/module/pcie_aspm/parameters/policy w, @{PROC}/@{pid}/net/unix r, @{PROC}/1/cmdline r, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index b318bf3dd..3e2129d39 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -13,28 +13,17 @@ profile systemd-tty-ask-password-agent @{exec_path} { include capability dac_override, - capability dac_read_search, capability net_admin, capability sys_resource, - signal receive set=(term cont winch) peer=@{p_logrotate}, - signal receive set=(term cont winch) peer=*//systemctl, - signal receive set=(term cont winch) peer=deb-systemd-invoke, - signal receive set=(term cont winch) peer=default, - signal receive set=(term cont winch) peer=machinectl, - signal receive set=(term cont winch) peer=makepkg//sudo, - signal receive set=(term cont winch) peer=role_*, - signal receive set=(term cont winch) peer=rpm, + signal (receive) set=(term cont) peer=*//systemctl, + signal (receive) set=(term cont) peer=default, + signal (receive) set=(term cont) peer=logrotate, @{exec_path} mrix, @{run}/systemd/ask-password-block/{,*} rw, @{run}/systemd/ask-password/{,*} rw, - - @{run}/user/@{uid}/ w, - @{run}/user/@{uid}/systemd/ w, - @{run}/user/@{uid}/systemd/ask-password/ rw, - @{run}/utmp rk, @{PROC}/@{pids}/stat r, 
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index cb9592d47..b8a0c7e4c 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -8,12 +8,11 @@ abi , include @{exec_path} = @{bin}/udevadm @{lib}/systemd/systemd-udevd -profile systemd-udevd @{exec_path} flags=(attach_disconnected) { +profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { include include include include - include capability chown, capability dac_override, 
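Review bot: `flags=(attach_disconnected,complain)` switches the whole systemd-udevd profile to complain mode, so every rule in it — including the transitions and file rules edited in the hunks that follow — becomes log-only and nothing is enforced for a root daemon that spawns device helpers. The profile body continues outside this hunk. If the flag is a stopgap while the rule set is reworked, record that intent next to it, e.g. `# TODO(complain): enforce again once <placeholder-issue> is resolved`; otherwise keep `flags=(attach_disconnected)` and address the individual denials instead.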
@@ -35,56 +34,52 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - unix type=stream addr=@@{udbus}/bus/udevadm/, - @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/logger rix, - @{bin}/ls rix, - @{bin}/mknod rix, - @{bin}/nfsrahead rix, - @{bin}/setfacl rix, - @{bin}/sg_inq rix, - @{bin}/systemd-run rix, # TODO: rCx -> run, - @{bin}/unshare rix, - @{sbin}/ethtool rix, - - @{bin}/ddcutil rPx, - @{bin}/kmod rCx -> kmod, - @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, - @{bin}/snap rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/vmmouse_detect rPx, - @{pager_path} rPx -> child-pager, - @{sbin}/alsactl rPx, - @{sbin}/dmsetup rPx, - @{sbin}/issue-generator rPx, - @{sbin}/kdump-config rPx, - @{sbin}/lvm rPx, - @{sbin}/multipath rPx, - @{sbin}/u-d-c-print-pci-ids rPx, + @{sh_path} rix, + @{coreutils_path} rix, + @{pager_path} rPx -> child-pager, + @{bin}/*-print-pci-ids rix, + @{bin}/alsactl rPUx, + @{bin}/ddcutil rPx, + @{bin}/dmsetup rPUx, + @{bin}/ethtool rix, + @{bin}/issue-generator rPx, + @{bin}/kmod rPx, + @{bin}/logger rix, + @{bin}/ls rix, + @{bin}/lvm rPx, + @{bin}/mknod rix, + @{bin}/multipath rPx, + @{bin}/nfsrahead rix, + @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, + @{bin}/perl rix, + @{bin}/setfacl rix, + @{bin}/sg_inq rix, + @{bin}/snap rPUx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/systemd-run rix, + @{bin}/unshare rix, @{lib}/crda/* rPUx, @{lib}/gdm-runtime-config rPx, @{lib}/nfsrahead rPUx, - @{lib}/open-iscsi/net-interface-handler rPx, + @{lib}/open-iscsi/net-interface-handler rPUx, @{lib}/pm-utils/power.d/* rPUx, @{lib}/snapd/snap-device-helper rPx, @{lib}/systemd/systemd-* rPx, @{lib}/udev/* rPUx, /usr/share/hplip/config_usb_printer.py rPUx, - /etc/console-setup/*.sh rPUx, - /etc/network/cloud-ifupdown-helper rPUx, + /etc/console-setup/*.sh rPUx, + /etc/network/cloud-ifupdown-helper rPUx, /etc/default/* r, /etc/machine-id r, /etc/nfs.conf rk, 
/etc/udev/{,**} r, - /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} rw, + /etc/udev/.#hwdb.bin* rw, /etc/udev/hwdb.bin rw, /etc/modprobe.d/ r, @@ -98,12 +93,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, - @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, - @{att}/@{run}/systemd/notify w, - @{att}/@{run}/udev/control rw, - @{run}/udev/ rw, @{run}/udev/** rwk, @@ -124,21 +115,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { /dev/ rw, /dev/** rwk, - profile kmod flags=(attach_disconnected,complain) { - include - include - - capability sys_module, - - @{sh_path} rix, - @{bin}/kmod ix, - - @{sys}/module/*/initstate r, - @{sys}/module/compression r, - - include if exists - } - profile systemctl flags=(attach_disconnected,complain) { include include @@ -146,6 +122,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + # / r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index e7a44d01d..c17be7ab2 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-update-done -profile systemd-update-done @{exec_path} flags=(attach_disconnected) { +profile systemd-update-done @{exec_path} { include capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 82025859b..9d512b495 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-update-utmp -profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) { +profile systemd-update-utmp @{exec_path} { include include include 
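Review bot: `@{bin}/alsactl rPUx`, `@{bin}/dmsetup rPUx`, `@{bin}/snap rPUx` and `@{lib}/open-iscsi/net-interface-handler rPUx` replace `rPx` transitions; `PUx` falls back to running the child unconfined whenever the named profile is not loaded, so a missing or disabled profile silently yields an unconfined process forked by udevd instead of a logged denial. Prefer `rPx` for targets that have a profile in this tree (alsactl, dmsetup and snap were `rPx` before, which suggests they do). The new `@{bin}/perl rix` and the glob `@{bin}/*-print-pci-ids rix` give an arbitrary perl script and any matching helper the full udevd rule set; a dedicated child profile or `rPx` would be narrower. In the later `systemctl` sub-profile hunk, `# / r,` is a commented-out rule with no explanation — either drop it or note why a read of `/` is expected there.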
@@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) { network netlink raw, - unix bind type=stream addr=@@{udbus}/bus/systemd-update-/, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-update-/, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 363b9a32d..9c7fe975b 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-user-runtime-dir -profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { +profile systemd-user-runtime-dir @{exec_path} { include include include diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions index 8de32dfe2..6f16b2f19 100644 --- a/apparmor.d/groups/systemd/systemd-user-sessions +++ b/apparmor.d/groups/systemd/systemd-user-sessions @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-user-sessions -profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) { +profile systemd-user-sessions @{exec_path} { include include diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index f9fad3693..c57327bcb 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -32,8 +32,6 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) @{att}/@{run}/systemd/notify w, @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, - @{att}/@{run}/systemd/userdb/io.systemd.Home rw, - @{att}/@{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/userdb/{,**} rw, diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index 2521c655e..29641fd74 100644 --- a/apparmor.d/groups/systemd/systemd-userwork 
+++ b/apparmor.d/groups/systemd/systemd-userwork @@ -18,7 +18,6 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /etc/gshadow r, /etc/machine-id r, /etc/shadow r, diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 8c99d606c..5f28050c1 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-vconsole-setup -profile systemd-vconsole-setup @{exec_path} flags=(attach_disconnected) { +profile systemd-vconsole-setup @{exec_path} { include include include diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index fa7c13297..97625db38 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/userdbctl -profile userdbctl @{exec_path} flags=(attach_disconnected) { +profile userdbctl @{exec_path} { include include include @@ -29,7 +29,6 @@ profile userdbctl @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/gid_map r, - owner @{PROC}/@{pid}/setgroups r, owner @{PROC}/@{pid}/uid_map r, include if exists diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 193bfc9b6..f6406811d 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator 
@@ -11,37 +11,30 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { include include + capability sys_module, + @{exec_path} mr, - @{bin}/kmod rCx -> kmod, + @{bin}/kmod rix, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, /etc/systemd/zram-generator.conf r, + /etc/modprobe.d/{,**} r, owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw, owner @{run}/systemd/generator/dev-zram@{int}.swap rw, owner @{run}/systemd/generator/swap.target.wants/{,dev-zram@{int}.swap} rw, owner @{run}/systemd/generator/systemd-zram-setup@zram@{int}.service.d/{,*.conf} rw, - @{sys}/block/zram@{int}/* rw, - @{sys}/devices/virtual/block/zram@{int}/* rw, + @{sys}/block/zram@{int}/{disksize,reset} rw, + @{sys}/devices/virtual/block/zram@{int}/{disksize,reset,comp_algorithm} rw, + @{sys}/module/compression r, @{PROC}/crypto r, owner /dev/pts/@{int} rw, - profile kmod flags=(attach_disconnected) { - include - include - - capability sys_module, - - @{sys}/module/compression r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/utils/zramctl b/apparmor.d/groups/systemd/zramctl similarity index 77% rename from apparmor.d/groups/utils/zramctl rename to apparmor.d/groups/systemd/zramctl index 29428a96f..9dbf23243 100644 --- a/apparmor.d/groups/utils/zramctl +++ b/apparmor.d/groups/systemd/zramctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/zramctl +@{exec_path} = @{bin}/zramctl profile zramctl @{exec_path} { include include 
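Review bot: `capability sys_module,` is now granted to the main zram-generator profile while the `kmod` child profile that previously scoped it is removed and `@{bin}/kmod rix` inherits the generator's rules, so module loading is allowed for the whole generator process rather than only the kmod child. The `{disksize,reset}` and `comp_algorithm` narrowing of the sysfs rules goes the right way; the capability change goes the other. If the child profile was dropped to simplify maintenance, `@{bin}/kmod rPx` (the transition this same change set uses for kmod in systemd-udevd) keeps kmod under its own profile and lets the `capability sys_module,` line be removed from the generator again.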
@@ -14,12 +14,10 @@ profile zramctl @{exec_path} { @{exec_path} mr, @{sys}/devices/virtual/block/zram@{int}/ r, - @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw, + @{sys}/devices/virtual/block/zram@{int}/comp_algorithm r, @{sys}/devices/virtual/block/zram@{int}/disksize r, - @{sys}/devices/virtual/block/zram@{int}/disksize w, @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, @{sys}/devices/virtual/block/zram@{int}/mm_stat r, - @{sys}/devices/virtual/block/zram@{int}/reset w, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 211dda9cc..11aad0da3 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -9,15 +9,14 @@ include @{exec_path} = /usr/share/apport/apport profile apport @{exec_path} flags=(attach_disconnected) { include - include + include include - include + include include include capability chown, capability dac_read_search, - capability fowner, capability fsetid, capability setgid, capability setuid, 
@@ -27,54 +26,33 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/{,e,f}grep rix, - @{bin}/dpkg rPx -> &child-dpkg, - @{bin}/dpkg-divert rPx -> &child-dpkg-divert, @{bin}/gdbus rix, - @{bin}/md5sum rix, + @{bin}/{,e,f}grep rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-divert rPx -> child-dpkg-divert, /usr/share/apport/{,**} r, - @{etc_ro}/login.defs r, /etc/apport/report-ignore/{,**} r, - /etc/dpkg/dpkg.cfg r, - /etc/dpkg/dpkg.cfg.d/{,**} r, + /etc/login.defs r, /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, - /var/lib/dpkg/info/*.md5sums r, - /var/lib/dpkg/diversions r, - /var/lib/dpkg/triggers/* r, - /var/lib/dpkg/updates/ r, - - /var/lib/systemd/coredump/*.zst r, /var/crash/ rw, /var/crash/*.@{uid}.crash rw, - owner /var/cache/apt/pkgcache.bin.@{rand6} rw, owner /var/log/apport.log rw, - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, - @{run}/apport.lock rwk, - @{run}/log/journal/ r, - @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/stat r, @{PROC}/sys/fs/suid_dumpable w, @{PROC}/sys/kernel/core_pattern w, @{PROC}/sys/kernel/core_pipe_limit w, owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index 5e39988fd..665b3eaca 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports 
@@ -14,15 +14,15 @@ profile apport-checkreports @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{python_path} r, + @{bin}/python3.@{int} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, /usr/share/apport/ r, - @{etc_ro}/login.defs r, /etc/apt/apt.conf.d/{,**} r, /etc/default/apport r, + /etc/login.defs r, /var/crash/ r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 6d90cadda..0121dd46d 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -9,12 +9,14 @@ include @{exec_path} = /usr/share/apport/apport-gtk profile apport-gtk @{exec_path} { include - include include + include include + include + include + include include include - include include include include @@ -27,12 +29,10 @@ profile apport-gtk @{exec_path} { network inet6 stream, network inet dgram, network inet6 dgram, - network netlink raw, @{exec_path} mr, @{sh_path} rix, - @{python_path} rix, @{bin}/{f,}grep rix, @{bin}/apt-cache rPx, @{bin}/cut rix, @@ -41,26 +41,22 @@ profile apport-gtk @{exec_path} { @{bin}/dpkg-query rpx, @{bin}/gdb rCx -> gdb, @{bin}/gsettings rPx, - @{bin}/ischroot rPx, + @{bin}/ischroot rix, @{bin}/journalctl rPx, + @{bin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/md5sum rix, @{bin}/pkexec rCx -> pkexec, - @{bin}/readlink rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, @{bin}/which{,.debianutils} rix, - @{sbin}/killall5 rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, - @{bin}/* r, - @{sbin}/* r, - /usr/share/apport/{,**} r, /usr/share/apport/general-hooks/*.py r, 
@@ -83,10 +79,9 @@ profile apport-gtk @{exec_path} { /var/crash/ rw, owner /var/crash/*.@{uid}.{crash,upload} rw, - @{run}/cloud-init/cloud.cfg r, @{run}/snapd.socket rw, - owner @{tmp}/@{word8} rw, + owner @{tmp}/@{rand8} rw, owner @{tmp}/apport_core_@{rand8} rw, owner @{tmp}/launchpadlib.cache.@{rand8}/ rw, owner @{tmp}/tmp@{rand8}/{,**} rw, @@ -115,6 +110,7 @@ profile apport-gtk @{exec_path} { /usr/share/gdb/python/{,**/}__pycache__/{,**} rw, /usr/share/gdb/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/terminfo/** r, /usr/share/themes/{,**} r, @@ -139,15 +135,6 @@ profile apport-gtk @{exec_path} { include include - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.systemd1, label=unconfined), - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=GetUnitFileState - peer=(name=org.freedesktop.systemd1, label=unconfined), - include if exists } diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index 2555d0373..a04fc771d 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-hook profile apt-esm-hook @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index e8f03807d..2dcf50743 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-json-hook profile apt-esm-json-hook @{exec_path} { include - include + include include unix (receive, send) type=stream peer=(label=apt), 
@@ -22,7 +22,7 @@ profile apt-esm-json-hook @{exec_path} { /var/lib/ubuntu-advantage/apt-esm/{,**} rw, /var/log/ubuntu-advantage-apt-hook.log w, - @{run}/cloud-init/cloud-id-* r, + @{run}/cloud-init/cloud-id-nocloud r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news deleted file mode 100644 index 91c8b29cc..000000000 --- a/apparmor.d/groups/ubuntu/apt_news +++ /dev/null @@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/ubuntu-advantage/apt_news.py -profile apt_news @{exec_path} flags=(attach_disconnected) { - include - include - include - include - - capability chown, - capability fowner, - capability kill, - capability setgid, - capability setuid, - - signal send set=int peer=apt-methods-*, - - @{exec_path} mr, - - @{lib}/apt/methods/* Px, - - /etc/ubuntu-advantage/uaclient.conf r, - - @{run}/ubuntu-advantage/ rw, - @{run}/ubuntu-advantage/apt-news/{,**} rw, - - owner @{run}/ubuntu-advantage/apt-news/** rw, - - @{PROC}/@{pid}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 2b7b2b4ee..b2fe83f6b 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -9,8 +9,11 @@ include @{exec_path} = @{lib}/ubuntu-release-upgrader/check-new-release-gtk profile check-new-release-gtk @{exec_path} { include - include + include + include include + include + include include include include 
@@ -26,11 +29,11 @@ profile check-new-release-gtk @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/ischroot rPx, - @{bin}/lsb_release rPx, + @{bin}/ischroot rix, + @{bin}/lsb_release rPx -> lsb_release, - @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, - @{lib}/@{python_name}/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/python3/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, + @{lib}/python3/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index a80a4f729..c5c31edd3 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -15,14 +15,20 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/fanctl rPx, - @{bin}/{,e}grep rix, + @{bin}/fanctl rix, + @{bin}/flock rix, + @{bin}/grep rix, + @{bin}/id rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, + @{bin}/touch rix, /etc/network/fan r, + @{run}/ubuntu-fan/ rw, + @{run}/ubuntu-fan/.lock rwk, + include if exists } diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index e9c4c9ab3..86c211f24 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/do-release-upgrade profile do-release-upgrade @{exec_path} { include - include + include include include include @@ -26,8 +26,8 @@ profile do-release-upgrade @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rPx, - @{bin}/lsb_release rPx, + @{bin}/ischroot rix, + @{bin}/lsb_release rPx -> lsb_release, /usr/share/distro-info/*.csv r, /usr/share/ubuntu-release-upgrader/{,**} r, 
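Review bot: `@{bin}/fanctl rix` together with `@{bin}/ip rix` runs fanctl and ip inside the cron-ubuntu-fan profile, replacing the `@{sbin}/fanctl rPx` transition to the separate fanctl profile that this same change set deletes; that deleted profile carried `network netlink raw,`, which `ip` needs, and no netlink rule is visible in this hunk. Confirm that the part of cron-ubuntu-fan outside the hunk grants it, or add `network netlink raw,` next to the new exec rules, otherwise the fan setup is denied in enforce mode. With the standalone fanctl profile gone, fanctl invoked by anything other than this cron job no longer has a profile at all, which is worth stating in the commit description.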
diff --git a/apparmor.d/groups/ubuntu/esm_cache b/apparmor.d/groups/ubuntu/esm_cache deleted file mode 100644 index 53238564a..000000000 --- a/apparmor.d/groups/ubuntu/esm_cache +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/ubuntu-advantage/esm_cache.py -profile esm_cache @{exec_path} { - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl deleted file mode 100644 index ef278da63..000000000 --- a/apparmor.d/groups/ubuntu/fanctl +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/fanctl -profile fanctl @{exec_path} flags=(attach_disconnected) { - include - - network netlink raw, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/flock ix, - @{bin}/id ix, - @{bin}/touch ix, - @{bin}/mkdir ix, - @{bin}/ip ix, - @{bin}/sed ix, - - /etc/network/fan r, - - @{run}/ubuntu-fan/ rw, - @{run}/ubuntu-fan/.lock rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index c85fb9966..3b4280e33 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -9,13 +9,13 @@ include @{exec_path} = @{bin}/hwe-support-status profile hwe-support-status @{exec_path} { include - include + include include @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, /usr/share/distro-info/{,**} r, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 5e4b09ce3..0023b48cb 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages 
+++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -9,15 +9,15 @@ include @{exec_path} = @{lib}/update-notifier/list-oem-metapackages profile list-oem-metapackages @{exec_path} { include - include include + include @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rPx, + @{bin}/ischroot rix, - @{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/python3/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, /etc/machine-id r, diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index fb8eb259e..4d5ecb46a 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,7 +9,10 @@ include @{exec_path} = @{lib}/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include + include include + include + include include include diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index 1703d27cd..0e6641977 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -9,13 +9,10 @@ include @{exec_path} = @{lib}/update-notifier/package-data-downloader profile package-data-downloader @{exec_path} { include - include - include + include include include - capability dac_read_search, - @{exec_path} mr, /var/lib/update-notifier/package-data-downloads/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 8cf3ed885..7398fc404 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - mqueue (read,getattr) type=posix /, + mqueue r type=posix /, ptrace (read), 
diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index b5d7d2885..08a54df0a 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -22,8 +22,6 @@ profile release-upgrade-motd @{exec_path} { /var/lib/ubuntu-release-upgrader/release-upgrade-available rw, - @{run}/motd.dynamic.new w, - /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 72e016573..93fd9ffcc 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/software-properties/software-properties-dbus profile software-properties-dbus @{exec_path} { include - include + include include include include @@ -19,23 +19,18 @@ profile software-properties-dbus @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=gnome-shell), dbus receive bus=system interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=@{busname}, label=software-properties-gtk), - - dbus receive bus=system path=/ - interface=com.ubuntu.SoftwareProperties - member=Reload - peer=(name=@{busname}, label=software-properties-gtk), + peer=(name=:*, label=software-properties-gtk), @{exec_path} mr, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{bin}/env rix, @{bin}/apt-key rPx, # Changing trusted keys - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, /etc/apt/apt.conf.d/10periodic w, /etc/apt/sources.list{,.save} rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 836adbb55..4715f570c 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk 
@@ -7,12 +7,13 @@ abi , include @{exec_path} = @{bin}/software-properties-gtk -profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { +profile software-properties-gtk @{exec_path} { include - include - include + include + include include include + include include include include @@ -20,27 +21,26 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include #aa:dbus own bus=session name=com.ubuntu.SoftwareProperties - #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon - #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties path=/ label=software-properties-dbus @{exec_path} mr, @{bin}/ r, @{sh_path} rix, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rPx, - @{bin}/lsb_release rPx, + @{bin}/ischroot rix, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/ubuntu-advantage rPx, /usr/share/distro-info/*.csv r, /usr/share/pixmaps/ r, /usr/share/python-apt/{,**} r, /usr/share/software-properties/{,**} r, + /usr/share/themes/{,**} r, /usr/share/ubuntu-drivers-common/detect/{,**} r, /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -57,10 +57,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { owner @{tmp}/tmp@{word8}/ rw, owner @{tmp}/tmp@{word8}/apt.conf rw, - /dev/shm/ r, - owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, - owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, - owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, @{sys}/devices/ r, @@ -74,7 +70,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, 
diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 8f673e261..58323b8ff 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -24,7 +24,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, @@ -35,10 +35,10 @@ profile subiquity-console-conf @{exec_path} { @{bin}/journalctl rCx -> journalctl, @{bin}/ssh-keygen rPx, - @{sbin}/sshd rPx, + @{bin}/sshd rPx, @{bin}/snap rPUx, - @{lib}/snapd/snap-recovery-chooser rPUx, - /usr/share/netplan/netplan.script rPx, + /usr/lib/snapd/snap-recovery-chooser rPUx, + /usr/share/netplan/netplan.script rPUx, # TODO: rPx, /usr/share/subiquity/{,**} r, /usr/share/subiquity/console-conf-tui rix, @@ -53,13 +53,13 @@ profile subiquity-console-conf @{exec_path} { @{run}/snapd-recovery-chooser-triggered r, @{run}/snapd.socket rw, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+acpi:* r, @{run}/udev/data/+dmi:* r, # For motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) + @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+platform:* r, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c1:@{int} r, # For RAM disk 
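Review bot: `/usr/share/netplan/netplan.script rPUx, # TODO: rPx,` and `/usr/lib/snapd/snap-recovery-chooser rPUx,` in the -35 hunk fall back to unconfined execution whenever no matching profile is loaded, and netplan.script rewrites network configuration as root; the TODO already records the intended `rPx`, so the fallback should either be tracked as a known gap or dropped once a profile ships. `@{bin}/sshd rPx,` replaces `@{sbin}/sshd`, and whether that still matches depends on how `@{bin}` is defined in the tunables on the target; the same question applies to the other `@{sbin}`→`@{bin}` replacements in this diff (dumpe2fs, dmidecode, apparmor_parser, runc, xtables-nft-multi, libvirtd, libvirt-dbus). An aa-log pass after loading the set would settle it.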
@@ -74,7 +74,7 @@ profile subiquity-console-conf @{exec_path} { @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{sys}/**/devices/ r, @{sys}/*/*/ r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 4ede61bc8..7d797bd97 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/ubuntu-advantage profile ubuntu-advantage @{exec_path} { include - include + include include include include @@ -29,12 +29,13 @@ profile ubuntu-advantage @{exec_path} { @{exec_path} mr, + @{bin}/ischroot rix, + @{bin}/apt rPx, @{bin}/apt-cache rPx, @{bin}/apt-config rPx, @{bin}/apt-get rPx, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rPx, @{bin}/ps rPx, @{bin}/snap rPUx, @{bin}/systemctl rCx -> systemctl, @@ -52,18 +53,15 @@ profile ubuntu-advantage @{exec_path} { /etc/machine-id r, - owner @{user_cache_dirs}/ubuntu-pro/{,**} rw, - owner @{tmp}/tmp[0-9a-z]*/apt.conf r, owner @{tmp}/[0-9a-z]*{,/} rw, owner @{tmp}/[0-9a-z]*/apt-helper-output rw, @{run}/ubuntu-advantage/{,**} rw, + @{PROC}/version_signature r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, - @{PROC}/1/cgroup r, - @{PROC}/version_signature r, owner @{PROC}/@{pid}/fd/ r, profile systemctl { diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index a44e226bc..bf3d4c6c0 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification 
@@ -9,7 +9,10 @@ include @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include + include include + include + include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net deleted file mode 100644 index ab83ebed4..000000000 --- a/apparmor.d/groups/ubuntu/ubuntu-fan-net +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/ubuntu-fan/fan-net -profile ubuntu-fan-net @{exec_path} { - include - - @{exec_path} mr, - - @{sh_path} mr, - @{bin}/{m,g,}awk ix, - @{bin}/kmod Cx -> kmod, - @{bin}/{,e}grep ix, - @{bin}/networkctl Px, - @{sbin}/fanctl Px, - - profile kmod { - include - include - - capability sys_module, - - @{sys}/module/compression r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 65fa3eaa0..19273f449 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -21,7 +21,7 @@ profile ubuntu-report @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, - owner @{user_cache_dirs}/ubuntu-report/{,*} rw, + owner @{user_cache_dirs}/ubuntu-report/{,*} r, include if exists } diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 873f06b67..119ac517c 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -9,20 +9,23 @@ include @{exec_path} = @{bin}/update-manager profile update-manager @{exec_path} flags=(attach_disconnected) { include - include include + include include include + include include include include + include + include + include include include include include include include - include network inet dgram, network inet6 dgram, 
@@ -41,16 +44,16 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/hwe-support-status rPx, - @{bin}/ischroot rPx, - @{bin}/lsb_release rPx, + @{bin}/ischroot rix, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/uname rix, @{lib}/apt/methods/http{,s} rPx, - @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, - @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, - @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/python3/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/python3/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/python3/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, @@ -60,7 +63,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /etc/ubuntu-advantage/uaclient.conf r, /etc/update-manager/{,**} r, - @{efi}/ r, + /boot/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/updates/ r, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index c244f2902..86ac61f41 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -12,21 +12,19 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{exec_path} mr, - @{sbin}/dumpe2fs rPx, + @{bin}/dumpe2fs rPx, @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, @{bin}/cut rix, @{bin}/date rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/id rix, @{bin}/mount rCx -> mount, @{bin}/stat rix, /var/lib/update-notifier/fsck-at-reboot rw, - @{run}/motd.dynamic.new w, - @{PROC}/uptime r, /dev/tty@{int} rw, 
diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 09775cb6f..b0101504c 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/update-motd-updates-available profile update-motd-updates-available @{exec_path} { include - include + include include include include @@ -18,7 +18,7 @@ profile update-motd-updates-available @{exec_path} { @{exec_path} mr, - @{python_path} r, + @{bin}/python3.@{int} r, @{sh_path} rix, @{bin}/apt-config rPx, @@ -26,8 +26,8 @@ profile update-motd-updates-available @{exec_path} { @{bin}/dirname rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/find rix, - @{bin}/ischroot rPx, - @{bin}/lsb_release rPx, + @{bin}/ischroot rix, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 06e851b45..4ffaf60e0 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
@@ -9,36 +9,33 @@ include @{exec_path} = @{bin}/update-notifier profile update-notifier @{exec_path} { include - include include + include include include + include + include include + include include include include - include include unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus talk bus=system name=org.debian.apt label=apt - #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell - - dbus receive bus=system path=/com/ubuntu/UnattendedUpgrade/Pending - interface=com.ubuntu.UnattendedUpgrade.Pending - member=Finished - peer=(name=@{busname}, label=unattended-upgrade), + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell @{exec_path} mr, @{sh_path} rix, @{bin}/ionice rix, + @{bin}/ischroot rix, @{bin}/nice rix, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rPx, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @@ -51,9 +48,8 @@ profile update-notifier @{exec_path} { @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, - @{open_path} Cx -> open, - @{lib}/@{python_name}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, + @{lib}/python3.@{int}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, @@ -89,6 +85,9 @@ profile update-notifier @{exec_path} { profile systemctl { include include + include + + unix (bind) type=stream addr=@@{udbus}/bus/systemctl/system, dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager @@ -98,13 +97,6 @@ profile update-notifier @{exec_path} { include if exists } - profile open { - include - include - - include if exists - } - include if exists } 
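Review bot: The `open` child profile and its `@{open_path} Cx -> open,` transition are removed in the -51 hunk with no replacement exec rule, so if update-notifier still launches an URL handler that exec is now denied; the -9 hunk on the same line likewise drops the `com.ubuntu.UnattendedUpgrade.Pending` receive rule from `unattended-upgrade` without a counterpart. Both are worth checking with aa-log on a host with pending updates. If the launch is still needed, an `rPx` to a dedicated profile keeps it confined without a local child profile.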
diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash
deleted file mode 100644
index 4926c0b1c..000000000
--- a/apparmor.d/groups/ubuntu/update-notifier-crash
+++ /dev/null
@@ -1,40 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-abi ,
-include
-@{exec_path} = @{lib}/update-notifier/update-notifier-crash
-profile update-notifier-crash @{exec_path} {
- include
- include
- @{exec_path} mr,
- @{bin}/{,e}grep ix,
- @{bin}/groups Px,
- @{bin}/systemctl Cx -> systemctl,
- @{bin}/which{,.debianutils} rix,
- @{sh_path} mr,
- /usr/share/apport/apport-checkreports Px,
- owner @{HOME}/ r,
- profile systemctl {
- include
- include
- dbus send bus=system path=/org/freedesktop/systemd1
- interface=org.freedesktop.systemd1.Manager
- member=GetUnitFileState
- peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
- include if exists
- }
- include if exists
-}
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/hwclock b/apparmor.d/groups/utils/hwclock
deleted file mode 100644
index d1433a605..000000000
--- a/apparmor.d/groups/utils/hwclock
+++ /dev/null
@@ -1,30 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-abi ,
-include
-@{exec_path} = @{sbin}/hwclock
-profile hwclock @{exec_path} {
- include
- include
- capability audit_write,
- capability sys_time,
- network netlink raw,
- @{exec_path} mr,
- /etc/adjtime rw,
- @{sys}/devices/pnp@{int}/*/rtc/rtc@{int}/{,*} r,
- /dev/rtc@{int} r,
- include if exists
-}
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd
deleted file mode 100644
index 96e497ea6..000000000
--- a/apparmor.d/groups/utils/lsfd
+++ /dev/null
@@ -1,69 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-abi ,
-include
-@{exec_path} = @{bin}/lsfd
-profile lsfd @{exec_path} flags=(attach_disconnected) {
- include
- include
- capability bpf,
- capability checkpoint_restore,
- capability dac_read_search,
- capability net_admin,
- capability sys_admin,
- capability sys_chroot,
- capability sys_ptrace,
- capability sys_resource,
- capability syslog,
- network inet dgram,
- network inet stream,
- network inet6 dgram,
- network inet6 raw,
- network inet6 stream,
- network inet6 stream,
- network netlink dgram,
- network netlink raw,
- network packet dgram,
- ptrace read,
- ptrace trace,
- mqueue (read create delete getattr) type=posix /.lsfd-mqueue-nodev-test:@{int},
- @{exec_path} mr,
- / r,
- @{att}/ r,
- owner @{att}/.lsfd-mqueue-nodev-test:@{int} rw,
- @{run}/ r,
- @{run}/netns/ r,
- @{sys}/kernel/cpu_byteorder r,
- @{PROC}/ r,
- @{PROC}/@{pid}/ r,
- @{PROC}/@{pid}/comm r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pid}/fdinfo/@{int} r,
- @{PROC}/@{pid}/mountinfo r,
- @{PROC}/@{pid}/net/* r,
- @{PROC}/@{pid}/stat r,
- @{PROC}/@{pid}/syscall r,
- @{PROC}/@{pid}/task/ r,
- @{PROC}/devices r,
- @{PROC}/misc r,
- @{PROC}/partitions r,
- @{PROC}/tty/drivers r,
- include if exists
-}
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc
deleted file mode 100644
index 7677a8a03..000000000
--- a/apparmor.d/groups/utils/lsipc
+++ /dev/null
@@ -1,35 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-abi ,
-include
-@{exec_path} = @{bin}/lsipc
-profile lsipc @{exec_path} {
- include
- include
- @{exec_path} mr,
- @{PROC}/sys/fs/mqueue/msg_max r,
- @{PROC}/sys/fs/mqueue/msgsize_max r,
- @{PROC}/sys/fs/mqueue/queues_max r,
- @{PROC}/sys/kernel/msgmax r,
- @{PROC}/sys/kernel/msgmnb r,
- @{PROC}/sys/kernel/msgmni r,
- @{PROC}/sys/kernel/sem r,
- @{PROC}/sys/kernel/shmall r,
- @{PROC}/sys/kernel/shmmax r,
- @{PROC}/sys/kernel/shmmni r,
- @{PROC}/sysvipc/msg r,
- @{PROC}/sysvipc/sem r,
- @{PROC}/sysvipc/shm r,
- /dev/mqueue/ r,
- include if exists
-}
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks
deleted file mode 100644
index 44d2e1d01..000000000
--- a/apparmor.d/groups/utils/lslocks
+++ /dev/null
@@ -1,35 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-abi ,
-include
-@{exec_path} = @{bin}/lslocks
-profile lslocks @{exec_path} flags=(attach_disconnected) {
- include
- capability dac_read_search,
- capability sys_ptrace,
- ptrace read,
- @{exec_path} mr,
- @{sys}/devices/**/block/** r,
- @{PROC}/ r,
- @{PROC}/@{pid}/ r,
- @{PROC}/@{pid}/comm r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pid}/fdinfo/ r,
- @{PROC}/@{pid}/fdinfo/@{int} r,
- @{PROC}/locks r,
- owner @{PROC}/@{pid}/ r,
- owner @{PROC}/@{pid}/mountinfo r,
- include if exists
-}
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/lslogins b/apparmor.d/groups/utils/lslogins
deleted file mode 100644
index 7393b47c0..000000000
--- a/apparmor.d/groups/utils/lslogins
+++ /dev/null
@@ -1,33 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-abi ,
-include
-@{exec_path} = @{bin}/lslogins
-profile lslogins @{exec_path} {
- include
- include
- include
- @{exec_path} mr,
- /etc/.pwd.lock w,
- /etc/.pwd.lock wk,
- /etc/login.defs r,
- /etc/shadow r,
- /var/log/lastlog r,
- /var/log/wtmp rk,
- @{run}/systemd/userdb/ r,
- @{PROC}/ r,
- @{PROC}/sys/kernel/random/boot_id r,
- include if exists
-}
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns
deleted file mode 100644
index 7fbf56896..000000000
--- a/apparmor.d/groups/utils/lsns
+++ /dev/null
@@ -1,44 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-abi ,
-include
-@{exec_path} = @{bin}/lsns
-profile lsns @{exec_path} flags=(attach_disconnected) {
- include
- include
- include
- capability net_admin,
- capability sys_ptrace,
- capability dac_read_search,
- network,
- ptrace read,
- ptrace trace,
- @{exec_path} mr,
- @{att}/ r,
- @{run}/*/netns/** r,
- @{run}/*/ns/** r,
- @{sys}/devices/**/block/** r,
- @{PROC}/ r,
- @{PROC}/@{pid}/ r,
- @{PROC}/@{pid}/stat r,
- @{PROC}/@{pid}/cmdline r,
- @{PROC}/@{pid}/comm r,
- @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/mountinfo r,
- include if exists
-}
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/lsscsi b/apparmor.d/groups/utils/lsscsi
deleted file mode 100644
index f0e7b4df2..000000000
--- a/apparmor.d/groups/utils/lsscsi
+++ /dev/null
@@ -1,24 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-abi ,
-include
-@{exec_path} = @{bin}/lsscsi
-profile lsscsi @{exec_path} {
- include
- include
- @{exec_path} mr,
- / r,
- /dev/ r,
- /dev/** r,
- include if exists
-}
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico
index 9015d2157..a6c9149d2 100644
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@@ -9,7 +9,6 @@ include
 @{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico
 profile cni-calico @{exec_path} flags=(attach_disconnected) {
 include
- include
 capability sys_admin,
 capability net_admin,
@@ -33,6 +32,8 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
 /var/log/calico/cni/ r,
 /var/log/calico/cni/*.log rw,
+ /usr/share/mime/globs2 r,
+
 @{run}/calico/ rw,
 @{run}/calico/ipam.lock rwk,
 @{run}/netns/cni-@{uuid} r,
diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap
index 0f2692ecf..73ad13cb1 100644
--- a/apparmor.d/groups/virt/cni-portmap
+++ b/apparmor.d/groups/virt/cni-portmap
@@ -15,7 +15,7 @@ profile cni-portmap @{exec_path} {
 network netlink raw,
 @{exec_path} mr,
- @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft,
+ @{bin}/xtables-nft-multi rPx -> cni-xtables-nft,
 @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw,
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index d8c71803d..1766cd2fb 100644
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@@ -9,12 +9,7 @@ include
 @{exec_path} = @{bin}/cockpit-bridge
 profile cockpit-bridge @{exec_path} {
 include
- include
- include
- include
- include
 include
- include
 include
 include
@@ -31,17 +26,12 @@ profile cockpit-bridge @{exec_path} { ptrace read, + signal send set=term peer=cockpit-bridge//sudo, signal send set=term peer=cockpit-pcp, signal send set=term peer=dbus-daemon, signal send set=term peer=journalctl, signal send set=term peer=ssh-agent, signal send set=term peer=unconfined, - signal (send receive) set=term peer=cockpit-bridge//sudo, - - #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd - #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} - #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus @{exec_path} mr, @@ -49,12 +39,12 @@ profile cockpit-bridge @{exec_path} { @{bin}/date ix, @{bin}/find ix, @{bin}/ip ix, - @{python_path} ix, + @{bin}/python3.@{int} ix, @{bin}/test ix, @{bin}/file ix, @{bin}/chage Px, - @{sbin}/dmidecode Px, + @{bin}/dmidecode Px, @{bin}/findmnt Px, @{bin}/journalctl Px, @{bin}/last Px, @@ -77,9 +67,9 @@ profile cockpit-bridge @{exec_path} { /usr/share/file/** r, /usr/share/iproute2/* r, - @{etc_ro}/login.defs r, /etc/cockpit/{,**} r, /etc/httpd/conf/mime.types r, + /etc/login.defs r, /etc/machine-id r, /etc/mime.types r, /etc/motd r, @@ -124,7 +114,7 @@ profile cockpit-bridge @{exec_path} { include include - signal (send receive) set=(cont hup term) peer=cockpit-bridge, + signal (send receive) set=term peer=cockpit-bridge, @{bin}/cockpit-bridge Px, @{lib}/cockpit/cockpit-askpass Px, @@ -136,8 +126,6 @@ profile cockpit-bridge @{exec_path} { include include - @{run}/udev/data/n@{int} r, # For network interfaces - include if exists } diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index 303fd074c..ac9dd5f6f 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper 
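Review bot: The parent profile now carries only `signal send set=term peer=cockpit-bridge//sudo,` while the `sudo` child keeps `signal (send receive) set=term peer=cockpit-bridge,` in the -124 hunk on this line; a term signal from the child to the parent needs a matching receive rule on the parent, so the child's `send` half is dead as written. Either add `signal receive set=term peer=cockpit-bridge//sudo,` next to the new line, or narrow the child rule to `signal receive set=term peer=cockpit-bridge,` if the bridge only ever signals sudo and never the reverse. The `#aa:dbus talk` directives removed here have no replacement in the hunk; if the bridge still reaches PackageKit, systemd or libvirt over the bus those calls will surface as denials.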
@@ -21,7 +21,6 @@ profile cockpit-certificate-helper @{exec_path} {
 @{bin}/openssl rix,
 @{bin}/rm rix,
 @{bin}/sscg rix,
- @{bin}/sync rix,
 @{bin}/tr rix,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop
index bb1ba03bf..c2a7455ce 100644
--- a/apparmor.d/groups/virt/cockpit-desktop
+++ b/apparmor.d/groups/virt/cockpit-desktop
@@ -10,8 +10,6 @@ include
 profile cockpit-desktop @{exec_path} {
 include
- userns,
-
 @{exec_path} mr,
 include if exists
diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session
index ba51fc8a5..67ecd800e 100644
--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@@ -10,17 +10,14 @@ include
 profile cockpit-session @{exec_path} flags=(attach_disconnected) {
 include
 include
- include
 include
 include
 capability audit_write,
- capability chown,
 capability dac_read_search,
 capability net_admin,
 capability setgid,
 capability setuid,
- capability sys_resource,
 network netlink raw,
@@ -29,8 +26,6 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
 @{shells_path} rix,
 @{bin}/cockpit-bridge rPx,
 @{lib}/cockpit/cockpit-pcp rPx,
- @{bin}/ssh-agent rPx,
- @{bin}/ssh-add rix,
 @{etc_ro}/environment r,
 @{etc_ro}/security/limits.d/{,*.conf} r,
@@ -41,21 +36,17 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
 /etc/motd.d/ r,
 /etc/shells r,
- @{att}/@{run}/systemd/sessions/*.ref rw,
-
- @{run}/cockpit/* r,
+ @{run}/cockpit/active.motd r,
+ @{run}/cockpit/inactive.motd r,
 @{run}/faillock/@{user} rwk,
 @{run}/motd.d/{,*} r,
+ @{run}/systemd/sessions/*.ref rw,
 @{run}/utmp rwk,
 /var/log/btmp rw,
 /var/log/lastlog rw,
 /var/log/wtmp rwk,
- /var/lib/lastlog/ r,
- /var/lib/lastlog/lastlog2.db rwk,
- /var/lib/lastlog/lastlog2.db-journal rw,
-
 owner @{PROC}/@{pid}/loginuid rw,
 owner @{PROC}/@{pid}/uid_map r,
 @{PROC}/@{pids}/fd/ r,
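Review bot: In the -41 hunk of cockpit-session the `/var/lib/lastlog/lastlog2.db` and `lastlog2.db-journal` rules are dropped while `/var/log/lastlog rw,` stays, so on systems where pam_lastlog2 has replaced the legacy lastlog file the login bookkeeping write is now denied. If both layouts are meant to be supported, keep `/var/lib/lastlog/lastlog2.db rwk,` and `/var/lib/lastlog/lastlog2.db-journal rw,` next to the legacy rule. `@{run}/systemd/sessions/*.ref rw,` also lost its `@{att}` prefix although the profile keeps `flags=(attach_disconnected)`; confirm the file is not reached through a disconnected path, since the rule would then not match.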
diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls
index 8a345588a..0037b132c 100644
--- a/apparmor.d/groups/virt/cockpit-tls
+++ b/apparmor.d/groups/virt/cockpit-tls
@@ -17,9 +17,6 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) {
 /etc/cockpit/ws-certs.d/{,**} r,
- @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock rw,
- @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw,
-
 owner @{run}/cockpit/tls/{,**} rw,
 include if exists
diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws
index d4fb299fe..c78f63a63 100644
--- a/apparmor.d/groups/virt/cockpit-ws
+++ b/apparmor.d/groups/virt/cockpit-ws
@@ -7,23 +7,16 @@ abi ,
 include
 @{exec_path} = @{lib}/cockpit/cockpit-ws
-profile cockpit-ws @{exec_path} flags=(attach_disconnected) {
+profile cockpit-ws @{exec_path} {
 include
- include
- include
 @{exec_path} mr,
- @{sh_path} rix,
 @{lib}/cockpit/cockpit-session rPx,
 /usr/share/cockpit/{,**} r,
- /etc/cockpit/ws-certs.d/{,**} r,
 /usr/share/pixmaps/{,**} r,
- /usr/share/plymouth/{,**} r,
-
- @{run}/cockpit/session rw,
- @{run}/cockpit/wsinstance/https@@{hex64}.sock r,
+ /etc/cockpit/ws-certs.d/ r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory
index 248ca43e8..b14a1e36f 100644
--- a/apparmor.d/groups/virt/cockpit-wsinstance-factory
+++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory
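Review bot: `/etc/cockpit/ws-certs.d/ r,` in the cockpit-ws hunk grants only the directory listing, so the certificate files under it are no longer readable by cockpit-ws; if the web service itself (rather than cockpit-tls, which keeps `/etc/cockpit/ws-certs.d/{,**} r,` in the hunk above) opens them, TLS setup fails with a denial. If that split is intentional, a comment such as `# certificates are read by cockpit-tls; ws only lists the directory` on that line would save the next reader the question; otherwise restore `{,**}`. Dropping `flags=(attach_disconnected)` together with `@{run}/cockpit/session rw,` is only safe if cockpit-ws no longer touches the session socket, which is worth confirming with aa-log.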
@@ -9,25 +9,11 @@ include
 @{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory
 profile cockpit-wsinstance-factory @{exec_path} {
 include
- include
 capability net_admin,
- unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system,
-
- dbus receive bus=system path=/org/freedesktop/systemd1
- interface=org.freedesktop.systemd1.Manager
- member=JobRemoved
- peer=(name=@{busname}, label="@{p_systemd}"),
- dbus send bus=system path=/org/freedesktop/systemd1
- interface=org.freedesktop.systemd1.Manager
- member=StartUnit
- peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
-
 @{exec_path} mr,
- @{run}/cockpit/wsinstance/https-factory.sock w,
-
 include if exists
 }
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index 95d332a45..4f73ff985 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -46,7 +46,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{sbin}/apparmor_parser rPx,
+ @{bin}/apparmor_parser rPx,
 @{bin}/containerd-shim-runc-v2 rPx,
 @{bin}/kmod rPx,
 @{bin}/unpigz rPUx,
@@ -87,8 +87,10 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 @{run}/nri/nri.sock rw,
 @{run}/systemd/notify w,
- /tmp/cri-containerd.apparmor.d@{int} rwl,
- /tmp/ctd-volume@{int}/{,**} rw,
+ /tmp/cri-containerd.apparmor.d@{int} rwl,
+ /tmp/ctd-volume@{int}/{,**} rw,
+ owner @{tmp}/** rwkl,
+ owner /var/tmp/** rwkl,
 @{sys}/fs/cgroup/kubepods/** r,
 @{sys}/kernel/security/apparmor/profiles r,
diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2
index 04b355a48..bff45ca39 100644
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
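Review bot: `owner @{tmp}/** rwkl,` and `owner /var/tmp/** rwkl,` in the containerd -87 hunk give the daemon read, write, lock and link on every owned file under the temporary directories; assuming `@{tmp}` expands to /tmp this subsumes the two specific `/tmp/cri-containerd.apparmor.d@{int}` and `/tmp/ctd-volume@{int}/{,**}` rules kept just above and makes link permission available on arbitrary tmp paths. Prefer narrowing to the patterns containerd actually creates, or at least drop `l` from the broad rules and keep it only on the `cri-containerd.apparmor.d@{int}` line that needs it. The cockpit-wsinstance-factory hunk on this line keeps `capability net_admin,` while removing every socket and D-Bus rule; if the factory still asks systemd to start instances those calls will now show as denials.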
@@ -25,12 +25,12 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
 signal (send) set=kill peer=cri-containerd.apparmor.d,
 signal (receive) set=kill peer=containerd,
- mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
- umount @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
+ mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
+ umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
 @{exec_path} mrix,
- @{sbin}/runc rPx,
+ @{bin}/runc rPUx,
 /tmp/runc-process@{int} rw,
 /tmp/pty@{int}/ rw,
@@ -50,14 +50,11 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/kubepods/{,**} rw,
 @{sys}/kernel/mm/hugepages/ r,
- @{PROC}/@{pid}/task/@{tid}/mountinfo r,
 @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/mountinfo r,
 @{PROC}/@{pids}/oom_score_adj rw,
 @{PROC}/sys/net/core/somaxconn r,
- @{att}/dev/pts/ptmx rw,
-
 include if exists
 }
diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy
index 9a8cbe379..2861514aa 100644
--- a/apparmor.d/groups/virt/docker-proxy
+++ b/apparmor.d/groups/virt/docker-proxy
@@ -15,9 +15,8 @@ profile docker-proxy @{exec_path} {
 network inet stream,
 network inet6 stream,
- network netlink raw,
- signal receive set=int peer=dockerd,
+ signal (receive) set=int peer=dockerd,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd
index 0a214ccd1..2ea35f7b9 100644
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{bin}/dockerd @{sbin}/dockerd #aa:lint ignore=sbin
+@{exec_path} = @{bin}/dockerd
 profile dockerd @{exec_path} flags=(attach_disconnected) {
 include
 include
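Review bot: `@{bin}/runc rPUx,` in the containerd-shim-runc-v2 -25 hunk lets the container runtime run unconfined whenever no `runc` profile is loaded, replacing a transition that failed closed; since every container start goes through this shim, prefer `@{bin}/runc rPx,` so a missing profile is a visible denial rather than a silent loss of confinement. The mount and umount rules on the same hunk hard-code `/run/containerd/...` while sibling profiles in this diff use `@{run}`; keeping `@{run}` is the project convention and the only form that also covers `/var/run`.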
@@ -21,32 +21,34 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 capability kill,
 capability mknod,
 capability net_admin,
- capability net_bind_service,
- capability net_raw,
 capability setfcap,
 capability sys_admin,
 capability sys_chroot,
 capability sys_ptrace,
 network inet dgram,
- network inet raw,
 network inet stream,
 network inet6 dgram,
 network inet6 stream,
 network netlink raw,
- network packet dgram,
 mount /tmp/containerd-mount@{int}/,
- mount /var/lib/docker/**/,
- mount options=(rw bind) -> @{run}/docker/netns/*,
+ mount /var/lib/docker/buildkit/**/,
+ mount /var/lib/docker/overlay2/**/,
+ mount /var/lib/docker/tmp/buildkit-mount@{int}/,
+ mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/,
+ mount options=(rw bind) -> /run/docker/netns/*,
+ mount options=(rw rbind) -> /var/lib/docker/tmp/docker-builder@{int}/,
+ mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/,
 mount options=(rw rprivate) -> /.pivot_root@{int}/,
+ mount options=(rw rprivate) -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/,
 mount options=(rw rslave) -> /,
 remount /tmp/containerd-mount@{int10}/,
 remount /var/lib/docker/**/,
 umount /.pivot_root@{int}/,
- umount @{run}/docker/netns/*,
+ umount /run/docker/netns/*,
 umount /tmp/containerd-mount@{int}/,
 umount /var/lib/docker/**/,
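Review bot: `capability net_raw,` and `network inet raw,` are removed from the dockerd profile here, yet the -64 hunk on the next line runs `@{bin}/xtables-nft-multi rix,` inside this same profile, and the deleted `nft` child profile in the -131 hunk is where those two permissions used to live; if iptables still needs them, container network setup will now be denied instead of confined. Either keep both permissions in the parent or keep xtables in a child profile. Separately, the new mount rules hard-code `/run/docker/netns/*` where neighbouring rules use `@{run}`, and `/var/lib/docker/volumes/**/-` ends in a literal `-` path component that looks like a typo for a real element — confirm it against the actual mount source before this lands.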
@@ -64,48 +66,34 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- @{sbin}/apparmor_parser rPx,
+ @{bin}/apparmor_parser rPx,
 @{bin}/containerd rPx,
- @{bin}/docker-init rCx -> init,
- @{lib}/docker/docker-init rCx -> init,
+ @{bin}/docker-init rix,
 @{bin}/docker-proxy rPx,
- @{bin}/tini-static rCx -> tini,
- @{bin}/git rCx -> git,
- @{bin}/kmod rCx -> kmod,
+ @{bin}/kmod rPx,
 @{bin}/ps rPx,
- @{sbin}/runc rUx,
- @{bin}/runc rUx, #aa:lint ignore=sbin
+ @{bin}/runc rUx,
 @{bin}/unpigz rix,
- @{sbin}/xtables-nft-multi rCx -> nft,
- @{sbin}/xtables-legacy-multi rCx -> nft,
+ @{bin}/xtables-nft-multi rix,
 # Docker needs full access of the containers it manages.
 # TODO: should be in a sub profile started with pivot_root, not supported yet.
- /{,**} rwl, #aa:only apt
-
- @{att}/@{lib}/containerd/** rw,
- @{att}/var/lib/docker/{,**} rwk,
+ /{,**} rwl,
 /etc/docker/{,**} r,
 @{att}/ r,
+ owner @{att}/@{lib}/containerd/** rw,
 owner @{lib}/docker/overlay2/*/work/{,**} rw,
 owner /var/lib/containerd/** rw,
 owner /var/lib/docker/{,**} rwk,
 owner /var/lib/docker/tmp/qemu-check@{int}/check rix,
- /tmp/build/ w,
- /tmp/containerd-mount@{int}/{,**} rw,
-
- @{run}/systemd/notify rw,
-
- @{run}/containerd/containerd.sock rw,
-
- owner @{run}/docker.pid rw,
 owner @{run}/docker/ rw,
 owner @{run}/docker/** rwlk,
+ owner @{run}/docker.pid rw,
- @{sys}/devices/virtual/net/** r,
 @{sys}/fs/cgroup/cgroup.controllers r,
 @{sys}/fs/cgroup/cpuset.cpus.effective r,
 @{sys}/fs/cgroup/cpuset.mems.effective r,
@@ -115,9 +103,6 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/1/cgroup r,
 @{PROC}/1/environ r,
 @{PROC}/cmdline r,
- @{PROC}/pressure/cpu r,
- @{PROC}/pressure/io r,
- @{PROC}/pressure/memory r,
 @{PROC}/sys/kernel/keys/root_maxkeys r,
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/sys/kernel/threads-max r,
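Review bot: `@{bin}/docker-init rix,` and `@{bin}/xtables-nft-multi rix,` now execute inside the dockerd profile, which carries `/{,**} rwl,`, `capability sys_admin` and broad mount rules, so both helpers inherit the daemon's full authority; the `rCx` child profiles they replace limited each to a handful of rules, and this hunk removes that boundary without a replacement. If the children were dropped to avoid a known problem, a one-line comment on the `rix` lines saying so would stop the next reviewer from re-adding them; otherwise keeping at least the xtables helper in a child profile is the cheaper least-privilege option. Note also that the `#aa:only apt` marker on `/{,**} rwl,` is gone — if that marker gated the blanket rule to one distribution's build, every distribution now receives it.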
@@ -131,73 +116,13 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/net/ip_tables_names r,
 owner @{PROC}/@{pid}/task/@{tid}/mountinfo r,
 owner @{PROC}/@{pid}/uid_map r,
 /dev/ r,
 /dev/**/ r,
- profile nft flags=(attach_disconnected) {
- include
-
- capability net_admin,
- capability net_raw,
-
- network inet raw,
- network inet6 raw,
- network netlink raw,
-
- @{sbin}/xtables-nft-multi rix,
- @{sbin}/xtables-legacy-multi rix,
- @{bin}/kmod rPx -> dockerd//kmod,
-
- @{PROC}/@{pid}/net/ip{,6}_tables_names r,
- @{PROC}/sys/kernel/modprobe r,
-
- @{run}/xtables.lock rwk,
-
- include if exists
- }
-
- profile kmod {
- include
- include
-
- capability sys_module,
-
- @{run}/xtables.lock r,
-
- @{sys}/module/compression r,
- @{sys}/module/*/initstate r,
-
- include if exists
- }
-
- profile tini {
- include
-
- @{bin}/tini-static mr,
-
- include if exists
- }
-
- profile init flags=(attach_disconnected) {
- include
-
- @{bin}/docker-init mr,
- @{lib}/docker/docker-init mr,
-
- include if exists
- }
-
- profile git flags=(attach_disconnected) {
- include
-
- @{bin}/git mr,
-
- include if exists
- }
-
 include if exists
 }
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 59c4b9473..96e50ba35 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -62,12 +62,13 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
 @{bin}/systemd-run rix,
 @{bin}/{nano,emacs,ed} rPUx,
 @{bin}/vim{,.basic} rPUx,
- @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft,
+ @{bin}/xtables-nft-multi rPx -> cni-xtables-nft,
 @{lib}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix,
 /var/lib/rancher/k3s/data/@{hex}/bin/* rix,
 @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r,
+ /usr/share/mime/globs2 r,
 /etc/machine-id r,
 /etc/rancher/{,**} rw,
@@ -158,7 +159,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r,
 @{sys}/fs/cg roup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{,**/} r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r,
 @{sys}/kernel/mm/hugepages/ r,
 @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus
index 971cdf55e..44d24f1ae 100644
--- a/apparmor.d/groups/virt/libvirt-dbus
+++ b/apparmor.d/groups/virt/libvirt-dbus
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{sbin}/libvirt-dbus
+@{exec_path} = @{bin}/libvirt-dbus
 profile libvirt-dbus @{exec_path} {
 include
 include
@@ -16,26 +16,18 @@ profile libvirt-dbus @{exec_path} {
 #aa:dbus own bus=session name=org.libvirt
 #aa:dbus own bus=system name=org.libvirt
- dbus receive bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=@{busname}, label=gnome-shell),
 @{exec_path} mr,
- @{sbin}/libvirtd rPx,
+ @{bin}/libvirtd rPx,
 @{bin}/virtqemud rPx,
 /usr/share/dbus-1/interfaces/org.libvirt.*.xml r,
 owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk,
- @{run}/libvirt/libvirt-sock rw,
-
- @{run}/user/@{uid}/libvirt/ rw,
- @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
- @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
- owner @{run}/user/@{uid}/libvirt/libvirt-sock rw,
+ @{run}/user/@{uid}/libvirt/ rw,
+ @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
+ @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node*/meminfo r,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 378449352..db6d5d377 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
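Review bot: The three new `@{run}/user/@{uid}/libvirt/` rules in the libvirt-dbus `@@ -16,26` hunk carry no `owner` qualifier, while the `owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk,` context line just above them is owner-scoped; for a per-user runtime directory the two should match, e.g. `owner @{run}/user/@{uid}/libvirt/ rw,` and the same prefix on the two lock-file lines. The rewrite also drops both socket rules (`@{run}/libvirt/libvirt-sock rw,` and the owner-scoped per-user `libvirt-sock`); if libvirt-dbus still connects to the daemons through those sockets the new profile will deny the connection, so that removal is worth confirming against the audit log. The profile body continues outside this hunk.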
@@ -14,16 +14,13 @@ abi ,
 include
-@{exec_path} = @{sbin}/libvirtd
+@{exec_path} = @{bin}/libvirtd
 profile libvirtd @{exec_path} flags=(attach_disconnected) {
 include
- include
- include
- include
 include
+ include
 include
 include
- include
 include
 capability audit_write,
@@ -49,12 +46,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 capability sys_pacct,
 capability sys_ptrace,
 capability sys_rawio,
- capability sys_resource, # Needed for vfio
+ capability sys_resource,
- network inet dgram,
 network inet stream,
- network inet6 dgram,
+ network inet dgram,
 network inet6 stream,
+ network inet6 dgram,
 network netlink raw,
 network packet dgram,
 network packet raw,
@@ -88,16 +85,10 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),
 unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
 unix (send, receive) type=stream addr=none peer=(label=unconfined),
- unix (send, receive) type=stream addr=none peer=(label=virt-manager),
 # Allow changing to our UUID-based named profiles
 change_profile -> libvirt-@{uuid},
- dbus receive bus=session
- interface=org.freedesktop.DBus.Introspectable
- member=Introspect
- peer=(name=@{busname}, label=gnome-shell),
-
 @{exec_path} mr,
 @{lib}/libvirt/libvirt_iohelper rix,
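Review bot: The rewritten `capability sys_resource,` in the `@@ -49,12` hunk loses the `# Needed for vfio` rationale that the replaced line carried; `sys_resource` is a broad capability and that comment was the only thing telling a reviewer why libvirtd holds it, so keep it as `capability sys_resource, # Needed for vfio`. The rest of that hunk only reorders the `network` lines. The profile body continues outside this hunk.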
@@ -112,26 +103,26 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{lib}/xen-common/bin/xen-toolstack rPUx,
 @{lib}/xen/bin/* rPUx,
- @{sbin}/dmidecode rPx,
- @{sbin}/dnsmasq rPx,
- @{bin}/kmod rCx -> kmod,
- @{sbin}/lvm rPUx,
+ @{bin}/dmidecode rPx,
+ @{bin}/dnsmasq rPx,
+ @{bin}/kmod rPx,
+ @{bin}/lvm rPUx,
 @{bin}/mdevctl rPx,
 @{bin}/swtpm rPx,
 @{bin}/swtpm_ioctl rPx,
 @{bin}/swtpm_setup rPx,
 @{bin}/udevadm rPx,
 @{bin}/virtiofsd rux, # TODO: WIP
- @{sbin}/virtlogd rPx,
+ @{bin}/virtlogd rPx,
 @{sh_path} rix,
 @{bin}/ip rix,
- @{sbin}/nft rix,
+ @{bin}/nft rix,
 @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
 @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper
- @{sbin}/tc rix,
+ @{bin}/tc rix,
 @{bin}/xmllint rix,
- @{sbin}/xtables-nft-multi rix,
+ @{bin}/xtables-nft-multi rix,
 @{lib}/libvirt/virt-aa-helper rPx,
 /etc/libvirt/hooks/** rPUx,
@@ -142,6 +133,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 /usr/share/hwdata/* r,
 /usr/share/iproute2/{,**} r,
 /usr/share/libvirt/{,**} r,
+ /usr/share/mime/mime.cache r,
 /usr/share/misc/pci.ids r,
 /usr/share/qemu/{,**} r,
@@ -152,8 +144,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 /etc/xml/catalog r,
 /var/cache/libvirt/{,**} rw,
- /var/lib/libvirt/ rw,
- /var/lib/libvirt/** rwk,
+ /var/lib/libvirt/{,**} rwk,
 /var/log/swtpm/libvirt/{,**} rw,
 # User VM images and share
@@ -162,11 +153,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{user_vm_dirs}/{,**} rwk,
 @{user_publicshare_dirs}/{,**} rwk,
- owner @{user_config_dirs}/libvirt/{,**} rwk,
-
- owner @{run}/user/@{uid}/libvirt/ rw,
- owner @{run}/user/@{uid}/libvirt/** rwk,
-
 @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
 @{run}/libvirt/ rw,
@@ -176,9 +162,35 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{run}/systemd/notify w,
 @{run}/utmp rk,
- @{run}/udev/data/+*:* r, # Identifies all subsystems
- @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices
- @{run}/udev/data/n@{int} r, # For network interfaces
+ @{run}/udev/data/+backlight:* r,
+ @{run}/udev/data/+bluetooth:* r,
+ @{run}/udev/data/+dmi:* r, # for motherboard info
+ @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
+ @{run}/udev/data/+hid:* r,
+ @{run}/udev/data/+input:input@{int} r, # For mouse, keyboard, touchpad
+ @{run}/udev/data/+leds:* r,
+ @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+ @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+rfkill:* r,
+ @{run}/udev/data/+sound:card@{int} r, # For sound card
+ @{run}/udev/data/+thunderbolt:* r,
+ @{run}/udev/data/c1:@{int} r, # For RAM disk
+ @{run}/udev/data/c6:@{int} r, # For parallel printer devices /dev/lp*
+ @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
+ @{run}/udev/data/c13:@{int} r, # For /dev/input/*
+ @{run}/udev/data/c21:@{int} r, # Generic SCSI access
+ @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]*
+ @{run}/udev/data/c81:@{int} r, # For video4linux
+ @{run}/udev/data/c89:@{int} r, # For I2C bus interface
+ @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash
+ @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport*
+ @{run}/udev/data/c108:@{int} r, # For /dev/ppp
+ @{run}/udev/data/c116:@{int} r, # For ALSA
+ @{run}/udev/data/c202:@{int} r, # CPU model-specific registers
+ @{run}/udev/data/c203:@{int} r, # CPU CPUID information
+ @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+ @{run}/udev/data/n@{int} r,
 @{sys}/bus/[a-z]*/devices/ r,
 @{sys}/bus/pci/drivers_probe w,
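Review bot: The thirty explicit `@{run}/udev/data/` rules added here are a hand-copied version of the virtnodedevd list in the `@@ -44,18` and `@@ -71,17` hunks later in this diff, and the two copies already differ (`+hid:*` is present here and absent there), so they will drift further with every edit. If the project has a shared abstraction for udev device data, both profiles should include it; failing that, a comment such as `# keep in sync with virtnodedevd` on the first line of the list would at least point the next editor at the other copy. The inline comments are also inconsistently cased (`# for motherboard info` next to `# For screen outputs`). The profile body continues outside this hunk.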
@@ -235,7 +247,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/devices r,
 @{PROC}/mtrr w,
 @{PROC}/sys/net/ipv{4,6}/** rw,
- @{PROC}/uptime r,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
@@ -253,19 +264,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 /dev/vhost-net rw,
 # Force the use of virt-aa-helper
- audit deny @{sbin}/apparmor_parser rwxl,
+ audit deny @{bin}/apparmor_parser rwxl,
 audit deny @{etc_rw}/apparmor.d/libvirt/** wxl,
 audit deny @{sys}/kernel/security/apparmor/features rwxl,
 audit deny @{sys}/kernel/security/apparmor/matching rwxl,
 audit deny @{sys}/kernel/security/apparmor/.* rwxl,
- profile kmod {
- include
- include
-
- include if exists
- }
-
 profile qemu_bridge_helper {
 include
@@ -284,7 +288,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 /etc/qemu/{,**} r,
- @{PROC}/@{pids}/status r,
+ owner @{PROC}/@{pids}/status r,
 /dev/net/tun rw,
diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper
index b49368f07..c10f44922 100644
--- a/apparmor.d/groups/virt/virt-aa-helper
+++ b/apparmor.d/groups/virt/virt-aa-helper
@@ -19,36 +19,16 @@ profile virt-aa-helper @{exec_path} {
 @{exec_path} mr,
- @{sbin}/apparmor_parser rPx,
+ @{bin}/apparmor_parser rPx,
- @{etc_rw}/apparmor.d/libvirt/* r,
+ /etc/apparmor.d/libvirt/* r,
 @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw,
- @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid}.files rw,
 /etc/libnl{,-3}/classid r, # Allow reading libnl's classid file
 # System VM images
 /var/lib/libvirt/images/{,**} r,
-
- # Openstack Nova base images & snapshots (LP: #907269 #1244694 #1644507)
- /var/lib/nova/images/{,**} r,
- /var/lib/nova/instances/_base/{,**} r,
- /var/lib/nova/instances/snapshots/{,**} r,
- /var/snap/nova-hypervisor/common/instances/_base/{,**} r,
- /var/snap/nova-hypervisor/common/instances/snapshots/{,**} r,
-
- # Eucalyptus disks & loader (LP: #564914 #637544)
- /var/lib/eucalyptus/instances/**/disk* r,
- /var/lib/eucalyptus/instances/**/loader* r,
-
- # For uvtool
- /var/lib/uvtool/libvirt/images/{,**} r,
-
- # For multipass
- /var/snap/multipass/common/data/multipassd/vault/instances/{,**} r,
-
- # Common mount directories
- @{MOUNTDIRS}/{,**} r,
+ /var/lib/nova/instances/_base/* r,
 # User VM images
 @{user_share_dirs}/ r,
@@ -65,6 +45,7 @@ profile virt-aa-helper @{exec_path} {
 @{PROC}/@{pid}/fd/ r,
 @{PROC}/@{pid}/net/psched r,
 deny @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/status r,
 # For gl enabled graphics
 /dev/dri/{,*} r,
diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd
index ae7ac5fa9..905e2c170 100644
--- a/apparmor.d/groups/virt/virtiofsd
+++ b/apparmor.d/groups/virt/virtiofsd
@@ -6,8 +6,8 @@ abi ,
 include
-@{exec_path} = @{lib}/virtiofsd @{lib}/qemu/virtiofsd @{bin}/virtiofsd
-profile virtiofsd @{exec_path} flags=(attach_disconnected) {
+@{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd
+profile virtiofsd @{exec_path} {
 include
 userns,
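Review bot: `/etc/apparmor.d/libvirt/* r,` hard-codes the path while the very next line keeps `@{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw,`, so read and write access to the same directory are now spelled two different ways; `@{etc_rw}/apparmor.d/libvirt/* r,` keeps them consistent on systems where `@{etc_rw}` is not `/etc`. The hunk also removes `@{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid}.files rw,`; if virt-aa-helper still writes the `.files` companion next to each generated guest profile, that write will now be denied and guest start-up will fail, which is worth confirming before merging. Narrowing the Nova, Eucalyptus, uvtool, multipass and `@{MOUNTDIRS}` image reads down to `/var/lib/nova/instances/_base/* r,` is fine as tightening, but each dropped block carried a comment naming its use case and the surviving rule has none, so a one-line `# Openstack Nova base images` above it would keep the intent readable. The profile body continues outside this hunk.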
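Review bot: `profile virtiofsd @{exec_path} {` drops `flags=(attach_disconnected)` from a profile that, per the `@@ -31,13` hunk of the same file, performs `pivot_root` and `umount /` on its share directories; after a pivot the process's open paths are no longer reachable from the namespace root, and without that flag AppArmor denies accesses through such disconnected paths. Unless the flag was removed after verifying a sandboxed share still works, keep `profile virtiofsd @{exec_path} flags=(attach_disconnected) {`. The `@{exec_path}` consolidation to `@{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd` matches the two library paths it replaces.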
@@ -31,13 +31,13 @@ profile virtiofsd @{exec_path} flags=(attach_disconnected) {
 mount options=(rw, rbind) -> @{user_publicshare_dirs}/,
 mount options=(rw, rbind) -> @{user_vm_dirs}/,
- mount options=(rw, rbind) -> @{user_vmshare_dirs}/,
+ mount options=(rw, rbind) -> @{user_vm_shares}/,
 umount /,
 pivot_root @{user_publicshare_dirs}/, # TODO: -> pivoted,
 pivot_root @{user_vm_dirs}/,
- pivot_root @{user_vmshare_dirs}/,
+ pivot_root @{user_vm_shares}/,
 signal (receive) set=term peer=libvirtd,
@@ -50,7 +50,7 @@ profile virtiofsd @{exec_path} flags=(attach_disconnected) {
 @{user_publicshare_dirs}/{,**} r,
 @{user_vm_dirs}/{,**} r,
- @{user_vmshare_dirs}/{,**} r,
+ @{user_vm_shares}/{,**} r,
 owner @{run}/libvirt/qemu/*.pid rw,
diff --git a/apparmor.d/groups/virt/virtlockd b/apparmor.d/groups/virt/virtlockd
index ef28e59e9..ea9336cef 100644
--- a/apparmor.d/groups/virt/virtlockd
+++ b/apparmor.d/groups/virt/virtlockd
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{sbin}/virtlockd
+@{exec_path} = @{bin}/virtlockd
 profile virtlockd @{exec_path} {
 include
diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd
index d362ad108..44bf06ba0 100644
--- a/apparmor.d/groups/virt/virtlogd
+++ b/apparmor.d/groups/virt/virtlogd
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{sbin}/virtlogd
+@{exec_path} = @{bin}/virtlogd
 profile virtlogd @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd
index 2d7df07b6..42e13ef64 100644
--- a/apparmor.d/groups/virt/virtnetworkd
+++ b/apparmor.d/groups/virt/virtnetworkd
@@ -18,7 +18,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{sbin}/dnsmasq rPx,
+ @{bin}/dnsmasq rPx,
 /etc/libvirt/*.conf r,
diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd
index fb593068e..0b48d63fd 100644
--- a/apparmor.d/groups/virt/virtnodedevd
+++ b/apparmor.d/groups/virt/virtnodedevd
@@ -44,18 +44,17 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
 @{run}/utmp rk,
- @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens.
- @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections.
+ @{run}/udev/data/+backlight:* r,
+ @{run}/udev/data/+bluetooth:* r,
 @{run}/udev/data/+dmi:* r, # for motherboard info
 @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs
 @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
- @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.)
+ @{run}/udev/data/+leds:* r,
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
- @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors)
- @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers)
- @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power
+ @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+rfkill:* r,
 @{run}/udev/data/+sound:card@{int} r, # For sound card
- @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices.
+ @{run}/udev/data/+thunderbolt:* r,
 @{run}/udev/data/c1:@{int} r, # For RAM disk
 @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
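Review bot: The rewritten udev rules drop the per-line comments that said which device class each `+subsystem:*` entry exposes (`+backlight`, `+bluetooth`, `+leds`, `+platform`, `+rfkill`, `+thunderbolt`) while the neighbouring context lines keep theirs (`# for motherboard info`, `# For sound card`), leaving the list half documented; a short comment per line, e.g. `@{run}/udev/data/+rfkill:* r, # wireless kill switches`, keeps it auditable. `@{run}/udev/data/+power_supply:* r,` is removed with no replacement, so if virtnodedevd still enumerates power-supply devices that lookup will now be denied. The profile body continues outside this hunk.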
@@ -71,17 +70,17 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/c203:@{int} r, # CPU CPUID information
 @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
 @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
- @{run}/udev/data/n@{int} r, # For network interfaces
+ @{run}/udev/data/n@{int} r,
 @{sys}/**/ r,
- @{sys}/devices/@{pci}/net/{,**} r,
- @{sys}/devices/@{pci}/numa_node r,
- @{sys}/devices/@{pci}/resource r,
- @{sys}/devices/@{pci}/sriov_totalvfs r,
 @{sys}/devices/@{pci}/vpd r,
 @{sys}/devices/**/{class,revision,subsystem_vendor,subsystem_device} r,
 @{sys}/devices/**/{config,device,vendor} r,
 @{sys}/devices/**/uevent r,
+ @{sys}/devices/@{pci}/net/{,**} r,
+ @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r,
+ @{sys}/devices/@{pci}/numa_node r,
+ @{sys}/devices/@{pci}/sriov_totalvfs r,
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node@{int}/meminfo r,
 @{sys}/devices/virtual/dmi/id/{product_name,product_serial,product_uuid,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r,
diff --git a/apparmor.d/groups/virt/xtables b/apparmor.d/groups/virt/xtables
index a10b75dde..71f75b642 100644
--- a/apparmor.d/groups/virt/xtables
+++ b/apparmor.d/groups/virt/xtables
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{sbin}/xtables-nft-multi @{sbin}/xtables-legacy-multi
+@{exec_path} = @{bin}/xtables-nft-multi @{bin}/xtables-legacy-multi
 profile xtables {
 include
 include
diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate
index 325535cce..d39517569 100644
--- a/apparmor.d/groups/whonix/anondate
+++ b/apparmor.d/groups/whonix/anondate
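Review bot: `@{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r,` is entirely covered by the `@{sys}/devices/@{pci}/net/{,**} r,` rule added directly above it, so it grants nothing extra and only leaves a reader two rules to reconcile; drop the narrower line, or drop the `{,**}` line if the intent was to limit the reads to those four attributes. The hunk also removes `@{sys}/devices/@{pci}/resource r,` with no replacement, which will be denied if virtnodedevd still reads it. The profile body continues outside this hunk.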
@@ -19,10 +19,10 @@ profile anondate @{exec_path} {
 @{bin}/cat rix,
 @{bin}/cp rix,
 @{bin}/date rix,
- @{bin}/{,e}grep rix,
+ @{bin}/grep rix,
 @{bin}/minimum-unixtime-show rix,
 @{bin}/rm rix,
- @{bin}/systemd-cat rix,
+ @{bin}/systemd-cat rPx,
 @{bin}/tee rix,
 @{bin}/timeout rix,
 @{bin}/tor-circuit-established-check rix,
diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info
index 23ab3aeb4..51053ccee 100644
--- a/apparmor.d/groups/whonix/pam-info
+++ b/apparmor.d/groups/whonix/pam-info
@@ -14,8 +14,8 @@ profile pam-info @{exec_path} {
 @{exec_path} mr,
 @{sh_path} rix,
- @{sbin}/faillock rix,
- @{bin}/{,e}grep rix,
+ @{bin}/faillock rix,
+ @{bin}/grep rix,
 @{bin}/str_replace rix,
 @{bin}/wc rix,
 @{bin}/whoami rix,
diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads
index 8bdeb2c13..e76570b34 100644
--- a/apparmor.d/groups/whonix/rads
+++ b/apparmor.d/groups/whonix/rads
@@ -19,8 +19,8 @@ profile rads @{exec_path} {
 @{bin}/cat rix,
 @{bin}/chvt rix,
 @{bin}/free rix,
- @{bin}/{m,g,}awk rix,
- @{bin}/{,e}grep rix,
+ @{bin}/gawk rix,
+ @{bin}/grep rix,
 @{bin}/mkdir rix,
 @{bin}/rm rix,
 @{bin}/sed rix,
diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate
index 1e4850e7a..d34f8087c 100644
--- a/apparmor.d/groups/whonix/sdwdate
+++ b/apparmor.d/groups/whonix/sdwdate
@@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) {
 @{bin}/touch rix,
 @{lib}/helper-scripts/* rix,
 @{bin}/url_to_unixtime rix,
- @{bin}/{,e}grep rix,
+ @{bin}/grep rix,
 @{lib}/helper-scripts/ r,
 @{lib}/sdwdate/ r,
diff --git a/apparmor.d/groups/whonix/sdwdate-gui b/apparmor.d/groups/whonix/sdwdate-gui
index 84a6fb379..23c0a6df4 100644
--- a/apparmor.d/groups/whonix/sdwdate-gui
+++ b/apparmor.d/groups/whonix/sdwdate-gui
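Review bot: `@{bin}/grep rix,` replaces `@{bin}/{,e}grep rix,`, so `egrep` is no longer executable from anondate; on distributions where `egrep` is a separate wrapper script rather than a symlink to `grep`, a script calling it will now be denied (AppArmor matches the resolved path of the executable, so a symlink would still be covered). The same substitution is made in the pam-info, rads, sdwdate, systemcheck-canary and torbrowser-wrapper hunks that follow, and rads additionally narrows `{m,g,}awk` to `gawk`, which excludes mawk. If the scripts were checked for `egrep` and `mawk` use, a sentence in the commit message would settle it; otherwise keeping the alternation is the safe choice. The profile body continues outside this hunk.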
@@ -28,7 +28,7 @@ profile sdwdate-gui @{exec_path} {
 @{lib}/sdwdate-gui/log-viewer rix,
 @{lib}/helper-scripts/* rix,
- @{lib}/@{python_name}/dist-packages/sdwdate_gui/__pycache__/ rw,
+ @{lib}/python3/dist-packages/sdwdate_gui/__pycache__/ rw,
 @{lib}/sdwdate-gui/ r,
diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary
index 17bedc43b..4130d9cd9 100644
--- a/apparmor.d/groups/whonix/systemcheck-canary
+++ b/apparmor.d/groups/whonix/systemcheck-canary
@@ -14,7 +14,7 @@ profile systemcheck-canary @{exec_path} {
 @{exec_path} mr,
 @{bin}/sleep rix,
- @{bin}/{,e}grep rix,
+ @{bin}/grep rix,
 @{bin}/whoami rix,
 @{bin}/cat rix,
 @{bin}/date rix,
diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper
index c86d91099..fc20ad0fb 100644
--- a/apparmor.d/groups/whonix/torbrowser-wrapper
+++ b/apparmor.d/groups/whonix/torbrowser-wrapper
@@ -20,7 +20,7 @@ profile torbrowser-wrapper @{exec_path} {
 @{bin}/basename ix,
 @{bin}/cp ix,
 @{bin}/dirname ix,
- @{bin}/{,e}grep ix,
+ @{bin}/grep ix,
 @{bin}/id ix,
 @{bin}/mkdir ix,
 @{bin}/mktemp ix,
diff --git a/apparmor.d/groups/whonix/whonix-firewalld b/apparmor.d/groups/whonix/whonix-firewalld
index 08322714f..01e1cb418 100644
--- a/apparmor.d/groups/whonix/whonix-firewalld
+++ b/apparmor.d/groups/whonix/whonix-firewalld
@@ -29,7 +29,7 @@ profile whonix-firewalld @{exec_path} {
 @{bin}/rm rix,
 @{bin}/touch rix,
 @{bin}/whonix-*-firewall rix,
- @{sbin}/xtables-nft-multi rix,
+ @{bin}/xtables-nft-multi rix,
 @{bin}/qubesdb-read rPUx,
 @{bin}/qubesdb-cmd rPUx,
diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce
index 110da187b..8d91581cb 100644
--- a/apparmor.d/groups/xfce/startxfce
+++ b/apparmor.d/groups/xfce/startxfce
@@ -19,7 +19,6 @@ profile startxfce @{exec_path} {
 @{bin}/mkdir rix,
 @{bin}/id rix,
- @{bin}/xdg-user-dirs-update rPx,
 @{bin}/xfce4-session rPx,
 @{bin}/xrdb rPx,
 @{bin}/systemctl rCx -> systemctl,
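Review bot: `@{lib}/python3/dist-packages/sdwdate_gui/__pycache__/ rw,` in the sdwdate-gui hunk replaces the `@{python_name}` variable with a literal `python3`, trading the tree-wide variable for one hard-coded layout; if `@{python_name}` also matches versioned directories the new rule silently stops matching on those, and in any case the spelling now diverges from how the rest of the tree names Python paths. Unless the variable was removed elsewhere in this change, keep `@{lib}/@{python_name}/dist-packages/sdwdate_gui/__pycache__/ rw,`. The profile body continues outside this hunk.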
@@ -28,8 +27,6 @@ profile startxfce @{exec_path} {
 /etc/X11/xinit/xinitrc.d/{,**} r,
 /etc/xdg/xfce4/{,**} r,
- owner @{HOME}/.Xdefaults r,
-
 profile systemctl flags=(attach_disconnected) {
 include
 include
@@ -39,7 +36,6 @@ profile startxfce @{exec_path} {
 profile dbus {
 include
- include
 @{bin}/dbus-update-activation-environment mr,
diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar
index 10096bce2..d8f04d49c 100644
--- a/apparmor.d/groups/xfce/thunar
+++ b/apparmor.d/groups/xfce/thunar
@@ -7,9 +7,8 @@ abi ,
 include
 @{exec_path} = @{bin}/thunar
-profile thunar @{exec_path} flags=(attach_disconnected) {
+profile thunar @{exec_path} {
 include
- include
 include
 include
 include
@@ -18,10 +17,6 @@ profile thunar @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- #aa:dbus own bus=session name=org.xfce.Thunar
- #aa:dbus own bus=session name=org.xfce.FileManager
- #aa:dbus own bus=session name=org.freedesktop.FileManager1
-
 @{exec_path} mr,
 @{bin}/thunar-volman rPx,
@@ -35,7 +30,6 @@ profile thunar @{exec_path} flags=(attach_disconnected) {
 /etc/fstab r,
 /etc/timezone r,
- /etc/xdg/{,xdg-xubuntu/}Thunar/{,**} r,
 # Full access to user's data
 / r,
@@ -49,20 +43,15 @@ profile thunar @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/{,**} rw,
 owner @{tmp}/{,**} rw,
- @{run}/mount/utab r,
-
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
-
- owner @{PROC}/@{pid}/mountinfo r,
-
 # Silence non user's data
- deny @{efi}/{,**} r,
+ deny /boot/{,**} r,
 deny /opt/{,**} r,
 deny /root/{,**} r,
 deny /tmp/.* rw,
 deny /tmp/.*/{,**} rw,
+ owner @{PROC}/@{pid}/mountinfo r,
+
 profile dbus {
 include
 include
diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman
index 41e098548..350255834 100644
--- a/apparmor.d/groups/xfce/thunar-volman
+++ b/apparmor.d/groups/xfce/thunar-volman
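Review bot: The three `#aa:dbus own bus=session name=...` directives are deleted from thunar in the `@@ -18,10` hunk, and the same removal recurs in the tumblerd, xfce-clipman-settings, xfce-notifyd, xfce-panel, xfce-power-manager, xfce-screensaver, xfce-session, xfce-terminal, xfconfd, xfdesktop and xfsettingsd hunks that follow. These directives appear to be what the project's build step expands into the `dbus bind` and `receive` rules for the named well-known names (the libvirt-dbus hunk earlier in this diff keeps its two `#aa:dbus own` lines as context, so the mechanism is still in use); if so, each of these programs will now be denied when it claims its bus name, and nothing in the rewritten hunks replaces those rules. That is worth confirming against the rendered profiles, or stating in the commit message why the names are no longer owned. The profile body continues outside this hunk.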
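Review bot: `deny /boot/{,**} r,` in the thunar `@@ -49,20` hunk hard-codes the boot path where the replaced line used `@{efi}/{,**}`, so the silencing rule now covers only `/boot/` and no longer follows the variable if it also names a separate EFI mount point; keeping `deny @{efi}/{,**} r,` keeps this profile in line with the rest of the tree. The hunk also removes `@{run}/mount/utab r,` and the two `cpu.max` reads with no replacement; a file manager commonly reads `utab` to list user mounts, so if thunar still does, that read will now be denied and logged. The profile body continues outside this hunk.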
@@ -9,7 +9,6 @@ include
 @{exec_path} = @{bin}/thunar-volman
 profile thunar-volman @{exec_path} {
 include
- include
 include
 include
diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd
index 3ba81c688..99971abb8 100644
--- a/apparmor.d/groups/xfce/tumblerd
+++ b/apparmor.d/groups/xfce/tumblerd
@@ -9,30 +9,18 @@ include
 @{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd
 profile tumblerd @{exec_path} {
 include
- include
- include
- include
 include
 include
 include
- #aa:dbus own bus=session name=org.freedesktop.thumbnails.Cache1
- #aa:dbus own bus=session name=org.freedesktop.thumbnails.Manager1
- #aa:dbus own bus=session name=org.freedesktop.thumbnails.Thumbnailer1
-
 @{exec_path} mr,
- @{bin}/gdk-pixbuf-thumbnailer rPx,
-
 /usr/share/backgrounds/xfce/{,**} r,
 /usr/share/thumbnailers/{,**} r,
 /etc/fstab r,
 /etc/xdg/tumbler/* r,
- owner /tmp/tumbler-@{rand6}.png r,
- owner /tmp/tumbler-@{rand6}.??? w,
-
 owner @{PROC}/@{pid}/mountinfo r,
 /dev/ r,
diff --git a/apparmor.d/groups/xfce/xfce-clipman b/apparmor.d/groups/xfce/xfce-clipman
deleted file mode 100644
index 270f7266f..000000000
--- a/apparmor.d/groups/xfce/xfce-clipman
+++ /dev/null
@@ -1,31 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 Alexandre Pujol
-# Copyright (C) 2025 Sighy Brantler
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/xfce4-clipman
-profile xfce-clipman @{exec_path} {
- include
- include
- include
- include
-
- @{exec_path} mr,
-
- /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r,
-
- owner @{user_cache_dirs}/xfce4/clipman/ r,
- owner @{user_cache_dirs}/xfce4/clipman/* rw,
-
- owner @{user_config_dirs}/autostart/ r,
- owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop rw,
- owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop.@{rand6} rw,
-
- include if exists
-}
-
-# vim:syntax=apparmor
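Review bot: `@{bin}/gdk-pixbuf-thumbnailer rPx,` is removed from tumblerd in the `@@ -9,30` hunk with no other exec rule taking its place, so tumblerd can no longer launch that thumbnailer at all; if it is still registered under `/usr/share/thumbnailers/` (which the profile keeps readable), every image thumbnail request will be denied and logged. Keeping the line is also the safer shape for a daemon that decodes untrusted files, since `rPx` hands the decoding to the thumbnailer's own, narrower profile rather than running it inside tumblerd. The two removed `owner /tmp/tumbler-@{rand6}.*` rules likewise need checking against the audit log. The profile body continues outside this hunk.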
diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings
index 021a377b8..248d60b7e 100644
--- a/apparmor.d/groups/xfce/xfce-clipman-settings
+++ b/apparmor.d/groups/xfce/xfce-clipman-settings
@@ -9,11 +9,8 @@ include
 @{exec_path} = @{bin}/xfce4-clipman-settings
 profile xfce-clipman-settings @{exec_path} {
 include
- include
 include
- #aa:dbus own bus=session name=org.xfce.clipman.settings
-
 @{exec_path} mr,
 @{open_path} rPx -> child-open-help,
diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd
index be813a84d..f5c80e07c 100644
--- a/apparmor.d/groups/xfce/xfce-notifyd
+++ b/apparmor.d/groups/xfce/xfce-notifyd
@@ -10,7 +10,6 @@ include
 @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd
 profile xfce-notifyd @{exec_path} {
 include
- include
 include
 include
 include
@@ -23,9 +22,6 @@ profile xfce-notifyd @{exec_path} {
 network inet6 stream,
 network netlink raw,
- #aa:dbus own bus=session name=org.xfce.Notifyd
- #aa:dbus own bus=session name=org.freedesktop.Notifications
-
 @{exec_path} mr,
 owner @{user_cache_dirs}/xfce4/notifyd/ rw,
diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel
index 00c5d8700..7b192ffc5 100644
--- a/apparmor.d/groups/xfce/xfce-panel
+++ b/apparmor.d/groups/xfce/xfce-panel
@@ -9,21 +9,12 @@ include
 @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0
 profile xfce-panel @{exec_path} {
 include
- include
- include
- include
- include
 include
 include
 include
 include
 include
- ptrace (read) peer=xfce-terminal,
-
- #aa:dbus own bus=session name=org.xfce.Panel
- #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher
-
 @{exec_path} mr,
 @{bin}/exo-open rix,
@@ -35,7 +26,6 @@ profile xfce-panel @{exec_path} {
 @{bin}/sudo rCx -> root,
 /usr/share/desktop-directories/{,**} r,
- /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
 /usr/share/livecheck/** r,
 /usr/share/xfce4/{,**} r,
@@ -43,20 +33,15 @@ profile xfce-panel @{exec_path} {
 /etc/machine-id r,
 /etc/timezone r,
 /etc/xdg/menus/{,**} r,
- /etc/xdg/{,xdg-xubuntu/}xfce4/{,**} r,
+ /etc/xdg/xfce4/{,**} r,
 owner @{user_cache_dirs}/xfce4/notifyd/icons/ rw,
- owner @{user_cache_dirs}/xfce4-indicator-plugin.log w,
 owner @{user_config_dirs}/xfce4/panel/{,**} rw,
- owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} w,
-
 @{PROC}/cmdline r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/mountinfo r,
- deny @{user_share_dirs}/gvfs-metadata/{,*} r,
-
 profile root {
 include
 include
diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager
index 11ccca455..1c2a0263d 100644
--- a/apparmor.d/groups/xfce/xfce-power-manager
+++ b/apparmor.d/groups/xfce/xfce-power-manager
@@ -9,15 +9,9 @@ include
 @{exec_path} = @{bin}/xfce4-power-manager
 profile xfce-power-manager @{exec_path} flags=(attach_disconnected) {
 include
- include
- include
- include
 include
 include
- #aa:dbus own bus=session name=org.xfce.PowerManager
- #aa:dbus own bus=session name=org.freedesktop.PowerManagement
-
 @{exec_path} mr,
 @{bin}/xfpm-power-backlight-helper rPx,
diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver
index e9e19cca5..e486ac6d9 100644
--- a/apparmor.d/groups/xfce/xfce-screensaver
+++ b/apparmor.d/groups/xfce/xfce-screensaver
@@ -9,14 +9,11 @@ include
 @{exec_path} = @{bin}/xfce4-screensaver
 profile xfce-screensaver @{exec_path} flags=(attach_disconnected) {
 include
- include
 include
 include
 include
 include
- #aa:dbus own bus=session name=org.xfce.ScreenSaver
-
 @{exec_path} mr,
 @{sh_path} rix,
diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors
index c1bd98111..e7ee1080b 100644
--- a/apparmor.d/groups/xfce/xfce-sensors
+++ b/apparmor.d/groups/xfce/xfce-sensors
@@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} {
 @{sys}/class/hwmon/ r,
 @{sys}/class/power_supply/ r,
 @{sys}/class/thermal/ r,
- @{sys}/devices/@{pci}/i2c-*/{,**/}name r,
+ @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r,
 @{sys}/devices/**/hwmon@{int}/ r,
 @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
 @{sys}/devices/**/hwmon@{int}/**/ r,
diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session
index be0f5c73d..17007122e 100644
--- a/apparmor.d/groups/xfce/xfce-session
+++ b/apparmor.d/groups/xfce/xfce-session
@@ -9,9 +9,6 @@ include
 @{exec_path} = @{bin}/xfce4-session
 profile xfce-session @{exec_path} flags=(attach_disconnected) {
 include
- include
- include
- include
 include
 include
 include
@@ -19,8 +16,6 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) {
 signal (receive) set=(term) peer=lightdm,
- #aa:dbus own bus=session name=org.xfce.SessionManager
-
 @{exec_path} mr,
 @{sh_path} rix,
@@ -38,7 +33,6 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) {
 @{lib}/msgcollector/msgdispatcher_xdg_autostart rPx,
 @{lib}/sdwdate-gui/start-maybe rPx,
 @{lib}/setup-wizard-dist/setup-dist_check_for_start rPx,
- @{lib}/xapps/sn-watcher/xapp-sn-watcher rPUx,
 /usr/share/kde-power-savings-disable-in-vms/{,**} r,
 /usr/share/kde-screen-locker-disable-in-vms/{,**} r,
@@ -54,15 +48,11 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) {
 /etc/xdg/autostart/*.desktop r,
 owner @{user_cache_dirs}/sessions/{,**} rw,
- owner @{user_config_dirs}/autostart/ r,
- owner @{user_config_dirs}/autostart/*.desktop r,
 owner @{tmp}/.xfsm-ICE-@{rand6} rw,
 owner @{PROC}/@{pid}/stat r,
- @{sys}/class/i2c-adapter/ r,
-
 /dev/tty rw,
 profile systemctl flags=(attach_disconnected) {
diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal
index 0f8836326..342ffd3b4 100644
--- a/apparmor.d/groups/xfce/xfce-terminal
+++ b/apparmor.d/groups/xfce/xfce-terminal
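Review bot: In the xfce-session `@@ -54,15` hunk, `owner @{user_config_dirs}/autostart/ r,` and `owner @{user_config_dirs}/autostart/*.desktop r,` are removed while the system-wide `/etc/xdg/autostart/*.desktop r,` context line stays, so the session manager may still read system autostart entries but no longer the user's own; if xfce4-session still scans the per-user autostart directory, those reads will be denied and the user's entries silently skipped. Unless the per-user path is now granted by an abstraction included elsewhere, keep the two lines. The profile body continues outside this hunk.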
@@ -9,19 +9,11 @@ include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include - include - include - include include include - include include include - signal send, - - #aa:dbus own bus=session name=org.xfce.Terminal5 - @{exec_path} mr, @{open_path} rPx -> child-open-help, @@ -34,10 +26,7 @@ profile xfce-terminal @{exec_path} { @{bin}/micro rPUx, @{bin}/nvtop rPx, - @{editor_path} rPUx, - /usr/share/ r, - /usr/share/desktop-base/profiles/xdg-config/ r, /usr/share/xfce4/ r, /usr/share/xfce4/terminal/{,**} r, @@ -45,7 +34,6 @@ profile xfce-terminal @{exec_path} { /etc/xdg/ r, /etc/xdg/xfce4/ r, - owner @{user_config_dirs}/xfce4/ r, owner @{user_config_dirs}/xfce4/terminal/{,**} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd index 9cd273544..0ab17ac5c 100644 --- a/apparmor.d/groups/xfce/xfconfd +++ b/apparmor.d/groups/xfce/xfconfd @@ -10,14 +10,11 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/xfconf/xfconfd profile xfconfd @{exec_path} { include - include include - #aa:dbus own bus=session name=org.xfce.Xfconf - @{exec_path} mr, - /etc/xdg/{,xdg-xubuntu/}xfce4/xfconf/** r, + /etc/xdg/xfce4/xfconf/** r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index 6bc5ec15c..d19e3de63 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -10,22 +10,14 @@ include profile xfdesktop @{exec_path} { include include - include - include include include include - #aa:dbus own bus=session name=org.xfce.xfdesktop - @{exec_path} mr, @{bin}/xfce4-mime-helper rix, - /etc/xdg/{,xdg-xubuntu/}xfce4/helpers.rc r, - /etc/xdg/menus/{,*.menu} r, - /usr/share/xfce4/helpers/{,*.desktop} r, - /usr/share/desktop-directories/{,*.directory} r, /usr/share/backgrounds/xfce/{,**} r, /etc/fstab r, diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index d3f88c196..3eec3377f 100644 
--- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -10,13 +10,8 @@ include profile xfsettingsd @{exec_path} { include include - include - include - include include - #aa:dbus own bus=session name=org.xfce.SettingsDaemon - @{exec_path} mr, /etc/xdg/autostart/xfsettingsd.desktop r, diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index c41e5254f..d7af2ccb9 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfwm4 profile xfwm @{exec_path} { include - include include include include diff --git a/apparmor.d/mappings/login/base b/apparmor.d/mappings/login/base deleted file mode 100644 index f74b90418..000000000 --- a/apparmor.d/mappings/login/base +++ /dev/null @@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# It is used by login to run pre login scripts (as root) such as the motd. -# After the login, Apparmor libpam will transition to the roles defined in -# other files under - - @{shells_path} rCx -> shell, - - profile shell flags=(attach_disconnected) { - include - include - include - - @{shells_path} rix, - @{bin}/env rix, - @{bin}/run-parts rix, #aa:only apt - - #aa:only apt - /etc/update-motd.d/ r, - /etc/update-motd.d/* rPx, - /usr/share/landscape/landscape-sysinfo.wrapper rPx, - - @{run}/motd.dynamic.new rw, #aa:only apt - - include if exists - } - -# vim:syntax=apparmor diff --git a/apparmor.d/mappings/sshd/base b/apparmor.d/mappings/sshd/base deleted file mode 100644 index dd9218d9c..000000000 --- a/apparmor.d/mappings/sshd/base +++ /dev/null 
@@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# It is used by login to run pre login scripts (as root) such as the motd. -# After the login, Apparmor libpam will transition to the roles defined in -# other files under - - @{shells_path} rCx -> shell, - - profile shell flags=(attach_disconnected) { - include - include - include - - @{shells_path} rix, - @{bin}/env rix, - @{bin}/run-parts rix, #aa:only apt - - #aa:only apt - /etc/update-motd.d/ r, - /etc/update-motd.d/* rPx, - /usr/share/landscape/landscape-sysinfo.wrapper rPx, - - @{run}/motd.dynamic.new rw, #aa:only apt - - include if exists - } - -# vim:syntax=apparmor diff --git a/apparmor.d/mappings/sudo/base b/apparmor.d/mappings/sudo/base deleted file mode 100644 index 95e395501..000000000 --- a/apparmor.d/mappings/sudo/base +++ /dev/null @@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# It is used by su/sudo to run pre login scripts (as root) such as the motd. -# After the login, Apparmor libpam will transition to the roles defined in -# other files under - - @{shells_path} rCx -> shell, - - profile shell flags=(attach_disconnected) { - include - include - include - - @{shells_path} rix, - @{bin}/env rix, - @{bin}/run-parts rix, #aa:only apt - - #aa:only apt - /etc/update-motd.d/ r, - /etc/update-motd.d/* rPx, - /usr/share/landscape/landscape-sysinfo.wrapper rPx, - - @{run}/motd.dynamic.new rw, #aa:only apt - - include if exists - } - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apparmor/aa-enabled b/apparmor.d/profiles-a-f/aa-enabled similarity index 100% rename from apparmor.d/groups/apparmor/aa-enabled rename to apparmor.d/profiles-a-f/aa-enabled 
diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce similarity index 79% rename from apparmor.d/groups/apparmor/aa-enforce rename to apparmor.d/profiles-a-f/aa-enforce index 1f8368045..da4d63460 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/aa-enforce @{sbin}/aa-complain @{sbin}/aa-audit @{sbin}/aa-disable +@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit @{bin}/aa-disable profile aa-enforce @{exec_path} { include include @@ -16,8 +16,8 @@ profile aa-enforce @{exec_path} { @{exec_path} mr, - @{sbin}/ r, - @{sbin}/apparmor_parser rPx, + @{bin}/ r, + @{bin}/apparmor_parser rPx, /usr/share/terminfo/** r, @@ -31,7 +31,7 @@ profile aa-enforce @{exec_path} { owner /var/lib/snapd/apparmor/{,**} rw, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/profiles-a-f/aa-log similarity index 56% rename from apparmor.d/groups/apparmor/aa-log rename to apparmor.d/profiles-a-f/aa-log index 1a3e0aeff..39c42d435 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -16,32 +16,21 @@ profile aa-log @{exec_path} { @{exec_path} mr, - @{bin}/journalctl rCx -> journalctl, + @{bin}/journalctl rix, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, /var/log/audit/* r, /var/log/syslog* r, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/{,*} r, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + /dev/tty@{int} rw, - profile journalctl { - include - include - - capability sys_resource, - - @{bin}/journalctl mr, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/{,*} r, - - @{PROC}/sys/kernel/random/boot_id r, - - include if exists - } - include if exists } 
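Review bot: Replacing `@{bin}/journalctl rCx -> journalctl` with `rix` in aa-log means journalctl now inherits the aa-log profile, so any permission journalctl needs must be granted to aa-log as a whole; the old child profile's `capability sys_resource` and `@{PROC}/sys/kernel/random/boot_id r` were scoped to journalctl only and neither is carried over. If journalctl still needs them the inlined exec will fail in enforce mode, and if they are added back they now apply to the whole aa-log profile. A tighter option is `@{bin}/journalctl rPx,` if a dedicated journalctl profile exists in the tree, otherwise keep the `rCx` child profile.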
diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify new file mode 100644 index 000000000..7e901509f --- /dev/null +++ b/apparmor.d/profiles-a-f/aa-notify @@ -0,0 +1,49 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/aa-notify +profile aa-notify @{exec_path} { + include + include + include + include + include + + capability setgid, + capability setuid, + capability sys_ptrace, + + ptrace read, + + @{exec_path} mr, + + @{bin}/ r, + + /usr/share/terminfo/** r, + + @{etc_ro}/inputrc r, + @{etc_ro}/inputrc.keys r, + /etc/apparmor.d/{,**} r, + /etc/apparmor/*.conf r, + + /var/log/audit/audit.log r, + + owner @{HOME}/.inputrc r, + owner @{HOME}/.terminfo/@{int}/dumb r, + + owner @{tmp}/@{rand8} rw, + owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apparmor/aa-status b/apparmor.d/profiles-a-f/aa-status similarity index 81% rename from apparmor.d/groups/apparmor/aa-status rename to apparmor.d/profiles-a-f/aa-status index 9badb78c1..a48dc693c 100644 --- a/apparmor.d/groups/apparmor/aa-status +++ b/apparmor.d/profiles-a-f/aa-status @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/aa-status @{sbin}/apparmor_status +@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status profile aa-status @{exec_path} { include include @@ -22,8 +22,8 @@ profile aa-status @{exec_path} { @{sys}/module/apparmor/parameters/enabled r, @{PROC}/ r, - @{PROC}/@{pid}/attr/apparmor/current r, - @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pids}/attr/apparmor/current r, + @{PROC}/@{pids}/attr/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, 
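Review bot: The new aa-notify profile grants `capability sys_ptrace` and an unrestricted `ptrace read` (no `peer=`), which together allow reading the state of every process on the system; combined with `@{PROC}/@{pid}/cmdline r` this is broad for a log-watching tool. What aa-notify actually inspects is not visible here, so if it only needs to find the user's session process a scoped rule such as `ptrace (read) peer=unconfined,` or a `peer=` matching the relevant label would be preferable. The `capability setgid`/`capability setuid` pair also deserves a one-line why-comment (presumably dropping privileges when run via sudo; please confirm), as bare capability grants in a new profile are hard to audit later.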
diff --git a/apparmor.d/groups/apparmor/aa-teardown b/apparmor.d/profiles-a-f/aa-teardown similarity index 93% rename from apparmor.d/groups/apparmor/aa-teardown rename to apparmor.d/profiles-a-f/aa-teardown index 059766181..b625ad8c6 100644 --- a/apparmor.d/groups/apparmor/aa-teardown +++ b/apparmor.d/profiles-a-f/aa-teardown @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/aa-teardown +@{exec_path} = @{bin}/aa-teardown profile aa-teardown @{exec_path} { include include diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/profiles-a-f/aa-unconfined similarity index 88% rename from apparmor.d/groups/apparmor/aa-unconfined rename to apparmor.d/profiles-a-f/aa-unconfined index 7308a5ef0..08c401270 100644 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/profiles-a-f/aa-unconfined @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/aa-unconfined +@{exec_path} = @{bin}/aa-unconfined profile aa-unconfined @{exec_path} flags=(attach_disconnected) { include include @@ -21,7 +21,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/netstat Px, - @{sbin}/ss Px, + @{bin}/ss Px, /usr/share/terminfo/** r, @@ -29,7 +29,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{etc_ro}/inputrc r, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, owner /var/tmp/@{rand8} rw, @{PROC}/ r, diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi index 3b42be234..2914180e6 100644 --- a/apparmor.d/profiles-a-f/acpi +++ b/apparmor.d/profiles-a-f/acpi @@ -19,6 +19,7 @@ profile acpi @{exec_path} flags=(complain) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/virtual/thermal/{,**} r, + include if exists } diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index fd1d0af03..796194146 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn 
+++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -13,10 +13,11 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{e,}grep rix, - @{sbin}/killall5 rix, + @{bin}/killall5 rix, @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, + @{bin}/shutdown rix, /etc/acpi/powerbtn.sh rix, @{bin}/dbus-send Cx -> bus, diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 4985bca3a..5bf6c433a 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/acpid +@{exec_path} = @{bin}/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index 039518b51..9103b25b3 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/adduser +@{exec_path} = @{bin}/add{user,group} profile adduser @{exec_path} { include include @@ -24,6 +24,7 @@ profile adduser @{exec_path} { capability sys_admin, # For logger @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, @{bin}/find rix, @@ -33,12 +34,12 @@ profile adduser @{exec_path} { @{bin}/chage rPx, @{bin}/chfn rPx, @{bin}/gpasswd rPx, - @{sbin}/groupadd rPx, - @{sbin}/groupdel rPx, + @{bin}/groupadd rPx, + @{bin}/groupdel rPx, @{bin}/passwd rPx, - @{sbin}/useradd rPx, - @{sbin}/userdel rPx, - @{sbin}/usermod rPx, + @{bin}/useradd rPx, + @{bin}/userdel rPx, + @{bin}/usermod rPx, /etc/{group,passwd,shadow} r, /etc/adduser.conf r, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 7025f9787..6f2e1d5c7 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate 
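Review bot: `@{bin}/shutdown rix` in acpi-powerbtn runs shutdown inside the acpi-powerbtn profile itself; on systemd hosts shutdown is a symlink to systemctl, and nothing in the visible rules (grep, pgrep, pinky, sed and the dbus-send child profile) looks like what systemctl needs to talk to PID 1. The existing `@{bin}/dbus-send Cx -> bus` shows the profile already prefers confined transitions for helpers, so for consistency and least privilege use `@{bin}/shutdown rPx -> systemctl,` if a systemctl profile exists, or a dedicated child profile otherwise. The rest of the acpi-powerbtn profile is outside the hunk, so a rule elsewhere may already cover this.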
@@ -17,8 +17,9 @@ profile adequate @{exec_path} flags=(complain) { #capability sys_tty_config, @{exec_path} r, + @{bin}/perl r, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, # It wants to ldd all binaries/libs in packages. @{bin}/ldd rCx -> ldd, @@ -54,12 +55,14 @@ profile adequate @{exec_path} flags=(complain) { @{bin}/* mr, /usr/games/* mr, + @{lib}{,x}/** mr, @{lib}/@{multiarch}/** mr, /usr/share/** r, /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr, @{lib}/@{multiarch}/ld-*.so rix, + @{lib}{,x}32/ld-*.so rix, include if exists } @@ -71,6 +74,7 @@ profile adequate @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, + @{bin}/perl r, @{bin}/adequate rPx, @@ -88,7 +92,7 @@ profile adequate @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/utils/agetty b/apparmor.d/profiles-a-f/agetty similarity index 88% rename from apparmor.d/groups/utils/agetty rename to apparmor.d/profiles-a-f/agetty index 9ae450196..9e6db414e 100644 --- a/apparmor.d/groups/utils/agetty +++ b/apparmor.d/profiles-a-f/agetty @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/agetty +@{exec_path} = @{bin}/agetty profile agetty @{exec_path} { include include @@ -20,20 +20,19 @@ profile agetty @{exec_path} { network netlink raw, - signal receive set=hup peer=@{p_systemd}, - @{exec_path} mr, @{bin}/login rPx, - @{etc_ro}/login.defs r, - @{etc_ro}/login.defs.d/{,*} r, @{etc_rw}/issue r, /{,usr/}lib/os-release r, /{etc,run,lib,usr/lib}/issue r, /{etc,run,lib,usr/lib}/issue.d/{,*} r, /etc/inittab r, + /etc/login.defs r, + /etc/login.defs.d/{,*} r, /etc/os-release r, + /usr/etc/login.defs r, @{run}/credentials/getty@tty@{int}.service/ r, @{run}/credentials/serial-getty@ttyS@{int}.service/ r, 
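Review bot: Dropping `signal receive set=hup peer=@{p_systemd}` from agetty is risky: as far as I recall systemd's stock getty@.service sets SendSIGHUP=yes, so on stop/restart the HUP from PID 1 would now be denied and logged in enforce mode. Unless a remaining include grants signal receipt from systemd, keep `signal (receive) set=hup peer=@{p_systemd},`. Separately, `@{etc_ro}/login.defs.d/{,*} r` was replaced by `/etc/login.defs.d/{,*} r` plus `/usr/etc/login.defs r`, which leaves `/usr/etc/login.defs.d/` uncovered on layouts where the original `@{etc_ro}` variable was resolving to /usr/etc.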
diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 87908dc9e..7ebb3b629 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -7,17 +7,16 @@ abi , include @{exec_path} = @{bin}/alacarte -profile alacarte @{exec_path} flags=(attach_disconnected) { +profile alacarte @{exec_path} { include - include include include include @{exec_path} mr, - @{python_path} rix, + @{bin}/python3.@{int} rix, - @{lib}/@{python_name}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, + @{lib}/python3.@{int}/site-packages/Alacarte/{,**/}__pycache__/*.cpython-@{int}.*.pyc.@{int} w, /usr/share/alacarte/{,**} r, /usr/share/desktop-directories/{,**} r, @@ -31,11 +30,6 @@ profile alacarte @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl index adf0d5cd3..b2b97a62a 100644 --- a/apparmor.d/profiles-a-f/alsactl +++ b/apparmor.d/profiles-a-f/alsactl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/alsactl +@{exec_path} = @{bin}/alsactl profile alsactl @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/amule b/apparmor.d/profiles-a-f/amule index ce600200a..b54e62022 100644 --- a/apparmor.d/profiles-a-f/amule +++ b/apparmor.d/profiles-a-f/amule @@ -27,7 +27,7 @@ profile amule @{exec_path} { # @{open_path} rPx -> child-open, @{exec_path} mr, - @{bin}/uname rix, + @{bin}/uname rPx, @{sh_path} rix, @{system_share_dirs}/amule/{,**} r, owner @{HOME}/.aMule/{,**} rwk, 
diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/profiles-a-f/anacron similarity index 79% rename from apparmor.d/groups/cron/anacron rename to apparmor.d/profiles-a-f/anacron index 3acfc14fd..3e7c9d092 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/profiles-a-f/anacron @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/anacron +@{exec_path} = @{bin}/anacron profile anacron @{exec_path} { include include @@ -17,7 +17,7 @@ profile anacron @{exec_path} { @{sh_path} rix, @{bin}/run-parts rCx -> run-parts, - @{sbin}/exim4 rPx, + @{bin}/exim4 rPx, / r, /etc/anacrontab r, @@ -26,9 +26,7 @@ profile anacron @{exec_path} { @{HOME}/ r, - @{tmp}/file@{rand6} rw, - /tmp/anacron-@{rand6} rw, - /tmp/anacron-@{rand6}@{c} rw, + /tmp/file* rw, profile run-parts { include @@ -41,9 +39,6 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, - /tmp/anacron-@{rand6} rw, - /tmp/anacron-@{rand6}@{c} rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index 43ecdb0cd..b7e4a127b 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -41,7 +41,7 @@ profile anyremote @{exec_path} { @{bin}/tail rix, @{bin}/tr rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/convert-im6.q16 rCx -> imagemagic, @{bin}/killall rCx -> killall, @@ -81,8 +81,8 @@ profile anyremote @{exec_path} { /usr/share/anyremote/cfg-data/Icons/common/*.png r, - /usr/share/ImageMagick-@{int}/*.xml rw, - /etc/ImageMagick-@{int}/*.xml r, + /usr/share/ImageMagick-[0-9]/*.xml rw, + /etc/ImageMagick-[0-9]/*.xml r, owner @{HOME}/.anyRemote/*.png rw, owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r, diff --git a/apparmor.d/profiles-a-f/aplay b/apparmor.d/profiles-a-f/aplay index eba042635..fb4f2cb85 100644 --- a/apparmor.d/profiles-a-f/aplay +++ b/apparmor.d/profiles-a-f/aplay 
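Review bot: `/tmp/file* rw` in the anacron profile is wider than the rules it replaces: it drops the `owner` qualifier and the `@{rand6}` suffix, so a root-context daemon can now read and write any `/tmp/file*` path regardless of who created it, which is the classic setup for a temp-file symlink race. The run-parts child profile in the same file still uses `owner @{tmp}/file@{rand6} rw`, so the parent should match it: `owner @{tmp}/file@{rand6} rw,`. If the `anacron-@{rand6}` temp files are still created, keep those two `owner`-qualified lines as well rather than relying on the prefix glob.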
@@ -19,8 +19,6 @@ profile aplay @{exec_path} flags=(complain) { owner @{HOME}/.Xauthority r, - /dev/snd/controlC@{int} rw, - include if exists } diff --git a/apparmor.d/groups/apparmor/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd similarity index 76% rename from apparmor.d/groups/apparmor/apparmor.systemd rename to apparmor.d/profiles-a-f/apparmor.systemd index f58512a02..75394f5de 100644 --- a/apparmor.d/groups/apparmor/apparmor.systemd +++ b/apparmor.d/profiles-a-f/apparmor.systemd @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/apparmor/apparmor.systemd -profile apparmor.systemd @{exec_path} { +profile apparmor.systemd @{exec_path} flags=(complain) { include include include @@ -19,14 +19,14 @@ profile apparmor.systemd @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, - @{sbin}/aa-status rPx, - @{sbin}/apparmor_parser rPx, + @{bin}/aa-status rPx, + @{bin}/apparmor_parser rPx, @{bin}/getconf rix, @{bin}/ls rix, @{bin}/sed rix, @{bin}/cat rix, @{bin}/sort rix, - @{sbin}/sysctl rCx -> sysctl, + @{bin}/sysctl rix, @{bin}/systemd-detect-virt rPx, @{bin}/xargs rix, @@ -43,19 +43,10 @@ profile apparmor.systemd @{exec_path} { @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/mounts r, + @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, /dev/tty rw, - profile sysctl { - include - - @{sbin}/sysctl mr, - - @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser similarity index 83% rename from apparmor.d/groups/apparmor/apparmor_parser rename to apparmor.d/profiles-a-f/apparmor_parser index a5769931c..19c0f6902 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser 
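Review bot: Switching apparmor.systemd to `flags=(complain)` downgrades the profile that loads the policy set itself from enforce to log-only, and the only functional change in the same file is the `@{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r` rule now granted directly (after inlining sysctl as `rix`), which already fixes the obvious denial. If complain is the project's marker for "not yet validated on all targets" a comment saying which target still fails would help; otherwise the flag looks unnecessary and should be dropped so regressions in this loader show up as denials in CI rather than silently passing.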
@@ -6,9 +6,9 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} -@{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser +@{exec_path} = @{bin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { include include @@ -17,7 +17,6 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{lib_dirs}/@{multiarch}/** mr, @{lib_dirs}/snapd/apparmor.d/{,**} r, @{lib_dirs}/snapd/apparmor/{,**} r, @@ -46,7 +45,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit - /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? + deny /apparmor/.null rw, include if exists } diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index f2231479d..36ca9555f 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -24,7 +24,6 @@ profile appstreamcli @{exec_path} flags=(complain) { /usr/share/app-info/{,**} r, /usr/share/appdata/ r, - /usr/share/byobu/desktop/{,**} r, /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/metainfo/ r, /usr/share/metainfo/*.{metainfo,appdata}.xml r, diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr index 77bf1bf96..e260321e6 100644 --- a/apparmor.d/profiles-a-f/arandr +++ b/apparmor.d/profiles-a-f/arandr @@ -19,7 +19,7 @@ profile arandr @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{bin}/xrandr rPx, diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount index d445df0e2..64f25e181 100644 --- a/apparmor.d/profiles-a-f/archivemount +++ b/apparmor.d/profiles-a-f/archivemount 
@@ -24,19 +24,33 @@ profile archivemount @{exec_path} { owner @{HOME}/*/ r, owner @{HOME}/*/*/ r, + mount fstype=fuse.archivemount -> @{HOME}/*/, + mount fstype=fuse.archivemount -> @{HOME}/*/*/, + + /dev/fuse rw, + profile fusermount { include - include + include + + # To mount anything: + capability sys_admin, + + @{bin}/fusermount{,3} mr, mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/, mount fstype={fuse,fuse.archivemount} -> @{HOME}/*/*/, - umount @{HOME}/*/, - umount @{HOME}/*/*/, + /dev/fuse rw, + /etc/fuse.conf r, + + owner @{HOME}/ r, /**.{tar,tar.gz,zip} r, /**.{TAR,TAR.GZ,ZIP} r, + @{PROC}/@{pid}/mounts r, + include if exists } diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell index 629caca10..16b5b6f6d 100644 --- a/apparmor.d/profiles-a-f/aspell +++ b/apparmor.d/profiles-a-f/aspell @@ -16,7 +16,7 @@ profile aspell @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - @{lib}/aspell/{,*} r, + /usr/lib/aspell/{,*} r, /var/lib/aspell/{,*} r, /var/lib/aspell/*.rws rw, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 14feb75df..769f15cf0 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -7,13 +7,14 @@ abi , include -@{exec_path} = @{sbin}/aspell-autobuildhash +@{exec_path} = @{bin}/aspell-autobuildhash profile aspell-autobuildhash @{exec_path} flags=(complain) { include include include @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, @{bin}/basename rix, @@ -32,8 +33,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - @{lib}/aspell/{,*} r, - @{lib}/aspell/*.rws rw, + /usr/lib/aspell/{,*} r, + /usr/lib/aspell/*.rws rw, /var/lib/aspell/ r, /var/lib/aspell/* rw, 
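Review bot: The fusermount child profile in archivemount loses both `umount @{HOME}/*/` and `umount @{HOME}/*/*/` while gaining `capability sys_admin` and `/dev/fuse rw`; fusermount is also the unmount helper (`fusermount -u`), so unmounting a user's archive will now be denied in enforce mode. Re-add `umount @{HOME}/*/,` and `umount @{HOME}/*/*/,` next to the mount rules. Also note the parent profile now carries its own `mount fstype=fuse.archivemount` rules without a visible `capability sys_admin`; if the parent is not expected to mount directly, those two lines can stay in the child only, which keeps sys_admin scoped to the setuid helper.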
@@ -46,8 +47,9 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include /usr/share/debconf/frontend r, + @{bin}/perl r, - @{sbin}/aspell-autobuildhash rPx, + @{bin}/aspell-autobuildhash rPx, @{sh_path} rix, @{bin}/stty rix, @@ -62,7 +64,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index 783d210fb..f8d39c8f5 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/atd +@{exec_path} = @{bin}/atd profile atd @{exec_path} { include include @@ -20,15 +20,15 @@ profile atd @{exec_path} { capability setuid, capability sys_resource, - signal receive set=hup peer=at, + signal (receive) set=hup peer=at, - ptrace read peer=unconfined, + ptrace (read) peer=unconfined, @{exec_path} mr, @{sh_path} rix, - @{sbin}/sendmail rPUx, - @{sbin}/exim4 rPx, + @{bin}/sendmail rPUx, + @{bin}/exim4 rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/ r, diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd index 2444bd128..dc7f2bf36 100644 --- a/apparmor.d/profiles-a-f/atftpd +++ b/apparmor.d/profiles-a-f/atftpd @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/atftpd profile atftpd @{exec_path} { include - include + include # For libwrap (TCP Wrapper) support include @@ -18,12 +18,6 @@ profile atftpd @{exec_path} { capability setgid, capability setuid, - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - @{exec_path} mr, # FTP dirs (add "w" if you need write permissions and hence upload files) diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 2782aacc0..99cb0fed6 100644 --- a/apparmor.d/profiles-a-f/atool 
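Review bot: All five `network` rules were removed from atftpd, but a TFTP daemon has to bind and send on UDP, so unless the include annotated "For libwrap (TCP Wrapper) support" or another remaining include (names not visible here) grants `network inet dgram`, the daemon will fail to serve in enforce mode. Keep at least `network inet dgram,` and `network inet6 dgram,`, and if libwrap is the reason for the netlink/stream rules, say so in the comment rather than dropping them. The rest of the atftpd profile is outside the hunk.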
+++ b/apparmor.d/profiles-a-f/atool @@ -19,9 +19,9 @@ profile atool @{exec_path} { @{bin}/7z rix, @{bin}/arc rix, @{bin}/arj rix, + @{bin}/bzip2 rix, + @{bin}/bzip2 rix, @{bin}/bzip rix, - @{bin}/bzip2 rix, - @{bin}/bzip2 rix, @{bin}/compress rix, @{bin}/cpio rix, @{bin}/gunzip rix, @@ -30,15 +30,16 @@ profile atool @{exec_path} { @{bin}/jar rix, @{bin}/lha rix, @{bin}/lrunzip rix, - @{bin}/lrz rix, @{bin}/lrzcat rix, @{bin}/lrzip rix, + @{bin}/lrz rix, @{bin}/lrztar rix, @{bin}/lrzuntar rix, @{bin}/lzip rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/lzop rix, + @{lib}/p7zip/7z rix, @{bin}/rar rix, @{bin}/tar rix, @{bin}/unace rix, @@ -47,7 +48,6 @@ profile atool @{exec_path} { @{bin}/unzip rix, @{bin}/xz rix, @{bin}/zip rix, - @{lib}/p7zip/7z rix, /etc/atool.conf r, owner @{HOME}/.atoolrc r, diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 55502dd3e..284c35911 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -10,13 +10,19 @@ include @{exec_path} = @{bin}/atril{,-*} profile atril @{exec_path} { include + include include + include + include include include - include + include + include + include include include include + include network netlink raw, diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index 762273a9f..d6881f3e7 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/auditctl +@{exec_path} = @{bin}/auditctl profile auditctl @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 41fb158c0..92afa1d08 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/auditd +@{exec_path} = @{bin}/auditd profile auditd @{exec_path} flags=(attach_disconnected) { include include 
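Review bot: The reordering in atool leaves `@{bin}/bzip2 rix` and `@{bin}/lzop rix` each listed twice on the new side (both duplicates were present before and are merely moved, so the commit does not address them). Duplicate rules are harmless to the parser but make the list harder to audit and will show up in any future diff; drop one copy of each. The list also breaks its alphabetical order with `@{lib}/p7zip/7z rix` now sitting between `lzop` and `rar`, and `lrz` after `lrzip`.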
@@ -27,8 +27,6 @@ profile auditd @{exec_path} flags=(attach_disconnected) { /var/log/audit/{,**} rw, - @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, - owner @{run}/auditd.pid rwl, owner @{run}/auditd.state rw, diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index 5ae84876b..7a515c1ba 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/augenrules +@{exec_path} = @{bin}/augenrules profile augenrules @{exec_path} flags=(attach_disconnected) { include include @@ -16,7 +16,7 @@ profile augenrules @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{,e,f}grep rix, @{bin}/{,g,m}awk rix, - @{sbin}/auditctl rPx, + @{bin}/auditctl rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index ff3a710c3..e0f686b90 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/badblocks +@{exec_path} = @{bin}/badblocks profile badblocks @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index 654e40117..1f9f14dc1 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -19,12 +19,11 @@ profile baobab @{exec_path} { @{open_path} rPx -> child-open-help, - #aa:lint ignore=too-wide # As a directory tree analyzer it needs full access to the filesystem / r, /** r, - deny @{efi}/{,**} r, + deny /boot/{,**} r, include if exists } diff --git a/apparmor.d/profiles-a-f/biosdecode b/apparmor.d/profiles-a-f/biosdecode index 87457a129..8010b380a 100644 --- a/apparmor.d/profiles-a-f/biosdecode +++ b/apparmor.d/profiles-a-f/biosdecode @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/biosdecode +@{exec_path} = @{bin}/biosdecode profile biosdecode @{exec_path} { include 
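Review bot: The baobab hunk removes the `#aa:lint ignore=too-wide` marker while keeping `/ r` and `/** r`, so if the repository's profile linter still flags a bare `/** r` as too wide, the check stage will start failing on this profile. Beyond lint, `/** r` grants read on everything outside the new `deny /boot/{,**} r`, including `/etc/shadow` and users' `.ssh` directories, which a disk-usage viewer does not need to open; a few targeted denials such as `deny /etc/shadow* r,` and `deny @{HOME}/.ssh/** r,` would keep the tree walk working (baobab only needs directory listings and stat for sizes) while cutting the most sensitive reads. If the marker removal is deliberate because the linter rule changed, a one-line comment would save the next reader a trip to the CI logs.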
diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index 771560c6b..c63a8de7c 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray @@ -40,7 +40,7 @@ profile birdtray @{exec_path} { owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r, owner @{user_config_dirs}/ulduzsoft/ rw, - owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*, + owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index bff816339..ad575351f 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -7,20 +7,18 @@ abi , include -@{exec_path} = @{sbin}/blkdeactivate +@{exec_path} = @{bin}/blkdeactivate profile blkdeactivate @{exec_path} flags=(complain) { include include @{exec_path} rm, - @{sh_path} rix, - @{sbin}/dmsetup rPx, - @{bin}/{,e}grep rix, - @{bin}/touch rix, + @{bin}/dmsetup rPUx, + @{bin}/grep rix, @{bin}/lsblk rPx, - @{sbin}/lvm rPx, - @{sbin}/multipathd rPx, + @{bin}/lvm rPx, + @{bin}/multipathd rPx, @{bin}/sort rix, @{bin}/umount rPx, diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/profiles-a-f/blkid similarity index 93% rename from apparmor.d/groups/utils/blkid rename to apparmor.d/profiles-a-f/blkid index 4105a7419..27207bdb7 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/blkid +@{exec_path} = @{bin}/blkid profile blkid @{exec_path} flags=(attach_disconnected) { include include 
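Review bot: In birdtray the link target is changed from `@{user_config_dirs}/ulduzsoft/*` to the literal `/home/morfik/.config/ulduzsoft/*`, which hard-codes one developer's home directory into a shipped profile; for every other user the `l` permission no longer matches and link creation is denied, and the previous variable-based rule was correct. Restore `owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*,`. This looks like a local debugging edit that leaked into the commit.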
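Review bot: In blkdeactivate, `@{bin}/dmsetup rPUx` replaces `rPx`, so if no dmsetup profile is loaded the helper now runs unconfined from a root-context script, whereas the sibling `@{bin}/lvm rPx` and `@{bin}/multipathd rPx` lines keep strict transitions; for consistency use `@{bin}/dmsetup rPx,`. The same hunk also drops `@{sh_path} rix` while the entry is still declared `@{exec_path} rm` and the remaining helpers (grep, sort, lsblk, umount) look like a shell script's toolset; if blkdeactivate is indeed a shell script the interpreter exec now has no rule and the script cannot start in enforce mode, so keep `@{sh_path} rix,` unless an include provides it.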
@@ -34,6 +34,8 @@ profile blkid @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, + @{run}/cloud-init/ds-identify.log w, # file_inherit + @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, @{PROC}/swaps r, @@ -45,9 +47,6 @@ profile blkid @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, - # file_inherit - deny @{run}/cloud-init/ds-identify.log w, - include if exists } diff --git a/apparmor.d/groups/utils/blockdev b/apparmor.d/profiles-a-f/blockdev similarity index 86% rename from apparmor.d/groups/utils/blockdev rename to apparmor.d/profiles-a-f/blockdev index 0c5e7b17c..88059a4c5 100644 --- a/apparmor.d/groups/utils/blockdev +++ b/apparmor.d/profiles-a-f/blockdev @@ -7,10 +7,10 @@ abi , include -@{exec_path} = @{sbin}/blockdev +@{exec_path} = @{bin}/blockdev profile blockdev @{exec_path} { include - include + include capability sys_admin, diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/profiles-a-f/blueman similarity index 100% rename from apparmor.d/groups/bluetooth/blueman rename to apparmor.d/profiles-a-f/blueman diff --git a/apparmor.d/groups/bluetooth/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism similarity index 87% rename from apparmor.d/groups/bluetooth/blueman-mechanism rename to apparmor.d/profiles-a-f/blueman-mechanism index 9b4800210..aae5d53cd 100644 --- a/apparmor.d/groups/bluetooth/blueman-mechanism +++ b/apparmor.d/profiles-a-f/blueman-mechanism @@ -10,8 +10,6 @@ include @{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include - include - include include include 
@@ -37,9 +35,9 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { /dev/rfkill rw, # For network AP - #@{sbin}/ip rix, - #@{sbin}/xtables-nft-multi rix, - #@{sbin}/dnsmasq rPx, + #@{bin}/ip rix, + #@{bin}/xtables-nft-multi rix, + #@{bin}/dnsmasq rPx, #@{bin}/dhclient rPx, # @{PROC}/sys/net/ipv4/ip_forward w, # @{PROC}/sys/net/ipv4/conf/ r, diff --git a/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher similarity index 86% rename from apparmor.d/groups/bluetooth/blueman-rfcomm-watcher rename to apparmor.d/profiles-a-f/blueman-rfcomm-watcher index 2d52a6e01..516f14bdd 100644 --- a/apparmor.d/groups/bluetooth/blueman-rfcomm-watcher +++ b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{lib}/blueman-rfcomm-watcher @{lib}/blueman/blueman-rfcomm-watcher +@{exec_path} = @{lib}/blueman-rfcomm-watcher profile blueman-rfcomm-watcher @{exec_path} { include include diff --git a/apparmor.d/groups/bluetooth/bluemoon b/apparmor.d/profiles-a-f/bluemoon similarity index 100% rename from apparmor.d/groups/bluetooth/bluemoon rename to apparmor.d/profiles-a-f/bluemoon diff --git a/apparmor.d/groups/bluetooth/bluetoothctl b/apparmor.d/profiles-a-f/bluetoothctl similarity index 75% rename from apparmor.d/groups/bluetooth/bluetoothctl rename to apparmor.d/profiles-a-f/bluetoothctl index 0b075581b..01565b4ff 100644 --- a/apparmor.d/groups/bluetooth/bluetoothctl +++ b/apparmor.d/profiles-a-f/bluetoothctl @@ -10,17 +10,9 @@ include @{exec_path} = @{bin}/bluetoothctl profile bluetoothctl @{exec_path} { include - include - include - - network bluetooth raw, - - #aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}" @{exec_path} mr, - /usr/share/terminfo/** r, - /etc/inputrc r, owner @{user_cache_dirs}/ rw, 
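Review bot: Without `network bluetooth raw` and the `#aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}"` directive that this hunk removes, bluetoothctl — a D-Bus client of bluetoothd — will be refused org.bluez on any system where the bus mediates by AppArmor label, and every command will fail. If the intent is that an abstraction now grants this (the include names are not legible in this rendering), a comment next to `@{exec_path} mr,` naming it would make that explicit; otherwise the talk directive should stay. The profile body continues past the hunk.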
diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd similarity index 75% rename from apparmor.d/groups/bluetooth/bluetoothd rename to apparmor.d/profiles-a-f/bluetoothd index 12c8e2e80..ee7efdcfd 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/profiles-a-f/bluetoothd @@ -12,7 +12,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { include include include - include # Needed for configuring HCI interfaces capability net_admin, @@ -26,15 +25,20 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.bluez - dbus send bus=system path=/{,MediaEndpoint} + dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=@{busname}), + peer=(name=:*, label="{brave,NetworkManager,pulseaudio,upowerd}"), + + dbus send bus=system path=/MediaEndpoint + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=:*, label=pulseaudio), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member={InterfacesRemoved,InterfacesAdded} - peer=(name=org.freedesktop.DBus), + member=InterfacesRemoved + peer=(name=org.freedesktop.DBus, label="{jwupd,NetworkManager,pulseaudio,upowerd}"), @{exec_path} mr, @@ -46,8 +50,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, @@ -58,6 +61,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/hostname r, /dev/uhid rw, + /dev/uinput rw, /dev/rfkill rw, /dev/hidraw@{int} rw, 
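Review bot: `jwupd` in the new peer list `label="{jwupd,NetworkManager,pulseaudio,upowerd}"` on the `InterfacesRemoved` send rule is not a profile name used anywhere else in this diff and looks like a typo for `fwupd`; if so, the signal to fwupd is denied, and the line should read `peer=(name=org.freedesktop.DBus, label="{fwupd,NetworkManager,pulseaudio,upowerd}"),`. Pinning peers to a fixed brace list also means any other org.bluez client (bluetoothctl, a desktop shell, pipewire) is silently refused `GetManagedObjects`, and `InterfacesAdded` has been dropped from the signal rule although I would expect bluetoothd to emit it as well; both deserve a why-comment if intentional. The bluetoothd profile continues outside the hunk.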
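Review bot: `/dev/uinput rw` needs a why-comment, because write access to uinput lets the daemon create arbitrary virtual input devices and inject keystrokes or button presses into the session — a significant capability for a network-facing daemon. BlueZ presumably needs it to deliver AVRCP remote-control keys (confirm against the build), so something like `/dev/uinput rw, # AVRCP: remote media keys are delivered through a virtual input device` would record that. The neighbouring `/dev/uhid rw` carries similar power and could share the note. The profile continues outside the hunk.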
diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/profiles-a-f/boltd similarity index 91% rename from apparmor.d/groups/freedesktop/boltd rename to apparmor.d/profiles-a-f/boltd index 5b72f8427..b70b72088 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -25,9 +25,8 @@ profile boltd @{exec_path} flags=(attach_disconnected) { owner @{run}/boltd/{,**} rw, - @{att}/@{run}/systemd/notify w, - - @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. + @{run}/systemd/notify rw, + @{run}/udev/data/+thunderbolt:* r, @{sys}/bus/ r, @{sys}/bus/thunderbolt/devices/ r, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 544be3be0..dbf6c228d 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -27,13 +27,12 @@ profile borg @{exec_path} { @{exec_path} r, @{bin}/ r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/{,@{multiarch}-}ld.bfd rix, @{bin}/cat rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/uname rix, - @{bin}/ip rix, @{bin}/ccache rCx -> ccache, @{bin}/fusermount{,3} rCx -> fusermount, @@ -96,7 +95,10 @@ profile borg @{exec_path} { profile fusermount { include - include + include + include + + capability sys_admin, mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/, mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/, @@ -104,9 +106,17 @@ profile borg @{exec_path} { umount @{MOUNTS}/, umount @{MOUNTS}/*/, + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, + @{PROC}/@{pids}/mounts r, + + /dev/fuse rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop index 1cfda03d9..a0b57a38b 100644 --- a/apparmor.d/profiles-a-f/briar-desktop +++ b/apparmor.d/profiles-a-f/briar-desktop 
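Review bot: `@{run}/systemd/notify rw` over-grants: the daemon only ever sends to the sd_notify socket, and the rewrite also drops the `@{att}/` prefix the old line carried, which is what makes the write match when the socket path shows up disconnected under the profile's retained `flags=(attach_disconnected)`. Restore `@{att}/@{run}/systemd/notify w,` unless a log shows the plain path is what is being denied. The boltd profile continues past the hunk.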
@@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024-2025 Roman Beslik +# Copyright (C) 2024 Roman Beslik # SPDX-License-Identifier: GPL-2.0-only abi , @@ -34,7 +34,6 @@ profile briar-desktop @{exec_path} { @{system_share_dirs}/java/briar-desktop.jar r, /etc/java*/{,**} r, - /etc/machine-id r, owner @{HOME}/.briar/desktop/{,**} rw, owner @{HOME}/.briar/desktop/db/db.mv.db k, @@ -58,11 +57,10 @@ profile briar-desktop @{exec_path} { owner @{tmp}/jna@{u64}.tmp mrw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r, @{sys}/kernel/mm/{hugepages/,transparent_hugepage/enabled} r, @{PROC}/cgroups r, - @{PROC}/asound/version r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/coredump_filter rw, @@ -80,7 +78,7 @@ profile briar-desktop @{exec_path} { profile jspawnhelper flags=(attach_disconnected) { include - @{sbin}/ldconfig ix, + @{bin}/ldconfig ix, owner @{HOME}/.briar/desktop/tor/tor Px -> briar-desktop-tor, @{system_share_dirs}/java/briar-desktop.jar r, diff --git a/apparmor.d/profiles-a-f/briar-desktop-tor b/apparmor.d/profiles-a-f/briar-desktop-tor index ae818d1df..af98f9fc7 100644 --- a/apparmor.d/profiles-a-f/briar-desktop-tor +++ b/apparmor.d/profiles-a-f/briar-desktop-tor @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024-2025 Roman Beslik +# Copyright (C) 2024 Roman Beslik # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -13,13 +13,11 @@ profile briar-desktop-tor { network inet6 stream, network netlink raw, - signal send set=term peer=briar-desktop-tor//lyrebird, signal send set=term peer=briar-desktop-tor//obfs4proxy, signal send set=term peer=briar-desktop-tor//snowflake, owner @{HOME}/.briar/desktop/tor/.tor/{,**} rw, owner @{HOME}/.briar/desktop/tor/.tor/lock k, - owner @{HOME}/.briar/desktop/tor/lyrebird Cx -> lyrebird, owner @{HOME}/.briar/desktop/tor/obfs4proxy Cx -> obfs4proxy, owner @{HOME}/.briar/desktop/tor/snowflake Cx -> snowflake, owner @{HOME}/.briar/desktop/tor/tor r, @@ -29,25 +27,6 @@ profile briar-desktop-tor { include if exists - profile lyrebird { - include - include - include - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - signal receive set=term peer=briar-desktop-tor, - - owner @{HOME}/.briar/desktop/tor/lyrebird mr, - @{PROC}/sys/net/core/somaxconn r, - - include if exists - } - profile obfs4proxy { include diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index c896e96f8..86da0e6a7 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/browserpass @{lib}/browserpass/browserpass-native +@{exec_path} = @{bin}/browserpass profile browserpass @{exec_path} flags=(attach_disconnected) { include include 
@@ -22,7 +22,7 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.mozilla/firefox/@{rand8}.*/extensions/* r, owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/scriptCache-*.bin r, owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/startupCache.*.little r, - owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google@{d}/goog-phish-proto-@{int}.vlpset rw, + owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw, owner @{tmp}/mozilla-temp-@{int} r, owner @{PROC}/@{pid}/mountinfo r, @@ -48,8 +48,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{user_passwordstore_dirs}/ rw, - owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_password_store_dirs}/ rw, + owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{user_projects_dirs}/**/*-store/ rw, owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**, owner @{user_config_dirs}/*-store/ rw, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index bac8aea75..bab483dde 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -10,16 +10,15 @@ include profile btop @{exec_path} { include include + include include - capability kill, - capability perfmon, capability sys_ptrace, network netlink raw, - signal send, - ptrace read, + signal (send), + ptrace (read), @{exec_path} mr, 
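Review bot: The new rule `owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**` keeps a hard-coded link target while the source moved to the `@{user_password_store_dirs}` variable, so a link or rename inside any store location the variable covers other than `~/.password-store` is denied. Match the target to the source, as the neighbouring `@{user_projects_dirs}` rule does: `owner @{user_password_store_dirs}/** rwkl -> @{user_password_store_dirs}/**,`. I cannot see the tunables from here, so please also confirm `@{user_password_store_dirs}` is the defined name (the old side used `@{user_passwordstore_dirs}`); an undefined variable fails to parse. The profile continues outside the hunk.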
@@ -28,42 +27,33 @@ profile btop @{exec_path} { /etc/fstab r, owner @{user_config_dirs}/btop/{,**} rw, - owner @{user_state_dirs}/btop.log rw, @{sys}/bus/pci/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/ r, - @{sys}/devices/@{pci}/{,**}/ r, + @{sys}/devices/@{pci}/**/stat r, @{sys}/devices/@{pci}/net/*/{,**} r, - @{sys}/devices/@{pci}/nvme/nvme@{int}/ r, - @{sys}/devices/@{pci}/stat r, @{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r, @{sys}/devices/**/hwmon@{int}/{,*} r, @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{,**} r, - @{sys}/devices/*/events/{,*} r, - @{sys}/devices/platform/*/ r, - @{sys}/devices/power/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, - @{PROC} r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/mounts r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/task/@{tid}/comm rw, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/config r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - @{PROC}/loadavg r, - @{PROC}/spl/kstat/zfs/arcstats r, - @{PROC}/uptime r, + @{PROC} r, + @{PROC}/@{pid}/statm r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/stat r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/loadavg r, + @{PROC}/spl/kstat/zfs/arcstats r, + @{PROC}/uptime r, + owner @{PROC}/@{pid}/mounts r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, 
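Review bot: `@{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r,` has an empty alternation, `{,}`, which expands to the directory path both ways and matches none of the files under it, so the `temp`/`type` reads btop does there (assuming it does, as the old `{,*}` suggests) are denied. The intended form is presumably `@{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r,`. Replacing `@{PROC}/@{pids}/mounts r` with `owner @{PROC}/@{pid}/mounts r` in the same hunk is a sensible tightening and worth stating in the commit message. The btop profile starts before the hunk.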
diff --git a/apparmor.d/groups/filesystem/btrfs b/apparmor.d/profiles-a-f/btrfs similarity index 98% rename from apparmor.d/groups/filesystem/btrfs rename to apparmor.d/profiles-a-f/btrfs index 40149588d..82742fd4a 100644 --- a/apparmor.d/groups/filesystem/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -25,8 +25,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { / r, /.snapshots/ r, - @{efi}/ r, - @{efi}/**/ r, + /boot/ r, + /boot/**/ r, /home/ r, /opt/ r, /root/ r, diff --git a/apparmor.d/groups/filesystem/btrfs-convert b/apparmor.d/profiles-a-f/btrfs-convert similarity index 92% rename from apparmor.d/groups/filesystem/btrfs-convert rename to apparmor.d/profiles-a-f/btrfs-convert index 22715c857..2dccbf1fd 100644 --- a/apparmor.d/groups/filesystem/btrfs-convert +++ b/apparmor.d/profiles-a-f/btrfs-convert @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/btrfs-convert +@{exec_path} = @{bin}/btrfs-convert profile btrfs-convert @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/btrfs-find-root b/apparmor.d/profiles-a-f/btrfs-find-root similarity index 92% rename from apparmor.d/groups/filesystem/btrfs-find-root rename to apparmor.d/profiles-a-f/btrfs-find-root index cec2bbb61..eef4b6823 100644 --- a/apparmor.d/groups/filesystem/btrfs-find-root +++ b/apparmor.d/profiles-a-f/btrfs-find-root @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/btrfs-find-root +@{exec_path} = @{bin}/btrfs-find-root profile btrfs-find-root @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/btrfs-image b/apparmor.d/profiles-a-f/btrfs-image similarity index 93% rename from apparmor.d/groups/filesystem/btrfs-image rename to apparmor.d/profiles-a-f/btrfs-image index 48be7c381..6f18ac095 100644 --- a/apparmor.d/groups/filesystem/btrfs-image +++ b/apparmor.d/profiles-a-f/btrfs-image @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/btrfs-image +@{exec_path} = @{bin}/btrfs-image profile btrfs-image @{exec_path} { include include 
diff --git a/apparmor.d/groups/filesystem/btrfs-map-logical b/apparmor.d/profiles-a-f/btrfs-map-logical similarity index 100% rename from apparmor.d/groups/filesystem/btrfs-map-logical rename to apparmor.d/profiles-a-f/btrfs-map-logical diff --git a/apparmor.d/groups/filesystem/btrfs-select-super b/apparmor.d/profiles-a-f/btrfs-select-super similarity index 100% rename from apparmor.d/groups/filesystem/btrfs-select-super rename to apparmor.d/profiles-a-f/btrfs-select-super diff --git a/apparmor.d/groups/filesystem/btrfstune b/apparmor.d/profiles-a-f/btrfstune similarity index 94% rename from apparmor.d/groups/filesystem/btrfstune rename to apparmor.d/profiles-a-f/btrfstune index 24a8ef46e..f8fa4a047 100644 --- a/apparmor.d/groups/filesystem/btrfstune +++ b/apparmor.d/profiles-a-f/btrfstune @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/btrfstune +@{exec_path} = @{bin}/btrfstune profile btrfstune @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index 281d15718..6d71ed28d 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -12,10 +12,12 @@ include @{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk profile calibre @{exec_path} { include + include include + include + include include include - include include include include @@ -33,13 +35,11 @@ profile calibre @{exec_path} { capability sys_ptrace, - network inet dgram, network inet stream, - network inet6 dgram, network inet6 stream, network netlink raw, - # unix (send, receive) type=stream peer=(addr=none, label=xorg), + unix (send, receive) type=stream peer=(addr=none, label=xorg), unix (bind, listen) type=stream addr="@*-calibre-gui.socket", unix (bind) type=stream addr="@calibre-*", 
@@ -47,10 +47,9 @@ profile calibre @{exec_path} { @{sh_path} rix, @{python_path} rix, - @{bin}/env r, @{bin}/file rix, + @{bin}/ldconfig{,.real} rix, @{bin}/uname rix, - @{sbin}/ldconfig{,.real} rix, @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, @{bin}/pdftoppm rPUx, # (#FIXME#) @@ -62,7 +61,6 @@ profile calibre @{exec_path} { /usr/share/calibre/{,**} r, /etc/fstab r, - /etc/httpd/conf/mime.types r, /etc/inputrc r, /etc/magic r, /etc/mime.types r, @@ -70,15 +68,10 @@ profile calibre @{exec_path} { owner @{HOME}/ r, owner "@{HOME}/Calibre Library/{,**}" rw, owner "@{HOME}/Calibre Library/metadata.db" rwk, - - owner @{user_books_dirs}/{,**} rwl, - owner @{user_books_dirs}/Calibre/** rwk, owner @{user_documents_dirs}/{,**} rwl, - owner @{user_documents_dirs}/Calibre/** rwk, + owner @{user_books_dirs}/{,**} rwl, owner @{user_torrents_dirs}/{,**} rwl, - owner @{user_torrents_dirs}/Calibre/** rwk, owner @{user_work_dirs}/{,**} rwl, - owner @{user_work_dirs}/Calibre/** rwk, owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/** rwk, @@ -89,11 +82,10 @@ profile calibre @{exec_path} { owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, - owner @{tmp}/@{rand8} rw, - audit owner @{tmp}/@{int}-*/ rw, - audit owner @{tmp}/@{int}-*/** rwl, - audit owner @{tmp}/calibre_@{rand8}_tmp_*/{,**} rw, - audit owner @{tmp}/calibre-@{rand8}/{,**} rw, + owner @{tmp}/calibre_*_tmp_*/{,**} rw, + owner @{tmp}/calibre-*/{,**} rw, + owner @{tmp}/@{int}-*/ rw, + owner @{tmp}/@{int}-*/** rwl, owner /dev/shm/#@{int} rw, @@ -116,7 +108,6 @@ profile calibre @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, - /dev/tty r, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index ee8d277f2..9cacb9324 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/cfdisk +@{exec_path} = @{bin}/cfdisk profile cfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk index 8f3f11af0..0f91c1e85 100644 --- a/apparmor.d/profiles-a-f/cgdisk +++ b/apparmor.d/profiles-a-f/cgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/cgdisk +@{exec_path} = @{bin}/cgdisk profile cgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cgrulesengd b/apparmor.d/profiles-a-f/cgrulesengd index 6f31a43d5..08b1d83b5 100644 --- a/apparmor.d/profiles-a-f/cgrulesengd +++ b/apparmor.d/profiles-a-f/cgrulesengd @@ -12,32 +12,42 @@ profile cgrulesengd @{exec_path} { include include - capability dac_read_search, + # For creating Unix domain sockets/IPC sockets: + # socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3 + # ... + # bind(3, {sa_family=AF_NETLINK, nl_pid=13284, nl_groups=0x000001}, 12) = -1 EPERM (Operation + # not permitted) capability net_admin, + + # To remove the following errors: + # readlink("/proc/12/exe", 0x7ffc9fa85cd0, 4096) = -1 EACCES (Permission denied) capability sys_ptrace, + # To be able to read the /proc/ files of all processes in the system. + capability dac_read_search, + network netlink dgram, ptrace (read), @{exec_path} mr, - - /etc/cgconfig.conf r, - /etc/cgconfig.d/{,*} r, - - /etc/cgrules.conf r, - /etc/cgrules.d/{,*} r, - - owner @{run}/cgred.socket w, - - @{sys}/fs/cgroup/** rw, + @{sys}/fs/cgroup/**/tasks w, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/task/ r, - @{PROC}/cgroups r, owner @{PROC}/@{pid}/mounts r, + @{PROC}/cgroups r, + + @{sys}/fs/cgroup/unified/cgroup.controllers r, + + owner @{run}/cgred.socket w, + + /etc/cgconfig.conf r, + /etc/cgrules.conf r, + /etc/cgconfig.d/ r, + include if exists } 
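Review bot: `/etc/cgconfig.d/ r` only allows listing the directory, not reading the files in it, and `/etc/cgrules.d/{,*} r` is gone entirely, so any rules shipped as drop-ins fail to load and the affected processes are simply never moved into their cgroups, with an audit denial as the only symptom. If the daemon reads those drop-ins (the old profile evidently assumed so), restore `/etc/cgconfig.d/{,*} r,` and `/etc/cgrules.d/{,*} r,`. Narrowing `@{sys}/fs/cgroup/** rw` to `@{sys}/fs/cgroup/**/tasks w` is a good tightening, but `tasks` is a cgroup-v1 file, so on a pure v2 host the daemon would need `cgroup.procs` instead — worth a comment beside it.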
diff --git a/apparmor.d/groups/shadow/chage b/apparmor.d/profiles-a-f/chage similarity index 97% rename from apparmor.d/groups/shadow/chage rename to apparmor.d/profiles-a-f/chage index 43f34a703..a89e204a8 100644 --- a/apparmor.d/groups/shadow/chage +++ b/apparmor.d/profiles-a-f/chage @@ -20,7 +20,7 @@ profile chage @{exec_path} { @{exec_path} mr, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{passwd,shadow} rw, /etc/{passwd,shadow}.@{pid} w, diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index c44b6eaa5..775e3f640 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/check-bios-nx +@{exec_path} = @{bin}/check-bios-nx profile check-bios-nx @{exec_path} { include include @@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{sbin}/rdmsr rPx, + @{bin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status index 07baedfae..313fa6c54 100644 --- a/apparmor.d/profiles-a-f/check-support-status +++ b/apparmor.d/profiles-a-f/check-support-status @@ -70,6 +70,7 @@ profile check-support-status @{exec_path} { include @{bin}/debconf-escape r, + @{bin}/perl r, owner @{tmp}/debian-security-support.postinst.*/output r, diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index 8101b3008..5eb0eda0f 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook 
@@ -24,10 +24,10 @@ profile check-support-status-hook @{exec_path} { @{bin}/mktemp rix, @{bin}/rm rix, - @{sbin}/adduser rPx, + @{bin}/adduser rPx, @{bin}/check-support-status rPx, @{bin}/debconf-escape rCx -> debconf-escape, - @{sbin}/runuser rCx -> runuser, + @{bin}/runuser rCx -> runuser, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -53,6 +53,7 @@ profile check-support-status-hook @{exec_path} { include @{bin}/debconf-escape r, + @{bin}/perl r, /tmp/ r, owner @{tmp}/debian-security-support.postinst.*/output r, @@ -67,6 +68,7 @@ profile check-support-status-hook @{exec_path} { include /usr/share/debconf/frontend r, + @{bin}/perl r, /usr/share/debian-security-support/ r, /usr/share/debian-security-support/check-support-status.hook rPx, @@ -84,7 +86,7 @@ profile check-support-status-hook @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, @@ -111,7 +113,7 @@ profile check-support-status-hook @{exec_path} { # To write records to the kernel auditing log. capability audit_write, - @{sbin}/runuser mr, + @{bin}/runuser mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese deleted file mode 100644 index 33b933be2..000000000 --- a/apparmor.d/profiles-a-f/cheese +++ /dev/null 
@@ -1,57 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Roman Beslik -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/cheese -profile cheese @{exec_path} { - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - @{exec_path} mr, - - @{bin}/bwrap Px -> gnome-desktop-thumbnailers, - @{open_path} rPx -> child-open-help, - - @{system_share_dirs}/gnome-video-effects/{,*.effect} r, - @{system_share_dirs}/ladspa/rdf/{,**} r, - @{system_share_dirs}/thumbnailers/{,*.thumbnailer} r, - - /etc/machine-id r, - - owner @{HOME}/ r, # file save dialog - owner @{user_pictures_dirs}/{,**} rw, - owner @{user_videos_dirs}/{,**} rw, - - owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/ r, - - owner @{tmp}/flatpak-seccomp-@{rand6} rw, - owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, - - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/chfn b/apparmor.d/profiles-a-f/chfn similarity index 87% rename from apparmor.d/groups/utils/chfn rename to apparmor.d/profiles-a-f/chfn index 45b50c7ad..7201d1a7a 100644 --- a/apparmor.d/groups/utils/chfn +++ b/apparmor.d/profiles-a-f/chfn 
@@ -10,16 +10,19 @@ include @{exec_path} = @{bin}/chfn profile chfn @{exec_path} { include - include - include include include + include include + # To write records to the kernel auditing log. capability audit_write, + + # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, - capability net_admin, + + # chfn is a SETUID binary capability setuid, network netlink raw, diff --git a/apparmor.d/groups/shadow/chpasswd b/apparmor.d/profiles-a-f/chpasswd similarity index 74% rename from apparmor.d/groups/shadow/chpasswd rename to apparmor.d/profiles-a-f/chpasswd index 5e84f31b4..fb8438cc1 100644 --- a/apparmor.d/groups/shadow/chpasswd +++ b/apparmor.d/profiles-a-f/chpasswd @@ -6,26 +6,20 @@ abi , include -@{exec_path} = @{sbin}/chpasswd +@{exec_path} = @{bin}/chpasswd profile chpasswd @{exec_path} { include - include include include - capability audit_write, capability chown, capability fsetid, - capability net_admin, capability setuid, - network netlink raw, - @{exec_path} mr, - @{etc_ro}/login.defs r, - /etc/.pwd.lock wk, + /etc/login.defs r, /etc/passwd rw, /etc/passwd.@{int} w, /etc/passwd.lock l -> /etc/passwd.@{int}, @@ -37,11 +31,6 @@ profile chpasswd @{exec_path} { /etc/shadow.lock w, /etc/shadow+ rw, - /etc/pam.d/* r, - /etc/security/pwquality.conf r, - - @{PROC}/@{pid}/loginuid r, - include if exists } diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index e4a986c8a..155d82f07 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{sbin}/chronyd +@{exec_path} = @{bin}/chronyd profile chronyd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/profiles-a-f/chsh similarity index 83% rename from apparmor.d/groups/utils/chsh rename to apparmor.d/profiles-a-f/chsh index e3581be31..f8a2af5c4 100644 --- a/apparmor.d/groups/utils/chsh 
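Review bot: Without `/etc/.pwd.lock wk`, chpasswd can no longer take the lckpwdf() lock that shadow-utils holds while rewriting `/etc/passwd` and `/etc/shadow`; if the packaged build still locks that way it will refuse to update anything, or — if the build ignores the lock failure — proceed unlocked, so `/etc/.pwd.lock wk,` should come back. The two chpasswd hunks together also drop `capability audit_write`, `network netlink raw`, `/etc/pam.d/* r`, `/etc/security/pwquality.conf r` and `@{PROC}/@{pid}/loginuid r`, which a PAM-enabled chpasswd uses to validate the new password and emit its audit record; please verify on Debian, where I believe shadow is built with PAM, before dropping them. The profile continues outside the first hunk.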
+++ b/apparmor.d/profiles-a-f/chsh @@ -10,33 +10,27 @@ include @{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include - include - include include + include include include capability audit_write, capability chown, capability fsetid, - capability net_admin, capability setuid, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" - @{exec_path} mr, /etc/shells r, - /etc/.chsh.@{rand6} rw, /etc/passwd rw, /etc/passwd- w, + /etc/passwd+ rw, /etc/passwd.@{pid} w, /etc/passwd.lock wl -> /etc/passwd.@{pid}, - /etc/passwd.OLD wl -> /etc/passwd, - /etc/passwd+ rw, /etc/shadow r, diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider deleted file mode 100644 index be59811a1..000000000 --- a/apparmor.d/profiles-a-f/cider +++ /dev/null 
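Review bot: Dropping `/etc/.chsh.@{rand6} rw` and `/etc/passwd.OLD wl -> /etc/passwd` leaves the profile covering only the shadow-style rewrite paths (`/etc/passwd.@{pid}`, `/etc/passwd+`, `/etc/passwd.lock`), while the removed lines look like the temporary and backup files of a different chsh implementation; `@{bin}/chsh` is util-linux's on some distributions and shadow's on others, so a profile shared across them has to allow both sets or the setuid rewrite of `/etc/passwd` may be denied midway. If only one implementation is targeted now, a comment above the `/etc/passwd` rules saying which would make that explicit. The removed `#aa:dbus talk ... org.freedesktop.home1` directive likewise matters only for a homed-aware chsh and is worth a note in the commit message. The profile body continues past the hunk.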
@@ -1,57 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = {C,c}ider sh.cider.genten -@{domain} = sh.cider.genten org.chromium.Chromium -@{lib_dirs} = @{lib}/cider -@{cache_dirs} = @{user_cache_dirs}/@{name} -@{config_dirs} = @{user_config_dirs}/@{name} - -@{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider -profile cider @{exec_path} { - include - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mrix, - - @{lib_dirs}/ r, - @{lib_dirs}/** r, - @{lib_dirs}/libffmpeg.so mr, - @{lib_dirs}/chrome-sandbox rPx, - - @{bin}/xdg-settings rPx, - - owner @{user_config_dirs}/sh.cider.genten/ rw, - owner @{user_config_dirs}/sh.cider.genten/** rwk, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_@{arch}/libwidevinecdm.so mr, - - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/statm r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index 263bb5794..7c5486c50 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -24,14 +24,14 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/orage rPUx, - @{sbin}/exim4 rPUx, + @{bin}/exim4 rPUx, @{bin}/geany rPUx, /usr/share/publicsuffix/*.dafsa r, 
diff --git a/apparmor.d/profiles-a-f/cmus b/apparmor.d/profiles-a-f/cmus index 750fe9345..c3916890f 100644 --- a/apparmor.d/profiles-a-f/cmus +++ b/apparmor.d/profiles-a-f/cmus @@ -18,9 +18,6 @@ profile cmus @{exec_path} { /etc/machine-id r, - / r, - owner @{HOME}/ r, # For pwd - owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/ r, diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass index 674432b2e..5a31889b9 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-askpass +++ b/apparmor.d/profiles-a-f/code-extension-git-askpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh @{lib}/code/extensions/git/dist/ssh-askpass.sh +@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh profile code-extension-git-askpass @{exec_path} { include @@ -23,7 +23,7 @@ profile code-extension-git-askpass @{exec_path} { /usr/share/terminfo/** r, - owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/tmp.* rw, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index 9e4372e1d..3c059abcf 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -104,7 +104,7 @@ profile conky @{exec_path} { deny ptrace (trace, read), # Display the hard disk model name - @{sys}/devices/@{pci}/{usb,ata}@{int}/**/model r, + @{sys}/devices/@{pci}/{usb,ata}[0-9]/**/model r, @{sys}/block/{s,v}d[a-z]/device/model r, # Display the disk write/read speed @{PROC}/diskstats r, diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index aa0a56648..d3aaddf7f 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -12,11 +12,9 @@ profile console-setup @{exec_path} { @{exec_path} mr, - @{sh_path} r, - @{bin}/uname rix, + @{bin}/uname rPx, @{bin}/mkdir rix, - @{run}/console-setup/ rw, @{run}/console-setup/boot_completed w, include if exists 
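Review bot: Creating `@{run}/console-setup/` is now denied, because the hunk keeps `@{bin}/mkdir rix` but removes `@{run}/console-setup/ rw`, and AppArmor requires write on the directory path itself to create it; on a boot where the directory does not yet exist the following `@{run}/console-setup/boot_completed w` then has no parent to land in. Restore `@{run}/console-setup/ rw,` (at minimum `w`). Changing `@{bin}/uname` from `rix` to `rPx` also makes this one-shot boot helper depend on a separate `uname` profile being loaded — exec is denied if it is not — which is more fragile than `rix`; if a dedicated profile is intended, say so in a comment. The profile continues past the hunk.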
diff --git a/apparmor.d/profiles-a-f/console-setup-cached b/apparmor.d/profiles-a-f/console-setup-cached deleted file mode 100644 index 332f05341..000000000 --- a/apparmor.d/profiles-a-f/console-setup-cached +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /etc/console-setup/cached_setup_font.sh /etc/console-setup/cached_setup_terminal.sh -profile console-setup-cached @{exec_path} { - include - include - - capability sys_tty_config, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/gzip rix, - @{bin}/ls ix, - @{bin}/mkdir ix, - @{bin}/setfont ix, - - /usr/share/consolefonts/{,**} r, - - @{run}/console-setup/ w, - @{run}/console-setup/font-loaded w, - - /dev/ r, - /dev/tty rw, - /dev/tty@{int} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/console-setup-keyboard b/apparmor.d/profiles-a-f/console-setup-keyboard deleted file mode 100644 index 1f4045e2e..000000000 --- a/apparmor.d/profiles-a-f/console-setup-keyboard +++ /dev/null @@ -1,31 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/console-setup/keyboard-setup.sh /etc/console-setup/cached_setup_keyboard.sh -profile console-setup-keyboard @{exec_path} { - include - include - - capability sys_tty_config, - - @{exec_path} mrix, - - @{sh_path} rix, - @{bin}/gzip rix, - @{bin}/kbd_mode rix, - @{bin}/loadkeys rix, - - /etc/console-setup/{,**} r, - - /dev/tty@{int} rw, - /dev/tty rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall index 52e80cc54..8c38f85a3 100644 --- a/apparmor.d/profiles-a-f/convertall +++ b/apparmor.d/profiles-a-f/convertall 
@@ -20,7 +20,7 @@ profile convertall @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{python_path} rix, + @{bin}/python3.@{int} rix, /usr/share/convertall/{,**} r, /usr/share/doc/convertall/{,*} r, diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer index 4db396fa0..cc183f527 100644 --- a/apparmor.d/profiles-a-f/cracklib-packer +++ b/apparmor.d/profiles-a-f/cracklib-packer @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/cracklib-packer +@{exec_path} = @{bin}/cracklib-packer profile cracklib-packer @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/crda b/apparmor.d/profiles-a-f/crda index d3b6cba6f..50d34bad4 100644 --- a/apparmor.d/profiles-a-f/crda +++ b/apparmor.d/profiles-a-f/crda @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/crda +@{exec_path} = @{bin}/crda profile crda @{exec_path} { include diff --git a/apparmor.d/groups/cups/cups-backend-beh b/apparmor.d/profiles-a-f/cups-backend-beh similarity index 95% rename from apparmor.d/groups/cups/cups-backend-beh rename to apparmor.d/profiles-a-f/cups-backend-beh index 1e9fe5b78..e2dbc1b51 100644 --- a/apparmor.d/groups/cups/cups-backend-beh +++ b/apparmor.d/profiles-a-f/cups-backend-beh @@ -13,7 +13,6 @@ profile cups-backend-beh @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-bluetooth b/apparmor.d/profiles-a-f/cups-backend-bluetooth similarity index 95% rename from apparmor.d/groups/cups/cups-backend-bluetooth rename to apparmor.d/profiles-a-f/cups-backend-bluetooth index 78ffbac77..ada4926ce 100644 --- a/apparmor.d/groups/cups/cups-backend-bluetooth +++ b/apparmor.d/profiles-a-f/cups-backend-bluetooth @@ -13,7 +13,6 @@ profile cups-backend-bluetooth @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } 
diff --git a/apparmor.d/groups/cups/cups-backend-brf b/apparmor.d/profiles-a-f/cups-backend-brf similarity index 95% rename from apparmor.d/groups/cups/cups-backend-brf rename to apparmor.d/profiles-a-f/cups-backend-brf index 6d50b284f..27e98efc3 100644 --- a/apparmor.d/groups/cups/cups-backend-brf +++ b/apparmor.d/profiles-a-f/cups-backend-brf @@ -15,7 +15,6 @@ profile cups-backend-brf @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/profiles-a-f/cups-backend-dnssd similarity index 82% rename from apparmor.d/groups/cups/cups-backend-dnssd rename to apparmor.d/profiles-a-f/cups-backend-dnssd index 877200660..f45b99216 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/profiles-a-f/cups-backend-dnssd @@ -9,12 +9,11 @@ include @{exec_path} = @{lib}/cups/backend/dnssd profile cups-backend-dnssd @{exec_path} { include - include + include @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-hp b/apparmor.d/profiles-a-f/cups-backend-hp similarity index 95% rename from apparmor.d/groups/cups/cups-backend-hp rename to apparmor.d/profiles-a-f/cups-backend-hp index cd9af3d7f..636121553 100644 --- a/apparmor.d/groups/cups/cups-backend-hp +++ b/apparmor.d/profiles-a-f/cups-backend-hp @@ -13,7 +13,6 @@ profile cups-backend-hp @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-implicitclass b/apparmor.d/profiles-a-f/cups-backend-implicitclass similarity index 95% rename from apparmor.d/groups/cups/cups-backend-implicitclass rename to apparmor.d/profiles-a-f/cups-backend-implicitclass index c71295f83..ba85c62fa 100644 --- a/apparmor.d/groups/cups/cups-backend-implicitclass +++ b/apparmor.d/profiles-a-f/cups-backend-implicitclass 
@@ -13,7 +13,6 @@ profile cups-backend-implicitclass @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-ipp b/apparmor.d/profiles-a-f/cups-backend-ipp similarity index 95% rename from apparmor.d/groups/cups/cups-backend-ipp rename to apparmor.d/profiles-a-f/cups-backend-ipp index 8d61f4072..b473ecaa3 100644 --- a/apparmor.d/groups/cups/cups-backend-ipp +++ b/apparmor.d/profiles-a-f/cups-backend-ipp @@ -13,7 +13,6 @@ profile cups-backend-ipp @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-lpd b/apparmor.d/profiles-a-f/cups-backend-lpd similarity index 95% rename from apparmor.d/groups/cups/cups-backend-lpd rename to apparmor.d/profiles-a-f/cups-backend-lpd index 89b62b569..af2901be0 100644 --- a/apparmor.d/groups/cups/cups-backend-lpd +++ b/apparmor.d/profiles-a-f/cups-backend-lpd @@ -13,7 +13,6 @@ profile cups-backend-lpd @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-mdns b/apparmor.d/profiles-a-f/cups-backend-mdns similarity index 95% rename from apparmor.d/groups/cups/cups-backend-mdns rename to apparmor.d/profiles-a-f/cups-backend-mdns index 9e5dfbe0f..0b9cce0da 100644 --- a/apparmor.d/groups/cups/cups-backend-mdns +++ b/apparmor.d/profiles-a-f/cups-backend-mdns @@ -13,7 +13,6 @@ profile cups-backend-mdns @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-parallel b/apparmor.d/profiles-a-f/cups-backend-parallel similarity index 95% rename from apparmor.d/groups/cups/cups-backend-parallel rename to apparmor.d/profiles-a-f/cups-backend-parallel index b4340b2ed..a985e5042 100644 --- a/apparmor.d/groups/cups/cups-backend-parallel +++ b/apparmor.d/profiles-a-f/cups-backend-parallel 
@@ -13,7 +13,6 @@ profile cups-backend-parallel @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/profiles-a-f/cups-backend-pdf similarity index 92% rename from apparmor.d/groups/cups/cups-backend-pdf rename to apparmor.d/profiles-a-f/cups-backend-pdf index 21da6bf93..7782ecb11 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/profiles-a-f/cups-backend-pdf @@ -14,10 +14,9 @@ profile cups-backend-pdf @{exec_path} { include capability chown, - capability dac_override, - capability dac_read_search, capability setgid, capability setuid, + capability dac_override, unix peer=(label=cupsd), @@ -25,17 +24,16 @@ profile cups-backend-pdf @{exec_path} { @{sh_path} rix, @{bin}/cp rix, - @{bin}/gs{,.bin} rix, + @{bin}/gs rix, @{bin}/gsc rix, @{lib}/ghostscript/** mr, /usr/share/ghostscript/{,**} r, + /etc/papersize r, /etc/cups/ r, /etc/cups/cups-pdf.conf r, /etc/cups/ppd/*.ppd r, - /etc/papersize r, - /etc/paperspecs r, /var/log/cups/cups-pdf*_log w, /var/spool/cups-pdf/{,**} rw, diff --git a/apparmor.d/groups/cups/cups-backend-serial b/apparmor.d/profiles-a-f/cups-backend-serial similarity index 95% rename from apparmor.d/groups/cups/cups-backend-serial rename to apparmor.d/profiles-a-f/cups-backend-serial index 26811ab59..3959a091d 100644 --- a/apparmor.d/groups/cups/cups-backend-serial +++ b/apparmor.d/profiles-a-f/cups-backend-serial @@ -13,7 +13,6 @@ profile cups-backend-serial @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, /dev/ttyS@{int} w, diff --git a/apparmor.d/groups/cups/cups-backend-snmp b/apparmor.d/profiles-a-f/cups-backend-snmp similarity index 96% rename from apparmor.d/groups/cups/cups-backend-snmp rename to apparmor.d/profiles-a-f/cups-backend-snmp index 816f6c25b..5badd529a 100644 --- a/apparmor.d/groups/cups/cups-backend-snmp +++ b/apparmor.d/profiles-a-f/cups-backend-snmp 
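Review bot: In the cups-backend-pdf hunks `@{bin}/gs rix` and `@{bin}/gsc rix` run Ghostscript inside this profile, so the renderer that parses untrusted print jobs inherits `capability chown`, `setgid`, `setuid` and `dac_override`, while the hunk only reorders and trims that capability list. A parser bug in gs would then execute with the backend's ability to bypass file permissions and change identity; giving it its own profile (`@{bin}/gs rPx,`) or a capability-free child profile (`rCx -> gs`) would contain that. Please also put a one-line comment on `capability dac_override,` stating which path needs it (presumably writing output into user-owned spool directories, but confirm against the denials that motivated it). The cups-backend-pdf profile body continues outside these hunks.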
@@ -19,7 +19,6 @@ profile cups-backend-snmp @{exec_path} { /etc/cups/snmp.conf r, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-socket b/apparmor.d/profiles-a-f/cups-backend-socket similarity index 95% rename from apparmor.d/groups/cups/cups-backend-socket rename to apparmor.d/profiles-a-f/cups-backend-socket index f8f36a056..3efcf183b 100644 --- a/apparmor.d/groups/cups/cups-backend-socket +++ b/apparmor.d/profiles-a-f/cups-backend-socket @@ -13,7 +13,6 @@ profile cups-backend-socket @{exec_path} { @{exec_path} mr, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-usb b/apparmor.d/profiles-a-f/cups-backend-usb similarity index 96% rename from apparmor.d/groups/cups/cups-backend-usb rename to apparmor.d/profiles-a-f/cups-backend-usb index 7d9dbd237..fa21e0204 100644 --- a/apparmor.d/groups/cups/cups-backend-usb +++ b/apparmor.d/profiles-a-f/cups-backend-usb @@ -21,7 +21,6 @@ profile cups-backend-usb @{exec_path} { /etc/cups/ppd/*.ppd r, /etc/papersize r, - /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed similarity index 62% rename from apparmor.d/groups/cups/cups-browsed rename to apparmor.d/profiles-a-f/cups-browsed index ca1dc9630..41d22ed9b 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/profiles-a-f/cups-browsed @@ -6,20 +6,19 @@ abi , include -@{exec_path} = @{sbin}/cups-browsed -profile cups-browsed @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/cups-browsed +profile cups-browsed @{exec_path} { include include + include include - include - include - include include include include capability net_admin, capability net_bind_service, + capability sys_nice, network inet dgram, network inet6 dgram, 
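Review bot: `capability sys_nice,` is added to the cups-browsed profile in this hunk without a comment, and in the same hunk the profile loses `flags=(attach_disconnected)`; neither change says what denial or behaviour motivated it. sys_nice lets a printer-discovery daemon change scheduling priority, which is unusual enough to deserve a line such as `# cups-browsed renices itself at startup` (confirm from the actual denial), and if that call is best-effort a `deny capability sys_nice,` may be the safer choice. Dropping attach_disconnected should be checked against the systemd unit's sandboxing options, since paths seen through detached mounts would otherwise start being denied. The cups-browsed profile body continues outside this hunk.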
@@ -27,30 +26,26 @@ profile cups-browsed @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged + peer=(name=:*, label=avahi-daemon), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name=@{busname}, label=NetworkManager), + peer=(name=:*, label=NetworkManager), @{exec_path} mr, - @{bin}/ippfind rPx, - /usr/share/cups/locale/{,**} r, /etc/cups/{,**} r, + /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, - /var/cache/cups/{,**} rw, - owner /var/cache/cups-browsed/{,**} rw, - - owner @{tmp}/@{hex} rw, - @{run}/cups/certs/* r, - @{run}/avahi-daemon/socket rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/cups/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus similarity index 92% rename from apparmor.d/groups/cups/cups-notifier-dbus rename to apparmor.d/profiles-a-f/cups-notifier-dbus index fa31b726d..6e3b38490 100644 --- a/apparmor.d/groups/cups/cups-notifier-dbus +++ b/apparmor.d/profiles-a-f/cups-notifier-dbus @@ -16,8 +16,6 @@ profile cups-notifier-dbus @{exec_path} { signal (receive) set=(term) peer=cupsd, - #aa:dbus own bus=system name=org.cups.cupsd.Notifier - @{exec_path} mr, owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, diff --git a/apparmor.d/groups/cups/cups-notifier-mailto b/apparmor.d/profiles-a-f/cups-notifier-mailto similarity index 100% rename from apparmor.d/groups/cups/cups-notifier-mailto rename to apparmor.d/profiles-a-f/cups-notifier-mailto diff --git a/apparmor.d/groups/cups/cups-notifier-rss b/apparmor.d/profiles-a-f/cups-notifier-rss similarity index 100% rename from apparmor.d/groups/cups/cups-notifier-rss rename to apparmor.d/profiles-a-f/cups-notifier-rss 
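Review bot: The Avahi rule in the second cups-browsed hunk only accepts `StateChanged` on `path=/`, and the removed `#aa:dbus talk ... label=cups-notifier-dbus` line shows the file already has a directive style for peer-to-peer bus access; if cups-browsed uses avahi-client over D-Bus (which the receive rule suggests), browse results presumably arrive on other object paths and it also needs to send to avahi-daemon, neither of which is visible here. Consider `#aa:dbus talk bus=system name=org.freedesktop.Avahi label=avahi-daemon` in place of the hand-written receive rule, and confirm from the audit log that no `dbus send` denials toward avahi-daemon remain. The hunk also drops `@{run}/avahi-daemon/socket rw`, which is only safe under that same assumption. The cups-browsed profile body continues outside this hunk.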
diff --git a/apparmor.d/groups/cups/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism similarity index 96% rename from apparmor.d/groups/cups/cups-pk-helper-mechanism rename to apparmor.d/profiles-a-f/cups-pk-helper-mechanism index 89d517631..89d55c2f1 100644 --- a/apparmor.d/groups/cups/cups-pk-helper-mechanism +++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism @@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} { /etc/cups/ppd/*.ppd r, - owner @{tmp}/@{int} rw, + owner @{tmp}/[a-z0-9]* rw, @{run}/cups/cups.sock rw, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/profiles-a-f/cupsd similarity index 87% rename from apparmor.d/groups/cups/cupsd rename to apparmor.d/profiles-a-f/cupsd index ec0bbfd67..f65fc8349 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/profiles-a-f/cupsd @@ -6,13 +6,13 @@ abi , include -@{exec_path} = @{sbin}/cupsd +@{exec_path} = @{bin}/cupsd profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include @@ -29,9 +29,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { capability setuid, capability wake_alarm, - network inet dgram, network inet stream, - network inet6 dgram, network inet6 stream, network appletalk dgram, @@ -52,14 +50,14 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{bin}/{,e}grep rix, - @{bin}/gs{,.bin} rix, + @{bin}/grep rix, + @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, @{bin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{bin}/rm rix, @{bin}/sed rix, @{bin}/smbspool rPx, @@ -92,7 +90,6 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{run}/cups/{,**} rw, @{run}/systemd/notify w, - @{run}/avahi-daemon/socket rw, @{sys}/module/apparmor/parameters/enabled r, 
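Review bot: `owner @{tmp}/[a-z0-9]* rw,` in the cups-pk-helper-mechanism hunk replaces a numeric temp name with a glob that matches almost any top-level entry in `/tmp` owned by the caller, and since this helper presumably runs as root behind polkit, `owner` does little to narrow that. A privileged mechanism reading and writing arbitrary root-owned temp files is wider than it needs to be; tie the rule to the naming scheme actually seen in the denials, e.g. `owner @{tmp}/@{rand6} rw,`, or keep `owner @{tmp}/@{int} rw,`, and add a comment naming which operation creates the file. The cups-pk-helper-mechanism profile body continues outside this hunk.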
diff --git a/apparmor.d/profiles-a-f/ddclient b/apparmor.d/profiles-a-f/ddclient index 0928f0da4..c16629d6d 100644 --- a/apparmor.d/profiles-a-f/ddclient +++ b/apparmor.d/profiles-a-f/ddclient @@ -15,6 +15,7 @@ profile ddclient @{exec_path} { include @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, @{bin}/logger rix, diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index d8cb23a5c..c752dcbb8 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -21,15 +21,14 @@ profile ddcutil @{exec_path} { @{bin}/find rix, @{bin}/sed rix, @{bin}/xargs rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, / r, owner @{user_cache_dirs}/ddcutil/ rw, owner @{user_cache_dirs}/ddcutil/** rwlk, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/* r, @{sys}/ r, @{sys}/bus/ r, diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 2e7723995..4f60099a9 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -7,22 +7,21 @@ abi , include -@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/ @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include - include include include - include - include - include include + include + include + include include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 3f749a24b..1f2e86579 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/deluser +@{exec_path} = @{bin}/del{user,group} profile deluser @{exec_path} { include include 
@@ -18,20 +18,20 @@ profile deluser @{exec_path} { capability dac_override, @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, @{bin}/crontab rPx, @{bin}/gpasswd rPx, - @{sbin}/groupdel rPx, + @{bin}/groupdel rPx, @{bin}/mount rCx -> mount, - @{sbin}/userdel rPx, + @{bin}/userdel rPx, /etc/adduser.conf r, /etc/deluser.conf r, owner /etc/shadow r, - #aa:lint ignore=too-wide # This is for the "--remove-all-files" flag, which it used to remove all files owned by the user # that's going to be deleted. Basically it scans all the files in the system in each dir and look # for matches. This also includes files required by the "--remove-home" flag as well as the diff --git a/apparmor.d/groups/utils/df b/apparmor.d/profiles-a-f/df similarity index 90% rename from apparmor.d/groups/utils/df rename to apparmor.d/profiles-a-f/df index baceace65..1a823e4db 100644 --- a/apparmor.d/groups/utils/df +++ b/apparmor.d/profiles-a-f/df @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/df -profile df @{exec_path} flags=(attach_disconnected) { +profile df @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 9d84a4065..b650498cf 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -10,19 +10,13 @@ include @{exec_path} = @{bin}/dhclient-script profile dhclient-script @{exec_path} { include - include + include include capability net_admin, capability sys_admin, audit capability sys_module, - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - @{exec_path} mr, @{sh_path} mrix, 
@@ -42,22 +36,22 @@ profile dhclient-script @{exec_path} { @{bin}/ping rPx, @{bin}/printenv rix, @{bin}/readlink rix, - @{sbin}/resolvconf rPx, + @{bin}/resolvconf rPx, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, - @{sbin}/sysctl rCx -> sysctl, + @{bin}/sysctl rix, @{bin}/tr rix, @{bin}/xxd rix, - @{etc_rw}/resolv.conf rw, - @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, - @{etc_rw}/samba/dhcp.conf{,.new} rw, /etc/default/ddclient r, /etc/dhcp/{,**} r, /etc/fstab r, /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/{,*} r, + @{etc_rw}/resolv.conf rw, + @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, + @{etc_rw}/samba/dhcp.conf{,.new} rw, /var/lib/dhcp/dhclient.leases r, /var/lib/samba/dhcp.conf{,.new} rw, @@ -71,16 +65,7 @@ profile dhclient-script @{exec_path} { @{sys}/devices/virtual/dmi/id/board_vendor r, owner @{PROC}/@{pid}/loginuid r, - - profile sysctl { - include - - @{sbin}/sysctl mr, - - @{PROC}/sys/net/ipv6/conf/*/stable_secret w, - - include if exists - } + @{PROC}/sys/net/ipv6/conf/*/stable_secret w, profile run-parts { include diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 0991a243e..53038a6d7 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -8,18 +8,18 @@ abi , include @{name} = discord -@{domain} = org.chromium.Chromium @{lib_dirs} = /usr/share/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} -profile discord @{exec_path} flags=(attach_disconnected) { +profile discord @{exec_path} { include include + include + include include include - include include include 
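Review bot: Replacing `@{bin}/sysctl rCx -> sysctl` with `@{bin}/sysctl rix` in the dhclient-script hunks and hoisting `@{PROC}/sys/net/ipv6/conf/*/stable_secret w,` into the parent means sysctl now runs with the whole dhclient-script profile, including `capability net_admin`, `sys_admin`, `sys_module`, the `/etc/resolv.conf` and samba config writes and the `run-parts` transition, instead of a child profile limited to one `/proc/sys` write. dhclient-script acts on values supplied by the DHCP server, so that child profile was a meaningful least-privilege boundary around a binary that can write anywhere under `/proc/sys`. I would keep the `rCx -> sysctl` transition and the small child profile (only `@{bin}/sysctl mr,` plus the `stable_secret w` rule), with a comment explaining that it exists to keep sysctl away from the parent's capabilities. The dhclient-script profile continues outside these hunks, and the `run-parts` child profile that the last hunk opens is cut off at its end.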
@@ -31,15 +31,13 @@ profile discord @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} rix, + @{bin}/lsb_release rPx -> lsb_release, @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, - @{bin}/lsb_release rPx, - @{bin}/xdg-mime rPx, @{open_path} rPx -> child-open-strict, - /etc/ r, /etc/lsb-release r, owner @{user_videos_dirs}/{,**} rwl, @@ -48,16 +46,14 @@ profile discord @{exec_path} flags=(attach_disconnected) { owner @{config_dirs}/@{version}/modules/** m, owner "@{tmp}/Discord Crashes/" rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, owner @{tmp}/discord.sock rw, owner @{tmp}/net-export/ rw, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, - owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/task/@{tid}/comm r, - deny ptrace read, - include if exists } diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 8d5ff99b6..ecf1d1c64 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{sbin}/dkms +@{exec_path} = @{bin}/dkms profile dkms @{exec_path} flags=(attach_disconnected) { include include 
@@ -28,39 +28,29 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{coreutils_path} rix, @{bin}/as rix, @{bin}/bc rix, - @{bin}/clang-@{version} rix, - @{bin}/g++ rix, @{bin}/gcc rix, @{bin}/getconf rix, - @{bin}/hostname rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @{bin}/ld rix, - @{bin}/ld.lld rix, - @{bin}/llvm-objcopy rix, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/make rix, @{bin}/objcopy rix, @{bin}/pahole rix, @{bin}/readelf rix, @{bin}/rpm rPUx, @{bin}/strip rix, - @{bin}/xz rix, + @{bin}/update-secureboot-policy rPUx, @{bin}/zstd rix, - @{sbin}/update-secureboot-policy rPUx, @{lib}/gcc/@{multiarch}/@{version}/* rix, @{lib}/linux-kbuild-*/scripts/** rix, @{lib}/linux-kbuild-*/tools/objtool/objtool rix, @{lib}/llvm-[0-9]*/bin/clang rix, - @{lib}/modules/*/build/arch/x86/** rix, - @{lib}/modules/*/build/include/** rix, @{lib}/modules/*/build/scripts/** rix, @{lib}/modules/*/build/tools/** rix, - @{lib}/os-release rix, /var/lib/dkms/**/build/* rix, - /var/lib/dkms/vboxhost/*/build/** rw, /var/lib/dkms/**/configure rix, /var/lib/dkms/**/dkms.postbuild rix, @@ -107,8 +97,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, - /dev/pts/@{int} rw, - profile kmod { include include @@ -116,7 +104,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{lib}/modules/*/modules.* rw, /var/lib/dkms/**/module/*.ko* r, - owner @{efi}/System.map-* r, + owner /boot/System.map-* r, owner @{tmp}/tmp.@{rand10} r, diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index 2d799987f..ffce30921 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -15,7 +15,7 @@ profile dkms-autoinstaller @{exec_path} { @{exec_path} rm, @{sh_path} rix, - @{sbin}/dkms rPx, + @{bin}/dkms rPx, @{bin}/echo rix, @{bin}/plymouth rix, @{bin}/readlink rix, 
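Review bot: `@{bin}/update-secureboot-policy rPUx` in the first dkms hunk, like `@{bin}/rpm rPUx` next to it, falls back to running the tool unconfined whenever no profile for it is loaded, and dkms runs as root while building and installing kernel modules, so this is an unconfined root exec on the path that handles Secure Boot key enrolment. If a profile for update-secureboot-policy is not available, `rCx -> update-secureboot-policy` with a small child profile, or at least a comment stating that the unconfined fallback is deliberate, would make the trust decision explicit. The dkms profile body continues outside this hunk.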
diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index f7d1e915e..9f78af639 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate @@ -55,7 +55,7 @@ profile dlocate @{exec_path} { @{bin}/md5sum mr, # For the md5 check - @{efi}/** r, + /boot/** r, /usr/** r, include if exists diff --git a/apparmor.d/groups/utils/dmesg b/apparmor.d/profiles-a-f/dmesg similarity index 90% rename from apparmor.d/groups/utils/dmesg rename to apparmor.d/profiles-a-f/dmesg index 2976d1316..6abc40c37 100644 --- a/apparmor.d/groups/utils/dmesg +++ b/apparmor.d/profiles-a-f/dmesg @@ -8,12 +8,11 @@ abi , include @{exec_path} = @{bin}/dmesg -profile dmesg @{exec_path} flags=(attach_disconnected) { +profile dmesg @{exec_path} { include include capability dac_read_search, - capability sys_admin, capability syslog, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd index 984545508..0484cf99d 100644 --- a/apparmor.d/profiles-a-f/dmeventd +++ b/apparmor.d/profiles-a-f/dmeventd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/dmeventd +@{exec_path} = @{bin}/dmeventd profile dmeventd @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode index 680d25992..aba455535 100644 --- a/apparmor.d/profiles-a-f/dmidecode +++ b/apparmor.d/profiles-a-f/dmidecode @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/dmidecode +@{exec_path} = @{bin}/dmidecode profile dmidecode @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup index eb9d1dc19..d532bb8cf 100644 --- a/apparmor.d/profiles-a-f/dmsetup +++ b/apparmor.d/profiles-a-f/dmsetup @@ -6,10 +6,9 @@ abi , include -@{exec_path} = @{sbin}/dmsetup +@{exec_path} = @{bin}/dmsetup profile dmsetup @{exec_path} { include - include include capability sys_admin, 
diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install deleted file mode 100644 index e99760a73..000000000 --- a/apparmor.d/profiles-a-f/dracut-install +++ /dev/null @@ -1,29 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/dracut/dracut-install -profile dracut-install @{exec_path} { - include - include - - @{exec_path} mr, - - @{bin}/cp rix, - - /etc/modprobe.d/{,**} r, - - @{sys}/devices/platform/{,**/} r, - @{sys}/devices/platform/**/modalias r, - @{sys}/module/compression r, - - @{PROC}/cmdline r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 57487b15c..065fe92c5 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -16,14 +16,13 @@ include profile dropbox @{exec_path} { include include + include include include include include - include include include - include include @{exec_path} mr, @@ -33,14 +32,14 @@ profile dropbox @{exec_path} { @{bin}/readlink rix, @{bin}/dirname rix, @{bin}/uname rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/python3.@{int} rix, @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}objdump rix, @{open_path} rPx -> child-open-strict, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, owner @{HOME}/ r, owner @{config_dirs}/ rw, @@ -62,6 +61,7 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, + owner /var/tmp/etilqs_@{hex16} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap index a1050aa94..634aebd02 100644 --- a/apparmor.d/profiles-a-f/dumpcap +++ b/apparmor.d/profiles-a-f/dumpcap 
@@ -10,14 +10,16 @@ include @{exec_path} = @{bin}/dumpcap profile dumpcap @{exec_path} { include - include - include include + include + include # To capture packekts capability net_raw, capability net_admin, + signal (receive) peer=wireshark, + network inet dgram, network inet6 dgram, network netlink raw, @@ -25,8 +27,6 @@ profile dumpcap @{exec_path} { network packet raw, network bluetooth raw, - signal (receive) peer=wireshark, - dbus (eavesdrop) bus=session, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index a4184a358..eb3d4d61a 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/dumpe2fs @{sbin}/e2mmpstatus +@{exec_path} = @{bin}/dumpe2fs @{bin}/e2mmpstatus profile dumpe2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index c120a3590..be5d26b9f 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/e2fsck @{sbin}/fsck.ext2 @{sbin}/fsck.ext3 @{sbin}/fsck.ext4 +@{exec_path} = @{bin}/e2fsck @{bin}/fsck.ext2 @{bin}/fsck.ext3 @{bin}/fsck.ext4 profile e2fsck @{exec_path} { include include @@ -21,7 +21,7 @@ profile e2fsck @{exec_path} { # To check for badblocks @{sh_path} rix, - @{sbin}/badblocks rPx, + @{bin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index c7238f262..b099f1ccf 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/e2image +@{exec_path} = @{bin}/e2image profile e2image @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2scrub b/apparmor.d/profiles-a-f/e2scrub deleted file mode 100644 index 2e7e88487..000000000 --- a/apparmor.d/profiles-a-f/e2scrub +++ /dev/null 
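Review bot: `dbus (eavesdrop) bus=session,` survives unchanged in the second dumpcap hunk next to `capability net_raw`/`net_admin` and the raw socket rules, so the privileged capture helper is also allowed to observe all traffic on the user's session bus, and nothing in the hunk says why a packet-capture binary spawned by wireshark needs that. If the access is only observed during startup (for example a library probing the bus), an explicit `deny dbus (eavesdrop) bus=session,` or a comment citing the motivating denial would be preferable to a silent grant. The dumpcap profile body continues outside this hunk.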
@@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/e2scrub -profile e2scrub @{exec_path} flags=(complain) { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index e5d13f1de..25fab12c7 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -6,20 +6,19 @@ abi , include -@{exec_path} = @{sbin}/e2scrub_all +@{exec_path} = @{bin}/e2scrub_all profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include include - capability setuid, capability sys_admin, capability sys_rawio, @{exec_path} mr, - @{sh_path} mr, - @{bin}/readlink ix, + @{sh_path} r, + @{bin}/readlink rix, /etc/e2scrub.conf r, diff --git a/apparmor.d/groups/utils/eject b/apparmor.d/profiles-a-f/eject similarity index 100% rename from apparmor.d/groups/utils/eject rename to apparmor.d/profiles-a-f/eject diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 59cfa3577..05a900889 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -7,7 +7,6 @@ abi , include @{name} = {E,e}lement -@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -16,11 +15,11 @@ include profile element-desktop @{exec_path} flags=(attach_disconnected) { include include - include + include + include include include include - include include network inet dgram, 
@@ -31,9 +30,11 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} r, + @{open_path} rPx -> child-open-strict, + #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> element-desktop//&xdg-settings, - @{open_path} Px -> child-open-strict, /usr/share/webapps/element/{,**} r, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 3e650962f..c302ff400 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -10,8 +10,11 @@ include @{exec_path} = @{bin}/engrampa profile engrampa @{exec_path} { include + include include - include + include + include + include include include include diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index 5c4108094..023d13b47 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -48,7 +48,6 @@ profile etckeeper @{exec_path} { /etc/etckeeper/*.d/* rix, /etc/etckeeper/daily rix, - #aa:lint ignore=too-wide /etc/ rw, /etc/** rwkl -> /etc/**, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 10b5ad4af..5ae754138 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -9,14 +9,15 @@ include @{exec_path} = @{bin}/evince @{lib}/evinced profile evince @{exec_path} { include + include include + include include include - include + include include include include - include include include include @@ -29,6 +30,7 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, 
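Review bot: The etckeeper hunk drops the `#aa:lint ignore=too-wide` marker but keeps `/etc/ rw,` and `/etc/** rwkl -> /etc/**,`, so the wide rule is now unannotated; if the repository's check target enforces the too-wide lint this starts failing, and either way a reader loses the signal that the width is intentional. Replace the marker with a plain comment, e.g. `# etckeeper versions the whole of /etc, so write access to the entire tree is its purpose.`, and note that the deluser hunk earlier in this diff removed the same marker above its file-scanning rules. The etckeeper profile continues outside this hunk.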
@@ -42,14 +44,13 @@ profile evince @{exec_path} { /usr/share/poppler/{,**} r, /usr/share/thumbnailers/{,*} r, + owner @{user_share_dirs}/ r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_config_dirs}/evince/{,*} rw, - owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.pdf r, owner @{tmp}/evince-@{int}/{,**} rw, - owner @{tmp}/gtkprint_@{rand6} rw, - owner @{tmp}/gtkprint@{rand6} rw, + owner @{tmp}/gtkprint* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer index dcd28ddc9..1597c35af 100644 --- a/apparmor.d/profiles-a-f/evince-previewer +++ b/apparmor.d/profiles-a-f/evince-previewer @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/evince-previewer profile evince-previewer @{exec_path} { include - include + include include include include diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index 6fbabaf28..95fdba512 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer @@ -9,10 +9,10 @@ include @{exec_path} = @{bin}/evince-thumbnailer profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) { include - include @{exec_path} mr, + /usr/share/mime/mime.cache r, /usr/share/poppler/{,**} r, owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r, diff --git a/apparmor.d/profiles-a-f/execute-dcut b/apparmor.d/profiles-a-f/execute-dcut index 817ba6215..41d2324f6 100644 --- a/apparmor.d/profiles-a-f/execute-dcut +++ b/apparmor.d/profiles-a-f/execute-dcut @@ -13,7 +13,7 @@ profile execute-dcut @{exec_path} flags=(complain) { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, include if exists } diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 7161c5900..0decde05c 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput 
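Review bot: `owner @{tmp}/gtkprint* rw,` in the third evince hunk replaces two rules anchored to a six-character random suffix with an open-ended glob, so a viewer that renders untrusted PDFs gains read/write on any user-owned `/tmp/gtkprint…` entry; the earlier form was tighter at no extra cost. If the two spellings only differed by the underscore, `owner @{tmp}/gtkprint{_,}@{rand6} rw,` keeps both in one rule without widening it. The evince profile continues outside this hunk.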
@@ -15,7 +15,7 @@ profile execute-dput @{exec_path} flags=(complain) { @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 3af283014..98364f0f1 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -7,8 +7,8 @@ abi , include -@{exec_path} = @{sbin}/exim4 -profile exim4 @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/exim4 +profile exim4 @{exec_path} { include include include diff --git a/apparmor.d/profiles-a-f/exo-compose-mail b/apparmor.d/profiles-a-f/exo-compose-mail index e03e35403..3e1f92742 100644 --- a/apparmor.d/profiles-a-f/exo-compose-mail +++ b/apparmor.d/profiles-a-f/exo-compose-mail @@ -13,6 +13,7 @@ profile exo-compose-mail @{exec_path} { include @{exec_path} r, + @{bin}/perl r, # Mail clients @{bin}/thunderbird rPx, diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index a2cfe43c5..4d743fbb7 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix @@ -21,7 +21,7 @@ profile f3fix @{exec_path} { @{sh_path} rix, - @{sbin}/dmidecode rPx, + @{bin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fail2ban-client b/apparmor.d/profiles-a-f/fail2ban-client index d432bee94..7fae1218c 100644 --- a/apparmor.d/profiles-a-f/fail2ban-client +++ b/apparmor.d/profiles-a-f/fail2ban-client @@ -15,7 +15,7 @@ profile fail2ban-client @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{python_path} r, + @{bin}/python3.@{int} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 629208bc6..e858c2d8e 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server 
@@ -20,11 +20,11 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{sbin}/xtables-nft-multi rix, + @{bin}/xtables-nft-multi rix, @{bin}/iptables rix, @{bin}/ r, - @{python_path} r, + @{bin}/python3.@{int} r, /etc/fail2ban/{,**} r, diff --git a/apparmor.d/profiles-a-f/fatlabel b/apparmor.d/profiles-a-f/fatlabel index c8bdedaa3..c7ac0d399 100644 --- a/apparmor.d/profiles-a-f/fatlabel +++ b/apparmor.d/profiles-a-f/fatlabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/fatlabel +@{exec_path} = @{bin}/fatlabel profile fatlabel @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index 6f4c86647..e299a109b 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/fatresize +@{exec_path} = @{bin}/fatresize profile fatresize @{exec_path} { include include @@ -21,7 +21,7 @@ profile fatresize @{exec_path} { @{sh_path} rix, - @{sbin}/dmidecode rPx, + @{bin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index bab152574..e6a7aeebf 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/fdisk +@{exec_path} = @{bin}/fdisk profile fdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index 8633444d8..6e47ec8cb 100644 --- a/apparmor.d/profiles-a-f/ffmpeg +++ b/apparmor.d/profiles-a-f/ffmpeg @@ -28,7 +28,6 @@ profile ffmpeg @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/.Xauthority r, - owner @{HOME}/.spotdl/** rw, # For spotdl owner @{user_music_dirs}/** rw, owner @{user_videos_dirs}/** rw, 
@@ -37,7 +36,7 @@ profile ffmpeg @{exec_path} { owner @{tmp}/vidcutter/** rw, # TMP files for apps using ffmpeg @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/system/node/node[0-9]/meminfo r, include if exists } diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index 4152ed49a..6d3e1972d 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -11,9 +11,10 @@ include profile ffplay @{exec_path} { include include - include + include include include + include network inet stream, network inet6 stream, @@ -29,7 +30,7 @@ profile ffplay @{exec_path} { owner @{user_videos_dirs}/** rw, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/system/node/node[0-9]/meminfo r, include if exists } diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 3d13b813f..0c5a18e83 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include + include include include include @@ -24,9 +25,20 @@ profile file-roller @{exec_path} { @{bin}/rm rix, # Archivers - @{archive_path} rix, + @{bin}/7z rix, + @{bin}/7zz rix, + @{bin}/ar rix, + @{bin}/bzip2 rix, + @{bin}/cpio rix, + @{bin}/gzip rix, + @{bin}/tar rix, + @{bin}/unrar-nonfree rix, + @{bin}/unzip rix, + @{bin}/xz rix, + @{bin}/zip rix, + @{bin}/zstd rix, + @{lib}/p7zip/7z rix, - #aa:lint ignore=too-wide # Full access to user's data @{MOUNTS}/** rw, owner @{HOME}/** rw, diff --git a/apparmor.d/groups/cap/filecap b/apparmor.d/profiles-a-f/filecap similarity index 100% rename from apparmor.d/groups/cap/filecap rename to apparmor.d/profiles-a-f/filecap diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 16bafb886..be734ed50 100644 --- a/apparmor.d/profiles-a-f/filezilla 
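Review bot: `@{sys}/devices/system/node/node[0-9]/meminfo r` only matches single-digit NUMA node ids, so on a host with node10 and above the read is denied where `node@{int}` previously allowed it; the ffplay hunk makes the same change. If `@{int}` is being avoided on purpose, `@{sys}/devices/system/node/node[0-9]*/meminfo r,` keeps multi-digit nodes working. The profile block starts outside the hunk.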
+++ b/apparmor.d/profiles-a-f/filezilla @@ -11,12 +11,12 @@ include profile filezilla @{exec_path} { include include - include + include + include include include include include - include include include include @@ -29,7 +29,6 @@ profile filezilla @{exec_path} { network netlink raw, signal send set=(term, kill) peer=fzsftp, - signal send set=(term, kill) peer=fzputtygen, @{exec_path} mr, @@ -37,8 +36,7 @@ profile filezilla @{exec_path} { @{bin}/uname rix, @{bin}/fzsftp rPx, # When using SFTP protocol - @{bin}/fzputtygen rPUx, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, /usr/share/filezilla/{,**} r, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd deleted file mode 100644 index 7ce69ab64..000000000 --- a/apparmor.d/profiles-a-f/finalrd +++ /dev/null 
@@ -1,82 +0,0 @@
-
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-@{exec_path} = @{bin}/finalrd
-profile finalrd @{exec_path} {
- include
- include
-
- capability dac_read_search,
- capability sys_admin,
- capability sys_chroot,
-
- remount options=(rw nodev nosuid relatime remount) @{run}/,
-
- @{exec_path} mr,
-
- @{sh_path} rix,
- @{bin}/cp ix,
- @{bin}/dirname ix,
- @{bin}/env ix,
- @{bin}/find ix,
- @{bin}/{,e}grep ix,
- @{bin}/ln ix,
- @{bin}/mkdir ix,
- @{bin}/mount ix,
- @{bin}/readlink ix,
- @{bin}/realpath ix,
- @{bin}/rm ix,
- @{bin}/run-parts ix,
- @{bin}/sed ix,
- @{bin}/touch ix,
- @{sbin}/ldconfig{,.real} ix,
-
- @{bin}/ldd Cx -> ldd,
- @{bin}/systemd-tmpfiles Px,
- @{lib}/@{multiarch}/ld-linux-*so* Cx -> ldd,
- @{lib}/systemd/systemd-shutdown Px,
- /usr/share/finalrd/*.finalrd ix,
-
- @{bin}/{,*} r,
- @{lib}/{,*} r,
- @{sbin}/{,*} r,
-
- /usr/share/finalrd/{,**} r,
- /usr/share/initramfs-tools/hook-functions r,
-
- /etc/fstab r,
- /etc/iscsi/initiatorname.iscsi r,
- /etc/iscsi/iscsid.conf r,
-
- / r,
-
- @{run}/ r,
- @{run}/finalrd-libs.conf rw,
- @{run}/initramfs/{,**} rw,
- @{run}/mount/ r,
- @{run}/mount/utab r,
-
- @{PROC}/@{pid}/mountinfo r,
-
- profile ldd {
- include
- include
- include
-
- @{bin}/* mr,
- @{sbin}/* mr,
- @{lib}/@{multiarch}/ld-linux-*so* mrix,
-
- include if exists
- }
-
- include if exists
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/findmnt b/apparmor.d/profiles-a-f/findmnt
similarity index 100%
rename from apparmor.d/groups/utils/findmnt
rename to apparmor.d/profiles-a-f/findmnt
diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg
index d8086715a..a3aba8af1 100644
--- a/apparmor.d/profiles-a-f/firecfg
+++ b/apparmor.d/profiles-a-f/firecfg
@@ -19,13 +19,11 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{sbin}/apparmor_parser rPx, - - @{etc_ro}/login.defs r, + @{bin}/apparmor_parser rPx, + /etc/login.defs r, /etc/firejail/firejail.users r, /etc/firejail/firecfg.config r, - /etc/firejail/firecfg.d/{,*} r, /usr/local/bin/ r, /usr/local/bin/* rw, @@ -34,14 +32,10 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { /usr/share/applications/ r, /usr/share/applications/*.desktop r, @{user_share_dirs}/applications/ r, + @{user_share_dirs}/applications/*.desktop rw, - @{user_config_dirs}/firejail/{,*} r, - - /dev/tty rw, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, - + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/profiles-a-f/firewall-applet similarity index 85% rename from apparmor.d/groups/firewall/firewall-applet rename to apparmor.d/profiles-a-f/firewall-applet index bd144b7e2..17fca1462 100644 --- a/apparmor.d/groups/firewall/firewall-applet +++ b/apparmor.d/profiles-a-f/firewall-applet @@ -17,13 +17,10 @@ profile firewall-applet @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/ r, - @{python_path} r, + @{bin}/python3.@{int} r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/cgroup r, - - owner @{user_config_dirs}/firewall/applet.conf rwkl, include if exists } diff --git a/apparmor.d/groups/firewall/firewall-config b/apparmor.d/profiles-a-f/firewall-config similarity index 100% rename from apparmor.d/groups/firewall/firewall-config rename to apparmor.d/profiles-a-f/firewall-config diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/profiles-a-f/firewalld similarity index 64% rename from apparmor.d/groups/firewall/firewalld rename to apparmor.d/profiles-a-f/firewalld index 57a0baa20..142b25cde 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/profiles-a-f/firewalld 
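Review bot: `@{user_share_dirs}/applications/*.desktop rw` has no `owner` qualifier, unlike the other user-directory rules in this profile, so firecfg (`attach_disconnected`, presumably run as root) may write launcher files in any user's `~/.local/share/applications`; `owner @{user_share_dirs}/applications/*.desktop rw,` limits it to the invoking user's files. The same hunk also drops `/dev/tty@{int}` and `owner /dev/pts/@{int}`, so interactive use from a pty may now be denied unless an included abstraction covers it — worth confirming before merge. The profile block starts outside the hunk.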
@@ -6,9 +6,10 @@ abi ,
 include
-@{exec_path} = @{sbin}/firewalld
+@{exec_path} = @{bin}/firewalld
 profile firewalld @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -20,6 +21,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
 capability net_admin,
 capability net_raw,
 capability setpcap,
+ capability sys_module,
 network inet raw,
 network inet6 raw,
@@ -28,20 +30,19 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
 #aa:dbus own bus=system name=org.fedoraproject.FirewallD1
 @{exec_path} mr,
- @{python_path} r,
 @{bin}/ r,
- @{sbin}/ r,
- @{bin}/alts ix,
- @{bin}/false ix,
- @{bin}/kmod Cx -> kmod,
- @{bin}/ebtables-legacy ix,
- @{bin}/ebtables-legacy-restore ix,
- @{sbin}/ipset ix,
- @{sbin}/xtables-legacy-multi ix,
- @{sbin}/xtables-nft-multi mix,
+ @{bin}/alts rix,
+ @{bin}/ebtables-legacy rix,
+ @{bin}/ebtables-legacy-restore rix,
+ @{bin}/false rix,
+ @{bin}/ipset rix,
+ @{bin}/kmod rix,
+ @{bin}/modprobe rix,
+ @{bin}/xtables-legacy-multi rix,
+ @{bin}/xtables-nft-multi rix,
- /usr/local/lib/@{python_name}/dist-packages/ r,
+ /usr/local/lib/python3.@{int}/dist-packages/ r,
 /usr/share/iproute2/{,**} r,
 /usr/share/libalternatives/{,**} r,
@@ -55,25 +56,18 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
 /var/log/firewalld rw,
 @{run}/firewalld/{,*} rw,
+ @{run}/modprobe.d/{,*.conf} r,
 @{run}/xtables.lock rwk,
+ @{sys}/module/compression r,
+ @{sys}/module/*/initstate r,
+
+ @{PROC}/sys/kernel/modprobe r,
 @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pids}/net/ip_tables_names r,
- profile kmod flags=(attach_disconnected) {
- include
- include
-
- capability sys_module,
-
- @{sys}/module/compression r,
- @{sys}/module/nf_*/initstate r,
-
- include if exists
- }
-
 include if exists
 }
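Review bot: `capability sys_module` now sits in the main firewalld profile and `@{bin}/kmod rix` / `@{bin}/modprobe rix` run under the daemon's own label, replacing the `firewalld//kmod` child profile that held that capability in isolation with only `@{sys}/module/nf_*/initstate`. Module loading is kernel-level code execution, so this hunk hands it to the whole Python D-Bus service rather than to a small confined helper, and `@{sys}/module/*/initstate` widens the sysfs read from netfilter modules to every module. Unless the child profile was broken in a way the commit message does not mention, keeping kmod/modprobe as `Cx -> kmod` with `capability sys_module` confined there is the least-privilege option; the new `@{run}/modprobe.d/{,*.conf} r` and `@{PROC}/sys/kernel/modprobe r` lines would move into the child with it.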
diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/profiles-a-f/flatpak similarity index 58% rename from apparmor.d/groups/flatpak/flatpak rename to apparmor.d/profiles-a-f/flatpak index 341db555e..7368d7c3b 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -11,7 +11,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include - include + include include include include @@ -37,26 +37,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, - unix type=seqpacket peer=(label=flatpak-system-helper), - unix type=stream peer=(label=flatpak//fusermount), - - #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" - #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" - - #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper - #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=ReloadConfig - peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), - - dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper - interface=org.freedesktop.Flatpak.SystemHelper - member=GetRevokefsFd - peer=(name=org.freedesktop.Flatpak.SystemHelper), - @{exec_path} mr, @{bin}/bwrap rPx -> flatpak-app, 
@@ -66,54 +46,37 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{bin}/gpgsm rCx -> gpg, @{lib}/revokefs-fuse rix, - @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - @{lib}/polkit-agent-helper-[0-9] rPx, - /usr/share/flatpak/{,**} r, /etc/flatpak/{,**} r, /etc/pulse/client.conf r, - @{att}/ r, + / r, /var/lib/flatpak/{,**} rwlk, /var/tmp/#@{int} rw, /var/tmp/flatpak-cache-@{rand6}/{,**/} r, - owner /var/tmp/flatpak-cache-@{rand6}/ rw, - owner /var/tmp/flatpak-cache-@{rand6}/** rwlk -> /var/tmp/flatpak-cache-@{rand6}/**, + owner /var/tmp/flatpak-cache-@{rand6}/{,**} rwk, owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, - # Can create dotfile directories for any app - owner @{user_cache_dirs}/*/ w, - owner @{user_config_dirs}/*/ w, - owner @{user_share_dirs}/*/ w, - owner @{user_games_dirs}/{,**/} w, - owner @{user_documents_dirs}/ w, + owner @{user_documents_dirs}/ rw, - @{user_config_dirs}/dconf/user r, owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_config_dirs}/pulse/client.conf r, owner @{user_config_dirs}/user-dirs.dirs r, @{user_share_dirs}/flatpak/{,**} r, owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/flatpak/ rw, - owner @{user_share_dirs}/flatpak/** rwlk, + owner @{user_share_dirs}/flatpak/{,**} rwl, owner @{tmp}/#@{int} rw, owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw, - owner @{tmp}/remote-summary-sig.@{rand6} rw, - owner @{tmp}/remote-summary.@{rand6} rw, owner /dev/shm/flatpak*/{,**} rw, - @{run}/.userns r, - @{att}/@{run}/.userns r, - + @{run}/.userns r, @{run}/user/@{uid}/.dbus-proxy/ w, @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/.dbus-proxy/* rw, 
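Review bot: `owner @{user_share_dirs}/flatpak/{,**} rwl` grants link permission with no `->` target, so the confined process may hard-link any file it can read into that tree; `owner @{user_share_dirs}/flatpak/{,**} rwl -> @{user_share_dirs}/flatpak/**,` keeps links inside it, as the gpg child already does with `rwkl -> /tmp/ostree-gpg-@{rand6}/**`. In the same hunk `owner /var/tmp/flatpak-cache-@{rand6}/{,**} rwk` drops the `l` the old targeted rule had, so ostree hard-link operations in that cache may now be denied, and `@{att}/ r` becoming `/ r` changes meaning under `attach_disconnected` — both worth confirming with a rootless install. The profile block starts and ends outside the hunk.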
@@ -142,34 +105,36 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain capability dac_read_search, - @{bin}/gpg{,2} mr, - @{bin}/gpgconf mr, - @{bin}/gpgsm mr, - @{bin}/gpg-agent rix, - @{lib}/gnupg/scdaemon rix, + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, @{HOME}/@{XDG_GPG_DIR}/*.conf r, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - owner @{PROC}/@{pid}/fd/ r, - include if exists } profile fusermount { include - include + include + include - capability setuid, - - unix type=seqpacket peer=(label=flatpak-system-helper), - unix type=stream peer=(label=flatpak), + capability sys_admin, mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + + @{PROC}/@{pids}/mounts r, + + /dev/fuse rw, + include if exists } diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app similarity index 90% rename from apparmor.d/groups/flatpak/flatpak-app rename to apparmor.d/profiles-a-f/flatpak-app index e6be7ef4f..e332f50ca 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app @@ -41,16 +41,12 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix stream, - ptrace read, + ptrace (read), ptrace trace peer=flatpak-app, signal receive peer=flatpak, signal receive set=(int term) peer=flatpak-portal, - signal receive set=(int term) peer=flatpak-session-helper, - - unix type=seqpacket peer=(label=dbus-session), - # unix type=seqpacket peer=(label=unconfined), - unix type=seqpacket peer=(label=xdg-dbus-proxy), + signal receive set=(int) peer=flatpak-session-helper, @{bin}/** rmix, @{lib}/** rmix, 
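Review bot: `@{PROC}/@{pids}/mounts r` in the `fusermount` child lets it read the mount table of every process, while the standalone fusermount profile and the fuseiso child in this same commit use `@{PROC}/@{pid}/mounts r`; `owner @{PROC}/@{pid}/mounts r,` is enough for fusermount's own mount check and keeps the three consistent. `capability sys_admin` replacing `capability setuid` is expected for a mount helper, but a one-line comment like the fuseiso child's `# To mount anything:` would document why it is there. The enclosing `flatpak` profile ends outside the hunk.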
@@ -61,7 +57,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/*/**/@{bin}/** rmix, /var/lib/flatpak/app/*/**/@{lib}/** rmix, - @{run}/flatpak/app/*/.org.chromium.Chromium.@{rand6} rm, @{run}/flatpak/app/*/**so* rm, @{run}/parent/@{bin}/** rmix, @{run}/parent/@{lib}/** rmix, @@ -86,9 +81,9 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, + /var/tmp/etilqs_@{hex16} rw, - owner @{att}/@{HOME}/.var/app/** rwlkmix, - + @{run}/.userns r, @{run}/parent/** r, @{run}/parent/app/.ref rk, @{run}/parent/usr/.ref rk, @@ -98,8 +93,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/ld-so-cache-dir/* rw, owner @{run}/user/ r, - /dev/ntsync r, - include if exists include if exists } diff --git a/apparmor.d/groups/flatpak/flatpak-oci-authenticator b/apparmor.d/profiles-a-f/flatpak-oci-authenticator similarity index 100% rename from apparmor.d/groups/flatpak/flatpak-oci-authenticator rename to apparmor.d/profiles-a-f/flatpak-oci-authenticator diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal similarity index 67% rename from apparmor.d/groups/flatpak/flatpak-portal rename to apparmor.d/profiles-a-f/flatpak-portal index 97f9f4911..8a8d2b901 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/profiles-a-f/flatpak-portal @@ -10,9 +10,6 @@ include profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include - include - include - include include capability sys_ptrace, 
@@ -25,24 +22,23 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.portal.Flatpak - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, @{bin}/flatpak rPx, + /usr/share/mime/mime.cache r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, - owner /att/**/ r, + /var/lib/flatpak/exports/share/mime/mime.cache r, + + owner @{att}/ r, owner @{att}/.flatpak-info r, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + owner @{HOME}/.var/app/*/**/.ref rw, + owner @{HOME}/.var/app/*/**/logs/* rw, owner @{user_config_dirs}/user-dirs.dirs r, + owner @{user_share_dirs}/mime/mime.cache r, owner @{run}/user/@{uid}/.flatpak/@{int}/* r, owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r, diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper similarity index 92% rename from apparmor.d/groups/flatpak/flatpak-session-helper rename to apparmor.d/profiles-a-f/flatpak-session-helper index 8a8f5afb7..162e3b448 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -21,11 +21,6 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Flatpak - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, @{shells_path} rUx -> user_unconfined, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper similarity index 74% rename from apparmor.d/groups/flatpak/flatpak-system-helper rename to apparmor.d/profiles-a-f/flatpak-system-helper index 0bd74bdcb..2268de064 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper 
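Review bot: `owner @{HOME}/.var/app/*/**/.ref rw` and `owner @{HOME}/.var/app/*/**/logs/* rw` match at any depth under every app's data directory, where the replaced rules were pinned to `.local/share/*/logs/*` and `.local/share/*/**/usr/.ref`; `**/logs/*` in particular will also match unrelated files any sandboxed app keeps in a `logs` directory. If the wider match was not the goal, `owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw,` and `owner @{HOME}/.var/app/*/.local/share/*/logs/* rw,` keep the old precision. The profile block starts and ends outside the hunk.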
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper @@ -9,16 +9,12 @@ include @{exec_path} = @{lib}/flatpak-system-helper profile flatpak-system-helper @{exec_path} { include - include - include - include include include include capability chown, capability dac_override, - capability dac_read_search, capability fowner, capability net_admin, capability setgid, @@ -26,15 +22,9 @@ profile flatpak-system-helper @{exec_path} { capability sys_nice, capability sys_ptrace, - ptrace read, - - unix type=seqpacket peer=(label=dbus-system), - unix type=seqpacket peer=(label=flatpak), - unix type=seqpacket peer=(label=flatpak//fusermount), - unix type=seqpacket peer=(label=unconfined), + ptrace (read), #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon @{exec_path} mr, @@ -47,7 +37,7 @@ profile flatpak-system-helper @{exec_path} { /etc/flatpak/{,**} r, /etc/machine-id r, - /usr/share/flatpak/remotes.d/{,**} r, + /usr/share/mime/mime.cache r, /usr/share/flatpak/triggers/ r, /var/lib/flatpak/{,**} rwkl, @@ -57,11 +47,7 @@ profile flatpak-system-helper @{exec_path} { owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - @{tmp}/remote-summary-sig.@{rand6} r, - @{tmp}/remote-summary.@{rand6} r, - - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/groups/flatpak/flatpak-validate-icon b/apparmor.d/profiles-a-f/flatpak-validate-icon similarity index 100% rename from apparmor.d/groups/flatpak/flatpak-validate-icon rename to apparmor.d/profiles-a-f/flatpak-validate-icon diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index a07976ce9..b1c485408 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate 
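Review bot: The removed `/usr/share/flatpak/remotes.d/{,**} r` is replaced in place by the unrelated `/usr/share/mime/mime.cache r`, so the system helper presumably loses read access to packaged remote definitions unless an included abstraction now covers them — worth a test with a distro-shipped remote. If the drop is intended the commit message should say so; otherwise `/usr/share/flatpak/remotes.d/{,**} r,` belongs next to the new mime.cache rule. The profile block starts and ends outside the hunk.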
@@ -15,7 +15,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { include include include - include capability dac_override, @@ -31,17 +30,31 @@ profile foliate @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap rix, @{bin}/gjs-console rix, + @{bin}/xdg-dbus-proxy rix, @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open-help, + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, + /usr/share/com.github.johnfactotum.Foliate/{,**} r, + owner /bindfile@{rand6} rw, + owner /.flatpak-info r, + owner @{user_books_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r, owner @{user_cache_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, owner @{user_share_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, + owner @{run}/user/@{uid}/.flatpak/ w, + owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, + owner @{run}/user/@{uid}/webkitgtk/ w, + owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, + @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Nautilus.slice/dbus*org.gnome.Nautilus@*.service/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-com.github.johnfactotum.Foliate-@{int}.scope/memory.* r, @@ -51,6 +64,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/smaps r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 56941f60b..81c53aafd 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager 
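Review bot: `owner /bindfile@{rand6} rw` and `owner /.flatpak-info r` are rooted at `/`, which under `attach_disconnected` reads like a disconnected-path name rather than the real filesystem root; flatpak-portal in this same commit spells the equivalent rule `owner @{att}/.flatpak-info r`. If these paths come from the bwrap sandbox the profile now starts (`@{bin}/bwrap rix`, `@{bin}/xdg-dbus-proxy rix`), `owner @{att}/bindfile@{rand6} rw,` and `owner @{att}/.flatpak-info r,` are the consistent form — please confirm against the denial log. The profile block starts and ends outside the hunk.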
@@ -11,9 +11,11 @@ include profile font-manager @{exec_path} { include include - include include + include + include include + include include include diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 8a5f9c01a..182d9013d 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -15,7 +15,6 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { include capability net_admin, - capability sys_admin, capability sys_nice, network netlink raw, @@ -33,7 +32,8 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, - @{sys}/devices/**/hidraw/hidraw@{int}/uevent r, + @{sys}/devices/@{pci}/hidraw/hidraw@{int}/uevent r, + @{sys}/devices/virtual/**/hidraw/hidraw@{int}/uevent r, include if exists } diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index a7222a664..6dfb84452 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -13,7 +13,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { include include include - include include network inet dgram, @@ -36,8 +35,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - owner @{run}/user/@{uid}/fractal/{,**} rw, - @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, @@ -53,8 +50,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap mr, @{lib}/glycin-loaders/*/glycin-* rix, - owner @{run}/user/@{uid}/fractal/.tmp@{rand6} r, - owner @{PROC}/@{pid}/fd/ r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index b820f249c..295cbe760 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube 
@@ -8,7 +8,6 @@ abi , include @{name} = {F,f}ree{T,t}ube{,-vue} -@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -17,12 +16,12 @@ include profile freetube @{exec_path} flags=(attach_disconnected) { include include - include + include + include + include include include - include include - include network inet dgram, network inet6 dgram, @@ -34,11 +33,10 @@ profile freetube @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - #aa:stack X xdg-settings - @{bin}/xdg-settings rPx -> freetube//&xdg-settings, @{open_path} rPx -> child-open-strict, - deny @{sys}/devices/@{pci}/usb@{int}/** r, + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> freetube//&xdg-settings, include if exists } diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index c57323c6a..18b990bbc 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing @@ -10,13 +10,16 @@ include @{exec_path} = @{bin}/fritzing{,.real} profile fritzing @{exec_path} { include - include - include + include + include + include include - include + include include - include + include + include include + include network inet dgram, network inet6 dgram, 
@@ -27,25 +30,26 @@ profile fritzing @{exec_path} { @{exec_path} mrix, - /usr/share/fritzing/{,**} r, - /usr/share/hwdata/pnp.ids r, - - /etc/debian_version r, - /etc/fstab r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - owner @{user_config_dirs}/Fritzing/ rw, owner @{user_config_dirs}/Fritzing/** rwkl -> @{user_config_dirs}/Fritzing/**, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/ rw, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/** rw, - owner @{run}/lock/LCK..ttyACM[0-9]* rwk, + /usr/share/fritzing/{,**} r, - @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* + /usr/share/hwdata/pnp.ids r, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /etc/fstab r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /etc/debian_version r, @{sys}/bus/ r, @{sys}/class/ r, @@ -53,13 +57,15 @@ profile fritzing @{exec_path} { @{sys}/devices/**/tty*/uevent r, @{sys}/devices/**/tty/**/uevent r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* /dev/ttyS@{int} rw, /dev/ttyACM@{int} rw, + owner @{run}/lock/LCK..ttyACM[0-9]* rwk, + include if exists } diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend new file mode 100644 index 000000000..ac8a6a5a8 --- /dev/null +++ b/apparmor.d/profiles-a-f/frontend 
@@ -0,0 +1,130 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/debconf/frontend
+profile frontend @{exec_path} flags=(complain) {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ capability dac_read_search,
+
+ @{exec_path} r,
+ @{bin}/perl r,
+
+ @{sh_path} rix,
+ @{bin}/hostname rix,
+ @{bin}/locale rix,
+ @{bin}/lsb_release rPx -> lsb_release,
+ @{bin}/stty rix,
+ @{bin}/update-secureboot-policy rPx,
+
+ # debconf apps
+ @{bin}/adequate rPx,
+ @{bin}/aspell-autobuildhash rPx,
+ @{bin}/debconf-apt-progress rPx,
+ @{bin}/linux-check-removal rPx,
+ @{bin}/pam-auth-update rPx,
+ @{bin}/ucf rPx,
+ @{bin}/whiptail rPx,
+ @{lib}/tasksel/tasksel-debconf rPx -> tasksel,
+ /usr/share/debian-security-support/check-support-status.hook rPx,
+
+ # Grub
+ @{lib}/grub/grub-multi-install rPx,
+ /usr/share/grub/grub-check-signatures rPx,
+
+ # Run the package maintainer's scripts
+ # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
+ #/var/lib/dpkg/info/*.{config,templates} rPUx,
+ #/var/lib/dpkg/info/*.{preinst,postinst} rPUx,
+ #/var/lib/dpkg/info/*.{prerm,postrm} rPUx,
+ /var/lib/dpkg/info/*.control r,
+ #/var/lib/dpkg/tmp.ci/{config,templates} rPUx,
+ #/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx,
+ #/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx,
+ /var/lib/dpkg/tmp.ci/control r,
+ /var/lib/dpkg/info/*.{config,templates} rCx -> scripts,
+ /var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts,
+ /var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts,
+ /var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts,
+ /var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
+ /var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts,
+
+ # DKMS scipts
+ # What to do with it? (#FIXME#)
+ @{lib}/dkms/common.postinst rPUx,
+ @{lib}/dkms/dkms-* rPUx,
+ @{lib}/dkms/dkms_* rPUx,
+
+ /usr/share/debconf/{,**} r,
+
+ /etc/debconf.conf r,
+ /etc/inputrc r,
+ /etc/shadow r,
+
+ owner @{tmp}/file* w,
+ owner /var/cache/debconf/* rwk,
+
+ @{HOME}/.Xauthority r,
+
+ @{run}/user/@{uid}/pk-debconf-socket rw,
+
+ owner @{PROC}/@{pid}/mounts r,
+
+ profile scripts flags=(complain) {
+ include
+ include
+
+ capability dac_read_search,
+
+ /var/lib/dpkg/info/*.config r,
+ /var/lib/dpkg/info/*.{preinst,postinst} r,
+ /var/lib/dpkg/info/*.{prerm,postrm} r,
+ /var/lib/dpkg/tmp.ci/config r,
+ /var/lib/dpkg/tmp.ci/{preinst,postinst} r,
+ /var/lib/dpkg/tmp.ci/{prerm,postrm} r,
+
+ / r,
+
+ @{bin}/ r,
+ @{bin}/* rPUx,
+
+ @{lib}/ r,
+ @{lib}/** rPUx,
+
+ /usr/share/ r,
+ /usr/share/** rPUx,
+
+ /etc/init.d/ r,
+ /etc/init.d/* rPUx,
+
+ /etc/ r,
+ /etc/** rw,
+ /var/ r,
+ /var/** rw,
+ @{sys}/ r,
+ @{sys}/**/ r,
+ @{run}/ r,
+ @{run}/** rw,
+ /tmp/ r,
+ owner @{tmp}/** rw,
+
+ include if exists
+ }
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/utils/fsck b/apparmor.d/profiles-a-f/fsck
similarity index 91%
rename from apparmor.d/groups/utils/fsck
rename to apparmor.d/profiles-a-f/fsck
index e2537b21c..5d0588026 100644
--- a/apparmor.d/groups/utils/fsck
+++ b/apparmor.d/profiles-a-f/fsck
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{sbin}/fsck
+@{exec_path} = @{bin}/fsck
 profile fsck @{exec_path} flags=(attach_disconnected) {
 include
 include
@@ -18,15 +18,15 @@ profile fsck @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{sbin}/e2fsck rPx,
- @{sbin}/fsck.* rPx,
+ @{bin}/e2fsck rPx,
+ @{bin}/fsck.* rPx,
 /etc/fstab r,
 # When a mount dir is passed to fsck as an argument.
 @{HOME}/ r,
 @{MOUNTS}/ r,
- @{efi}/ r,
+ /boot/ r,
 @{run}/mount/utab r,
 @{run}/systemd/fsck.progress rw,
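Review bot: `/etc/shadow r` is granted to the debconf frontend with no comment, and it is the one rule in the main profile that exposes password hashes to a Perl process whose job is to drive package config scripts; a why-comment naming the config script that needs it, or moving the rule into the `scripts` child that actually runs them, would make the grant reviewable. The child's `/etc/** rw`, `/var/** rw` and `@{run}/** rw` are acknowledged by the `#FIXME#` notes, but if the `#aa:lint ignore=too-wide` directive seen on the old side of the etckeeper and file-roller hunks is still supported, placing it above those rules keeps the linter quiet without losing the FIXME. Also `# DKMS scipts` should read `# DKMS scripts`.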
diff --git a/apparmor.d/groups/filesystem/fsck.btrfs b/apparmor.d/profiles-a-f/fsck.btrfs similarity index 92% rename from apparmor.d/groups/filesystem/fsck.btrfs rename to apparmor.d/profiles-a-f/fsck.btrfs index 512265788..f8ac9419d 100644 --- a/apparmor.d/groups/filesystem/fsck.btrfs +++ b/apparmor.d/profiles-a-f/fsck.btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/fsck.btrfs +@{exec_path} = @{bin}/fsck.btrfs profile fsck.btrfs @{exec_path} { include diff --git a/apparmor.d/groups/filesystem/fsck.fat b/apparmor.d/profiles-a-f/fsck.fat similarity index 87% rename from apparmor.d/groups/filesystem/fsck.fat rename to apparmor.d/profiles-a-f/fsck.fat index 0e7df947d..fd944532f 100644 --- a/apparmor.d/groups/filesystem/fsck.fat +++ b/apparmor.d/profiles-a-f/fsck.fat @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/fsck.fat @{sbin}/fsck.msdos @{sbin}/fsck.vfat @{sbin}/dosfsck +@{exec_path} = @{bin}/fsck.fat @{bin}/fsck.msdos @{bin}/fsck.vfat @{bin}/dosfsck profile fsck.fat @{exec_path} { include include diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/profiles-a-f/fstrim similarity index 78% rename from apparmor.d/groups/utils/fstrim rename to apparmor.d/profiles-a-f/fstrim index 87bd7fad5..a55337659 100644 --- a/apparmor.d/groups/utils/fstrim +++ b/apparmor.d/profiles-a-f/fstrim @@ -6,8 +6,8 @@ abi , include -@{exec_path} = @{sbin}/fstrim -profile fstrim @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/fstrim +profile fstrim @{exec_path} { include include @@ -22,11 +22,10 @@ profile fstrim @{exec_path} flags=(attach_disconnected) { @{MOUNTDIRS}/ r, @{MOUNTS}/ r, / r, - @{efi}/ r, + /boot/ r, + /boot/efi/ r, /var/ r, - @{PROC}/@{pid}/mountinfo r, - include if exists } diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index 91b279d20..da61184a3 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs 
@@ -10,21 +10,14 @@ include profile fuse-overlayfs @{exec_path} { include - capability chown, + capability sys_admin, capability dac_override, capability dac_read_search, - capability fowner, - capability setfcap, - capability setuid, - capability sys_admin, - - mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, - mount fstype=fuse.overlayfs options=(rw,nodev,noatime) fuse-overlayfs -> @{user_share_dirs}/containers/storage/overlay/**/merged/, + capability chown, @{exec_path} mr, - @{bin}/mount rix, - @{bin}/umount rix, + mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, owner @{user_share_dirs}/containers/storage/overlay/{,**} rwl, diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso index 75d19a0d5..ed2bcc936 100644 --- a/apparmor.d/profiles-a-f/fuseiso +++ b/apparmor.d/profiles-a-f/fuseiso @@ -36,17 +36,27 @@ profile fuseiso @{exec_path} { profile fusermount { include - include + include + + # To mount anything: + capability sys_admin, + + capability dac_read_search, mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/, mount fstype={fuse,fuse.fuseiso} -> @{HOME}/*/*/, mount fstype={fuse,fuse.fuseiso} -> @{user_cache_dirs}/**/, - umount @{HOME}/*/, - umount @{HOME}/*/*/, - umount @{user_cache_dirs}/**/, + @{bin}/fusermount{,3} mr, - owner @{user_img_dirs}/{,**} r, # Image files to be mounted + /etc/fuse.conf r, + + # Image files to be mounted + owner @{user_img_dirs}/{,**} r, + + @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, include if exists } diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index a84b85322..2bad1d773 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount 
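Review bot: The mount rule kept on the new side of the fuse-overlayfs hunk, `mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **,`, puts the merged directory on the source side of `->` and lets the mountpoint be any path, while the line being dropped (`fuse-overlayfs -> .../merged/`) had the filesystem name as source and the merged directory as mountpoint, which is how a FUSE mount is expressed. As far as I can read the mount rule grammar, the retained form is unlikely to match a real fuse-overlayfs mount and, anchored on `**`, is also far broader than the overlay tree it is meant to cover. I would keep the dropped line (or at least restrict the mountpoint to `@{user_share_dirs}/containers/storage/overlay/**/merged/`) instead of the `-> **` one. Minor: the new side lists `capability sys_admin` before `dac_override` and `chown` last, where the old side kept the capabilities sorted.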
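Review bot: The three `umount` rules removed from fuseiso's `fusermount` child profile have no replacement on the new side, although the matching `mount` rules for `@{HOME}/*/`, `@{HOME}/*/*/` and `@{user_cache_dirs}/**/` stay and `@{bin}/fusermount{,3} mr` is added. If fuseiso unmounts its images through `fusermount -u`, those unmounts will be denied once the profile is enforced, so the `umount` lines should probably remain next to the new `capability sys_admin`. The standalone fusermount profile changed later in this diff keeps its `umount` rules, so the two copies of this child profile now diverge.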
@@ -10,7 +10,10 @@ include @{exec_path} = @{bin}/fusermount{,3} profile fusermount @{exec_path} { include - include + include + + capability dac_read_search, + capability sys_admin, # Be able to mount ISO images mount fstype={fuse,fuse.*} -> @{HOME}/*/, @@ -30,10 +33,10 @@ profile fusermount @{exec_path} { umount /tmp/.mount_*/, umount @{run}/user/@{uid}/*/, umount /var/tmp/flatpak-cache-*/*/, - umount /tmp/fsa/*/, # fsarchiver @{exec_path} mr, + /etc/fuse.conf r, /etc/machine-id r, /var/tmp/flatpak-cache-*/*/ r, @@ -48,6 +51,10 @@ profile fusermount @{exec_path} { @{run}/user/@{uid}/doc/ r, + @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 65793364d..45b2ccfb4 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -11,16 +11,15 @@ include profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include - include + include include include + include + include include - include + include include - include include - include - include capability dac_override, capability dac_read_search, 
@@ -39,14 +38,16 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ - #aa:dbus talk bus=system name=org.bluez.GattCharacteristic1 label=bluetoothd - #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd - #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name=@{busname}, label=bluetoothd), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + dbus send bus=system path=/org/freedesktop/UDisks2/Manager + interface=org.freedesktop.UDisks2.Manager + member=GetBlockDevices + peer=(name=:*, label=udisksd), @{exec_path} mr, @@ -57,9 +58,8 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/gpgsm rCx -> gpg, /usr/share/fwupd/{,**} r, - /usr/share/hwdata/* r, - /usr/share/libdrm/*.ids r, - /usr/share/misc/*.ids r, + /usr/share/hwdata/*.ids r, + /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, /etc/lsb-release r, 
@@ -69,39 +69,36 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /etc/machine-id r, /var/lib/dbus/machine-id r, - @{efi}/{,**} r, - @{efi}/EFI/*/.goutputstream-@{rand6} rw, - @{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw, - @{efi}/EFI/*/fwupdx@{int}.efi rw, + /boot/{,**} r, + /boot/EFI/*/.goutputstream-@{rand6} rw, + /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, + /boot/EFI/*/fwupdx@{int}.efi rw, @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, - @{MOUNTDIRS}/*/{,@{efi}/} r, - @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, - + /var/lib/flatpak/exports/share/mime/mime.cache r, + /var/tmp/etilqs_@{hex16} rw, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, owner /var/lib/fwupd/** rwk, - @{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r, + # In order to get to this file, the attach_disconnected flag has to be set owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r, @{sys}/**/ r, @{sys}/devices/** r, - @{sys}/**/uevent r, @{sys}/firmware/acpi/** r, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @{sys}/firmware/efi/** r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, - @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, - @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/kernel/security/lockdown r, @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r, + @{sys}/**/uevent r, @{sys}/power/mem_sleep r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @@ -110,9 +107,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{run}/motd.d/@{int}-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, - - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/* r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, 
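Review bot: The new write rules `/boot/EFI/*/.goutputstream-@{rand6} rw`, `/boot/EFI/*/fw/fwupd-*.cap{,.*} rw` and `/boot/EFI/*/fwupdx@{int}.efi rw` only match an ESP mounted directly at `/boot`; with the ESP at `/boot/efi` the staged capsule lands under `/boot/efi/EFI/...`, which `/boot/{,**} r` covers for reading but nothing covers for writing, so the removed variable was doing real work. I would keep a variable or list both prefixes, e.g. `/boot/{,efi/}EFI/*/fw/fwupd-*.cap{,.*} rw,`. Separately, `/var/tmp/etilqs_@{hex16} rw` is added here without `owner`, while the gpo and gpodder hunks below add the same SQLite temp-file rule as `owner /var/tmp/etilqs_@{hex16} rw`; the `owner` form is the safer one for a shared `/var/tmp`. The profile is in complain mode, so both points surface as logged denials rather than failures.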
@@ -134,6 +129,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /dev/mei@{int} rw, /dev/mem r, /dev/mtd@{int} rw, + /dev/sd[a-z]* r, + /dev/tpm@{int} rw, + /dev/tpmrm@{int} rw, /dev/wmi/* r, profile gpg flags=(attach_disconnected,complain) { diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 2d781a734..f599bbc1f 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -27,24 +27,18 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ + #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ @{exec_path} mr, @{bin}/dbus-launch Cx -> bus, @{bin}/pkttyagent Px, - /usr/share/terminfo/** r, - - /etc/inputrc r, /etc/machine-id r, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, - owner /var/lib/fwupd/ w, - owner /var/lib/fwupd/.cache/ w, - @{user_cache_dirs}/dconf/user rw, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 561e1af61..1de493892 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -33,7 +33,7 @@ profile gajim @{exec_path} { @{bin}/ r, @{sh_path} rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/uname rix, # To play sounds @@ -73,7 +73,7 @@ profile gajim @{exec_path} { owner @{user_cache_dirs}/gajim/** rwk, owner @{user_cache_dirs}/farstream/ rw, - owner @{user_cache_dirs}/farstream/codecs.audio.@{arch}.cache{,.tmp@{rand6}} rw, + owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, 
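Review bot: In the gajim hunks, `owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw` hard-codes the architecture that `@{arch}` abstracted, and `deny /usr/lib/python3/dist-packages/** w` hard-codes a Debian layout that `@{lib}/@{python_name}` covered; on any other architecture or distribution the first rule stops matching and the second silencer stops silencing. The hardinfo hunk later in this diff makes the same substitution with `openjdk-amd64` in three places. If the variables are being retired on purpose, a one-line comment saying so would save the next reviewer from restoring them; otherwise I would keep `@{arch}` and `@{python_name}` here.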
@@ -86,7 +86,7 @@ profile gajim @{exec_path} { # Silencer deny /usr/share/gajim/** w, - deny @{lib}/@{python_name}/dist-packages/** w, + deny /usr/lib/python3/dist-packages/** w, profile ccache { include diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded index eb2d3fc1e..8f5067b77 100644 --- a/apparmor.d/profiles-g-l/gamemoded +++ b/apparmor.d/profiles-g-l/gamemoded @@ -57,8 +57,8 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) { @{lib}/gamemode/gpuclockctl ix, @{lib}/gamemode/procsysctl ix, - @{etc_ro}/security/limits.d/ r, - @{etc_ro}/security/limits.d/@{int}-gamemode.conf r, + /etc/security/limits.d/ r, + /etc/security/limits.d/@{int}-gamemode.conf r, /etc/shells r, @{sys}/devices/@{pci}/power_dpm_force_performance_level rw, diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index 727bf8cdf..e9f4d4e30 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -22,7 +22,7 @@ profile ganyremote @{exec_path} { network inet6 stream, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, @@ -30,7 +30,7 @@ profile ganyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index b49e20570..1357b03b6 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/gdisk +@{exec_path} = @{bin}/gdisk profile gdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index 04c9a33f2..b64c34a4b 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders 
@@ -18,10 +18,8 @@ profile gdk-pixbuf-query-loaders @{exec_path} { @{exec_path} mr, - @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/ w, - @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache w, - @{lib}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw, - @{lib}/gdk-pixbuf-@{version}/@{version}/loaders.cache rw, + @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw, + @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw, /usr/share/gvfs/remote-volume-monitors/{,**} r, diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer deleted file mode 100644 index d3df6f5f3..000000000 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/gdk-pixbuf-thumbnailer -profile gdk-pixbuf-thumbnailer @{exec_path} { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ghc-pkg b/apparmor.d/profiles-g-l/ghc-pkg index 3ccfdec4a..df6613042 100644 --- a/apparmor.d/profiles-g-l/ghc-pkg +++ b/apparmor.d/profiles-g-l/ghc-pkg @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ghc-pkg{,-*} @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} +@{exec_path} = @{bin}/ghc-pkg{,-*} profile ghc-pkg @{exec_path} { include include @@ -26,8 +26,6 @@ profile ghc-pkg @{exec_path} { @{sys}/devices/system/node/ r, - @{PROC}/@{pid}/task/@{tid}/comm rw, - include if exists } diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index ad324e153..a9be29bec 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -11,12 +11,8 @@ profile gimp @{exec_path} { include include include - include - include include include - include - include include include 
@@ -27,36 +23,21 @@ profile gimp @{exec_path} { @{exec_path} mr, - @{python_path} rix, - @{bin}/env rix, - @{bin}/gimp-debug-tool-3.0 rix, - @{bin}/gimp-script-fu-interpreter-* rix, - @{bin}/gjs-console rix, - @{bin}/lua rix, - @{lib}/gimp/@{version}/extensions/*/* rix, - @{lib}/gimp/*/plug-ins/** rix, + @{lib}/gimp/*/plug-ins/** rix, @{bin}/xsane-gimp rPx, @{open_path} rPx -> child-open-help, - @{lib}/gimp/@{version}/plug-ins/python-console/__pycache__/{,*} w, - /usr/share/gimp/{,**} r, /usr/share/mypaint-data/{,**} r, - /usr/share/poppler/{,**} r, /usr/share/xml/iso-codes/{,**} r, - /etc/fstab r, /etc/gimp/{,**} r, - owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, - owner @{user_documents_dirs}/{,**} rw, owner @{user_pictures_dirs}/{,**} rw, owner @{user_work_dirs}/{,**} rw, - owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw, owner @{user_cache_dirs}/babl/{,**} rw, owner @{user_cache_dirs}/gegl-*/{,**} r, owner @{user_cache_dirs}/gegl-*/{,**} r, @@ -71,19 +52,6 @@ profile gimp @{exec_path} { owner @{tmp}/gimp/{,**} rw, - @{run}/mount/utab r, - - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - include if exists } diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 01b491b98..71bace3c3 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git 
@@ -38,7 +38,6 @@ profile git @{exec_path} flags=(attach_disconnected) { deny /usr/local/games/ r, deny /var/lib/flatpak/exports/bin/ r, deny owner @{HOME}/.go/bin/ r, - deny owner @{HOME}/bin/ r, deny owner @{user_bin_dirs}/ r, # These are needed for "git submodule update" @@ -65,7 +64,6 @@ profile git @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, - @{bin}/gh rPUx, @{bin}/man rPx, @{bin}/meld rPUx, @{lib}/code/extensions/git/dist/askpass.sh rPx, @@ -117,8 +115,6 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.git_vtag_tmp@{rand6} r, - owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, - deny @{user_share_dirs}/gvfs-metadata/* r, include if exists @@ -136,20 +132,17 @@ profile git @{exec_path} flags=(attach_disconnected) { network netlink raw, @{bin}/ssh mr, - @{bin}/ksshaskpass ix, - @{lib}/code/extensions/git/dist/ssh-askpass.sh Px, @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, - owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, + owner @{HOME}/@{XDG_SSH_DIR}/* r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl, owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*, owner @{tmp}/ssh-*/agent.@{int} rw, - owner @{run}/user/@{uid}/keyring/ssh rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg index d668fbfd2..ff5e12444 100644 --- a/apparmor.d/profiles-g-l/gitg +++ b/apparmor.d/profiles-g-l/gitg @@ -10,10 +10,10 @@ include profile gitg @{exec_path} { include include + include include include include - include include network inet dgram, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index aabde9cef..e5cbf1959 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd 
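Review bot: The git ssh child profile loses `owner @{run}/user/@{uid}/keyring/ssh rw` while keeping `owner @{tmp}/ssh-*/agent.@{int} rw`, so an ssh spawned by git can still reach an OpenSSH agent socket but no longer a gnome-keyring one if `SSH_AUTH_SOCK` points there; the main profile likewise loses `owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw`. If that is intended, a short comment at the remaining agent rule would stop someone re-adding the path from the first denial. Also, `owner @{HOME}/@{XDG_SSH_DIR}/* r` no longer grants listing of the `.ssh/` directory itself, which the previous `{,*}` form did; I cannot tell from here whether ssh needs that listing. The enclosing profile continues outside the hunk.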
@@ -6,25 +6,18 @@ abi , include -@{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*} -@{exec_path} += /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*} +@{exec_path} = /usr/share/zsh-theme-powerlevel[0-9]*k/gitstatus/usrbin/gitstatusd{,-*} profile gitstatusd @{exec_path} { include - include - - signal receive set=term peer=*//shell, - signal receive set=term peer={,vs}code, @{exec_path} mr, owner @{user_projects_dirs}/{,**} r, - owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw, + owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw, owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, - owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo r, - # Silencer deny capability dac_read_search, deny capability dac_override, diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index 59c56bb12..fcabd84c3 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/glib-compile-schemas @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas +@{exec_path} = @{bin}/glib-compile-schemas profile glib-compile-schemas @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index cfd9f0dac..1e27790df 100644 --- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -25,7 +25,6 @@ profile glxgears @{exec_path} { @{exec_path} mr, owner @{HOME}/.Xauthority r, - owner @{run}/user/@{uid}/xauth_@{rand6} r, include if exists } diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index d74945777..93e65f0a2 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted 
@@ -7,36 +7,42 @@ abi , include -@{exec_path} = @{sbin}/gparted -profile gparted @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/gparted +profile gparted @{exec_path} { include - include - ptrace read, + ptrace (read), @{exec_path} r, - @{bin}/ r, - @{coreutils_path} rix, + @{bin}/ r, @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/cut rix, + @{bin}/id rix, + @{bin}/ls rix, + @{bin}/mkdir rix, + @{bin}/pidof rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/touch rix, - @{sbin}/killall5 rCx -> killall, - @{bin}/systemctl rCx -> systemctl, - @{bin}/udevadm rCx -> udevadm, - - @{bin}/pidof rPx, - @{bin}/pkexec rPx, - @{bin}/ps rPx, - @{bin}/xhost rPx, - - @{sbin}/gpartedbin rPx, + @{bin}/gpartedbin rPx, @{lib}/gparted/gpartedbin rPx, @{lib}/gpartedbin rPx, @{lib}/{,udisks2/}udisks2-inhibit rix, - @{run}/udev/rules.d/ rw, - @{run}/udev/rules.d/@{int}-*.rules rw, + @{run}/udev/rules.d/90-udisks-inhibit.rules rw, + + @{bin}/udevadm rCx -> udevadm, + @{bin}/killall5 rCx -> killall, + + @{bin}/ps rPx, + @{bin}/xhost rPx, + @{bin}/pkexec rPx, + @{bin}/systemctl rCx -> systemctl, # For shell pwd / r, @@ -51,6 +57,7 @@ profile gparted @{exec_path} flags=(attach_disconnected) { # file_inherit owner /dev/tty@{int} rw, + profile udevadm { include include @@ -71,11 +78,13 @@ profile gparted @{exec_path} flags=(attach_disconnected) { ptrace (read), - @{sbin}/killall5 mr, + @{bin}/killall5 mr, - @{PROC}/ r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, + # The /proc/ dir is needed to avoid the following error: + # /proc: Permission denied + @{PROC}/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, include if exists } @@ -84,8 +93,6 @@ profile gparted @{exec_path} flags=(attach_disconnected) { include include - capability net_admin, - include if exists } diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 35dc03584..e56bb5733 100644 --- a/apparmor.d/profiles-g-l/gpartedbin 
+++ b/apparmor.d/profiles-g-l/gpartedbin @@ -7,16 +7,14 @@ abi , include -@{exec_path} = @{sbin}/gpartedbin @{lib}/{,gparted/}gpartedbin -profile gpartedbin @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin +profile gpartedbin @{exec_path} { include include include include include - include - capability dac_override, capability dac_read_search, capability ipc_lock, capability sys_admin, @@ -30,45 +28,43 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, - @{sbin}/blkid rPx, - @{sbin}/dmidecode rPx, - @{sbin}/hdparm rPx, + @{bin}/blkid rPx, + @{bin}/dmidecode rPx, + @{bin}/hdparm rPx, @{bin}/kmod rPx, @{bin}/mount rCx -> mount, @{bin}/udevadm rCx -> udevadm, @{bin}/umount rCx -> umount, - @{sbin}/btrfs rPx, - @{sbin}/btrfstune rPx, - @{sbin}/dmraid rPUx, - @{sbin}/dmsetup rPUx, - @{sbin}/dumpe2fs rPx, - @{sbin}/e2fsck rPx, - @{sbin}/e2image rPx, - @{sbin}/fsck.* rPUx, - @{sbin}/lvm rPUx, - @{sbin}/mdadm rPUx, - @{sbin}/mke2fs rPx, - @{sbin}/mkfs.* rPUx, - @{sbin}/mkntfs rPx, - @{sbin}/mkswap rPx, + @{bin}/btrfs rPx, + @{bin}/btrfstune rPx, + @{bin}/dmraid rPUx, + @{bin}/dmsetup rPUx, + @{bin}/dumpe2fs rPx, + @{bin}/e2fsck rPx, + @{bin}/e2image rPx, + @{bin}/fsck.btrfs rPx, + @{bin}/fsck.fat rPx, + @{bin}/lvm rPUx, + @{bin}/mdadm rPUx, + @{bin}/mke2fs rPx, + @{bin}/mkfs.* rPx, + @{bin}/mkntfs rPx, + @{bin}/mkswap rPx, @{bin}/mtools rPx, @{bin}/ntfsinfo rPx, - @{sbin}/ntfslabel rPx, - @{sbin}/ntfsresize rPx, - @{sbin}/resize2fs rPx, - @{sbin}/swaplabel rPx, - @{sbin}/swapoff rPx, - @{sbin}/swapon rPx, - @{bin}/tune.* rPUx, - @{sbin}/tune2fs rPx, - @{sbin}/xfs_io rPUx, + @{bin}/ntfslabel rPx, + @{bin}/ntfsresize rPx, + @{bin}/resize2fs rPx, + @{bin}/swaplabel rPx, + @{bin}/swapoff rPx, + @{bin}/swapon rPx, + @{bin}/tune2fs rPx, + @{bin}/xfs_io rPUx, @{open_path} rPx -> child-open, - /etc/fstab r, - @{HOME}/.Xauthority r, owner @{HOME}/*.htm w, 
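Review bot: `@{bin}/mkfs.* rPx` replaces `rPUx`, and `@{bin}/fsck.* rPUx` is narrowed to just `fsck.btrfs` and `fsck.fat`; with `Px`, executing any `mkfs.*` or `fsck.*` helper that has no profile of its own fails instead of running unconfined, so formatting or checking a filesystem type without a profile in this tree would now break from gpartedbin (no `mkfs.xfs` or `fsck.xfs` rule is visible here, for instance). Tightening from `PUx` to `Px` is the right direction, but every helper the glob can reach then needs a profile, or the fallback should stay. The hunk also drops `/etc/fstab r`; if gparted still reads fstab to display mount points, I would confirm that read is supplied by one of the kept abstractions before removing it. The `@{bin}/tune.* rPUx` removal looks fine since `tune2fs` keeps its own `Px` rule.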
@@ -92,7 +88,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/, - mount /dev/{s,v}d[a-z]*@{int} -> @{efi}/, + mount /dev/{s,v}d[a-z]*@{int} -> /boot/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/, @@ -108,7 +104,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { umount /tmp/gparted-*/, - umount @{efi}/, + umount /boot/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/groups/shadow/gpasswd b/apparmor.d/profiles-g-l/gpasswd similarity index 97% rename from apparmor.d/groups/shadow/gpasswd rename to apparmor.d/profiles-g-l/gpasswd index ab2d21860..8afdff8db 100644 --- a/apparmor.d/groups/shadow/gpasswd +++ b/apparmor.d/profiles-g-l/gpasswd @@ -29,7 +29,7 @@ profile gpasswd @{exec_path} { owner @{PROC}/@{pid}/loginuid r, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}.@{pid} w, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 46ff3eec5..4088f51fb 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -11,11 +11,10 @@ include profile gpo @{exec_path} { include include - include include - include - include + include include + include network inet dgram, network inet6 dgram, @@ -23,7 +22,7 @@ profile gpo @{exec_path} { network inet6 stream, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, @@ -37,6 +36,8 @@ profile gpo @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, + owner /var/tmp/etilqs_@{hex16} rw, + owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index e60034172..ec1adabe4 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -14,7 +14,6 @@ profile gpodder @{exec_path} { include include include - include include include 
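Review bot: `/etc/login.defs r` replaces `@{etc_ro}/login.defs r` in gpasswd, and the groupadd, groupdel, groupmod and grpck hunks below make the identical change; as I understand that variable, it exists so distributions that keep read-only vendor defaults outside `/etc` still match, and the literal path loses that. If the variable is being dropped deliberately across the shadow group, a one-line comment in one of these profiles would make that visible; otherwise I would keep `@{etc_ro}/login.defs r,` here and in the four sibling hunks.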
@@ -25,7 +24,7 @@ profile gpodder @{exec_path} { network netlink raw, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, @@ -48,6 +47,8 @@ profile gpodder @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, + owner /var/tmp/etilqs_@{hex16} rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-g-l/gpodder-migrate2tres b/apparmor.d/profiles-g-l/gpodder-migrate2tres index 55033d107..11896a26c 100644 --- a/apparmor.d/profiles-g-l/gpodder-migrate2tres +++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres @@ -13,7 +13,7 @@ profile gpodder-migrate2tres @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 0ad848c50..8cc49acdf 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -16,16 +16,15 @@ profile gpu-manager @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/{,e}grep rix, + @{sh_path} rix, + @{bin}/grep rix, /etc/modprobe.d/{,**} r, - @{lib}/modprobe.d/{,**} r, + /usr/lib/modprobe.d/{,**} r, /var/lib/ubuntu-drivers-common/* rw, /var/log/gpu-manager.log w, - /var/log/gpu-manager-switch.log w, @{sys}/devices/@{pci}/boot_vga r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim deleted file mode 100644 index 5717837ec..000000000 --- a/apparmor.d/profiles-g-l/grim +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/grim -profile grim @{exec_path} { - include - include - include - - @{exec_path} mr, - - owner @{HOME}/@{int8}_**_grim.png w, - - owner /dev/shm/grim-@{rand6} rw, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/shadow/groupadd b/apparmor.d/profiles-g-l/groupadd similarity index 94% rename from apparmor.d/groups/shadow/groupadd rename to apparmor.d/profiles-g-l/groupadd index 2d135007a..9450974a1 100644 --- a/apparmor.d/groups/shadow/groupadd +++ b/apparmor.d/profiles-g-l/groupadd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/groupadd +@{exec_path} = @{bin}/groupadd profile groupadd @{exec_path} { include include @@ -22,7 +22,7 @@ profile groupadd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}- w, diff --git a/apparmor.d/groups/shadow/groupdel b/apparmor.d/profiles-g-l/groupdel similarity index 94% rename from apparmor.d/groups/shadow/groupdel rename to apparmor.d/profiles-g-l/groupdel index 8f8b28239..99b7fddaa 100644 --- a/apparmor.d/groups/shadow/groupdel +++ b/apparmor.d/profiles-g-l/groupdel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/groupdel +@{exec_path} = @{bin}/groupdel profile groupdel @{exec_path} { include include @@ -25,7 +25,7 @@ profile groupdel @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{group,gshadow} rw, /etc/{group,gshadow}.@{pid} w, diff --git a/apparmor.d/groups/shadow/groupmod b/apparmor.d/profiles-g-l/groupmod similarity index 95% rename from apparmor.d/groups/shadow/groupmod rename to apparmor.d/profiles-g-l/groupmod index 34bf046cd..4b9b0446a 100644 --- a/apparmor.d/groups/shadow/groupmod +++ b/apparmor.d/profiles-g-l/groupmod @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/groupmod +@{exec_path} = @{bin}/groupmod profile groupmod @{exec_path} { include include @@ -24,7 +24,7 @@ profile groupmod @{exec_path} { @{exec_path} mr, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{passwd,gshadow,group} rw, /etc/{passwd,gshadow,group}.@{pid} w, 
diff --git a/apparmor.d/groups/shadow/grpck b/apparmor.d/profiles-g-l/grpck similarity index 94% rename from apparmor.d/groups/shadow/grpck rename to apparmor.d/profiles-g-l/grpck index 1e47307e4..5fad8960c 100644 --- a/apparmor.d/groups/shadow/grpck +++ b/apparmor.d/profiles-g-l/grpck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/grpck +@{exec_path} = @{bin}/grpck profile grpck @{exec_path} flags=(attach_disconnected) { include include @@ -18,7 +18,7 @@ profile grpck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{gshadow,group} rw, /etc/{gshadow,group}.@{pid} rw, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 9b8eca8ee..4ac891769 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -7,15 +7,14 @@ abi , include @{exec_path} = @{bin}/gsettings -profile gsettings @{exec_path} flags=(attach_disconnected) { +profile gsettings @{exec_path} { include include - include include - include @{exec_path} mr, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, @@ -23,13 +22,7 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/dconf/user rw, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, - # file_inherit - deny network netlink raw, - deny /etc/nsswitch.conf r, - deny /etc/passwd r, - deny /opt/*/** r, - deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf - deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index 988c547f0..5d04e33fb 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol 
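Review bot: The `/dev/tty@{int} rw` added to gsettings has no `owner` qualifier, while the gparted hunk in this same diff writes the equivalent inherited-descriptor rule as `owner /dev/tty@{int} rw`; without `owner` the profile allows writing to any user's tty. At the same time the whole `# file_inherit` deny block (netlink raw, nsswitch.conf, passwd, `/opt/*/**`, the non-dconf config dirs, the Chromium shm file) is removed, so those inherited accesses will now appear as denials in the log instead of being silenced. I would write the new rule as `owner /dev/tty@{int} rw,` and either keep the silencers or say in a comment why they are no longer needed.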
@@ -20,7 +20,7 @@ profile gsmartcontrol @{exec_path} { @{bin}/dbus-launch Cx -> bus, @{bin}/dbus-send Cx -> bus, - @{sbin}/smartctl Px, + @{bin}/smartctl Px, @{bin}/xterm Cx -> terminal, /etc/fstab r, @@ -67,7 +67,7 @@ profile gsmartcontrol @{exec_path} { capability setuid, @{bin}/xterm mr, - @{sbin}/update-smart-drivedb rPx, + @{bin}/update-smart-drivedb rPx, /usr/include/X11/bitmaps/vlines2 r, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 4fdb1084b..10c1f445b 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -15,7 +15,7 @@ profile gsmartcontrol-root @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/pkexec rCx -> pkexec, diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index e6d37db44..46aece91a 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/gtk-query-immodules-* @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* +@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 profile gtk-query-immodules @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index b709511e2..b1a6779ae 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -12,8 +12,6 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include include - capability fowner, - @{exec_path} mr, @{system_share_dirs}/icons/{,**/} r, diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 0b9075bc1..029e542ee 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer 
@@ -25,6 +25,7 @@ profile gtk-youtube-viewer @{exec_path} { network netlink raw, @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 5d78a90e3..f91887297 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -38,15 +38,15 @@ profile hardinfo @{exec_path} { @{bin}/locale rix, @{bin}/make rix, @{bin}/perl rix, - @{python_path} rix, - @{sbin}/route rix, - @{bin}/ruby@{int}.@{int} rix, + @{bin}/python3.@{int} rix, + @{bin}/route rix, + @{bin}/ruby[0-9].@{int} rix, @{bin}/strace rix, @{bin}/tr rix, @{bin}/valgrind{,.bin} rix, @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{open_path} rPx -> child-open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, @@ -58,7 +58,7 @@ profile hardinfo @{exec_path} { @{bin}/netstat rPx, @{bin}/qtchooser rPx, - @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/javac rCx -> javac, + @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, /usr/share/gdb/python/ r, /usr/share/gdb/python/** r, @@ -132,8 +132,9 @@ profile hardinfo @{exec_path} { include include - @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/* mr, - @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/lib/** mr, + @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, + + @{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr, /etc/java-[0-9]*-openjdk/** r, diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 527629202..910e9a2f0 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -9,7 +9,7 @@ abi , include -@{exec_path} = @{sbin}/haveged +@{exec_path} = @{bin}/haveged profile haveged @{exec_path} { include 
@@ -20,9 +20,10 @@ profile haveged @{exec_path} { @{sys}/devices/system/cpu/cpu@{int}/cache/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/poolsize r, - @{PROC}/sys/kernel/random/write_wakeup_threshold w, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/poolsize r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, + owner @{PROC}/@{pid}/status r, /dev/random w, diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp index 55d2abb5d..e96a45237 100644 --- a/apparmor.d/profiles-g-l/hddtemp +++ b/apparmor.d/profiles-g-l/hddtemp @@ -10,20 +10,32 @@ include @{exec_path} = @{bin}/hddtemp profile hddtemp @{exec_path} { include - include - include - capability sys_admin, + # To remove the following errors: + # /dev/sda: Permission denied capability sys_rawio, + # There's the following error in strace: + # ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied) + # This should be covered by CAP_SYS_RAWIO instead. + # (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst) + # It looks like hddtemp works just fine without it. + deny capability sys_admin, + network inet stream, network inet6 stream, @{exec_path} mr, + # Monitored hard drives + /dev/sd[a-z]* r, + # Database file that allows hddtemp to recognize supported drives /etc/hddtemp.db r, + # Needed when the hddtemp daemon is started in the TCP/IP mode + /etc/gai.conf r, + include if exists } diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index 53e520509..a4fa34973 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/hdparm +@{exec_path} = @{bin}/hdparm profile hdparm @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank index 7fbe74040..cb459919f 100644 
--- a/apparmor.d/profiles-g-l/homebank +++ b/apparmor.d/profiles-g-l/homebank @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homebank -profile homebank @{exec_path} flags=(attach_disconnected) { +profile homebank @{exec_path} { include include include diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index ab0cf0cba..cb9f8d2d9 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -18,15 +18,13 @@ profile host @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, - network netlink raw, @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/enabled r, - - @{PROC}/version_signature r, owner @{PROC}/@{pids}/task/@{tid}/comm rw, + @{sys}/kernel/mm/transparent_hugepage/enabled r, + include if exists } diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname index 7e87173cc..326d156ef 100644 --- a/apparmor.d/profiles-g-l/hostname +++ b/apparmor.d/profiles-g-l/hostname @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/{hostname,domainname,ypdomainname,nisdomainname,nisdomainname} -profile hostname @{exec_path} flags=(attach_disconnected) { +profile hostname @{exec_path} { include include include @@ -16,14 +16,11 @@ profile hostname @{exec_path} flags=(attach_disconnected) { capability sys_admin, network inet dgram, - network inet6 dgram, # network ip=127.0.0.1:53, TODO: abi 4.0 network netlink raw, @{exec_path} mr, - owner /dev/tty@{int} rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/profiles-g-l/htop similarity index 93% rename from apparmor.d/groups/procps/htop rename to apparmor.d/profiles-g-l/htop index ef14d9ca9..08b58ebd2 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/profiles-g-l/htop 
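Review bot: Removing `network inet6 dgram,` while keeping `network inet dgram,` leaves the hostname profile asymmetric; `hostname -f`/`-i` resolve through getaddrinfo(3), which opens an IPv6 datagram socket on dual-stack hosts, so the lookup may now be denied and logged there. Deleting `deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,` grants nothing, but since the access is still not allowed the only effect is that attempts are now logged instead of quietly refused, which is usually the opposite of why a quieting deny was added. Dropping `flags=(attach_disconnected)` from the homebank and hostname headers carries a hedged risk of its own: if either program is run with a disconnected path (container or chroot), the access becomes a hard denial.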
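Review bot: Dropping `network netlink raw,` from the host profile is likely to surface as denials, because the ISC resolver library behind host(1) enumerates local interfaces with getifaddrs(3), which uses a netlink socket on Linux; whether an included abstraction now supplies the rule is not visible in the diff. If the line was removed only because it looked unused, check the audit log (`aa-log`) over a run of `host` against a local resolver before dropping it; the moved `@{sys}/kernel/mm/transparent_hugepage/enabled r,` line is unchanged in substance.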
@@ -20,15 +20,14 @@ profile htop @{exec_path} { network netlink raw, - signal send, - signal receive set=hup peer=gnome-terminal-server, + signal (send), + signal (receive) set=(hup) peer=gnome-terminal-server, - ptrace read, + ptrace (read), @{exec_path} mr, @{bin}/lsof rix, - @{bin}/strace rix, /usr/share/terminfo/** r, 
@@ -39,13 +38,58 @@ profile htop @{exec_path} { owner @{user_config_dirs}/htop/ rw, owner @{user_config_dirs}/htop/* rw, + owner @{PROC}/@{pid}/smaps_rollup r, + + @{PROC}/ r, + @{PROC}/diskstats r, + @{PROC}/loadavg r, + @{PROC}/pressure/cpu r, + @{PROC}/pressure/io r, + @{PROC}/pressure/memory r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/sched_autogroup_enabled r, + @{PROC}/tty/drivers r, + @{PROC}/uptime r, + + @{PROC}/@{pids}/ r, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/autogroup rw, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/net/dev r, + @{PROC}/@{pids}/oom_{,score_}adj r, + @{PROC}/@{pids}/oom_score r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/wchan r, + + @{PROC}/@{pids}/task/ r, + @{PROC}/@{pids}/task/@{tid}/ r, + @{PROC}/@{pids}/task/@{tid}/attr/current r, + @{PROC}/@{pids}/task/@{tid}/cgroup r, + @{PROC}/@{pids}/task/@{tid}/cmdline r, + @{PROC}/@{pids}/task/@{tid}/comm r, + @{PROC}/@{pids}/task/@{tid}/environ r, + @{PROC}/@{pids}/task/@{tid}/io r, + @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, + @{PROC}/@{pids}/task/@{tid}/oom_score r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/@{pids}/task/@{tid}/statm r, + @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pids}/task/@{tid}/wchan r, + @{sys}/bus/dax/devices/ r, @{sys}/bus/i2c/devices/ r, @{sys}/bus/soc/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, 
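Review bot: The re-added `@{PROC}/@{pids}/` block no longer contains `@{PROC}/@{pids}/status r,` or `@{PROC}/@{pids}/maps r,`, both of which the block removed in the later `@@ -85,54 +129,8 @@` hunk carried, while the per-thread `@{PROC}/@{pids}/task/@{tid}/status r,` line is kept; if the omission is unintentional, htop will be denied on process-level files it still reads. Since the move otherwise reads as a pure reordering, restore `@{PROC}/@{pids}/status r,` next to `stat`/`statm` and drop `maps` only once it is confirmed unused. Separately, `@{PROC}/@{pids}/environ r,` and its `task/@{tid}` twin let confined htop read every process's environment, which routinely carries credentials; the kernel still gates this behind ptrace read access, which the earlier `ptrace (read),` grants, so it is an intended feature rather than a leak, but a comment naming the htop feature that needs it would help the next reviewer.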
@@ -56,8 +100,8 @@ profile htop @{exec_path} { @{sys}/devices/**/hwmon/**/{name,temp*} r, @{sys}/devices/**/power_supply/**/{uevent,type,online} r, @{sys}/devices/*/name r, - @{sys}/devices/i2c-*/name r, - @{sys}/devices/platform/*/i2c-*/name r, + @{sys}/devices/i2c-@{int}/name r, + @{sys}/devices/platform/*/i2c-@{int}/name r, @{sys}/devices/system/cpu/cpu@{int}/** r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, 
@@ -85,54 +129,8 @@ profile htop @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, - @{PROC}/ r, - @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/pressure/cpu r, - @{PROC}/pressure/io r, - @{PROC}/pressure/memory r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/sched_autogroup_enabled r, - @{PROC}/tty/drivers r, - @{PROC}/uptime r, - - @{PROC}/@{pids}/ r, - @{PROC}/@{pids}/attr/current r, - @{PROC}/@{pids}/autogroup rw, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/maps r, - @{PROC}/@{pids}/mounts r, - @{PROC}/@{pids}/net/dev r, - @{PROC}/@{pids}/oom_{,score_}adj r, - @{PROC}/@{pids}/oom_score r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/status r, - @{PROC}/@{pids}/wchan r, - - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/ r, - @{PROC}/@{pids}/task/@{tid}/attr/current r, - @{PROC}/@{pids}/task/@{tid}/cgroup r, - @{PROC}/@{pids}/task/@{tid}/cmdline r, - @{PROC}/@{pids}/task/@{tid}/comm r, - @{PROC}/@{pids}/task/@{tid}/environ r, - @{PROC}/@{pids}/task/@{tid}/io r, - @{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r, - @{PROC}/@{pids}/task/@{tid}/oom_score r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/statm r, - @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/@{pids}/task/@{tid}/wchan r, - @{PROC}/cmdline r, owner @{PROC}/@{pid}/cpuset r, - owner @{PROC}/@{pid}/smaps_rollup r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index fd9c3dfa0..6bb737ca0 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/hugo profile hugo @{exec_path} { include - include include include 
@@ -27,6 +26,7 @@ profile hugo @{exec_path} { @{lib}/go/bin/go rix, /usr/share/git{,-core}/{,**} r, + /usr/share/mime/{,**} r, /usr/share/terminfo/** r, /etc/mime.types r, @@ -37,17 +37,10 @@ profile hugo @{exec_path} { owner @{user_cache_dirs}/hugo_cache/{,**} rwkl, - owner @{user_config_dirs}/git/*config r, - owner @{user_config_dirs}/go/telemetry/mode r, - owner @{tmp}/hugo_cache/{,**} rwkl, owner @{tmp}/go-codehost-@{int} rw, - @{sys}/kernel/mm/hugepages/ r, - - @{PROC}/sys/net/core/somaxconn r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, + @{PROC}/sys/net/core/somaxconn r, include if exists } diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 739073201..f5c1ecdd6 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -11,6 +11,7 @@ include profile hw-probe @{exec_path} flags=(attach_disconnected) { include include + include capability sys_admin, @@ -18,12 +19,13 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { network inet6 dgram, @{exec_path} rm, + @{bin}/perl r, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/dd rix, - @{sbin}/efibootmgr rix, + @{bin}/efibootmgr rix, @{bin}/efivar rix, @{bin}/find rix, @{bin}/md5sum rix, 
@@ -33,26 +35,35 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/uname rix, - @{bin}/vulkaninfo rPUx, @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, + @{bin}/biosdecode rPx, @{bin}/cpuid rPx, @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, @{bin}/df rPx, + @{bin}/dkms rPx, @{bin}/dmesg rPx, + @{bin}/dmidecode rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/edid-decode rPx, + @{bin}/ethtool rCx -> netconfig, + @{bin}/fdisk rPx, @{bin}/glxgears rPx, @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, + @{bin}/hdparm rPx, + @{bin}/hwinfo rPx, @{bin}/i2cdetect rPx, + @{bin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, + @{bin}/iw rCx -> netconfig, + @{bin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, - @{bin}/kmod rCx -> kmod, - @{bin}/lsb_release rPx, + @{bin}/kmod rix, + @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, @@ -60,8 +71,10 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/memtester rPx, @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, + @{bin}/rfkill rPx, @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, + @{bin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, @@ -71,23 +84,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/xdpyinfo rPx, @{bin}/xinput rPx, @{bin}/xrandr rPx, - @{sbin}/biosdecode rPx, - @{sbin}/dkms rPx, - @{sbin}/dmidecode rPx, - @{sbin}/fdisk rPx, - @{sbin}/hdparm rPx, - @{bin}/boltctl rPUx, - @{sbin}/hwinfo rPx, - @{sbin}/rfkill rPx, - @{sbin}/smartctl rPx, /etc/modprobe.d/{,*.conf} r, - @{efi}/EFI/{,**} r, - owner @{HOME}/HW_PROBE/{,**} rw, - owner @{tmp}/@{rand10}/ rw, + audit owner @{tmp}/*/ rw, owner @{tmp}/*/cpu_perf rw, @{sys}/class/drm/ r, 
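Review bot: `@{bin}/kmod rix,` replaces `@{bin}/kmod rCx -> kmod,`, so kmod (modprobe/modinfo/lsmod) now inherits the full hw-probe profile, including its `capability sys_admin,`, instead of running in the dedicated `kmod` child that the later `@@ -97,34 +99,19 @@` hunk deletes; ix is the broadest transition available for a helper whose job includes loading kernel modules. If hw-probe only needs module listings, prefer `@{bin}/kmod rPx,` (the system kmod profile) or keep the child with `@{sys}/module/{,**} r,`, rather than adding `@{sys}/module/*/ r,` and `@{PROC}/modules r,` to the parent. `@{bin}/lsb_release rPx -> lsb_release,` naming an explicit target is fine, but it should then be applied consistently wherever `lsb_release rPx` remains.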
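Review bot: `audit owner @{tmp}/*/ rw,` replaces `owner @{tmp}/@{rand10}/ rw,`, widening the rule from hw-probe's own random-named directory to every directory under `@{tmp}` and prefixing it with `audit`, which emits a log record on each successful match; that combination reads like a left-over from profiling rather than a final rule. Keep the narrower `owner @{tmp}/@{rand10}/ rw,` (the following `owner @{tmp}/*/cpu_perf rw,` line shows the intended shape) and drop `audit` once the needed paths are known. The hunk also deletes `owner @{HOME}/HW_PROBE/{,**} rw,` and `@{efi}/EFI/{,**} r,`; if hw-probe still writes its report under `$HOME/HW_PROBE`, that deletion will appear as a denial on first use.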
@@ -97,34 +99,19 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/* r, + @{sys}/module/*/ r, + @{sys}/module/*/{coresize,refcnt} r, + @{sys}/module/*/holders/ r, @{PROC}/bus/input/devices r, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/ioports r, + @{PROC}/modules r, @{PROC}/scsi/scsi r, /dev/{,**} r, - profile kmod { - include - include - - capability syslog, - - @{sys}/module/{,**} r, - - include if exists - } - - profile curl flags=(attach_disconnected) { - include - - @{bin}/curl mr, - - include if exists - } - profile pacman flags=(attach_disconnected) { include include @@ -172,12 +159,9 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{run}/log/ rw, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, - /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, owner @{PROC}/@{pid}/stat r, 
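Review bot: The `profile curl flags=(attach_disconnected) { ... }` child is deleted, but the parent still contains `@{bin}/curl rCx -> curl,` as a context line in the first hw-probe hunk; unless a `curl` child is defined elsewhere in the file, the profile now references an undefined transition target and will fail to load, taking the whole hw-probe profile out of enforcement. Either keep the child or change the exec rule to `@{bin}/curl rPx,` so curl runs under its own system profile; the same check applies to the deleted `kmod` child, whose caller was switched to `rix` in the earlier hunk.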
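Review bot: The replacement `/{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,` is narrower than the patterns it replaces: systemd names rotated journal files `system@<seqnum-id>-<head-seqnum>-<head-realtime>.journal` and `user-<uid>@...`, so if `@{hex}` matches only hexadecimal digits the `-` separators never match and the rotated and per-user files become unreadable for the journalctl child these rules appear to belong to. Keep the `system@@{hex}-@{hex}.journal*` / `@{hex32}-@{hex16}-@{hex16}` forms and the `user-@{uid}@...` variants unless `@{hex}` is defined to include `-`; the tunable definition is outside this diff.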
@@ -208,6 +192,31 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include if exists } + profile netconfig flags=(attach_disconnected) { + include + + # Not needed + deny capability net_admin, + deny capability net_raw, + + network inet dgram, + network inet6 dgram, + network ipx dgram, + network ax25 dgram, + network appletalk dgram, + network netlink raw, + + @{bin}/iw mr, + @{bin}/ifconfig mr, + @{bin}/iwconfig mr, + @{bin}/ethtool mr, + + owner @{PROC}/@{pid}/net/if_inet6 r, + owner @{PROC}/@{pid}/net/dev r, + + include if exists + } + profile systemctl flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 314975208..e7bf2937c 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/hwinfo +@{exec_path} = @{bin}/hwinfo profile hwinfo @{exec_path} { include include @@ -27,10 +27,9 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, - @{sbin}/acpidump rPUx, - @{bin}/lsscsi rPx, + @{bin}/acpidump rPUx, - @{sbin}/dmraid rPUx, + @{bin}/dmraid rPUx, /usr/share/hwinfo/{,**} r, @@ -40,7 +39,7 @@ profile hwinfo @{exec_path} { @{sys}/bus/{,**/} r, @{sys}/class/*/ r, - @{sys}/devices/@{pci}/{,**} r, + @{sys}/devices/@{pci}/** r, @{sys}/devices/**/{modalias,uevent} r, @{sys}/devices/**/input/**/dev r, @{sys}/devices/virtual/net/*/{type,carrier,address} r, @@ -71,12 +70,9 @@ profile hwinfo @{exec_path} { include include - capability sys_module, - owner @{tmp}/hwinfo*.txt rw, @{sys}/devices/@{pci}/drm/card@{int}/ r, - @{sys}/module/compression r, include if exists } diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index ce1ad519b..be18726a0 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix 
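Review bot: `# Not needed` above `deny capability net_admin,` and `deny capability net_raw,` in the new `netconfig` child does not say what is being prevented; since ethtool, ifconfig, iw and iwconfig can all reconfigure interfaces with net_admin, a comment such as `# Query-only: hw-probe must not be able to reconfigure interfaces or capture traffic` records the security intent the explicit denies enforce. The child also allows `network ipx dgram,`, `network ax25 dgram,` and `network appletalk dgram,`; if these exist only to keep ifconfig's per-family socket probes from logging, say so, and consider `deny network ipx dgram,` and friends instead, which quiets the denials without enabling the legacy families.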
@@ -31,10 +31,10 @@ profile hypnotix @{exec_path} { network netlink raw, @{exec_path} rix, - @{python_path} r, + @{bin}/python3.@{int} r, @{sh_path} rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/mkdir rix, @{bin}/xdg-screensaver rPx, diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect index f101c56e6..5ce4da0bb 100644 --- a/apparmor.d/profiles-g-l/i2cdetect +++ b/apparmor.d/profiles-g-l/i2cdetect @@ -13,13 +13,8 @@ profile i2cdetect @{exec_path} { @{exec_path} mr, - @{sys}/class/i2c-dev/ r, - @{sys}/devices/@{pci}/i2c-*/{,**/}name r, - owner @{PROC}/@{pid}/mounts r, - /dev/i2c-@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy index b192856d2..78c5081d6 100644 --- a/apparmor.d/profiles-g-l/i3lock-fancy +++ b/apparmor.d/profiles-g-l/i3lock-fancy @@ -52,8 +52,8 @@ profile i3lock-fancy @{exec_path} { @{bin}/import-im6.q16 mr, @{bin}/scrot mr, - /usr/share/ImageMagick-@{int}/*.xml r, - /etc/ImageMagick-@{int}/*.xml r, + /usr/share/ImageMagick-[0-9]/*.xml r, + /etc/ImageMagick-[0-9]/*.xml r, owner @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth index d46374984..03c8650dd 100644 --- a/apparmor.d/profiles-g-l/iceauth +++ b/apparmor.d/profiles-g-l/iceauth @@ -16,7 +16,7 @@ profile iceauth @{exec_path} { owner @{tmp}/.xfsm-ICE-@{rand6} r, owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r, - owner @{run}/user/@{uid}/ICEauthority rwl -> @{run}/user/@{uid}/ICEauthority-n, + owner @{run}/user/@{uid}/ICEauthority rl -> @{run}/user/@{uid}/ICEauthority-n, owner @{run}/user/@{uid}/ICEauthority-c w, owner @{run}/user/@{uid}/ICEauthority-l wl -> @{run}/user/@{uid}/ICEauthority-c, owner @{run}/user/@{uid}/ICEauthority-n rw, diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig index 48181e130..5bebad691 100644 --- a/apparmor.d/profiles-g-l/ifconfig +++ b/apparmor.d/profiles-g-l/ifconfig 
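Review bot: Removing `/dev/i2c-@{int} rw,` together with `@{sys}/class/i2c-dev/ r,` and `@{sys}/devices/@{pci}/i2c-*/{,**/}name r,` leaves the i2cdetect profile with no access to the I2C device nodes it exists to probe, so every invocation should now be denied unless an included abstraction outside the hunk supplies them. If the intent is that bus probing is refused by policy, make that explicit with `deny /dev/i2c-@{int} rw,` and a comment; otherwise restore the device rule. The hypnotix change from `@{python_path}` to `@{bin}/python3.@{int}` in the preceding hunk also recurs in hardinfo, install-printerdriver, iotop and kconfig-hardened-check, and loses whatever alternate interpreter locations the tunable covered.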
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ifconfig +@{exec_path} = @{bin}/ifconfig profile ifconfig @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/iftop b/apparmor.d/profiles-g-l/iftop deleted file mode 100644 index 232aff538..000000000 --- a/apparmor.d/profiles-g-l/iftop +++ /dev/null @@ -1,34 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Zane Zakraisek -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/iftop -profile iftop @{exec_path} { - include - include - include - - capability net_raw, - - network inet dgram, - network inet6 dgram, - network netlink raw, - network packet raw, - - @{exec_path} mr, - - /usr/share/terminfo/** r, - - owner @{HOME}/.iftoprc r, - - # When running in promiscuous mode - @{sys}/devices/**/net/*/statistics/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 3c641f8e1..aac25b811 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -20,7 +20,7 @@ profile ifup @{exec_path} { @{sh_path} rix, @{bin}/ip rix, - @{sbin}/route rix, + @{bin}/route rix, @{bin}/seq rix, @{bin}/sleep rix, @{bin}/wc rix, @@ -32,7 +32,7 @@ profile ifup @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{bin}/kmod rCx -> kmod, - @{sbin}/sysctl rCx -> sysctl, + @{bin}/sysctl rCx -> sysctl, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, @@ -110,7 +110,7 @@ profile ifup @{exec_path} { capability net_admin, capability sys_admin, - @{sbin}/sysctl mr, + @{bin}/sysctl mr, @{PROC}/sys/ r, @{PROC}/sys/** r, diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch index 04abb7e0c..c5c4aa276 100644 --- a/apparmor.d/profiles-g-l/im-launch +++ b/apparmor.d/profiles-g-l/im-launch 
@@ -22,7 +22,6 @@ profile im-launch @{exec_path} { @{bin}/sed rix, @{bin}/sleep rix, @{bin}/startplasma-x11 rPx, - @{bin}/startxfce4 rPx, @{bin}/true rix, @{bin}/uim-toolbar-gtk3 rPUx, @{bin}/uim-xim rPUx, diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index 199483f4f..074b4e735 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -19,7 +19,7 @@ profile initd-kexec @{exec_path} { @{bin}/tput rix, @{bin}/echo rix, - @{sbin}/kexec rPx, + @{bin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index 522d003f3..1b27d1a4e 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -25,7 +25,7 @@ profile initd-kexec-load @{exec_path} { @{bin}/readlink rix, @{bin}/tput rix, - @{sbin}/kexec rPx, + @{bin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, @@ -36,7 +36,7 @@ profile initd-kexec-load @{exec_path} { @{sys}/kernel/kexec_loaded r, - owner @{efi}/grub/{grub.cfg,grubenv} r, + owner /boot/grub/{grub.cfg,grubenv} r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog index 6a26d4dea..b1a56c41d 100644 --- a/apparmor.d/profiles-g-l/install-catalog +++ b/apparmor.d/profiles-g-l/install-catalog @@ -16,7 +16,7 @@ profile install-catalog @{exec_path} { @{sh_path} rix, @{bin}/basename rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-g-l/install-printerdriver b/apparmor.d/profiles-g-l/install-printerdriver index facd2fa3b..8ea351857 100644 --- a/apparmor.d/profiles-g-l/install-printerdriver +++ b/apparmor.d/profiles-g-l/install-printerdriver 
@@ -16,7 +16,7 @@ profile install-printerdriver @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{python_path} r, + @{bin}/python3.@{int} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index e80875ca2..eafcab799 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -20,6 +20,7 @@ profile inxi @{exec_path} { network netlink raw, @{exec_path} r, + @{bin}/perl r, @{bin}/ r, @{sh_path} rix, @@ -43,11 +44,11 @@ profile inxi @{exec_path} { # shared object file): ignored. @{bin}/dpkg-query rpx, - @{sbin}/blockdev rPx, + @{bin}/blockdev rPx, @{bin}/compton rPx, @{bin}/df rPx, @{bin}/dig rPx, - @{sbin}/dmidecode rPx, + @{bin}/dmidecode rPx, @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, @@ -56,7 +57,7 @@ profile inxi @{exec_path} { @{bin}/openbox rPx, @{bin}/ps rPx, @{bin}/sensors rPx, - @{sbin}/smartctl rPx, + @{bin}/smartctl rPx, @{bin}/sudo rPx, @{bin}/uptime rPx, @{bin}/who rPx, diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping index 0cb507e36..1ff3615f1 100644 --- a/apparmor.d/profiles-g-l/ioping +++ b/apparmor.d/profiles-g-l/ioping @@ -35,7 +35,7 @@ profile ioping @{exec_path} { /bin/* r, /sbin/* r, /etc/** r, - @{efi}/** r, + /boot/** r, /opt/** r, /var/** r, @{MOUNTS}/** r, diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop index 8ea787ea6..c53b4656d 100644 --- a/apparmor.d/profiles-g-l/iotop +++ b/apparmor.d/profiles-g-l/iotop 
@@ -10,28 +10,32 @@ include @{exec_path} = @{bin}/iotop profile iotop @{exec_path} { include - include include + include + # Needed? + audit deny capability net_admin, + + # To set processes' priorities capability sys_nice, - network netlink raw, - @{exec_path} r, + @{bin}/python3.@{int} r, + + @{bin}/file rix, @{bin}/ r, - @{bin}/file rix, - @{python_path} r, - - /etc/magic r, @{PROC}/ r, + @{PROC}/vmstat r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/task/ r, @{PROC}/sys/kernel/pid_max r, - @{PROC}/vmstat r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, + + # For file + /etc/magic r, include if exists } diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 0a27c4b59..bcb521c01 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -20,7 +20,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { network netlink raw, - mount fstype=sysfs -> @{sys}, + mount fstype=sysfs -> /sys/, mount options=(rw bind) / -> @{run}/netns/*, mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/, mount options=(rw, bind) @{att}/ -> @{run}/netns/*, @@ -29,7 +29,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { mount options=(rw, rslave) -> /, umount @{run}/netns/*, - umount @{sys}, + umount /sys/, @{exec_path} mrix, diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index c6dfa762a..ff7f1c799 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -13,6 +13,7 @@ profile ipcalc @{exec_path} { include @{exec_path} r, + @{bin}/perl r, include if exists } diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index 022dc92d5..fec2d7c93 100644 --- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance 
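Review bot: `audit deny capability net_admin,` under the comment `# Needed?`, combined with the removal of `network netlink raw,`, disables the interface iotop depends on: per-process I/O counters come from the kernel taskstats netlink family, which needs a netlink socket and, for other users' tasks, CAP_NET_ADMIN, which is why iotop is normally run as root or with that capability. Unless the newly added `include` supplies the netlink rule, the profile now blocks the tool's core function and logs an audit line on every attempt. Replace the question with the answer: keep `network netlink raw,` and `capability net_admin,` with `# taskstats netlink interface used to read per-process I/O` as the rationale.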
@@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/irqbalance +@{exec_path} = @{bin}/irqbalance profile irqbalance @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot deleted file mode 100644 index 8c18782f9..000000000 --- a/apparmor.d/profiles-g-l/ischroot +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ischroot -profile ischroot @{exec_path} flags=(attach_disconnected) { - include - include - - @{exec_path} mr, - - /var/lib/update-notifier/tmp.@{rand10} w, - - @{PROC}/@{pid}/mountinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 093cd7100..8f2d53f76 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/issue-generator +@{exec_path} = @{bin}/issue-generator profile issue-generator @{exec_path} { include include @@ -19,7 +19,6 @@ profile issue-generator @{exec_path} { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, - @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, @@ -31,7 +30,7 @@ profile issue-generator @{exec_path} { @{run}/agetty.reload w, @{run}/issue rw, @{run}/issue.@{rand10} rw, - @{run}/issue.d/{,**} rw, + @{run}/issue.d/{,**} r, /dev/tty rw, diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index 631b0b9d1..8639b8aad 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/iw +@{exec_path} = @{bin}/iw profile iw @{exec_path} { include 
@@ -21,7 +21,7 @@ profile iw @{exec_path} { @{exec_path} mr, - @{sys}/devices/@{pci}/ieee80211/phy@{int}/index r, + @{sys}/devices/@{pci}/ieee80211/phy[0-9]*/index r, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/iwconfig b/apparmor.d/profiles-g-l/iwconfig index ec6b9a46b..962b4ab23 100644 --- a/apparmor.d/profiles-g-l/iwconfig +++ b/apparmor.d/profiles-g-l/iwconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/iwconfig +@{exec_path} = @{bin}/iwconfig profile iwconfig @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/iwlist b/apparmor.d/profiles-g-l/iwlist index b89af77b9..298c94688 100644 --- a/apparmor.d/profiles-g-l/iwlist +++ b/apparmor.d/profiles-g-l/iwlist @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/iwlist +@{exec_path} = @{bin}/iwlist profile iwlist @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome new file mode 100644 index 000000000..3a1e504a8 --- /dev/null +++ b/apparmor.d/profiles-g-l/jami-gnome 
@@ -0,0 +1,61 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/jami-gnome +profile jami-gnome @{exec_path} { + include + include + include + include + include + include + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, + + /usr/share/ring/{,**} r, + /usr/share/sounds/jami-gnome/{,**} r, + + owner @{user_cache_dirs}/ rw, + owner @{user_cache_dirs}/jami-gnome/ rw, + owner @{user_cache_dirs}/jami-gnome/** rw, + + owner @{user_share_dirs}/jami/ rw, + owner @{user_share_dirs}/jami/** rwkl -> @{user_share_dirs}/jami/, + + owner @{user_config_dirs}/autostart/jami-gnome.desktop w, + + owner @{user_share_dirs}/ r, + owner @{user_share_dirs}/webkitgtk/deviceidhashsalts/1/ r, + owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v0 w, + owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v1/ w, + + @{sys}/firmware/acpi/pm_profile r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/** r, + + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/smaps r, + deny owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, + @{PROC}/zoneinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs index 618ac14e7..eb51b1239 100644 --- a/apparmor.d/profiles-g-l/jmtpfs +++ b/apparmor.d/profiles-g-l/jmtpfs @@ -18,7 +18,8 @@ profile jmtpfs @{exec_path} { @{bin}/fusermount{,3} rCx -> fusermount, - /etc/magic r, + owner @{tmp}/tmp* rw, + owner @{tmp}/#@{int} rw, # Mount points owner @{HOME}/*/ r, 
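Review bot: `owner @{user_share_dirs}/jami/** rwkl -> @{user_share_dirs}/jami/,` permits links whose target is the `jami/` directory itself, not files inside it; if the intent is to let jami link between its own files the target should be `-> @{user_share_dirs}/jami/**`. `@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,` runs the renderer of untrusted web content under the full jami-gnome profile, including its write access to `@{user_share_dirs}/jami/**` and `@{user_config_dirs}/autostart/jami-gnome.desktop w`; a child profile (or `Px` to a dedicated WebKit profile, if the repository has one) would limit what a compromised renderer can reach, the autostart write being the obvious persistence concern. `owner @{user_cache_dirs}/ rw,` on the cache root is broader than creating `jami-gnome/` requires; `w` alone on the directory, or the `jami-gnome/` rules by themselves, would do unless something else in the profile relies on it.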
@@ -26,20 +27,36 @@ profile jmtpfs @{exec_path} { owner @{user_cache_dirs}/*/mtp{,-@{int}}/ rw, - owner @{tmp}/tmp* rw, - owner @{tmp}/#@{int} rw, + mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, + mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, + mount fstype={fuse,fuse.jmtpfs} -> @{user_cache_dirs}/*/*/, + + /etc/magic r, + + /dev/fuse rw, + profile fusermount { include - include + include + + # To mount anything: + capability sys_admin, + + # + capability dac_read_search, + + @{bin}/fusermount{,3} mr, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/, mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/, mount fstype={fuse,fuse.jmtpfs} -> @{user_cache_dirs}/*/*/, - umount @{HOME}/*/, - umount @{HOME}/*/*/, - umount @{user_cache_dirs}/*/*/, + /etc/fuse.conf r, + + /dev/fuse rw, + + @{PROC}/@{pid}/mounts r, include if exists } diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 91eb37c58..0e27fa5ae 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -31,7 +31,7 @@ profile kanyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, @{bin}/head rix, diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index 947cfabd1..743da77a1 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -13,13 +13,13 @@ profile kconfig-hardened-check @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, # The usual kernel config locations - @{efi}/config-* r, + /boot/config-* r, @{PROC}/config.gz r, # This is for kernels, which are built manually diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy deleted file mode 100644 index ccc0a2b25..000000000 --- a/apparmor.d/profiles-g-l/kdestroy +++ /dev/null 
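Review bot: The three `umount @{HOME}/*/,` / `umount @{HOME}/*/*/,` / `umount @{user_cache_dirs}/*/*/,` rules are removed from the `fusermount` child while the matching `mount fstype={fuse,fuse.jmtpfs}` rules are kept, so `fusermount -u` on a jmtpfs mount point will now be denied unless umount is granted elsewhere in the file. The same three `mount` rules and `/dev/fuse rw,` are also added to the parent profile, which shows no `capability sys_admin,` in view; if the parent cannot mount they are dead rules, and if it can, the setuid fusermount indirection loses its point, so one of the two copies should go. The bare `#` above `capability dac_read_search,` should state why the capability is needed or be removed, in the style of the `# To mount anything:` comment above `sys_admin`.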
@@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Zane Zakraisek -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/kdestroy -profile kdestroy @{exec_path} { - include - include - - #Allow root to destroy other users' creds cache - capability dac_override, - - @{exec_path} mr, - - #Credentials cache - /tmp/krb5cc_* rwk, - /tmp/tkt* rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config deleted file mode 100644 index 75c536612..000000000 --- a/apparmor.d/profiles-g-l/kdump-config +++ /dev/null 
@@ -1,110 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/kdump-config -profile kdump-config @{exec_path} flags=(attach_disconnected) { - include - - capability sys_admin, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/basename ix, - @{bin}/cat ix, - @{bin}/cmp ix, - @{bin}/cp ix, - @{bin}/cut ix, - @{bin}/file ix, - @{bin}/find ix, - @{bin}/flock ix, - @{bin}/hexdump ix, - @{bin}/ln ix, - @{bin}/logger ix, - @{bin}/plymouth Px, - @{bin}/readlink ix, - @{bin}/rev ix, - @{bin}/rm ix, - @{bin}/run-parts ix, - @{bin}/sed ix, - @{bin}/systemctl Cx -> systemctl, - @{bin}/uname ix, - @{sbin}/kexec Cx -> kexec, - @{sbin}/sysctl Cx -> sysctl, - - /etc/kernel/postinst.d/kdump-tools rPx, - - /etc/kdump/{,**} r, - /etc/default/kdump-tools r, - /etc/magic r, - - / r, - @{efi}/ r, - - /var/crash/kdump_lock wk, - /var/crash/kexec_cmd w, - /var/lib/kdump/{,**} rw, - - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, - owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, - - @{sys}/firmware/efi/efivars/ r, - @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, - @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, - @{sys}/kernel/kexec_crash_loaded r, - - @{PROC}/cmdline r, - @{PROC}/iomem r, - - profile systemctl flags=(attach_disconnected) { - include - include - - capability net_admin, - capability sys_ptrace, - - ptrace read peer=@{p_systemd}, - - include if exists - } - - profile sysctl { - include - - @{sbin}/sysctl mr, - - @{PROC}/sys/kernel/panic_on_oops rw, - - include if exists - } - - profile kexec { - include - - capability sys_admin, - capability sys_boot, - - @{sbin}/kexec mr, - - @{efi}/* r, - - owner 
/var/lib/kdump/* r, - - @{PROC}/iomem r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init deleted file mode 100644 index 7767831a8..000000000 --- a/apparmor.d/profiles-g-l/kdump-tools-init +++ /dev/null @@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /etc/init.d/kdump-tools -profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { - include - - @{exec_path} mr, - @{sh_path} mr, - - @{bin}/cat ix, - @{bin}/plymouth Px, - @{bin}/run-parts ix, - @{bin}/systemctl Cx -> systemctl, - @{sbin}/kdump-config Px, - - /etc/default/kdump-tools r, - - @{PROC}/cmdline r, - - profile systemctl flags=(attach_disconnected) { - include - include - - capability net_admin, - - ptrace read peer=@{p_systemd}, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator deleted file mode 100644 index 5f85af3fe..000000000 --- a/apparmor.d/profiles-g-l/kdump_mem_estimator +++ /dev/null @@ -1,38 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/kdump-tools/kdump_mem_estimator -profile kdump_mem_estimator @{exec_path} { - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/cat ix, - @{bin}/mkdir ix, - @{bin}/uname ix, - @{bin}/systemctl Cx -> systemctl, - @{bin}/uname ix, - - owner /var/lib/kdump/mem* w, - - profile systemctl { - include - include - - capability net_admin, - - ptrace read peer=@{p_systemd}, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index de95d3c9f..d2dee61aa 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -48,10 +48,10 @@ profile keepassxc @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/* r, - owner @{user_passwordstore_dirs}/ r, - owner @{user_passwordstore_dirs}/*.csv rw, - owner @{user_passwordstore_dirs}/*.kdbx* rwl -> @{user_passwordstore_dirs}/#@{int}, - owner @{user_passwordstore_dirs}/#@{int} rw, + owner @{user_password_store_dirs}/ r, + owner @{user_password_store_dirs}/*.csv rw, + owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int}, + owner @{user_password_store_dirs}/#@{int} rw, owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel deleted file mode 100644 index c46b5556e..000000000 --- a/apparmor.d/profiles-g-l/kernel +++ /dev/null 
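Review bot: The link target of the `*.kdbx*` rule is `@{KP_DB}/#@{int}` while the other three rules in the block use `@{user_password_store_dirs}`; `@{KP_DB}` is not defined anywhere visible in this hunk, and if it is undefined the parser rejects the profile, while if it expands to a different directory the save-then-rename of the database (`.kdbx` linked to a `#NNN` file in the same directory) is denied. Use one variable on both sides: `owner @{user_password_store_dirs}/*.kdbx* rwl -> @{user_password_store_dirs}/#@{int},`. If `@{KP_DB}` is meant to be a separate tunable, define it in the profile header (outside this hunk) and use it in all four rules.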
@@ -1,80 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /etc/kernel/{,header_}postinst.d/* /etc/kernel/postrm.d/* -@{exec_path} += /etc/kernel/preinst.d/* /etc/kernel/prerm.d/* -profile kernel @{exec_path} { - include - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,m,g}awk rix, - @{bin}/cat rix, - @{bin}/chmod rix, - @{bin}/cut rix, - @{bin}/dirname rix, - @{bin}/kmod rCx -> kmod, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, - - @{bin}/apt-config rPx, - @{bin}/bootctl rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/kernel-install rPx, - @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, - @{lib}/dkms/dkms_autoinstaller rPx, - @{sbin}/dkms rPx, - @{sbin}/update-grub rPx, - @{sbin}/update-initramfs rPx, - - @{lib}/modules/*/updates/ w, - @{lib}/modules/*/updates/dkms/ w, - - /etc/kernel/header_postinst.d/* r, - /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, - - # For shell pwd - / r, - @{efi}/ r, - - /etc/apt/apt.conf.d/ r, - /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, - - @{run}/reboot-required w, - @{run}/reboot-required.pkgs rw, - - @{PROC}/devices r, - @{PROC}/cmdline r, - - profile kmod { - include - include - - capability sys_module, - - @{sys}/module/compression r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index dede5da41..07c058124 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install 
@@ -11,20 +11,22 @@ include profile kernel-install @{exec_path} { include include - include include - capability sys_rawio, - capability sys_resource, - - ptrace read peer=@{p_systemd}, - @{exec_path} r, @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/kmod rCx -> kmod, + @{bin}/mountpoint rix, + @{bin}/sort rix, + @{bin}/rm rix, + @{bin}/mkdir rix, + @{bin}/cp rix, + @{bin}/chown rix, + @{bin}/chmod rix, + @{bin}/basename rix, + @{pager_path} rPx -> child-pager, + @{bin}/kmod rCx -> kmod, @{lib}/kernel/install.d/ r, @{lib}/kernel/install.d/@{int2}-*.install rix, @@ -35,39 +37,27 @@ profile kernel-install @{exec_path} { @{lib}/os-release r, /etc/kernel/cmdline r, /etc/kernel/tries r, - /etc/kernel/entry-token r, /etc/machine-id r, /etc/os-release r, /var/lib/dbus/machine-id r, @{lib}/modules/*/modules.* w, - / r, - - @{efi}/@{hex32}/** rw, - @{efi}/loader/entries.srel r, - owner @{efi}/{vmlinuz,initrd.img}-* r, - owner @{efi}/loader/ rw, - owner @{efi}/loader/entries/ rw, - owner @{efi}/loader/entries/*.conf w, - - owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, + owner /boot/{vmlinuz,initrd.img}-* r, + owner /boot/[a-f0-9]*/*/ rw, + owner /boot/[a-f0-9]*/*/{linux,initrd} w, + owner /boot/loader/ rw, + owner /boot/loader/entries/ rw, + owner /boot/loader/entries/*.conf w, owner @{tmp}/sh-thd.* rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/1/environ r, @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, profile kmod { include include - @{lib}/modules/*/modules.* w, - - @{sys}/module/compression r, - include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump deleted file mode 100644 index eb17c5355..000000000 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ /dev/null 
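Review bot: `owner /boot/[a-f0-9]*/*/ rw,` and `owner /boot/[a-f0-9]*/*/{linux,initrd} w,` match far more than the machine-id entry directory they stand for: `[a-f0-9]*` is satisfied by any name whose first character is a hex digit, so every subdirectory of, say, a `/boot/efi/` mount becomes writable through this rule. The old side of this hunk spells a machine id as `@{hex32}`; `owner /boot/@{hex32}/*/ rw,` and `owner /boot/@{hex32}/*/{linux,initrd} w,` keep the grant to the bootloader-spec layout. Separately, the `kmod` child profile at the end of the hunk is left with only include lines (their targets are not visible here), so everything depmod needs must come from those abstractions — worth confirming in enforce mode.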
@@ -1,62 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /etc/kernel/postinst.d/kdump-tools -profile kernel-postinst-kdump @{exec_path} { - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/cp rix, - @{bin}/du rix, - @{bin}/find rix, - @{bin}/kmod rCx -> kmod, - @{bin}/ischroot rPx, - @{bin}/linux-version rPx, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/sync rix, - @{bin}/cut rix, - @{sbin}/mkinitramfs rPx, - - / r, - - /etc/initramfs-tools/{,**} r, - - owner /var/lib/kdump/** rw, - - owner /tmp/tmp.@{rand10}/ rw, - owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, - - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, - owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, - - profile kmod { - include - include - - @{sys}/module/*/ r, - @{sys}/module/*/coresize r, - @{sys}/module/*/holders/ r, - @{sys}/module/*/refcnt r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops index 70c8b9460..815fa4e38 100644 --- a/apparmor.d/profiles-g-l/kerneloops +++ b/apparmor.d/profiles-g-l/kerneloops @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/kerneloops +@{exec_path} = @{bin}/kerneloops profile kerneloops @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index d9d556879..8f5e66cbc 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet 
@@ -10,10 +10,8 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include - include - include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index 09c414430..102b75d83 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/kexec +@{exec_path} = @{bin}/kexec profile kexec @{exec_path} flags=(complain) { include @@ -15,7 +15,7 @@ profile kexec @{exec_path} flags=(complain) { @{exec_path} mr, - owner @{efi}/{initrd.img,vmlinuz}-* r, + owner /boot/{initrd.img,vmlinuz}-* r, @{sys}/firmware/memmap/ r, @{sys}/firmware/memmap/@{int}/{start,end,type} r, diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit deleted file mode 100644 index 706a11c10..000000000 --- a/apparmor.d/profiles-g-l/kinit +++ /dev/null @@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Zane Zakraisek -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/kinit -profile kinit @{exec_path} { - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - #User keytab file - /var/lib/krb5/user/@{uid}/client.keytab r, - - #Credentials cache - /tmp/krb5cc_* rwk, - /tmp/tkt* rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist deleted file mode 100644 index f21f34295..000000000 --- a/apparmor.d/profiles-g-l/klist +++ /dev/null 
@@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Zane Zakraisek -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/klist -profile klist @{exec_path} { - include - include - - #Allow root to list other users' creds cache - capability dac_override, - capability dac_read_search, - - @{exec_path} mr, - - #User keytab file - /var/lib/krb5/user/@{uid}/client.keytab rk, - - #Credentials cache - /tmp/krb5cc_* rk, - /tmp/tkt* rk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 1d67b5678..08fc10c22 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe} profile kmod @{exec_path} flags=(attach_disconnected) { include - include + include include capability dac_read_search, @@ -28,13 +28,17 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{bin}/basename rix, @{bin}/false rix, @{bin}/id rix, - @{sbin}/sysctl rCx -> sysctl, + @{bin}/sysctl rPx, @{bin}/true rix, + @{lib}/modprobe.d/{,*.conf} r, @{lib}/modules/*/modules.* rw, @{run}/modprobe.d/{,*.conf} r, + /etc/depmod.d/{,**} r, + /etc/modprobe.d/{,*.conf} r, + /tmp/**/*.ko{,.zst} r, /usr/src/*/*.ko r, /var/lib/dkms/**/module/*.ko r, @@ -44,7 +48,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { owner /var/tmp/*modules*/{,**} rw, owner /var/tmp/dracut.*/{,**} rw, - owner @{efi}/System.map-* r, + owner /boot/System.map-* r, owner @{tmp}/mkinitcpio.*/{,**} rw, # For local kernel build 
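Review bot: `/tmp/**/*.ko{,.zst} r,` lets kmod read kernel modules from anywhere under the world-writable `/tmp`, with no `owner` qualifier, which is a wider trust boundary than the other module locations in the same block (`/usr/src/*/*.ko`, `/var/lib/dkms/**/module/*.ko`); if this profile also carries `capability sys_module` (not visible in this hunk), it widens where a module can be loaded from. The rest of the profile writes temporary paths as `owner @{tmp}/...` (see `owner @{tmp}/mkinitcpio.*/{,**} rw,` in the next hunk), so at minimum write it as `owner @{tmp}/**/*.ko{,.zst} r,` and add a comment naming the tool that builds modules there.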
@@ -62,23 +66,14 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sys}/module/{,**} r, + @{PROC}/cmdline r, + @{PROC}/modules r, + /dev/tty@{int} rw, deny @{user_share_dirs}/gvfs-metadata/* r, deny unix (receive) type=stream, - profile sysctl { - include - - @{sbin}/sysctl mr, - - /etc/sysctl.conf r, - /etc/sysctl.d/{,**} r, - @{lib}/sysctl.d/{,**} r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 9d6c9d1c2..fc6a6ede5 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -30,11 +30,11 @@ profile kodi @{exec_path} { @{bin}/df rix, @{bin}/dirname rix, @{bin}/find rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/mv rix, @{bin}/uname rix, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, /usr/share/kodi/{,**} r, /usr/share/publicsuffix/* r, @@ -50,8 +50,7 @@ profile kodi @{exec_path} { owner @{HOME}/core w, owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w, - @{run}/udev/data/+*:* r, # Identifies all subsystems - @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/* r, @{sys}/**/ r, @{sys}/devices/@{pci}/usb@{int}/{bDeviceClass,idProduct,idVendor} r, diff --git a/apparmor.d/profiles-g-l/kvm-ok b/apparmor.d/profiles-g-l/kvm-ok index f62e9ddf9..eb3d1cc80 100644 --- a/apparmor.d/profiles-g-l/kvm-ok +++ b/apparmor.d/profiles-g-l/kvm-ok @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/kvm-ok +@{exec_path} = @{bin}/kvm-ok profile kvm-ok @{exec_path} { include @@ -20,7 +20,7 @@ profile kvm-ok @{exec_path} { @{bin}/kmod rCx -> kmod, - @{sbin}/rdmsr rPx, + @{bin}/rdmsr rPx, #/proc/cpuinfo r, #/dev/kvm r, diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index ab624f099..93234bf52 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc 
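Review bot: `@{run}/udev/data/* r,` grants kodi the whole udev device database and drops the two comments that said which device classes were needed (`+*:*` for subsystems, `c@{int}:@{int}` for character devices). If the broader read is deliberate, keep the reason on the rule, e.g. `@{run}/udev/data/* r, # libudev enumerates every device class (TODO confirm from aa-log)`; otherwise list only the `+subsystem:*` / `c@{int}:@{int}` keys that actually appear in denials, as the labwc profile in this same series does.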
@@ -38,11 +38,12 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/**/uevent r, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+acpi:* r, # for ? @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+platform:* r, # for ? @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 47cbb22a2..52252882d 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/landscape-sysinfo profile landscape-sysinfo @{exec_path} { include - include include include @@ -21,24 +20,19 @@ profile landscape-sysinfo @{exec_path} { network inet6 dgram, network netlink raw, - ptrace read, + ptrace (read), @{exec_path} mr, - @{bin}/who rPx, - - @{lib}/@{python_name}/**/__pycache__/ w, - @{lib}/@{python_name}/**/__pycache__/**.pyc w, - @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + @{bin}/who rix, /var/log/landscape/{,**} rw, - @{run}/systemd/sessions/{,*} r, @{run}/utmp rwk, @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, 
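Review bot: The new side of the labwc hunk carries `@{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard` twice in a row; the duplicate is harmless to the parser but is noise for the next edit, so drop one. The comments on the `+acpi:*` and `+platform:*` rules now read `# for ?`, which documents nothing; each udev-data rule in this block exists because labwc enumerates that device class, so say which one, e.g. `# ACPI objects (power buttons, batteries, thermal)` and `# onboard/platform devices`. The tail of the profile is outside the hunk.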
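Review bot: `@{bin}/who rix,` runs `who` inside the landscape-sysinfo profile, which in this same hunk keeps an unrestricted `ptrace (read),` and `@{run}/utmp rwk,`; an inherited child gets all of that, whereas a profile transition keeps `who` to what it needs. If a `who` profile exists in the set (not visible here), prefer `@{bin}/who rPx,`; if it does not, `@{bin}/who rCx -> who,` with a small child holding `@{run}/utmp r,` keeps the ptrace and write permissions out of its reach. Either way a peer on the ptrace rule (`ptrace (read) peer=...`) would be tighter than the bare form — confirm the needed peer from aa-log.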
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index 056b2d83c..e5c739bd5 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -9,14 +9,12 @@ include @{exec_path} = /usr/share/landscape/landscape-sysinfo.wrapper profile landscape-sysinfo.wrapper @{exec_path} { include - include capability dac_override, capability fowner, capability fsetid, @{exec_path} mr, - @{python_path} mr, @{sh_path} rix, @{bin}/bc rix, @@ -25,7 +23,7 @@ profile landscape-sysinfo.wrapper @{exec_path} { @{bin}/cut rix, @{bin}/date rix, @{bin}/find rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/landscape-sysinfo rPx, / r, @@ -33,8 +31,6 @@ profile landscape-sysinfo.wrapper @{exec_path} { /var/lib/landscape/landscape-sysinfo.cache rw, - @{run}/motd.dynamic.new w, - @{PROC}/loadavg r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index 3d7383aef..bf999b79e 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -15,9 +15,10 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/locale rix, + /usr/share/locale-langpack/{,*} r, /usr/share/language-tools/{,*} r, include if exists diff --git a/apparmor.d/groups/shadow/lastlog b/apparmor.d/profiles-g-l/lastlog similarity index 95% rename from apparmor.d/groups/shadow/lastlog rename to apparmor.d/profiles-g-l/lastlog index 0cb62819f..392aba362 100644 --- a/apparmor.d/groups/shadow/lastlog +++ b/apparmor.d/profiles-g-l/lastlog @@ -17,9 +17,8 @@ profile lastlog @{exec_path} { @{exec_path} mr, - @{etc_ro}/login.defs r, - /var/log/lastlog r, + /etc/login.defs r, include if exists } 
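Review bot: After this hunk the lastlog profile reads `/etc/login.defs` but has no rule for `/var/log/lastlog`, the database the command exists to print; unless one of the (not visible) include lines grants it, `lastlog` will produce an empty listing with an audit denial in enforce mode. If the file really is no longer read, add a comment saying so next to the login.defs rule; otherwise `/var/log/lastlog r,` belongs beside it. The rename from `groups/shadow/` to `profiles-g-l/` does not affect this.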
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 7e4feed45..63634d788 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -11,20 +11,13 @@ include profile libreoffice @{exec_path} { include include - include include - include - include - include - include - include include include include include include include - include include include include @@ -37,14 +30,14 @@ profile libreoffice @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.libreoffice interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.libreoffice.LibreOfficeIpc0 @{exec_path} mr, @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/ls rix, @{bin}/paperconf rix, @{bin}/sed rix, @@ -56,12 +49,11 @@ profile libreoffice @{exec_path} { @{bin}/gpgconf rPx, @{bin}/gpgsm rPx, - @{lib}/jvm/java*/bin/java rix, - @{lib}/jvm/java*/lib/** rm, @{lib}/libreoffice/program/javaldx rix, @{lib}/libreoffice/program/oosplash rix, @{lib}/libreoffice/program/soffice.bin rix, - @{lib}/libreoffice/program/xpdfimport rix, + @{lib}/jvm/java*/bin/java rix, + @{lib}/jvm/java*/lib/** rm, @{lib}/libreoffice/{,**} rm, @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w, 
@@ -75,29 +67,22 @@ profile libreoffice @{exec_path} { /usr/share/mythes/{,**} r, /usr/share/thumbnailers/{,**} r, - /etc/cups/ppd/*.ppd r, - /etc/java{,-}{,@{version}}-openjdk/{,**} r, + /etc/java{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, - /etc/papersize r, /etc/paperspecs r, /etc/xdg/* r, - /var/tmp/ r, - owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, - owner @{user_cache_dirs}/libreoffice/{,**} rw, - - owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, - owner @{user_config_dirs}/plasma_workspace.notifyrc r, owner @{user_config_dirs}/soffice.*.lock rwk, - owner @{user_config_dirs}/soffice.binrc r, + owner @{user_config_dirs}/plasma_workspace.notifyrc r, + owner @{user_config_dirs}/kservicemenurc r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/user-places.xbel r, - @{tmp}/ r, + owner @{tmp}/ r, owner @{tmp}/.java_pid@{int}{,.tmp} rw, owner @{tmp}/@{hex} rw, owner @{tmp}/@{rand6} rwk, 
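Review bot: `owner @{tmp}/ r,` will not match for an ordinary user if `@{tmp}` resolves to a root-owned directory such as `/tmp/`: the `owner` qualifier requires the process fsuid to equal the file owner, so listing the temp directory is denied in enforce mode while the surrounding `owner @{tmp}/@{hex} rw,` rules on user-created files keep working. Keep the directory itself unqualified: `@{tmp}/ r,`. Separately, `plasma_workspace.notifyrc` and `kservicemenurc` are now out of the sorted order used by the rest of the `@{user_config_dirs}` rules in this block.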
@@ -105,17 +90,16 @@ profile libreoffice @{exec_path} { owner @{tmp}/*.tmp/{,**} rwk, owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, - owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, + owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w, owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 60189d911..8d2fcdcc8 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -11,12 +11,19 @@ include profile light-locker @{exec_path} { include include - include + include + include + include include + include include + include @{exec_path} mr, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + # when locking the screen and switching/closing sessions @{run}/systemd/sessions/* r, @@ -26,9 +33,6 @@ profile light-locker @{exec_path} { @{sys}/devices/@{pci}/subsystem_vendor r, @{sys}/devices/@{pci}/subsystem_device r, - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index f2895299f..a0c184032 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal 
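Review bot: `session-@{int}.scope` narrows the cgroup rule to numeric session ids, but logind also creates sessions whose id carries a letter prefix (the `c1`-style ids of sessions without a seat), and the `user@@{uid}.service/...` rules right below show this path is read at startup; with `@{int}` those sessions lose the `cpu.max`/`memory.max` read and hit a denial instead. `session-@{word}.scope`, which this block used before, or `session-*.scope` covers both forms. Leave a comment on the rule naming the JVM's cgroup probing as the reason, so the next reader does not narrow it again.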
+++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -8,15 +8,46 @@ abi , include @{exec_path} = @{bin}/linux-check-removal -profile linux-check-removal @{exec_path} { +profile linux-check-removal @{exec_path} flags=(complain) { include - include + include + include - @{exec_path} rmix, + @{exec_path} r, + @{bin}/perl r, - @{bin}/stty rix, + # Think what to do about this (#FIXME#) + /usr/share/debconf/frontend rPx, + #/usr/share/debconf/frontend rCx -> frontend, - /etc/shadow r, + + profile frontend flags=(complain) { + include + include + include + include + + /usr/share/debconf/frontend r, + @{bin}/perl r, + + @{bin}/linux-check-removal rPx, + + @{sh_path} rix, + @{bin}/stty rix, + @{bin}/locale rix, + + # The following is needed when debconf uses dialog/whiptail frontend. + @{bin}/whiptail rPx, + owner @{tmp}/file* w, + + /usr/share/debconf/confmodule r, + + /etc/debconf.conf r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /usr/share/debconf/templates/adequate.templates r, + + include if exists + } include if exists } diff --git a/apparmor.d/profiles-g-l/linux-update-symlinks b/apparmor.d/profiles-g-l/linux-update-symlinks deleted file mode 100644 index b97a0305b..000000000 --- a/apparmor.d/profiles-g-l/linux-update-symlinks +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/linux-update-symlinks -profile linux-update-symlinks @{exec_path} { - include - include - include - - @{exec_path} mr, - - /etc/kernel-img.conf r, - - @{efi}/ r, - @{efi}/* rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version index c718b6495..1a8ffbb0d 100644 --- a/apparmor.d/profiles-g-l/linux-version +++ b/apparmor.d/profiles-g-l/linux-version 
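Review bot: The `frontend` child profile added in this hunk is unreachable: the only transition into it, `/usr/share/debconf/frontend rCx -> frontend`, is commented out and the live rule is `/usr/share/debconf/frontend rPx,` to the global profile, so the child's rules — including `owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,`, which covers debconf's stored passwords — are dead policy that a later uncomment would enable without review. Pick one: keep `rPx` and delete the child, or switch to `rCx -> frontend` and retire the `#FIXME#`. Both the parent and the child are also set to `flags=(complain)`, so nothing here is enforced yet; the FIXME comment should say what decides between the two transitions.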
@@ -14,8 +14,9 @@ profile linux-version @{exec_path} { include @{exec_path} r, + @{bin}/perl r, - @{efi}/ r, + /boot/ r, include if exists } diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index ff2ffe6b8..0e18eab1b 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -7,7 +7,6 @@ abi , include @{name} = QQ -@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/QQ/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -15,9 +14,10 @@ include @{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq profile linuxqq @{exec_path} flags=(attach_disconnected) { include - include + include include include + include network netlink raw, network netlink dgram, @@ -29,7 +29,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} r, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{lib_dirs}/chrome_crashpad_handler ix, @{lib_dirs}/resources/app/{,**} m, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/groups/utils/locale-gen b/apparmor.d/profiles-g-l/locale-gen similarity index 93% rename from apparmor.d/groups/utils/locale-gen rename to apparmor.d/profiles-g-l/locale-gen index 5366f1403..b9254171a 100644 --- a/apparmor.d/groups/utils/locale-gen +++ b/apparmor.d/profiles-g-l/locale-gen @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/locale-gen +@{exec_path} = @{bin}/locale-gen profile locale-gen @{exec_path} { include include @@ -18,7 +18,6 @@ profile locale-gen @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/{e,}grep rix, @{bin}/cat rix, @{bin}/gzip rix, @{bin}/localedef rix, diff --git a/apparmor.d/profiles-g-l/localsend b/apparmor.d/profiles-g-l/localsend deleted file mode 100644 index ad2e23fc6..000000000 --- a/apparmor.d/profiles-g-l/localsend +++ /dev/null 
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/localsend -profile localsend @{exec_path} { - include - include - include - include - include - include - -# --system-talk-name=org.freedesktop.NetworkManager -# - --system-talk-name=org.freedesktop.hostname1 -# --talk-name=org.kde.StatusNotifierWatcher - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/login b/apparmor.d/profiles-g-l/login similarity index 79% rename from apparmor.d/groups/utils/login rename to apparmor.d/profiles-g-l/login index cf9663e8e..9b32614a9 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/profiles-g-l/login @@ -14,7 +14,6 @@ profile login @{exec_path} flags=(attach_disconnected) { include include include - include #aa:only RBAC capability audit_write, capability chown, 
@@ -31,40 +30,41 @@ profile login @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal send set=(hup term), + signal (send) set=(hup term), + + unix type=stream addr=@@{udbus}/bus/login/system, ptrace read, - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind @{exec_path} mr, - @{shells_path} Ux, #aa:exclude RBAC + @{bin}/@{shells} rUx, @{etc_ro}/environment r, - @{etc_ro}/security/group.conf r, - @{etc_ro}/security/limits.conf r, @{etc_ro}/security/limits.d/{,*} r, - @{etc_ro}/security/pam_env.conf r, /etc/default/locale r, /etc/legal r, /etc/machine-id r, /etc/motd r, /etc/motd.d/ r, + /etc/security/group.conf r, + /etc/security/limits.conf r, + /etc/security/pam_env.conf r, /etc/shells r, /var/lib/faillock/@{user} rwk, - /var/lib/lastlog/ r, /var/log/btmp{,.@{int}} r, owner @{user_cache_dirs}/motd.legal-displayed rw, - @{att}/@{run}/systemd/sessions/@{int}.ref w, - @{run}/credentials/getty@tty@{int}.service/ r, + @{run}/dbus/system_bus_socket rw, @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic{,.new} rw, + @{run}/systemd/sessions/*.ref rw, @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 781a01a27..7990fb27d 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/logrotate +@{exec_path} = @{bin}/logrotate profile logrotate @{exec_path} flags=(attach_disconnected) { include include @@ -21,8 +21,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, - signal send set=hup, - signal send set=(term cont) peer=systemd-tty-ask-password-agent, + signal (send) set=(hup), + signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, @{exec_path} mr, 
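Review bot: `@{bin}/@{shells} rUx,` launches the user's shell unconfined, as before, but the line it replaces carried `#aa:exclude RBAC`, a marker the build appears to use (compare `#aa:only RBAC` in the previous hunk) to drop the rule from the full-system-policy variant; without it the unconfined transition presumably lands in that policy too — confirm with the build and, if so, keep `@{bin}/@{shells} rUx, #aa:exclude RBAC`. The hunk also mixes `@{etc_ro}/security/limits.d/{,*} r,` with the new plain `/etc/security/{group,limits,pam_env}.conf r,` lines; use one prefix for the whole `/etc/security` group. `@{run}/systemd/sessions/*.ref rw,` widens a single-session write to read/write on every session's ref file; if login only ever opens its own ref for writing, `w` on it is enough.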
@@ -30,9 +30,9 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/gzip rix, - @{sbin}/invoke-rc.d rix, + @{bin}/invoke-rc.d rix, @{bin}/kill rix, @{bin}/ls rix, @{bin}/setfacl rix, @@ -80,13 +80,6 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, - ptrace read peer=@{p_systemd}, - - dbus send bus=system path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=KillUnit - peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), - @{run}/utmp rk, include if exists diff --git a/apparmor.d/groups/utils/losetup b/apparmor.d/profiles-g-l/losetup similarity index 65% rename from apparmor.d/groups/utils/losetup rename to apparmor.d/profiles-g-l/losetup index 9b32074ba..fd2472dce 100644 --- a/apparmor.d/groups/utils/losetup +++ b/apparmor.d/profiles-g-l/losetup @@ -6,27 +6,22 @@ abi , include -@{exec_path} = @{sbin}/losetup +@{exec_path} = @{bin}/losetup profile losetup @{exec_path} { include include - include capability dac_override, capability dac_read_search, - unix receive type=stream, + unix (receive) type=stream, @{exec_path} mr, - @{user_img_dirs}/** rw, - @{user_vm_dirs}/** rw, - - @{sys}/block/ r, - @{sys}/devices/virtual/block/loop@{int}/{,**} r, + @{sys}/devices/**/usb[0-9]/{,**} r, /dev/loop-control rw, - /dev/loop@{int} rw, + /dev/loop[0-9]* rw, include if exists } diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release deleted file mode 100644 index 5214632dc..000000000 --- a/apparmor.d/profiles-g-l/lsb-release +++ /dev/null 
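Review bot: The `systemctl` child keeps `capability net_admin,` and `capability sys_ptrace,` but after this hunk has no `ptrace` rule and no dbus rule left on the new side; AppArmor mediates reads of other tasks' `/proc` entries through ptrace rules in addition to the capability, so either `sys_ptrace` is now unused or systemctl's lookup of systemd's pid will be denied with a ptrace event. Check the audit log in enforce mode and either drop the two capabilities or put a minimal `ptrace read peer=@{p_systemd},` back with a comment on why systemctl needs it. The child profile's opening line is outside the hunk.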
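Review bot: `/dev/loop[0-9]* rw,` and `@{sys}/devices/**/usb[0-9]/{,**} r,` spell numeric components with hand-written classes where the rest of this series uses `@{int}` (`/dev/tty@{int}` in kmod, `usb@{int}` in kodi), and `usb[0-9]` stops matching at a second bus digit. Write `/dev/loop@{int} rw,` and `@{sys}/devices/**/usb@{int}/{,**} r,`. The `{,**}` under `@{sys}/devices` also reads every attribute of every USB subtree; if losetup only needs a few attributes, name them and keep a comment on why a loop-device tool reads USB sysfs at all.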
@@ -1,47 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Note: named "lsb-release" to not conflict with upstreamed "lsb_release" that -# does attach @{bin}/lsb_release. - -abi , - -include - -@{exec_path} = @{bin}/lsb_release -profile lsb-release @{exec_path} flags=(attach_disconnected) { - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/ r, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/find rix, - @{bin}/getopt rix, - @{bin}/head rix, - @{bin}/sed rix, - @{bin}/tr rix, - - #aa:only apt - @{bin}/dpkg-query px, - - @{etc_ro}/ r, - @{etc_ro}/*-release r, - @{etc_ro}/lsb-release r, - @{etc_ro}/lsb-release.d/{,*} r, - - # file_inherit - deny /opt/*/** r, - deny owner @{user_config_dirs}/*/** r, - deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/profiles-g-l/lsblk similarity index 92% rename from apparmor.d/groups/utils/lsblk rename to apparmor.d/profiles-g-l/lsblk index 6fc1d5bb2..7559e4e48 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/profiles-g-l/lsblk @@ -27,7 +27,6 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { # File Inherit deny network inet stream, deny network inet6 stream, - deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/utils/lscpu b/apparmor.d/profiles-g-l/lscpu similarity index 100% rename from apparmor.d/groups/utils/lscpu rename to apparmor.d/profiles-g-l/lscpu diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/profiles-g-l/lspci similarity index 86% rename from apparmor.d/groups/utils/lspci rename to apparmor.d/profiles-g-l/lspci index c6ac0fdcd..b390346bb 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/profiles-g-l/lspci 
@@ -13,14 +13,12 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include - capability dac_read_search, capability sys_admin, - network inet dgram, - network inet6 dgram, - @{exec_path} mr, + /app/lib/libzypak-preload-host*.so rm, + /usr/share/hwdata/pci.ids r, /usr/share/misc/pci.ids r, /usr/share/misc/pci.ids.gz r, @@ -45,9 +43,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/ioports r, - # file_inherit - deny owner @{user_share_dirs}/gvfs-metadata/* r, - deny owner @{user_cache_dirs}/*/** rw, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/profiles-g-l/lsusb similarity index 83% rename from apparmor.d/groups/usb/lsusb rename to apparmor.d/profiles-g-l/lsusb index a10659292..40e902a87 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/profiles-g-l/lsusb @@ -7,14 +7,13 @@ abi , include -@{exec_path} = @{bin}/lsusb @{bin}/lsusb.py +@{exec_path} = @{bin}/lsusb profile lsusb @{exec_path} { include include include capability net_admin, - capability sys_admin, network netlink raw, @@ -22,8 +21,6 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, - /dev/bus/usb/@{int}/@{int} w, - include if exists } diff --git a/apparmor.d/groups/filesystem/lvm b/apparmor.d/profiles-g-l/lvm similarity index 91% rename from apparmor.d/groups/filesystem/lvm rename to apparmor.d/profiles-g-l/lvm index ad4645bff..cff4ce186 100644 --- a/apparmor.d/groups/filesystem/lvm +++ b/apparmor.d/profiles-g-l/lvm @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/lvm +@{exec_path} = @{bin}/lvm profile lvm @{exec_path} flags=(attach_disconnected) { include include @@ -23,14 +23,12 @@ profile lvm @{exec_path} flags=(attach_disconnected) { ptrace (read), - mqueue getattr type=posix /, mqueue r type=posix /, @{exec_path} rm, @{etc_rw}/lvm/** rwkl, /etc/multipath.conf r, - /etc/multipath/* r, @{run}/lock/ rw, @{run}/lock/lvm/ rw, 
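Review bot: `/app/lib/libzypak-preload-host*.so rm,` in the `@@ -13,14 +13,12` hunk lets a system-wide lspci profile map and execute a library from `/app/lib/`, a path that only exists inside a Flatpak sandbox and that zypak injects through LD_PRELOAD. If this came from a denial seen when a Chromium/Electron Flatpak spawned lspci, the usual treatment is a noise-suppression rule such as `deny /app/lib/libzypak-preload-host*.so rm,` next to the other inherited denies (ld.so only warns when a preload cannot be mapped, I believe), not an allow that lets app-private content be mapped executable. If it is genuinely needed, a comment naming the app that triggers it would justify the rule.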
@@ -49,7 +47,6 @@ profile lvm @{exec_path} flags=(attach_disconnected) { /dev/**/ r, /dev/mapper/control rw, - /dev/root r, include if exists } diff --git a/apparmor.d/groups/filesystem/lvmconfig b/apparmor.d/profiles-g-l/lvmconfig similarity index 91% rename from apparmor.d/groups/filesystem/lvmconfig rename to apparmor.d/profiles-g-l/lvmconfig index 39224c22f..5e5a0d1dd 100644 --- a/apparmor.d/groups/filesystem/lvmconfig +++ b/apparmor.d/profiles-g-l/lvmconfig @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/lvmconfig +@{exec_path} = @{bin}/lvmconfig profile lvmconfig @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/lvmdump b/apparmor.d/profiles-g-l/lvmdump similarity index 92% rename from apparmor.d/groups/filesystem/lvmdump rename to apparmor.d/profiles-g-l/lvmdump index 5e90ffeee..6a443fc57 100644 --- a/apparmor.d/groups/filesystem/lvmdump +++ b/apparmor.d/profiles-g-l/lvmdump @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/lvmdump +@{exec_path} = @{bin}/lvmdump profile lvmdump @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/lvmpolld b/apparmor.d/profiles-g-l/lvmpolld similarity index 88% rename from apparmor.d/groups/filesystem/lvmpolld rename to apparmor.d/profiles-g-l/lvmpolld index cce01b0d0..fdc3bad3f 100644 --- a/apparmor.d/groups/filesystem/lvmpolld +++ b/apparmor.d/profiles-g-l/lvmpolld @@ -6,14 +6,14 @@ abi , include -@{exec_path} = @{sbin}/lvmpolld +@{exec_path} = @{bin}/lvmpolld profile lvmpolld @{exec_path} { include include include @{exec_path} rm, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/umount rPx, @{run}/lvmpolld.pid rwk, diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index a9613e7c1..0fce66a96 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx 
@@ -33,7 +33,8 @@ profile lynx @{exec_path} { /etc/mailcap r, /etc/mime.types r, - owner @{tmp}/lynxXXXX*/{,**} rw, + owner @{tmp}/lynxXXXX*/ rw, + owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks deleted file mode 100644 index 89a57310f..000000000 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ /dev/null 
@@ -1,97 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/** -profile initramfs-hooks @{exec_path} { - include - include - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/cpio ix, - @{bin}/dpkg Px, - @{bin}/fc-cache ix, - @{bin}/ischroot Px, - @{bin}/ldd Cx -> ldd, - @{bin}/plymouth Px, - @{bin}/update-alternatives Px, - @{lib}/dracut/dracut-install Px, - @{lib}/initramfs-tools/bin/busybox ix, - @{lib}/klibc/bin/fstype ix, - @{sbin}/blkid Px, - @{sbin}/cryptsetup PUx, - @{sbin}/dmsetup Px, - @{sbin}/iucode_tool ix, - /usr/share/mdadm/mkconf Px, - - @{bin}/* mr, - @{sbin}/* mr, - @{lib}/ r, - @{lib}/** mr, - - /usr/share/*/initramfs/{,**} r, - /usr/share/initramfs-tools/{,**} r, - /usr/share/plymouth/{,**} r, - - /etc/console-setup/{,**} r, - /etc/cryptsetup-initramfs/{,**} r, - /etc/crypttab r, - /etc/default/* r, - /etc/fstab r, - /etc/iscsi/*.iscsi r, - /etc/lvm/{,**} r, - /etc/mdadm/mdadm.conf r, - /etc/systemd/network/{,**} r, - /etc/udev/{,**} r, - - / r, - @{efi}/config-* r, - - /var/tmp/ r, - /var/tmp/modules_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6}/ rw, - owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, - owner /var/tmp/mkinitramfs-@{rand6} rw, - owner /var/tmp/mkinitramfs-*_@{rand6} rw, - - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, - owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, - owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, - - @{sys}/firmware/efi/efivars/ r, - - @{PROC}/@{pid}/mounts r, - @{PROC}/cmdline r, - @{PROC}/swaps r, - - 
profile ldd { - include - include - include - - @{bin}/* mr, - @{sbin}/* mr, - - @{lib}/@{multiarch}/ld-linux-*so* mrix, - @{lib}/ld-linux.so* mr, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts deleted file mode 100644 index d280c145a..000000000 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/initramfs-tools/scripts/** /etc/initramfs-tools/scripts/** -profile initramfs-scripts @{exec_path} { - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{coreutils_path} rix, - @{sbin}/blkid Px, - @{bin}/dd ix, - @{bin}/debconf-escape Px, - @{bin}/ischroot Px, - @{bin}/ldd Cx -> ldd, - @{bin}/plymouth Px, - @{bin}/update-alternatives Px, - @{lib}/dracut/dracut-install Px, - @{lib}/initramfs-tools/bin/busybox Px, - /usr/share/mdadm/mkconf Px, - - /usr/share/initramfs-tools/{,**} r, - - /etc/cryptsetup-initramfs/{,**} r, - /etc/crypttab r, - /etc/default/console-setup r, - /etc/fstab r, - /etc/initramfs-tools/{,**} r, - /etc/mdadm/mdadm.conf r, - /etc/udev/rules.d/{,**} r, - - /var/tmp/modules_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, - - profile ldd { - include - include - - @{bin}/ldd mr, - @{lib}/@{multiarch}/ld-linux-*so* mrix, - @{lib}/ld-linux.so* mr, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 551a6fec0..4826337d0 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/mandb -profile mandb @{exec_path} { +profile mandb @{exec_path} flags=(complain) { include include include 
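Review bot: `profile mandb @{exec_path} flags=(complain)` in the last hunk switches the whole profile to complain mode without a comment saying why, which means nothing in this profile is enforced any more and the rule changes to it later in this diff are audit-only. This is a silent downgrade for a job that typically runs from cron or a timer as root, so I would add a line above the header such as `# complain: <denial or issue that blocks enforce mode>` so the flag is not forgotten. If the intent is only to gather denials for the new `/var/cache/man/**` rules, dropping the flag once the log is clean should be tracked somewhere visible.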
@@ -17,11 +17,12 @@ profile mandb @{exec_path} { @{exec_path} mr, - @{bin}/bzip2 rix, - /etc/man_db.conf r, /etc/manpath.config r, + /var/cache/man/ r, + /var/cache/man/** rwk, + /usr/share/man/{,**} r, /usr/local/man/{,**} r, /usr/local/share/man/{,**} r, @@ -31,9 +32,6 @@ profile mandb @{exec_path} { /usr/share/**/man/man@{u8}/*.@{int}.gz r, - owner /var/cache/man/ rw, - owner /var/cache/man/** rwk, - owner @{user_share_dirs}/man/** rwk, include if exists diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm deleted file mode 100644 index b0397eb8d..000000000 --- a/apparmor.d/profiles-m-r/mdadm +++ /dev/null @@ -1,57 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# Copyright (C) 2025 Zane Zakraisek -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/mdadm -profile mdadm @{exec_path} flags=(attach_disconnected) { - include - include - include - - capability dac_read_search, - capability sys_admin, - capability mknod, - capability net_admin, - - network netlink raw, - - mqueue (read getattr) type=posix /, - - @{exec_path} mr, - - @{sh_path} rix, - @{sbin}/sendmail rPUx, - - /etc/{,mdadm/}mdadm.conf r, - /etc/{,mdadm/}mdadm.conf.d/* r, - - @{run}/initctl r, - @{run}/mdadm/* rwk, - - /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, - - @{sys}/bus/pci/drivers/*/ r, - @{sys}/devices/@{pci}/class r, - @{sys}/devices/@{pci}/device r, - @{sys}/devices/@{pci}/vendor r, - @{sys}/devices/virtual/block/md*/** rw, - @{sys}/module/md_mod/** rw, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/cmdline r, - @{PROC}/kcore r, - @{PROC}/partitions r, - @{PROC}/mdstat rw, - - /dev/**/ r, - /dev/.tmp.md.* rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf deleted file mode 100644 index 120138905..000000000 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ /dev/null 
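Review bot: `/var/cache/man/** rwk,` in the `@@ -17,11 +17,12` hunk loses the `owner` qualifier the removed lines had, so mandb may now write and lock any file under the man cache regardless of who owns it, and `/var/cache/man/ r,` loses the `w` of the old rule, so the cache directory itself can no longer be created. On Debian mandb runs as the unprivileged `man` user, I believe, and the cache files belong to it, so `owner /var/cache/man/ rw,` and `owner /var/cache/man/** rwk,` are the rules I would keep. The removed `@{bin}/bzip2 rix,` is presumably what handled bz2-compressed pages, so it is worth confirming that case is no longer supported before dropping it.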
@@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/mdadm/mkconf -profile mdadm-mkconf @{exec_path} { - include - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/date ix, - @{bin}/cat ix, - @{bin}/sed ix, - @{sbin}/mdadm Px, - - /etc/default/mdadm r, - /etc/mdadm/mdadm.conf r, - - / r, - - /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, - /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index 408947c83..f1b5034e6 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/mdevctl profile mdevctl @{exec_path} { include - include @{exec_path} mr, @@ -19,6 +18,8 @@ profile mdevctl @{exec_path} { @{sys}/class/mdev_bus/ r, @{sys}/devices/@{pci}/mdev_supported_types/{,**} r, + @{PROC}/@{pids}/maps r, + include if exists } diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 808427d85..0de151536 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -9,19 +9,23 @@ include @{exec_path} = @{bin}/metadata-cleaner profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include - include + include + include + include include include include include @{exec_path} mr, - @{python_path} rix, + @{bin}/python3.@{int} rix, - @{bin}/bwrap Cx -> bwrap, - @{open_path} Px -> child-open-help, + @{bin}/bwrap rCx -> bwrap, + @{open_path} rPx -> child-open-help, + /usr/share/metadata-cleaner/{,**} r, /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w, + /usr/share/poppler/{,**} r, /etc/httpd/conf/mime.types r, 
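Review bot: `@{PROC}/@{pids}/maps r,` in the mdevctl hunk grants read of the memory map of every process, which is address-layout information that undermines ASLR for other processes, whereas a runtime normally only reads its own map. Unless mdevctl really inspects other processes, the narrower `owner @{PROC}/@{pid}/maps r,` is what I would commit, matching the `owner` convention used for per-process reads elsewhere in these profiles. The enclosing profile body continues outside the hunk, so I cannot see whether a `ptrace` rule would back the wider form.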
@@ -34,8 +38,10 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_cache_dirs}/thumbnails/** r, @@ -45,7 +51,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include include - signal receive set=(kill) peer=metadata-cleaner, + signal (receive) set=(kill) peer=metadata-cleaner, @{bin}/bwrap mr, @{bin}/vendor_perl/exiftool rix, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 32950dbc4..d6823da9b 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -10,13 +10,23 @@ include @{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype profile mimetype @{exec_path} { include - include include @{exec_path} r, + /usr/bin/perl r, + + /usr/share/mime/**.xml r, + /usr/share/mime/globs r, + /usr/share/mime/aliases r, + /usr/share/mime/magic r, + + owner @{user_share_dirs}/mime/**.xml r, + owner @{user_share_dirs}/mime/globs r, + owner @{user_share_dirs}/mime/aliases r, + owner @{user_share_dirs}/mime/magic r, # To read files - owner /** r, #aa:lint ignore=too-wide + /** r, include if exists } diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index bf6c55093..b8e79c0dc 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -10,13 +10,13 @@ include profile mission-control @{exec_path} flags=(attach_disconnected) { include include - include network netlink raw, @{exec_path} mr, /usr/share/telepathy/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/telepathy/ rw, owner @{user_share_dirs}/telepathy/mission-control/ rw, 
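Review bot: `/** r,` in the mimetype hunk drops both the `owner` qualifier and the `#aa:lint ignore=too-wide` marker from the old `owner /** r,`, so the tool may now read any file DAC allows rather than only the caller's own files, and the project linter will presumably flag the rule. If the goal is to let mimetype inspect files the user does not own, keep the marker and explain it: `/** r, #aa:lint ignore=too-wide` with a comment above saying why `owner` is too strict; otherwise restore `owner /** r, #aa:lint ignore=too-wide`. As a style point, `/usr/bin/perl r,` should be `@{bin}/perl r,` like every other binary path in these profiles.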
diff --git a/apparmor.d/groups/filesystem/mke2fs b/apparmor.d/profiles-m-r/mke2fs similarity index 81% rename from apparmor.d/groups/filesystem/mke2fs rename to apparmor.d/profiles-m-r/mke2fs index 90df8ecb1..acf88197f 100644 --- a/apparmor.d/groups/filesystem/mke2fs +++ b/apparmor.d/profiles-m-r/mke2fs @@ -7,10 +7,9 @@ abi , include -@{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4 +@{exec_path} = @{bin}/mke2fs @{bin}/mkfs.ext2 @{bin}/mkfs.ext3 @{bin}/mkfs.ext4 profile mke2fs @{exec_path} { include - include include include @@ -20,7 +19,7 @@ profile mke2fs @{exec_path} { # To check for badblocks @{sh_path} rix, - @{sbin}/badblocks rPx, + @{bin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, @@ -35,8 +34,6 @@ profile mke2fs @{exec_path} { owner @{run}/blkid/blkid.tab{,-@{rand6}} rw, owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - owner @{tmp}/.guestfs-@{uid}/appliance.d.@{rand8}/@{user} rw, - @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/filesystem/mkfs-btrfs b/apparmor.d/profiles-m-r/mkfs-btrfs similarity index 94% rename from apparmor.d/groups/filesystem/mkfs-btrfs rename to apparmor.d/profiles-m-r/mkfs-btrfs index 54c83e559..1e6c95838 100644 --- a/apparmor.d/groups/filesystem/mkfs-btrfs +++ b/apparmor.d/profiles-m-r/mkfs-btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/mkfs.btrfs +@{exec_path} = @{bin}/mkfs.btrfs profile mkfs-btrfs @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mkfs-fat b/apparmor.d/profiles-m-r/mkfs-fat similarity index 100% rename from apparmor.d/groups/filesystem/mkfs-fat rename to apparmor.d/profiles-m-r/mkfs-fat diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index d94e5aa44..6585f6382 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs 
@@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{sbin}/mkinitramfs +@{exec_path} = @{bin}/mkinitramfs profile mkinitramfs @{exec_path} { include include @@ -19,10 +19,11 @@ profile mkinitramfs @{exec_path} { capability fsetid, @{exec_path} r, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/ r, - @{lib}/ r, + @{bin}/ r, + @{lib}/ r, + @{lib}64/ r, @{bin}/{,e}grep rix, @{bin}/basename rix, @@ -33,7 +34,6 @@ profile mkinitramfs @{exec_path} { @{bin}/cpio rix, @{bin}/dirname rix, @{bin}/env rix, - @{bin}/find rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/id rix, @@ -43,43 +43,37 @@ profile mkinitramfs @{exec_path} { @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/readlink rix, - @{bin}/realpath rix, @{bin}/rm rix, @{bin}/rmdir rix, @{bin}/sed rix, @{bin}/sort rix, - @{bin}/stat rix, @{bin}/touch rix, @{bin}/tr rix, @{bin}/tsort rix, - @{bin}/uname rix, @{bin}/uniq rix, @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, @{lib}/dracut/dracut-install rix, - @{sbin}/blkid rPx, + @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, - @{sbin}/ldconfig rCx -> ldconfig, + @{bin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, - @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, @{lib}/ld-linux.so* rCx -> ldd, @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, - @{lib}/initramfs-tools/hooks/** rPx, - /etc/initramfs-tools/hooks/** rPx, - /etc/initramfs-tools/scripts/** rPx, - /usr/share/initramfs-tools/hooks/** rPx, - /usr/share/initramfs-tools/scripts/** rPx, + # What to do with it? (#FIXME#) + /usr/share/initramfs-tools/hooks/* rPUx, + /usr/share/initramfs-tools/scripts/*/* rPUx, + /etc/initramfs-tools/hooks/* rPUx, + /etc/initramfs-tools/scripts/*/* rPUx, /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, - /etc/xattr.conf r, - # For shell pwd / r, /etc/ r, 
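Review bot: The four `rPUx` lines in the `@@ -43,43 +43,37` hunk (`/usr/share/initramfs-tools/hooks/* rPUx,` and the `scripts/*/*` and `/etc/initramfs-tools/...` equivalents) fall back to unconfined for any hook or script without its own profile, and since this same diff deletes the `initramfs-hooks` and `initramfs-scripts` profiles, every root-run hook that assembles the boot image now runs unconfined, which the `# What to do with it? (#FIXME#)` comment only records. I would keep the `rPx` transitions to the dedicated profiles rather than delete them, or, if unconfined is the accepted interim state, replace the FIXME with a comment stating that hooks are intentionally unconfined and why. Also `scripts/*/*` is narrower than the old `scripts/**`: any script sitting directly in `scripts/` rather than in a stage subdirectory would no longer match at all and would be denied at exec.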
@@ -87,44 +81,23 @@ profile mkinitramfs @{exec_path} { /etc/modprobe.d/{,*.conf} r, - @{efi}/ r, - owner @{efi}/config-* r, - owner @{efi}/initrd.img-*.new rw, + /boot/ r, + owner /boot/config-* r, + owner /boot/initrd.img-*.new rw, - owner /var/lib/kdump/initramfs-tools/** rw, - owner /var/lib/kdump/initrd.* rw, + /var/tmp/ r, + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/ rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**, + owner /var/tmp/mkinitramfs-@{rand6} rw, + owner /var/tmp/mkinitramfs-*_@{rand6} rw, - /var/tmp/ r, - /var/tmp/mkinitramfs_@{rand6}/** w, - /var/tmp/modules_@{rand6} rw, - /var/tmp/mkinitramfs_@{rand6} rw, - /var/tmp/mkinitramfs_@{rand6}/ rw, - /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, - /var/tmp/mkinitramfs-@{rand6} rw, - /var/tmp/mkinitramfs-*_@{rand6} rw, - - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w, - owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, - owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, - owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, - - @{sys}/bus/ r, - @{sys}/bus/*/drivers/ r, - @{sys}/devices/ r, - @{sys}/devices/**/ r, - @{sys}/devices/**/modalias r, - @{sys}/devices/**/uevent r, + @{sys}/devices/platform/ r, + @{sys}/devices/platform/**/ r, + @{sys}/devices/platform/**/modalias r, @{sys}/module/compression r, - @{sys}/module/firmware_class/parameters/path r, - @{sys}/class/ r, - @{sys}/class/*/ r, - @{sys}/bus/platform/drivers/simple-framebuffer/ r, - - @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @{PROC}/modules r, owner @{PROC}/@{pid}/fd/ r, 
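Review bot: The link rule `owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**,` in the `@@ -87,44 +81,23` hunk uses a bare `*` on the target side while every other line in the hunk uses `@{rand6}`, so a link can be created from one build tree into any other `mkinitramfs_*` directory; `owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,` keeps source and target in the same tree. The sysfs rules are also cut down to `@{sys}/devices/platform/**`, yet the old side read `@{sys}/devices/**/modalias` and `@{sys}/bus/`, which I believe the module auto-detection walks for all buses, not only platform devices; if that was narrowed from observed usage, a comment on the `@{sys}/devices/platform/ r,` line would help. Hard-coding `/boot/` in place of `@{efi}` also loses the variable the rest of the project uses for the boot partition, if that variable is still defined.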
@@ -134,14 +107,15 @@ profile mkinitramfs @{exec_path} { include include - @{sh_path} rix, + @{bin}/ldd mr, + + @{sh_path} rix, + @{bin}/kmod mr, + @{lib}/initramfs-tools/bin/* mr, + @{lib}/@{multiarch}/ld-*.so* rix, @{lib}/ld-*.so{,.2} rix, - @{bin}/* mr, - @{sbin}/* mr, - @{lib}/** mr, - include if exists } 
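Review bot: Inside the ldd child profile (its header is outside the hunk), the new `@{bin}/ldd mr,`, `@{bin}/kmod mr,` and `@{lib}/initramfs-tools/bin/* mr,` replace the old `@{bin}/* mr,`, `@{sbin}/* mr,` and `@{lib}/** mr,`, so ldd can now only map those few binaries. ldd works, as far as I know, by having ld.so map the target executable and its libraries, so if hooks run ldd on anything else copied into the image (cryptsetup, lvm, udev helpers, or any library under `@{lib}`), those runs will be denied; I would confirm against a full `mkinitramfs -v` run before narrowing this far, or keep at least `@{lib}/** mr,`.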
@@ -151,33 +125,56 @@ profile mkinitramfs @{exec_path} { capability sys_chroot, - @{sbin}/ldconfig mr, + @{bin}/ldconfig mr, @{sh_path} rix, - @{sbin}/ldconfig.real rix, + @{bin}/ldconfig.real rix, - owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r, + owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r, + + owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/ r, + owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/ r, + owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/*.so* rw, + owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/*.so* rw, + + owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.cache{,~} rw, + + owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/ rw, + owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/aux-cache{,~} rw, include if exists } + profile find { + include + include + + @{bin}/find mr, + + # pwd dir + / r, + /etc/ r, + /root/ r, + + /usr/share/initramfs-tools/scripts/{,**/} r, + /etc/initramfs-tools/scripts/{,**/} r, + + owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r, + + include if exists + } + profile kmod { include include owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, - owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, + owner /var/tmp/mkinitramfs_@{rand6}usr/lib/modules/*/updates/{,**} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r, - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw, - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r, - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r, - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/**/*.ko* r, - 
@{sys}/module/compression r, include if exists diff --git a/apparmor.d/groups/filesystem/mkntfs b/apparmor.d/profiles-m-r/mkntfs similarity index 100% rename from apparmor.d/groups/filesystem/mkntfs rename to apparmor.d/profiles-m-r/mkntfs diff --git a/apparmor.d/profiles-m-r/mkosi b/apparmor.d/profiles-m-r/mkosi deleted file mode 100644 index f6489a501..000000000 --- a/apparmor.d/profiles-m-r/mkosi +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# This profile is large on purpose: -# - It is required to have a profile for mkosi to allow userns. -# - Mkosi uses a lot of different binaries and scripts inside sandbox. -# - Using the unconfined flag would Pix everything, we do not want that as the -# transitioned profile would have to account for mkosi paths too. - -abi , - -include - -@{exec_path} = @{bin}/mkosi @{user_share_dirs}/pipx/venvs/*/bin/mkosi -profile mkosi @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - - all, - userns, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/filesystem/mkswap b/apparmor.d/profiles-m-r/mkswap similarity index 94% rename from apparmor.d/groups/filesystem/mkswap rename to apparmor.d/profiles-m-r/mkswap index fa30030f3..4a818cd58 100644 --- a/apparmor.d/groups/filesystem/mkswap +++ b/apparmor.d/profiles-m-r/mkswap @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/mkswap +@{exec_path} = @{bin}/mkswap profile mkswap @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 4e0ace19a..835e1a391 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui 
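Review bot: `owner /var/tmp/mkinitramfs_@{rand6}usr/lib/modules/*/updates/{,**} r,` in the kmod child profile is missing the `/` after `@{rand6}`, so it never matches the real `.../mkinitramfs_XXXXXX/usr/lib/modules/...` path and reads of `updates/` modules will be denied; it should read `owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r,` like the neighbouring lines. The hunk also drops every `/tmp/tmp.@{rand10}/...` rule from the ldconfig and kmod children, so if `TMPDIR` is ever a `mktemp -d` under `/tmp` (the removed rules suggest that was observed), those runs will now be denied too. The new `find` child lists `/root/ r,` under a `# pwd dir` comment; if it is only there because the tool was run from root's home, saying so in the comment would stop it being read as an intended capability.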
@@ -10,15 +10,19 @@ include @{exec_path} = @{bin}/mkvtoolnix-gui profile mkvtoolnix-gui @{exec_path} { include - include + include include - include + include + include + include + include include + include include include - include include include + include signal (send) set=(term, kill) peer=mkvmerge, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 90bf73cf3..cd2ddc0e6 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -17,9 +17,9 @@ profile modprobed-db @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/cut rix, - @{bin}/{m,g,}awk rix, + @{bin}/gawk rix, @{bin}/getent rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/logname rix, @{bin}/md5sum rix, @{bin}/rm rix, diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index 6cbef400b..e847db872 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -10,11 +10,10 @@ include @{exec_path} = @{bin}/monitorix profile monitorix @{exec_path} { include - include - include - include - include include + include + include + include capability net_admin, capability chown, 
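Review bot: `@{bin}/gawk rix,` and `@{bin}/grep rix,` in the modprobed-db hunk replace the `{m,g,}awk` and `{,e}grep` globs, so a script that calls plain `awk` (which on Debian resolves through alternatives to mawk, and AppArmor matches the resolved path, I believe) or `egrep` is now denied at exec. Unless modprobed-db has been checked to invoke `gawk` and `grep` by exact name on every supported distribution, I would keep `@{bin}/{m,g,}awk rix,` and `@{bin}/{,e}grep rix,`.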
@@ -29,76 +28,80 @@ profile monitorix @{exec_path} { network inet stream, network inet6 stream, - ptrace read, + ptrace (read), - signal receive set=(hup) peer=logroate, + signal (receive) set=(hup) peer=logroate, @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/cat ix, - @{bin}/df ix, - @{bin}/free ix, - @{bin}/getconf ix, - @{bin}/ps Px, - @{bin}/sensors Px, - @{bin}/tail ix, - @{bin}/who Px, - @{sbin}/lvm Px, - @{sbin}/ss Px, - @{sbin}/xtables-nft-multi ix, + @{bin}/{,e}grep rix, + @{bin}/df rix, + @{bin}/cat rix, + @{bin}/tail rix, + @{bin}/{m,g,}awk rix, + @{bin}/free rix, + @{bin}/ss rix, + @{bin}/who rix, + @{bin}/lvm rix, + @{bin}/xtables-nft-multi rix, + @{bin}/sensors rix, + @{bin}/getconf rix, + @{bin}/ps rix, - /var/lib/monitorix/www/cgi/monitorix.cgi ix, - - /etc/monitorix/{,**} r, - - /var/lib/monitorix/ rw, - /var/lib/monitorix/** rwk, + /etc/monitorix/monitorix.conf r, + /etc/monitorix/conf.d/ r, + /etc/monitorix/conf.d/@{int2}-*.conf r, /var/log/monitorix w, /var/log/monitorix-* w, - /srv/http/monitorix/ rw, - /srv/http/monitorix/** rwk, + owner @{run}/monitorix.pid w, + + /var/lib/monitorix/*.rrd* rwk, + /var/lib/monitorix/www/** rw, + /var/lib/monitorix/www/cgi/monitorix.cgi rwix, / r, /tmp/ r, + /etc/shadow r, - owner @{run}/monitorix.pid w, + /dev/tty r, @{run}/utmp rk, - @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-*/{,**/}name r, - @{sys}/class/hwmon/ r, - @{sys}/devices/**/thermal*/{,**} r, - @{sys}/devices/**/hwmon*/{,**} r, - @{PROC}/ r, - @{PROC}/@{pid}/net/dev r, - @{PROC}/@{pid}/net/tcp{,6} r, - @{PROC}/@{pid}/net/udp{,6} r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fdinfo/ r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/stat r, - @{PROC}/diskstats r, - @{PROC}/interrupts r, - @{PROC}/loadavg r, @{PROC}/swaps r, + @{PROC}/diskstats r, + @{PROC}/loadavg r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/uptime r, + @{PROC}/interrupts r, @{PROC}/sys/fs/dentry-state r, 
@{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inode-nr r, @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/uptime r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/net/dev r, owner @{PROC}/@{pid}/net/ip_tables_names r, owner @{PROC}/@{pid}/net/ip6_tables_names r, + @{PROC}/@{pid}/net/udp{,6} r, + @{PROC}/@{pid}/net/tcp{,6} r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fdinfo/ r, + @{PROC}/@{pids}/io r, + + @{sys}/class/i2c-adapter/ r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/class/hwmon/ r, + @{sys}/devices/**/thermal*/{,**} r, + @{sys}/devices/**/hwmon*/{,**} r, + + /etc/sensors3.conf r, + /etc/sensors.d/ r, include if exists } diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd deleted file mode 100644 index de742b2c9..000000000 --- a/apparmor.d/profiles-m-r/motd +++ /dev/null 
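Review bot: `/etc/shadow r,` on the new side of the monitorix hunk gives a network-facing monitoring daemon read access to the password hash file, and because `@{bin}/ps rix,`, `@{bin}/who rix,`, `@{bin}/ss rix,` and `@{bin}/lvm rix,` now run inline instead of under their own `Px` profiles, those helpers inherit that read too. Nothing visible in the hunk explains why shadow is needed; if it came from a denial during a PAM-based check, the usual answer is a `deny /etc/shadow r,` noise rule or a dedicated child profile, not a blanket allow. Separately, `signal (receive) set=(hup) peer=logroate,` misspells the peer name (present on both sides, so not introduced here): no profile is called `logroate`, so the HUP logrotate sends on rotation is denied and monitorix keeps writing to the rotated file; it should be `peer=logrotate`.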
@@ -1,102 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /etc/update-motd.d/* -profile motd @{exec_path} { - include - include - include - - capability net_admin, - - network inet6 stream, - network inet6 stream, - - @{exec_path} mr, - @{bin}/ r, - - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/cloud-id rix, - @{bin}/systemctl rCx -> systemctl, - @{bin}/hostname rPx, - @{bin}/snap rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/systemd-detect-virt rPx, - @{bin}/wget rCx -> wget, - - @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, - @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, - @{lib}/update-notifier/update-motd-reboot-required rix, - /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, - /usr/share/update-notifier/notify-updates-outdated rPx, - - / r, - /etc/cloud/cloud.cfg r, - /etc/cloud/cloud.cfg.d/{,*} r, - /etc/default/motd-news r, - /etc/lsb-release r, - /etc/update-motd.d/* r, - /etc/wgetrc r, - - /var/cache/motd-news rw, - /var/lib/update-notifier/updates-available r, - /var/lib/ubuntu-advantage/messages/motd-esm-announce r, - /var/lib/cloud/instances/nocloud/cloud-config.txt r, - - /tmp/tmp.@{rand10} rw, - - @{run}/cloud-init/cloud.cfg r, - @{run}/motd.d/{,*} r, - @{run}/motd.dynamic.new rw, - @{run}/reboot-required r, - - @{PROC}/@{pids}/mounts r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, - - /dev/tty@{int} rw, - - profile wget { - include - include - include - - capability net_admin, - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - @{bin}/wget mr, - - /etc/wgetrc r, - - /tmp/tmp.@{rand10} rw, - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - capability sys_ptrace, - - @{run}/systemd/private rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/filesystem/mount b/apparmor.d/profiles-m-r/mount similarity index 100% rename from apparmor.d/groups/filesystem/mount rename to apparmor.d/profiles-m-r/mount diff --git a/apparmor.d/groups/filesystem/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs similarity index 69% rename from apparmor.d/groups/filesystem/mount-cifs rename to apparmor.d/profiles-m-r/mount-cifs index a6c8d01e3..78651ba23 100644 --- a/apparmor.d/groups/filesystem/mount-cifs +++ b/apparmor.d/profiles-m-r/mount-cifs @@ -7,52 +7,42 @@ abi , include -@{exec_path} = @{sbin}/mount.cifs +@{exec_path} = @{bin}/mount.cifs profile mount-cifs @{exec_path} flags=(complain) { include - include include + # To mount anything. capability sys_admin, - capability setpcap, - capability dac_read_search, - network inet dgram, + # (#FIXME#) + capability setpcap, + network inet stream, - network inet6 dgram, network inet6 stream, network netlink raw, - mount fstype=cifs -> @{HOME}/*/, - mount fstype=cifs -> @{HOME}/*/*/, - mount fstype=cifs -> @{MOUNTDIRS}/, - mount fstype=cifs -> @{MOUNTS}/, - mount fstype=cifs -> @{MOUNTS}/*/, - mount fstype=cifs -> @{MOUNTS}/*/*/, - - umount @{HOME}/*/, - umount @{HOME}/*/*/, - umount @{MOUNTDIRS}/, - umount @{MOUNTS}/, - umount @{MOUNTS}/*/, - umount @{MOUNTS}/*/*/, - @{exec_path} mr, @{bin}/systemd-ask-password rPUx, /etc/fstab r, - /etc/sync-credentials r, owner @{HOME}/.smbcredentials r, # Mount points - @{HOME}/*/ r, - @{HOME}/*/*/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, - @{MOUNTS}/*/*/ r, + + # Allow to mount smb/cifs disks only under the /media/ dirs + mount fstype=cifs -> @{MOUNTDIRS}/, + mount fstype=cifs -> @{MOUNTS}/, + mount fstype=cifs -> @{MOUNTS}/*/, + + umount @{MOUNTDIRS}/, + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, include if exists } 
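Review bot: `capability setpcap,` under a `# (#FIXME#)` comment in the mount-cifs hunk keeps a capability whose reason the profile no longer states, while `capability dac_read_search,` and the `@{HOME}` mount rules are removed. mount.cifs is setuid-root and, I believe, drops its capability bounding set before parsing user-supplied options, which is exactly what CAP_SETPCAP is for, so rather than a FIXME I would write `capability setpcap, # drops its bounding set (PR_CAPBSET_DROP) before reading user options` so the next reader does not remove it as unexplained. Note also the profile is still `flags=(complain)`, so the new comment `Allow to mount smb/cifs disks only under the /media/ dirs` describes a restriction that is only logged, not enforced, until the flag goes.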
diff --git a/apparmor.d/groups/filesystem/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs similarity index 96% rename from apparmor.d/groups/filesystem/mount-nfs rename to apparmor.d/profiles-m-r/mount-nfs index f670b62d7..26f3e2d57 100644 --- a/apparmor.d/groups/filesystem/mount-nfs +++ b/apparmor.d/profiles-m-r/mount-nfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/mount.nfs +@{exec_path} = @{bin}/mount.nfs profile mount-nfs @{exec_path} flags=(complain) { include include @@ -42,7 +42,7 @@ profile mount-nfs @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/flock rix, - @{sbin}/start-statd rix, + @{bin}/start-statd rix, @{bin}/systemctl rCx -> systemctl, /etc/fstab r, diff --git a/apparmor.d/groups/filesystem/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs similarity index 100% rename from apparmor.d/groups/filesystem/mount-zfs rename to apparmor.d/profiles-m-r/mount-zfs diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy deleted file mode 100644 index 3a5dfffb6..000000000 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/mpris-proxy -profile mpris-proxy @{exec_path} { - include - include - include - include - - #aa:dbus own bus=session name=org.mpris.MediaPlayer2 - dbus receive bus=session path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index a66fc287f..9a138ff50 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt 
@@ -24,10 +24,10 @@ profile mpsyt @{exec_path} { network netlink raw, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/tset rix, @{bin}/uname rix, diff --git a/apparmor.d/groups/filesystem/mtools b/apparmor.d/profiles-m-r/mtools similarity index 100% rename from apparmor.d/groups/filesystem/mtools rename to apparmor.d/profiles-m-r/mtools diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index bc20a0f9a..b30da1c13 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -13,11 +13,9 @@ profile mullvad-setup @{exec_path} { @{exec_path} mr, - @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath index 588f4b6b1..409834fbc 100644 --- a/apparmor.d/profiles-m-r/multipath +++ b/apparmor.d/profiles-m-r/multipath @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/multipath +@{exec_path} = @{bin}/multipath profile multipath @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index bbb6a87a6..14bb16caf 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/multipathd +@{exec_path} = @{bin}/multipathd profile multipathd @{exec_path} { include include 
@@ -20,8 +20,7 @@ profile multipathd @{exec_path} { network netlink raw, - unix type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), - unix type=stream addr=@/org/kernel/linux/storage/multipathd, + unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index a85eb6790..48ed42d84 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -30,7 +30,7 @@ profile mumble @{exec_path} { @{exec_path} mrix, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{browsers_path} rPx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index 86792860c..8d17ef3d6 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -16,7 +16,7 @@ profile mumble-overlay @{exec_path} { @{sh_path} rix, @{bin}/file rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/glxgears rPx, diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index e0bd8d976..9d7663ebb 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -10,7 +10,7 @@ include profile murmurd @{exec_path} { include include - include + include include include @@ -29,7 +29,7 @@ profile murmurd @{exec_path} { @{exec_path} mr, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, /etc/mumble-server.ini r, diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index a91aba241..28006f479 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt 
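Review bot: The replacement rule `unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd")` grants only the client side of the abstract socket, while the removed `unix type=stream addr=@/org/kernel/linux/storage/multipathd,` covered the daemon binding, listening on and accepting at that address. multipathd is the process that serves this socket (the multipathd CLI connects to it), so in enforce mode the bind or accept is likely to be denied; if that is the intent it should be stated in a comment, otherwise a rule such as `unix (bind, listen, accept) type=stream addr=@/org/kernel/linux/storage/multipathd,` is still needed alongside the new one. The enclosing profile starts and ends outside this hunk.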
@@ -115,7 +115,19 @@ profile mutt @{exec_path} { profile pager { include - include + include + + @{pager_path} mr, + + /usr/share/terminfo/** r, + /usr/share/file/misc/magic.mgc r, + + owner @{HOME}/ r, + owner @{HOME}/.lesshs* rw, + owner @{HOME}/.terminfo/@{int}/* r, + owner @{user_cache_dirs}/lesshs* rw, + owner @{user_state_dirs}/ r, + owner @{user_state_dirs}/lesshs* rw, # This is the file that holds the message owner /{var/,}tmp/mutt* rw, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index a09008ac3..f5722ed3d 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart 
@@ -6,54 +6,62 @@ abi , include -@{exec_path} = @{sbin}/needrestart +@{exec_path} = @{bin}/needrestart profile needrestart @{exec_path} flags=(attach_disconnected) { include - include + include + include + include include + include capability checkpoint_restore, capability dac_read_search, + capability kill, capability sys_ptrace, - ptrace read, + ptrace (read), + + mqueue r type=posix /, @{exec_path} mrix, @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, + @{bin}/locale rix, + @{bin}/python3.@{int} rix, + @{bin}/sed rix, @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, - @{bin}/who rPx, + @{bin}/unix_chkpwd rPx, + @{bin}/whiptail rPx, + @{bin}/who rix, @{lib}/needrestart/* rPx, - @{python_path} rix, - @{sbin}/unix_chkpwd rPx, + /usr/share/debconf/frontend rix, - @{etc_ro}/needrestart/hook.d/* rPx, - @{etc_ro}/needrestart/notify.d/* rPx, - @{etc_ro}/needrestart/restart.d/* rPx, + @{bin}/networkd-dispatcher r, + @{bin}/gettext.sh r, + /usr/share/needrestart/{,**} r, + /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, + /etc/debconf.conf r, /etc/init.d/* r, /etc/needrestart/{,**} r, + /etc/needrestart/*.d/* rix, /etc/shadow r, / r, - @{efi}/ r, - @{efi}/* r, - /opt/*/** r, - @{bin}/* r, - @{lib}/** r, - @{sbin}/** r, - @{att}/@{lib}/** r, - /usr/share/** r, - /var/lib/*/** r, + /boot/ r, + /boot/intel-ucode.img r, + /boot/vmlinuz* r, - @{run}/systemd/sessions/* r, + owner /var/lib/juju/agents/{,**} r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /tmp/@{word10}/ rw, + owner @{run}/sshd.pid r, @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @@ -61,14 +69,11 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, /dev/**/ r, - deny mqueue type=posix /, - profile systemctl { include include 
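Review bot: `/etc/needrestart/*.d/* rix` on the new side executes the hook, notify and restart scripts inside the needrestart profile itself, where the old side dispatched them with `rPx` to dedicated profiles, and those profiles (needrestart-hook, needrestart-notify, needrestart-restart) are deleted later in this diff. The scripts therefore inherit everything granted here, including `capability sys_ptrace`, `capability dac_read_search`, the new `capability kill`, `/etc/shadow r` and `owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk`, which is considerably more than the removed hook profiles allowed. The glob also matches `conf.d/*`, which on a standard install holds configuration rather than executables. If that loss of separation is accepted it deserves a comment next to the rule; otherwise a child profile (`/etc/needrestart/*.d/* rCx -> hooks`) would keep the scripts narrower without bringing the deleted profiles back. The enclosing profile continues past the end of the hunk.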
@@ -76,7 +81,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { capability sys_resource, capability net_admin, - signal send set=(cont term) peer=systemd-tty-ask-password-agent, + signal send set=term peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index b70a49be8..5f3912105 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/needrestart/apt-pinvoke -profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) { +profile needrestart-apt-pinvoke @{exec_path} { include include include @@ -19,13 +19,11 @@ profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dbus-send rix, - @{sbin}/needrestart rPx, + @{bin}/needrestart rPx, @{bin}/rm rix, @{run}/needrestart/{,**} rw, - /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook deleted file mode 100644 index c8c9a12c4..000000000 --- a/apparmor.d/profiles-m-r/needrestart-hook +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{etc_ro}/needrestart/hook.d/* -profile needrestart-hook @{exec_path} { - include - include - include - - @{exec_path} mr, - @{sh_path} rix, - - @{bin}/dpkg-query px, - - /tmp/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 3c826cd74..75b150042 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions 
@@ -12,23 +12,20 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{exec_path} mr, + @{bin}/iucode_tool rix, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/bsdtar rix, @{bin}/cat rix, - @{sbin}/iucode_tool rix, /usr/share/misc/ r, - /usr/share/misc/amd-microcode* r, /usr/share/misc/intel-microcode* r, - /etc/default/amd-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, - @{efi}/amd-ucode.img r, - @{efi}/intel-ucode.img r, - @{efi}/early_ucode.cpio r, + /boot/intel-ucode.img r, + /boot/early_ucode.cpio r, @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify deleted file mode 100644 index 82465ceb2..000000000 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ /dev/null @@ -1,35 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{etc_ro}/needrestart/notify.d/* -profile needrestart-notify @{exec_path} { - include - include - - capability dac_read_search, - capability sys_ptrace, - - ptrace read, - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/fold ix, - @{bin}/gettext.sh r, - @{bin}/mail Px, - @{bin}/notify-send Px, - @{bin}/sed ix, - - /etc/needrestart/notify.conf r, - - @{PROC}/@{pid}/environ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart deleted file mode 100644 index 964ff1a74..000000000 --- a/apparmor.d/profiles-m-r/needrestart-restart +++ /dev/null 
@@ -1,33 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{etc_ro}/needrestart/restart.d/* -profile needrestart-restart @{exec_path} { - include - - @{exec_path} mr, - - @{bin}/systemctl Cx -> systemctl, - @{sh_path} r, - - /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, - - profile systemctl { - include - include - - capability net_admin, - capability sys_ptrace, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index 3828f9228..f7e9d76a1 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -14,21 +14,13 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/bzip2 rix, - @{bin}/{,e}grep rix, - @{bin}/gunzip rix, - @{bin}/gzip rix, - @{bin}/lzop rix, + @{bin}/grep rix, @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/tail rix, @{bin}/tr rix, - @{bin}/which{,.debianutils} rPx, - @{bin}/xz rix, + @{bin}/which{,.debianutils} rix, - @{efi}/amd-ucode.img r, - @{efi}/intel-ucode.img r, - @{efi}/vmlinuz* r, + /boot/vmlinuz* r, owner @{tmp}/tmp.@{rand10} rw, diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo index c7c9160d7..e3edb99c3 100644 --- a/apparmor.d/profiles-m-r/nemo +++ b/apparmor.d/profiles-m-r/nemo @@ -21,12 +21,7 @@ profile nemo @{exec_path} { @{exec_path} mr, - @{open_path} rPx -> child-open, - - @{bin}/gdk-pixbuf-thumbnailer rPx, - /usr/share/nemo/** r, - /usr/share/thumbnailers/{,*.thumbnailer} r, # Full access to user's data / r, diff --git a/apparmor.d/groups/cap/netcap b/apparmor.d/profiles-m-r/netcap similarity index 100% rename from apparmor.d/groups/cap/netcap rename to apparmor.d/profiles-m-r/netcap 
diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index a23a095e9..e19884997 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat @@ -13,18 +13,12 @@ include profile netstat @{exec_path} { include include - include + include capability dac_read_search, capability sys_ptrace, capability syslog, - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - ptrace (trace,read), @{exec_path} rmix, diff --git a/apparmor.d/groups/shadow/newgidmap b/apparmor.d/profiles-m-r/newgidmap similarity index 91% rename from apparmor.d/groups/shadow/newgidmap rename to apparmor.d/profiles-m-r/newgidmap index 6fa555504..4a7196fc2 100644 --- a/apparmor.d/groups/shadow/newgidmap +++ b/apparmor.d/profiles-m-r/newgidmap @@ -18,8 +18,6 @@ profile newgidmap @{exec_path} { @{exec_path} mr, - @{etc_ro}/login.defs r, - @{etc_ro}/login.defs.d/{,*} r, /etc/subgid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/groups/utils/newgrp b/apparmor.d/profiles-m-r/newgrp similarity index 96% rename from apparmor.d/groups/utils/newgrp rename to apparmor.d/profiles-m-r/newgrp index 1452f34fc..ebd15d4b6 100644 --- a/apparmor.d/groups/utils/newgrp +++ b/apparmor.d/profiles-m-r/newgrp @@ -23,10 +23,10 @@ profile newgrp @{exec_path} { @{bin}/@{shells} rUx, - @{etc_ro}/login.defs r, - /etc/{passwd,group,shadow,gshadow} r, + /etc/login.defs r, + owner @{PROC}/@{pid}/loginuid r, include if exists diff --git a/apparmor.d/groups/shadow/newuidmap b/apparmor.d/profiles-m-r/newuidmap similarity index 91% rename from apparmor.d/groups/shadow/newuidmap rename to apparmor.d/profiles-m-r/newuidmap index 6a53bf5c1..549eb06ef 100644 --- a/apparmor.d/groups/shadow/newuidmap +++ b/apparmor.d/profiles-m-r/newuidmap @@ -18,8 +18,6 @@ profile newuidmap @{exec_path} { @{exec_path} mr, - @{etc_ro}/login.defs r, - @{etc_ro}/login.defs.d/{,*} r, /etc/subuid r, @{PROC}/@{pids}/ r, 
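Review bot: The newgrp hunk removes `/etc/{passwd,group,shadow,gshadow} r` and keeps only `/etc/login.defs r` and `owner @{PROC}/@{pid}/loginuid r`, yet newgrp is a setuid helper that verifies group passwords from /etc/gshadow when the caller is not already a member. The include targets are stripped in this rendering, so this is fine if an included abstraction already grants gshadow; if not, the check fails closed (the group switch is refused) rather than silently succeeding, and `/etc/gshadow r,` should be added back explicitly. The newgidmap and newuidmap hunks drop only the `login.defs` rules while `/etc/subgid r` and `/etc/subuid r` remain, which looks intentional assuming those helpers do not consult login.defs.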
diff --git a/apparmor.d/groups/filesystem/nfsdcld b/apparmor.d/profiles-m-r/nfsdcld similarity index 94% rename from apparmor.d/groups/filesystem/nfsdcld rename to apparmor.d/profiles-m-r/nfsdcld index 23ecc576e..be122a3cb 100644 --- a/apparmor.d/groups/filesystem/nfsdcld +++ b/apparmor.d/profiles-m-r/nfsdcld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/nfsdcld +@{exec_path} = @{bin}/nfsdcld profile nfsdcld @{exec_path} { include diff --git a/apparmor.d/groups/firewall/nft b/apparmor.d/profiles-m-r/nft similarity index 96% rename from apparmor.d/groups/firewall/nft rename to apparmor.d/profiles-m-r/nft index 2392829c8..292b22043 100644 --- a/apparmor.d/groups/firewall/nft +++ b/apparmor.d/profiles-m-r/nft @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/nft +@{exec_path} = @{bin}/nft profile nft @{exec_path} { include include diff --git a/apparmor.d/groups/utils/nologin b/apparmor.d/profiles-m-r/nologin similarity index 93% rename from apparmor.d/groups/utils/nologin rename to apparmor.d/profiles-m-r/nologin index 795a1aa35..3ee32cf34 100644 --- a/apparmor.d/groups/utils/nologin +++ b/apparmor.d/profiles-m-r/nologin @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/nologin +@{exec_path} = @{bin}/nologin profile nologin @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g similarity index 95% rename from apparmor.d/groups/filesystem/ntfs-3g rename to apparmor.d/profiles-m-r/ntfs-3g index e4749177c..d94d7a0f2 100644 --- a/apparmor.d/groups/filesystem/ntfs-3g +++ b/apparmor.d/profiles-m-r/ntfs-3g @@ -34,8 +34,6 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/, mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, - mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /tmp/fsa/*/, # fsarchiver - umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, 
diff --git a/apparmor.d/groups/filesystem/ntfs-3g-probe b/apparmor.d/profiles-m-r/ntfs-3g-probe similarity index 100% rename from apparmor.d/groups/filesystem/ntfs-3g-probe rename to apparmor.d/profiles-m-r/ntfs-3g-probe diff --git a/apparmor.d/groups/filesystem/ntfscat b/apparmor.d/profiles-m-r/ntfscat similarity index 100% rename from apparmor.d/groups/filesystem/ntfscat rename to apparmor.d/profiles-m-r/ntfscat diff --git a/apparmor.d/groups/filesystem/ntfsclone b/apparmor.d/profiles-m-r/ntfsclone similarity index 95% rename from apparmor.d/groups/filesystem/ntfsclone rename to apparmor.d/profiles-m-r/ntfsclone index c6443bf7a..c239e81af 100644 --- a/apparmor.d/groups/filesystem/ntfsclone +++ b/apparmor.d/profiles-m-r/ntfsclone @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ntfsclone +@{exec_path} = @{bin}/ntfsclone profile ntfsclone @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfscluster b/apparmor.d/profiles-m-r/ntfscluster similarity index 100% rename from apparmor.d/groups/filesystem/ntfscluster rename to apparmor.d/profiles-m-r/ntfscluster diff --git a/apparmor.d/groups/filesystem/ntfscmp b/apparmor.d/profiles-m-r/ntfscmp similarity index 100% rename from apparmor.d/groups/filesystem/ntfscmp rename to apparmor.d/profiles-m-r/ntfscmp diff --git a/apparmor.d/groups/filesystem/ntfscp b/apparmor.d/profiles-m-r/ntfscp similarity index 96% rename from apparmor.d/groups/filesystem/ntfscp rename to apparmor.d/profiles-m-r/ntfscp index f3bc38b6a..2e36046ba 100644 --- a/apparmor.d/groups/filesystem/ntfscp +++ b/apparmor.d/profiles-m-r/ntfscp @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ntfscp +@{exec_path} = @{bin}/ntfscp profile ntfscp @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfsdecrypt b/apparmor.d/profiles-m-r/ntfsdecrypt similarity index 100% rename from apparmor.d/groups/filesystem/ntfsdecrypt rename to apparmor.d/profiles-m-r/ntfsdecrypt 
diff --git a/apparmor.d/groups/filesystem/ntfsfallocate b/apparmor.d/profiles-m-r/ntfsfallocate similarity index 100% rename from apparmor.d/groups/filesystem/ntfsfallocate rename to apparmor.d/profiles-m-r/ntfsfallocate diff --git a/apparmor.d/groups/filesystem/ntfsfix b/apparmor.d/profiles-m-r/ntfsfix similarity index 100% rename from apparmor.d/groups/filesystem/ntfsfix rename to apparmor.d/profiles-m-r/ntfsfix diff --git a/apparmor.d/groups/filesystem/ntfsinfo b/apparmor.d/profiles-m-r/ntfsinfo similarity index 100% rename from apparmor.d/groups/filesystem/ntfsinfo rename to apparmor.d/profiles-m-r/ntfsinfo diff --git a/apparmor.d/groups/filesystem/ntfslabel b/apparmor.d/profiles-m-r/ntfslabel similarity index 93% rename from apparmor.d/groups/filesystem/ntfslabel rename to apparmor.d/profiles-m-r/ntfslabel index 5d4089a44..471aefaa1 100644 --- a/apparmor.d/groups/filesystem/ntfslabel +++ b/apparmor.d/profiles-m-r/ntfslabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ntfslabel +@{exec_path} = @{bin}/ntfslabel profile ntfslabel @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfsls b/apparmor.d/profiles-m-r/ntfsls similarity index 100% rename from apparmor.d/groups/filesystem/ntfsls rename to apparmor.d/profiles-m-r/ntfsls diff --git a/apparmor.d/groups/filesystem/ntfsmove b/apparmor.d/profiles-m-r/ntfsmove similarity index 100% rename from apparmor.d/groups/filesystem/ntfsmove rename to apparmor.d/profiles-m-r/ntfsmove diff --git a/apparmor.d/groups/filesystem/ntfsrecover b/apparmor.d/profiles-m-r/ntfsrecover similarity index 100% rename from apparmor.d/groups/filesystem/ntfsrecover rename to apparmor.d/profiles-m-r/ntfsrecover diff --git a/apparmor.d/groups/filesystem/ntfsresize b/apparmor.d/profiles-m-r/ntfsresize similarity index 93% rename from apparmor.d/groups/filesystem/ntfsresize rename to apparmor.d/profiles-m-r/ntfsresize index 3eac37d70..5c7d5c835 100644 --- a/apparmor.d/groups/filesystem/ntfsresize 
+++ b/apparmor.d/profiles-m-r/ntfsresize @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ntfsresize +@{exec_path} = @{bin}/ntfsresize profile ntfsresize @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfssecaudit b/apparmor.d/profiles-m-r/ntfssecaudit similarity index 100% rename from apparmor.d/groups/filesystem/ntfssecaudit rename to apparmor.d/profiles-m-r/ntfssecaudit diff --git a/apparmor.d/groups/filesystem/ntfstruncate b/apparmor.d/profiles-m-r/ntfstruncate similarity index 100% rename from apparmor.d/groups/filesystem/ntfstruncate rename to apparmor.d/profiles-m-r/ntfstruncate diff --git a/apparmor.d/groups/filesystem/ntfsundelete b/apparmor.d/profiles-m-r/ntfsundelete similarity index 94% rename from apparmor.d/groups/filesystem/ntfsundelete rename to apparmor.d/profiles-m-r/ntfsundelete index 9f68cba7a..4d96d1dbd 100644 --- a/apparmor.d/groups/filesystem/ntfsundelete +++ b/apparmor.d/profiles-m-r/ntfsundelete @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ntfsundelete +@{exec_path} = @{bin}/ntfsundelete profile ntfsundelete @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfsusermap b/apparmor.d/profiles-m-r/ntfsusermap similarity index 100% rename from apparmor.d/groups/filesystem/ntfsusermap rename to apparmor.d/profiles-m-r/ntfsusermap diff --git a/apparmor.d/groups/filesystem/ntfswipe b/apparmor.d/profiles-m-r/ntfswipe similarity index 100% rename from apparmor.d/groups/filesystem/ntfswipe rename to apparmor.d/profiles-m-r/ntfswipe diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 893770a4b..9e5944bff 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/nvidia-settings -profile nvidia-settings @{exec_path} flags=(attach_disconnected) { +profile nvidia-settings @{exec_path} { include include include 
@@ -21,18 +21,8 @@ profile nvidia-settings @{exec_path} flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/config r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - /dev/nvidia-caps/ rw, - /dev/nvidia-caps/nvidia-cap@{int} r, + @{PROC}/devices r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index eb42bd59b..143808f76 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -21,11 +21,12 @@ profile nvidia-smi @{exec_path} { @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, - /dev/nvidia-caps/nvidia-cap@{int} rw, + /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index fc51b5b9e..e4846d58e 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -10,7 +10,7 @@ include profile nvtop @{exec_path} flags=(attach_disconnected) { include include - include + include include capability sys_ptrace, 
@@ -43,17 +43,17 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/pcie_bw r, @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/ r, - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/stat r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/ r, + @{PROC}/@{pids}/ r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/stat r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + /dev/dri/ r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index 9d9ed2a94..b0c4d88c6 100644 --- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu @@ -13,7 +13,7 @@ profile obamenu @{exec_path} { include @{exec_path} r, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{bin}/ r, diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index d283466f5..7b11aaac5 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -11,7 +11,7 @@ include profile obconf @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/bluetooth/obex-folder-listing b/apparmor.d/profiles-m-r/obex-folder-listing similarity index 100% rename from apparmor.d/groups/bluetooth/obex-folder-listing rename to apparmor.d/profiles-m-r/obex-folder-listing diff --git a/apparmor.d/groups/bluetooth/obexautofs b/apparmor.d/profiles-m-r/obexautofs similarity index 87% rename from apparmor.d/groups/bluetooth/obexautofs rename to apparmor.d/profiles-m-r/obexautofs index 980349086..e50fadddf 100644 --- a/apparmor.d/groups/bluetooth/obexautofs +++ b/apparmor.d/profiles-m-r/obexautofs 
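Review bot: The rewritten block switches every `@{PROC}/@{pid}/...` rule to `@{PROC}/@{pids}/...` without `owner`, so nvtop can now read cmdline, fd/, fdinfo/ and stat of every process on the host, backed by the `capability sys_ptrace` granted above the hunk. For a per-process GPU monitor that is the intended reach, but the widening is not explained; a comment above the first rule, `# nvtop reports GPU usage per process for all users, so non-owner access to @{pids} is required`, would record why the narrower `@{pid}` form was insufficient. The hunk also drops `owner @{PROC}/@{pid}/task/@{tid}/comm rw`; if nvtop names its threads, that write will be denied once enforced. The enclosing profile ends outside the hunk.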
@@ -36,13 +36,20 @@ profile obexautofs @{exec_path} { profile fusermount { include - include + include + + capability sys_admin, mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/, mount fstype={fuse,fuse.obexautofs} -> @{HOME}/*/*/, - umount @{HOME}/*/, - umount @{HOME}/*/*/, + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + + @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, include if exists } diff --git a/apparmor.d/groups/bluetooth/obexctl b/apparmor.d/profiles-m-r/obexctl similarity index 100% rename from apparmor.d/groups/bluetooth/obexctl rename to apparmor.d/profiles-m-r/obexctl diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/profiles-m-r/obexd similarity index 74% rename from apparmor.d/groups/bluetooth/obexd rename to apparmor.d/profiles-m-r/obexd index 3ea17a4e5..3da9b4f5d 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/profiles-m-r/obexd @@ -10,9 +10,8 @@ include @{exec_path} = @{lib}/bluetooth/obexd profile obexd @{exec_path} { include - include include - include + include include network bluetooth stream, @@ -23,12 +22,7 @@ profile obexd @{exec_path} { dbus receive bus=system path=/org/bluez/obex/@{uuid} interface=org.bluez.Profile1 member=Release - peer=(name=:*, label="@{p_bluetoothd}"), - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + peer=(name=:*, label=bluetoothd), @{exec_path} mr, @@ -37,8 +31,6 @@ profile obexd @{exec_path} { owner @{HOME}/bluetooth/* rw, - @{run}/systemd/users/@{uid} r, - include if exists } diff --git a/apparmor.d/groups/bluetooth/obexfs b/apparmor.d/profiles-m-r/obexfs similarity index 82% rename from apparmor.d/groups/bluetooth/obexfs rename to apparmor.d/profiles-m-r/obexfs index e486349d3..5a9d0dfbf 100644 --- a/apparmor.d/groups/bluetooth/obexfs +++ b/apparmor.d/profiles-m-r/obexfs 
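Review bot: The fusermount child profile gains `capability sys_admin`, `/dev/fuse rw` and `@{bin}/fusermount{,3} mr` but loses `umount @{HOME}/*/` and `umount @{HOME}/*/*/`, while `fusermount -u` is also the path by which a FUSE mount is removed. With the mount rules kept and the umount rules gone, unmounting under `@{HOME}` is likely to be denied once the profile is enforced; either restore `umount @{HOME}/*/, umount @{HOME}/*/*/,` or add a comment explaining where unmount is handled. The obexfs fusermount hunk on the next line makes the same change and has the same gap. The child profile's opening line and closing brace are both inside this hunk.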
@@ -27,17 +27,26 @@ profile obexfs @{exec_path} { /dev/fuse rw, + profile fusermount { include - include + include + + # To mount anything: + capability sys_admin, network bluetooth stream, + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + + /dev/fuse rw, + mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/, mount fstype={fuse,fuse.obexfs} -> @{HOME}/*/*/, - umount @{HOME}/*/, - umount @{HOME}/*/*/, + @{PROC}/@{pid}/mounts r, include if exists } diff --git a/apparmor.d/groups/bluetooth/obexpush-atd b/apparmor.d/profiles-m-r/obexpush-atd similarity index 100% rename from apparmor.d/groups/bluetooth/obexpush-atd rename to apparmor.d/profiles-m-r/obexpush-atd diff --git a/apparmor.d/groups/bluetooth/obexpushd b/apparmor.d/profiles-m-r/obexpushd similarity index 100% rename from apparmor.d/groups/bluetooth/obexpushd rename to apparmor.d/profiles-m-r/obexpushd diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index 73447e33e..7b5521802 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama @@ -38,15 +38,8 @@ profile ollama @{exec_path} flags=(attach_disconnected) { owner @{tmp}/ollama@{int}/{,**} rw, owner @{tmp}/ollama@{int}/runners/{,**} mr, - @{sys}/devices/@{pci}/drm/card@{int}/ r, - @{sys}/devices/@{pci}/drm/card@{int}/*/ r, - @{sys}/devices/@{pci}/mem_info_vram_total r, - @{sys}/devices/@{pci}/mem_info_vram_used r, @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/node/node@{int}/cpumap r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, @{PROC}/devices r, @{PROC}/sys/net/core/somaxconn r, diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index d6426f717..c92d4d849 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power 
@@ -7,19 +7,17 @@ abi , include -@{exec_path} = @{sbin}/on_ac_power +@{exec_path} = @{bin}/on_ac_power profile on-ac-power @{exec_path} { include @{exec_path} r, @{sh_path} rix, - @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, @{sys}/class/power_supply/ r, - @{sys}/class/typec/ r, @{sys}/devices/**/power_supply/**/{online,type} r, @{PROC}/pmu/info r, diff --git a/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler deleted file mode 100644 index 2593b78ac..000000000 --- a/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler +++ /dev/null @@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/open-iscsi/net-interface-handler -profile open-iscsi-net-interface-handler @{exec_path} flags=(complain) { - include - - @{exec_path} mr, - @{sh_path} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index 899290792..d136ee08f 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -58,7 +58,7 @@ profile openbox @{exec_path} { @{lib}/@{multiarch}/openbox-xdg-autostart rix, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, # Apps allowed to run @{bin}/* rPUx, @@ -75,7 +75,7 @@ profile openbox @{exec_path} { /etc/xdg/autostart/{,*} r, # Silencer - deny @{lib}/@{python_name}/** w, + deny @{lib}/python3/** w, deny owner @{user_lib_dirs}/python*/site-packages/ r, # file_inherit diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index f9e5b2058..c058003ff 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober 
@@ -15,35 +15,30 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_admin, - mount options=(rprivate, rw) -> /, - mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/, - umount /var/lib/os-prober/mount/, - mqueue (read getattr) type=posix /, - @{exec_path} mrix, @{sh_path} rix, @{bin}/{e,f,}grep rix, - @{sbin}/blkid rPx, - @{sbin}/btrfs rPx, + @{bin}/blkid rPx, + @{bin}/btrfs rPx, @{bin}/cat rix, @{bin}/cut rix, - @{sbin}/dmraid rPUx, + @{bin}/dmraid rPUx, @{bin}/find rix, @{bin}/grub-mount rPx, - @{sbin}/grub-probe rPx, + @{bin}/grub-probe rPx, @{bin}/head rix, @{bin}/kmod rPx, @{bin}/logger rix, @{bin}/ls rix, @{bin}/lsblk rPx, - @{sbin}/lvm rPx, + @{bin}/lvm rPx, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mount rix, - @{sbin}/multipath rPx, + @{bin}/multipath rPx, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/rmdir rix, @@ -51,7 +46,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{lib}/newns rix, @{lib}/os-prober/* rix, @{lib}/os-probes/{,**} rix, @@ -63,9 +58,9 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ r, / r, - @{efi}/ r, - @{efi}/EFI/ r, - @{efi}/EFI/**/ r, + /boot/{efi/,} r, + /boot/{efi/,}EFI/ r, + /boot/{efi/,}EFI/**/ r, owner @{tmp}/os-prober.*/{,**} rw, diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch index d0bb4a1ed..ef3ea4bee 100644 --- a/apparmor.d/profiles-m-r/ouch +++ b/apparmor.d/profiles-m-r/ouch 
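Review bot: The first os-prober hunk removes `mount options=(rprivate, rw) -> /`, `mount options=(rw, nosuid, nodev) -> /var/lib/os-prober/mount/` and `umount /var/lib/os-prober/mount/` while `capability sys_admin`, `@{bin}/mount rix`, `@{bin}/umount rix` and `@{lib}/newns rix` stay, so the helpers that mount candidate partitions still run under this profile but no visible mount rule allows the operation. Unless those rules now come from an include (include targets are stripped in this rendering), an enforced profile will deny the mount and os-prober will simply report no other systems; the removed rules were also the narrowest form, pinning the target directory and `nosuid,nodev`, so if mounting is still expected they should be retained. The `mqueue (read getattr)` removal is a tightening and looks fine. The enclosing profile continues after the hunk.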
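Review bot: In the second os-prober hunk `@{bin}/which{,.debianutils} rix` becomes `@{bin}/which rix`; on Debian-derived systems `which` resolves through alternatives to `which.debianutils`, and AppArmor matches the resolved path of the executed file, so the narrowed rule would not match there and the exec would be denied in enforce mode. Elsewhere in this diff the `{,.debianutils}` form is kept (openbox, mumble-overlay, needrestart-vmlinuz-get-version), so this one looks like an accidental inconsistency rather than a deliberate narrowing.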
@@ -17,16 +17,11 @@ profile ouch @{exec_path} { owner @{HOME}/.tmp@{rand6}/{,**} rw, owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw, - owner /tmp/ w, - owner /tmp/.tmp@{rand6}/{,**} rw, - owner /tmp/.tmp-ouch@{rand6}/{,**} rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index e5b54c34e..6847476e3 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -9,11 +9,11 @@ include @{exec_path} = @{lib}/packagekitd profile packagekitd @{exec_path} flags=(attach_disconnected) { include - include #aa:only apt include include include include + include #aa:only apt include include @@ -38,7 +38,12 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { signal send set=int peer=apt-methods-*, signal send set=term peer=systemd-inhibit, - #aa:dbus own bus=system name=org.freedesktop.PackageKit path=/** + #aa:dbus own bus=system name=org.freedesktop.PackageKit + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, @@ -51,7 +56,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/gzip rix, - @{sbin}/ldconfig rix, + @{bin}/ischroot rix, + @{bin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @{bin}/test rix, 
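Review bot: `session-@{int}.scope` only matches numeric logind session IDs; sessions opened outside a seat (cron, su and similar) commonly get IDs such as `c1`, so `cpu.max` reads from those sessions will be denied where the old `session-@{word}` form matched them. Unless the narrowing is deliberate, keep `@{word}` or use `session-{@{int},c@{int}}.scope`. The ouch profile body starts above this hunk.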
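Review bot: `@{bin}/ischroot rix,` runs ischroot inside packagekitd's own profile, whereas the old `rPx` line (removed in the following hunk) transitioned it to a dedicated profile; packagekitd's profile carries read-write access to `/boot/**`, `/etc/**`, `/opt/**` and more, so a helper that only inspects the mount table now inherits all of that. If the separate ischroot profile has been retired the inherit is acceptable, but a short trailing comment such as `# no dedicated profile, inherit` on the line would record why. The packagekitd profile body continues outside this hunk.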
@@ -63,8 +69,6 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, @{bin}/install-info rPx, - @{bin}/ischroot rPx, - @{bin}/rpm rPUx, #aa:only opensuse @{bin}/rpmdb2solv rPUx, #aa:only opensuse @{bin}/systemd-inhibit rPx, @{bin}/update-desktop-database rPx, @@ -74,11 +78,10 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile /usr/share/libalpm/scripts/* rPx, - #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - @{efi}/** rwl -> @{efi}/**, + /boot/** rwl -> /boot/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 947fb2f4e..e2846f8e6 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update 
@@ -7,24 +7,61 @@ abi , include -@{exec_path} = @{sbin}/pam-auth-update +@{exec_path} = @{bin}/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { include - include + include + include - @{exec_path} mrix, + @{exec_path} mr, + @{bin}/perl r, - @{bin}/cp ix, - @{bin}/md5sum ix, - @{bin}/stty ix, + @{bin}/md5sum rix, + @{bin}/cp rix, - /usr/share/pam{,-configs}/{,*} r, + # Think what to do about this (#FIXME#) + /usr/share/debconf/frontend rPx, + #/usr/share/debconf/frontend rCx -> frontend, /etc/pam.d/* rw, - /etc/shadow r, - - /var/lib/dpkg/info/libpam-runtime.templates r, /var/lib/pam/* rw, + /usr/share/pam{,-configs}/{,*} r, + + + profile frontend flags=(complain) { + include + include + include + include + + /usr/share/debconf/frontend r, + @{bin}/perl r, + + @{bin}/pam-auth-update rPx, + + @{sh_path} rix, + @{bin}/stty rix, + @{bin}/locale rix, + + /etc/debconf.conf r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /usr/share/debconf/templates/adequate.templates r, + + # The following is needed when debconf uses GUI frontends. + include + include + include + include + capability dac_read_search, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/hostname rix, + owner @{PROC}/@{pid}/mounts r, + @{HOME}/.Xauthority r, + + /etc/shadow r, + + include if exists + } include if exists } diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper index fc767e5b3..510c2abad 100644 --- a/apparmor.d/profiles-m-r/pam-tmpdir-helper +++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/pam-tmpdir-helper @{lib}/pam-tmpdir/pam-tmpdir-helper +@{exec_path} = @{bin}/pam-tmpdir-helper profile pam-tmpdir-helper @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/pam/mappings b/apparmor.d/profiles-m-r/pam/mappings new file mode 100644 index 000000000..cbcb539ed --- /dev/null +++ b/apparmor.d/profiles-m-r/pam/mappings 
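Review bot: The `frontend` child profile added at the bottom is unreachable: the only transition into it is the commented-out `rCx -> frontend` line, while the live rule `/usr/share/debconf/frontend rPx,` sends the frontend to its own profile, so every rule in the child (including `/etc/shadow r,` and the `passwords.dat` access) is dead policy that still reads as granted. Either resolve the `#FIXME#` by switching to `/usr/share/debconf/frontend rCx -> frontend,` and dropping the `rPx` line, or remove the child until it is wired in. Inside the child, `/etc/shadow r,` has no obvious justification for a debconf frontend and `@{HOME}/.Xauthority r,` should be `owner @{HOME}/.Xauthority r,` to match the other owner-scoped rules there. Both profiles also remain in `flags=(complain)`, so none of this is enforced until that flag is cleared.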
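Review bot: Dropping `@{lib}/pam-tmpdir/pam-tmpdir-helper` from `@{exec_path}` means a helper installed at that path no longer attaches to this profile and runs unconfined, which matters for a PAM helper that is typically invoked with root privileges at login. If no supported distribution ships it there any more, a one-line comment would say so; otherwise keep `@{exec_path} = @{bin}/pam-tmpdir-helper @{lib}/pam-tmpdir/pam-tmpdir-helper`.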
@@ -0,0 +1,72 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# See more at: https://gitlab.com/apparmor/apparmor/wikis/Pam_apparmor_example + +# This file contains the mappings from users to roles for the binaries +# confined with AppArmor and configured for use with libpam-apparmor. Users +# without a mapping will not be able to login. +# +# The default hat is a confined user. The hat contains only the permissions +# necessary to transition to the user's login shell. All other permissions have +# been moved into the default_user profile. +^DEFAULT { + include + include + + capability dac_override, + capability setgid, + capability setuid, + + /etc/default/su r, + @{etc_ro}/environment r, + + @{shells_path} rPx -> user_default, + + include if exists +} + +# USER is a confined user. The hat contains only the permissions necessary +# to transition to gray's login shell. All other permissions have been +# moved into the confined_user profile. +^USER { + include + include + + capability dac_override, + capability audit_write, + capability setgid, + capability setuid, + + @{shells_path} rPx -> user_confined, + + /etc/default/su r, + @{etc_ro}/environment r, + + include if exists +} + +# Don't confine members whose primary group is 'admin' who are not specifically +# confined. Systems without this special primary group may want to define an +# unconfined 'root' hat in this manner (depending on site policy). +^root { + include + include + include + + capability dac_override, + capability audit_write, + capability setgid, + capability setuid, + + @{shells_path} rUx, + + /etc/default/su r, + @{etc_ro}/environment r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 1ae7f5478..4a98dbae8 100644 --- a/apparmor.d/profiles-m-r/parted 
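Review bot: The commentary in the new file contradicts its own rules: the header says users without a mapping will not be able to log in, yet a `^DEFAULT` hat is provided for exactly that case; the `^USER` comment refers to "gray's login shell" and a `confined_user` profile while the rule transitions to `user_confined`; and the `^root` comment talks about members of the 'admin' primary group although the hat is keyed on the `root` name. Since the hat name is what pam_apparmor selects on, these stale comments will mislead anyone adapting the file. Suggested wording for `^USER`: `# USER is a confined user: this hat only grants what is needed to transition to the login shell; everything else lives in the user_confined profile.`, for `^root`: `# root is left unconfined (@{shells_path} rUx); adapt this hat if root should be confined on your site.`, and drop the "will not be able to login" sentence from the header.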
+++ b/apparmor.d/profiles-m-r/parted @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/parted +@{exec_path} = @{bin}/parted profile parted @{exec_path} { include include @@ -22,7 +22,7 @@ profile parted @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{sbin}/dmidecode rPx, + @{bin}/dmidecode rPx, /etc/inputrc r, diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 79e4b0ffb..6a0a6c9cf 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/partprobe +@{exec_path} = @{bin}/partprobe profile partprobe @{exec_path} { include include @@ -23,7 +23,7 @@ profile partprobe @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{sbin}/dmidecode rPx, + @{bin}/dmidecode rPx, @{PROC}/devices r, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 30f92c964..0736f98c4 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -24,7 +24,7 @@ profile pass @{exec_path} { @{bin}/env r, @{bin}/find ix, @{bin}/getopt ix, - @{bin}/{,e}grep ix, + @{bin}/grep ix, @{bin}/head ix, @{bin}/mkdir ix, @{bin}/mktemp ix, @@ -40,7 +40,7 @@ profile pass @{exec_path} { @{bin}/tr ix, @{bin}/tree ix, @{bin}/tty ix, - @{bin}/which{,.debianutils} rix, + @{bin}/which ix, @{bin}/git Cx -> git, @{bin}/gpg{2,} Cx -> gpg, @@ -53,13 +53,13 @@ profile pass @{exec_path} { # Pass extensions @{bin}/oathtool ix, # pass-otp - @{python_path} Px -> pass-import, # pass-import, pass-audit + @{bin}/python3.@{int} Px -> pass-import, # pass-import, pass-audit @{bin}/qrencode PUx, # pass-otp @{bin}/tomb PUx, # pass-tomb /usr/share/terminfo/** r, - owner @{user_passwordstore_dirs}/{,**} rw, + owner @{user_password_store_dirs}/{,**} rw, owner /dev/shm/pass.@{rand}/{,*} rw, @{sys}/devices/system/node/ r, 
@@ -88,7 +88,7 @@ profile pass @{exec_path} { /tmp/ r, - owner @{user_passwordstore_dirs}/{,**/} r, + owner @{user_password_store_dirs}/{,**/} r, owner /dev/shm/pass.@{rand}/{,*} rw, @@ -120,8 +120,8 @@ profile pass @{exec_path} { owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, - owner @{user_passwordstore_dirs}/ rw, - owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_password_store_dirs}/ rw, + owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner /dev/shm/pass.@{rand}/.git_vtag_tmp@{rand6} rw, @@ -142,11 +142,10 @@ profile pass @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{user_passwordstore_dirs}/ rw, - owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_password_store_dirs}/ rw, + owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature - owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index 8d55dd156..bb2bc9107 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -24,16 +24,16 @@ profile pass-import @{exec_path} { @{bin}/ r, @{bin}/gcc rix, # TODO: Test deny @{bin}/ld rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/pass rPx, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{lib}/gcc/**/collect2 rix, @{lib}/python{2.[4-7],3,3.@{int}}/** w, # TODO: Test deny /usr/share/file/misc/magic.mgc r, - owner @{user_passwordstore_dirs}/{,**} rw, + owner @{user_password_store_dirs}/{,**} rw, owner @{tmp}/[a-zA-Z0-9]* rw, diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index c0aafeaf9..4e64e5fb9 100644 
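Review bot: Removing `owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw,` from the `gpg` child profile takes away the agent socket that gpg needs to decrypt or sign entries, so `pass show`/`pass insert` will fail under this profile unless an included abstraction that is not visible here grants the socket. If the access now comes from such an include, a comment on that include would stop someone re-adding the rule; otherwise restore the line. The `gpg` child profile starts above this hunk.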
--- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -26,7 +26,9 @@ profile passimd @{exec_path} flags=(attach_disconnected) { /etc/passim.conf r, - owner /var/lib/passim/{,**} rw, + /var/lib/passim/{,**} r, + /var/lib/passim/data/{,**} rw, + owner /var/log/passim/* rw, @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/shadow/passwd b/apparmor.d/profiles-m-r/passwd similarity index 100% rename from apparmor.d/groups/shadow/passwd rename to apparmor.d/profiles-m-r/passwd diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index 2923f70cd..e736299fa 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -10,9 +10,13 @@ include @{exec_path} = @{bin}/pcb-gtk profile pcb-gtk @{exec_path} { include - include + include + include + include include - include + include + include + include include include @@ -20,7 +24,7 @@ profile pcb-gtk @{exec_path} { /usr/share/pcb/ListLibraryContents.sh rix, - @{sh_path} rix, + @{bin}/dash rix, @{bin}/cat rix, @{bin}/tr rix, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index d5bcc4293..984b566cf 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/pcscd +@{exec_path} = @{bin}/pcscd profile pcscd @{exec_path} { include include @@ -16,13 +16,13 @@ profile pcscd @{exec_path} { network netlink raw, - ptrace read peer=@{p_systemd_user}, - ptrace read peer=gsd-smartcard, - ptrace read peer=keepassxc, - ptrace read peer=pkcs11-register, - ptrace read peer=rngd, - ptrace read peer=scdaemon, - ptrace read peer=veracrypt, + ptrace (read) peer=@{p_systemd_user}, + ptrace (read) peer=gsd-smartcard, + ptrace (read) peer=keepassxc, + ptrace (read) peer=pkcs11-register, + ptrace (read) peer=rngd, + ptrace (read) peer=scdaemon, + ptrace (read) peer=veracrypt, @{exec_path} mr, 
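Review bot: `/var/lib/passim/data/{,**} rw,` drops the `owner` qualifier that the old single rule had, so passimd may now write any file under `data/` regardless of who owns it, while the new `/var/log/passim/* rw,` rule in the same hunk does keep `owner`. If passimd runs as a dedicated service user, `owner /var/lib/passim/data/{,**} rw,` is just as functional and preserves the earlier constraint; if it must touch files owned by someone else, a comment saying why would justify the widening. The profile body continues outside this hunk.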
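Review bot: Replacing `@{sh_path} rix,` with `@{bin}/dash rix,` ties the pcb-gtk profile to one shell; `ListLibraryContents.sh` is run through whatever `/bin/sh` resolves to, so on distributions where `sh` is bash the exec will be denied and the library listing silently breaks. Unless dash is required for some other reason, keep `@{sh_path} rix,`, which already covers dash. The profile body continues past this hunk.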
diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 76b9942fb..2a7b63038 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/pidof -profile pidof @{exec_path} flags=(attach_disconnected) { +profile pidof @{exec_path} { include include @@ -28,7 +28,7 @@ profile pidof @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, - /dev/tty@{int} rw, + owner /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index b60d929e2..a955a9c6d 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -10,11 +10,9 @@ include profile pinentry-gnome3 @{exec_path} { include include - include include - include - signal receive set=int, + signal (receive) set=(int) peer=gpg-agent, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pinentry-gtk b/apparmor.d/profiles-m-r/pinentry-gtk index d07a64a5a..a0244956d 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk +++ b/apparmor.d/profiles-m-r/pinentry-gtk @@ -11,12 +11,16 @@ include profile pinentry-gtk @{exec_path} { include include + include + include include - include + include @{exec_path} mr, - @{PROC}/@{pid}/cmdline r, + /usr/share/gtk-@{int}.@{int}/{,**} r, + + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, owner /dev/tty@{int} r, diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 66729769f..3c5ec0a94 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -17,8 +17,6 @@ profile pinentry-qt @{exec_path} { include include - ptrace read peer=gpg-agent, - @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index d775cafe5..989f6ec8b 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register 
+++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -9,10 +9,11 @@ include @{exec_path} = @{bin}/pkcs11-register profile pkcs11-register @{exec_path} { include - include @{exec_path} mr, + /etc/{,opensc/}opensc.conf r, + owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/profiles.ini r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, diff --git a/apparmor.d/groups/polkit/pkexec b/apparmor.d/profiles-m-r/pkexec similarity index 94% rename from apparmor.d/groups/polkit/pkexec rename to apparmor.d/profiles-m-r/pkexec index 8c6d868da..c7bfbcefa 100644 --- a/apparmor.d/groups/polkit/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -21,13 +21,13 @@ profile pkexec @{exec_path} { @{exec_path} mr, @{bin}/* PUx, - @{sbin}/* PUx, @{lib}/** PUx, /opt/*/** PUx, /usr/share/** PUx, /etc/default/locale r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/polkit/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent similarity index 95% rename from apparmor.d/groups/polkit/pkttyagent rename to apparmor.d/profiles-m-r/pkttyagent index 436447aef..de0eeef33 100644 --- a/apparmor.d/groups/polkit/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -18,8 +18,8 @@ profile pkttyagent @{exec_path} { capability sys_nice, capability audit_write, - ptrace read, - signal (send, receive), + ptrace (read), + signal (send,receive), @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo index 324b08f17..111b157c5 100644 --- a/apparmor.d/profiles-m-r/pokemmo +++ b/apparmor.d/profiles-m-r/pokemmo @@ -37,7 +37,7 @@ profile pokemmo @{exec_path} flags=(attach_disconnected) { @{bin}/java ix, @{bin}/perl ix, - @{bin}/which{,.debianutils} ix, + @{bin}/which ix, @{lib}/jvm/java-@{int}-openjdk/bin/java ix, # Installer diff --git a/apparmor.d/profiles-m-r/pollinate b/apparmor.d/profiles-m-r/pollinate deleted file mode 100644 index 5a10cc9e2..000000000 
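Review bot: The added `@{PROC}/@{pid}/fdinfo/@{int} r,` is not owner-scoped, so pkexec, a setuid helper, may read fdinfo of any process, whereas the neighbouring `owner @{PROC}/@{pid}/fd/ r,` is restricted to its own; `owner @{PROC}/@{pid}/fdinfo/@{int} r,` is the consistent form and should suffice if it only inspects its own descriptors. Separately, removing `@{sbin}/* PUx,` while keeping `@{bin}/* PUx,` is harmless only if `@{bin}` already expands to the sbin directories on every supported distribution, which is not visible here. The profile body continues past this hunk.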
--- a/apparmor.d/profiles-m-r/pollinate +++ /dev/null @@ -1,48 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pollinate -profile pollinate @{exec_path} { - include - include - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/curl rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-query rpx, - @{bin}/hostname rix, - @{bin}/logger rix, - @{bin}/systemd-detect-virt rPx, - @{bin}/xxd rix, - - /etc/cloud/build.info r, - /etc/default/pollinate r, - /etc/lsb-release r, - /etc/pollinate/{,**} r, - - owner /var/cache/pollinate/seeded w, - - owner /tmp/pollinate.@{rand12}/{,**} rw, - - @{PROC}/uptime r, - - /dev/urandom w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index 0bbd727ae..ba9d813c2 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest @@ -21,6 +21,7 @@ profile popularity-contest @{exec_path} { ptrace (read), @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, @{bin}/env rix, @@ -41,7 +42,7 @@ profile popularity-contest @{exec_path} { /var/lib/ r, /var/lib/dpkg/info/{,*.list} r, /var/log/ r, - /var/log/popularity-contest.@{int} w, + /var/log/popularity-contest.[0-9]* w, /var/log/popularity-contest.new w, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index e4e923159..fe4e35724 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -13,7 +13,6 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include - include capability dac_read_search, capability net_admin, 
@@ -28,20 +27,17 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { /var/lib/power-profiles-daemon/{,**} rw, - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply:* r, @{sys}/bus/ r, @{sys}/bus/platform/devices/ r, @{sys}/class/ r, - @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/**/status r, @{sys}/devices/**/power_supply/*/scope r, @{sys}/devices/**/uevent r, @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r, + @{sys}/devices/system/cpu/*_pstate/status r, @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw, @{sys}/devices/system/cpu/cpufreq/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index 8a6a2982e..c6d309a94 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail 
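Review bot: The trailing comments explaining what the `@{run}/udev/data/+platform:*` and `+power_supply:*` rules are for were dropped together with the drm rules, leaving the surviving udev rules undocumented; the removed text (`# Identifies onboard devices (laptop/board model, power controllers, thermal sensors)` and `# For power supply devices (batteries, AC adapters, USB chargers)`) still applies and should be kept on those two lines. The rest of the hunk is a tightening (`**/status` to `*_pstate/status`) and reads fine. The profile body extends outside this hunk.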
@@ -8,29 +8,28 @@ abi , include @{name} = proton-mail "Proton Mail" -@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* -profile protonmail @{exec_path} flags=(attach_disconnected) { +profile protonmail @{exec_path} flags=(complain) { include + include + include include - include network inet stream, network inet dgram, network inet6 dgram, network netlink raw, - ptrace read peer=protonmail//&xdg-settings, + ptrace read peer=xdg-settings, @{exec_path} mrix, - #aa:stack X xdg-settings - @{bin}/xdg-settings rPx -> protonmail//&xdg-settings, - @{open_path} Px -> child-open, + @{bin}/xdg-settings Px, + @{open_path} Px -> child-open, owner @{user_config_dirs}/ibus/bus/ r, @@ -39,6 +38,7 @@ profile protonmail @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gtkprint_ppd_@{rand6} rw, include if exists + } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index a9bd819e3..4de73d718 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -5,19 +5,17 @@ # To force the use of the Gnome Keyring or Kwallet secret-service, add the # following lines in your local/protonmail-bridge-core file: # deny @{bin}/pass x, -# deny owner @{user_passwordstore_dirs}/** r, +# deny owner @{user_password_store_dirs}/** r, abi , include @{exec_path} = @{lib}/protonmail/bridge/bridge -profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { +profile protonmail-bridge-core @{exec_path} { include - include include include - include network inet dgram, network inet6 dgram, 
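Review bot: `profile protonmail @{exec_path} flags=(complain) {` turns off enforcement for a network-facing Electron client: with complain set every rule below is advisory and denials are only logged, so the `network` and `ptrace` restrictions no longer do anything. If this is a temporary measure while the xdg-settings handling is reworked, mark it with a comment (`# TODO: return to enforce mode once xdg-settings handling is settled`) so it is not shipped that way. The hunk also drops `attach_disconnected`, which Chromium-based apps usually need, so expect disconnected-path denials once enforcement returns. The profile body continues outside this hunk.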
@@ -27,16 +25,13 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/pass Cx -> pass, - - @{lib}/protonmail/bridge/bridge-gui ix, + @{bin}/pass rCx -> pass, /etc/lsb-release r, /etc/machine-id r, - /etc/os-release r, - owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r, - owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r, + owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r, + owner @{user_password_store_dirs}/protonmail-credentials/{,**} r, owner @{user_cache_dirs}/protonmail/{,**} rwk, owner @{user_config_dirs}/protonmail/{,**} rwk, @@ -45,12 +40,15 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner @{tmp}/bridge@{int} rw, + owner @{tmp}/etilqs_@{hex16} rw, + owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/ r, @{PROC}/1/cgroup r, @{PROC}/sys/net/core/somaxconn r, - deny owner @{user_passwordstore_dirs}/** r, + deny @{bin}/pass x, + deny owner @{user_password_store_dirs}/** r, profile pass { include @@ -72,13 +70,12 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { @{bin}/tail rix, @{bin}/tree rix, @{bin}/tty rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, - owner @{user_passwordstore_dirs}/ r, - owner @{user_passwordstore_dirs}/.gpg-id r, - owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} rw, - owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} rw, - deny owner @{user_passwordstore_dirs}/**/ r, + owner @{user_password_store_dirs}/ r, + owner @{user_password_store_dirs}/.gpg-id r, + owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw, + deny owner @{user_password_store_dirs}/**/ r, /dev/tty rw, diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/profiles-m-r/ps similarity index 98% rename from apparmor.d/groups/procps/ps rename to apparmor.d/profiles-m-r/ps index 7663cbf5d..1d9ae50cb 100644 
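Review bot: Adding `deny @{bin}/pass x,` to the main profile makes the `@{bin}/pass rCx -> pass,` transition earlier in the same profile dead, because deny rules take precedence over allow rules in AppArmor, so the `profile pass` child this hunk opens can never be entered and the pass-based credential store stops working. It also contradicts the header comment, which tells users to add exactly this deny in their `local/` override to force the Gnome Keyring or KWallet backend. Drop the baked-in deny (keeping `deny owner @{user_password_store_dirs}/** r,` in the parent is still fine) or, if pass support is being removed on purpose, remove the child profile and update the header comment. The `pass` child profile continues past this hunk.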
--- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/profiles-m-r/ps @@ -34,7 +34,6 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/cmdline r, @{PROC}/@{pids}/task/@{tid}/stat r, diff --git a/apparmor.d/profiles-m-r/ps-mem b/apparmor.d/profiles-m-r/ps-mem index 08b286b5a..da5753161 100644 --- a/apparmor.d/profiles-m-r/ps-mem +++ b/apparmor.d/profiles-m-r/ps-mem @@ -17,7 +17,7 @@ profile ps-mem @{exec_path} { ptrace (read), @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, diff --git a/apparmor.d/groups/cap/pscap b/apparmor.d/profiles-m-r/pscap similarity index 100% rename from apparmor.d/groups/cap/pscap rename to apparmor.d/profiles-m-r/pscap diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 2ff7b4e71..33435fa8d 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -18,7 +18,6 @@ profile psi @{exec_path} { include include include - include include include include @@ -35,7 +34,7 @@ profile psi @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, @@ -55,6 +54,7 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, + owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index f72147cc6..32c05e55b 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -18,7 +18,6 @@ profile psi-plus @{exec_path} { include include include - include include include include 
@@ -35,7 +34,7 @@ profile psi-plus @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx, + @{bin}/lsb_release rPx -> lsb_release, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, @@ -55,6 +54,7 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, + owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/utils/pstree b/apparmor.d/profiles-m-r/pstree similarity index 100% rename from apparmor.d/groups/utils/pstree rename to apparmor.d/profiles-m-r/pstree diff --git a/apparmor.d/groups/shadow/pwck b/apparmor.d/profiles-m-r/pwck similarity index 91% rename from apparmor.d/groups/shadow/pwck rename to apparmor.d/profiles-m-r/pwck index 456a15af4..0c9e1ac0a 100644 --- a/apparmor.d/groups/shadow/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/pwck +@{exec_path} = @{bin}/pwck profile pwck @{exec_path} flags=(attach_disconnected) { include include @@ -16,8 +16,7 @@ profile pwck @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - @{etc_ro}/login.defs r, - + /etc/login.defs r, /etc/.pwd.lock wk, /etc/passwd rw, /etc/passwd.@{int} rw, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile deleted file mode 100644 index 105264ec2..000000000 --- a/apparmor.d/profiles-m-r/pycompile +++ /dev/null 
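Review bot: `/etc/login.defs r,` replaces `@{etc_ro}/login.defs r,`, which narrows the rule on distributions that keep vendor defaults under a second etc-like root covered by `@{etc_ro}`; pwck would then be denied reading login.defs there. If the variable is being retired across the tree this is consistent, otherwise keep the `@{etc_ro}` form. The profile body continues past this hunk.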
@@ -1,52 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean -profile pycompile @{exec_path} flags=(attach_disconnected,complain) { - include - include - include - include - - capability dac_override, - capability dac_read_search, - - @{exec_path} mr, - @{python_path} rix, - - @{bin}/dpkg rCx -> dpkg, - - @{lib}/@{python_name}/**/__pycache__/ w, - @{lib}/@{python_name}/**/__pycache__/*.pyc w, - @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, - - /usr/share/python3/{,**} r, - - / r, - @{bin}/ r, - - profile dpkg { - include - include - include - - capability dac_read_search, - - @{bin}/dpkg mr, - @{bin}/dpkg-query rpx, - - /etc/dpkg/dpkg.cfg.d/{,*} r, - /etc/dpkg/dpkg.cfg r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index e0d430443..a5fcbb91e 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -10,8 +10,10 @@ include @{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include + include include include + include include include include @@ -27,7 +29,7 @@ profile qbittorrent @{exec_path} { include include - signal send set=(term, kill) peer=qbittorrent//python, + signal send set=(term, kill) peer=qbittorrent//python3, network inet dgram, network inet6 dgram, @@ -66,7 +68,7 @@ profile qbittorrent @{exec_path} { @{exec_path} mr, @{open_path} rPx -> child-open, - @{python_path} rCx -> python, # For "search engine" + @{bin}/python3.@{int} rCx -> python, # For "search engine" # Allowed apps to open @{bin}/ebook-viewer rPx, 
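Review bot: The signal rule now targets `peer=qbittorrent//python3`, but the search-engine child is still entered with `@{bin}/python3.@{int} rCx -> python,` (visible in the following hunk), so the child profile is named `qbittorrent//python` and the `term`/`kill` signals qbittorrent sends to stop a search will be denied. Either keep `signal send set=(term, kill) peer=qbittorrent//python,` or rename the transition to `rCx -> python3` together with the `profile python` definition. The profile body continues outside this hunk.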
@@ -127,9 +129,9 @@ profile qbittorrent @{exec_path} { network inet6 stream, network netlink raw, - @{python_path} r, + @{bin}/python3.@{int} r, - owner @{user_share_dirs}/{,data/}qBittorrent/nova@{int}/{,**} rw, + owner @{user_share_dirs}/{,data/}qBittorrent/nova[0-9]/{,**} rw, owner @{user_torrents_dirs}/** r, diff --git a/apparmor.d/profiles-m-r/qdbus b/apparmor.d/profiles-m-r/qdbus index 6816079ac..fa67bad97 100644 --- a/apparmor.d/profiles-m-r/qdbus +++ b/apparmor.d/profiles-m-r/qdbus @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/qdbus @{lib}/qt{5,6}/bin/qdbus profile qdbus @{exec_path} { include - include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index f8fd84d3f..7e63560ec 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -6,39 +6,41 @@ abi , include -@{exec_path} = @{sbin}/qemu-ga @{bin}/qemu-ga #aa:lint ignore=sbin +@{exec_path} = @{bin}/qemu-ga profile qemu-ga @{exec_path} { include + include + + capability mknod, + capability net_admin, + capability sys_ptrace, + + network inet stream, + network inet6 stream, + network netlink raw, + + ptrace (read) peer=@{p_systemd}, + + unix type=stream addr=@@{udbus}/bus/shutdown/system, + + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind @{exec_path} mr, - @{bin}/systemctl Cx -> systemctl, + @{bin}/systemctl rix, /etc/qemu/qemu-ga.conf r, - owner @{run}/qga.state rw, - owner @{run}/qga.state.@{rand6} rw, + owner @{run}/qga.state* rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/sys/vm/max_map_count r, + @{PROC}/sys/vm/max_map_count r, + owner @{PROC}/@{pid}/net/dev r, /dev/vport@{int}p@{int} rw, - profile systemctl { - include - include - - capability net_admin, - - unix type=stream addr=@@{udbus}/bus/shutdown/system, - - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - - include if exists - } - include if exists } 
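Review bot: Folding the `systemctl` child profile back into the main one is a least-privilege regression: `@{bin}/systemctl rix,` now runs systemctl with the full main-profile rule set, which this hunk also grows with `capability mknod,`, `capability sys_ptrace,`, `network inet stream,`, `network inet6 stream,` and `ptrace (read) peer=@{p_systemd},`, whereas before only `capability net_admin` and the login1 D-Bus talk lived in the child. A guest agent that executes host-requested commands is a natural pivot point, so keeping `@{bin}/systemctl rCx -> systemctl,` with the child's minimal rules would be preferable. If the merge is intentional, each new capability should carry a trailing comment naming the guest command that needs it, as is done for similar grants elsewhere in this tree.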
diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 73b8f7488..89395f8b5 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -18,7 +18,6 @@ profile quiterss @{exec_path} { include include include - include include include @@ -48,6 +47,7 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, + owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/rdmsr b/apparmor.d/profiles-m-r/rdmsr index 81f43b3e6..47dd9beab 100644 --- a/apparmor.d/profiles-m-r/rdmsr +++ b/apparmor.d/profiles-m-r/rdmsr @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/rdmsr +@{exec_path} = @{bin}/rdmsr profile rdmsr @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 80e58fd7c..f59880046 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina 
@@ -10,47 +10,41 @@ include profile remmina @{exec_path} { include include - include + include include include + include + include include - include + include + include + include include include include - include include include - include - include include - include include network inet stream, network inet6 stream, - network inet dgram, - network inet6 dgram, network netlink raw, - #aa:dbus own bus=session name=org.remmina.Remmina interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.remmina.Remmina #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - @{exec_path} rm, - - @{open_path} rPx -> child-open-browsers, + @{exec_path} r, /usr/share/remmina/{,**} r, /usr/share/themes/{,**} r, - /etc/fstab r, + /etc/timezone r, /etc/ssh/ssh_config r, /etc/ssh/ssh_config.d/{,*} r, - /etc/timezone r, - owner @{HOME}/@{XDG_SSH_DIR}/config r, - owner @{HOME}/@{XDG_SSH_DIR}/known_hosts r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{user_cache_dirs}/org.remmina.Remmina/{,**} rw, owner @{user_cache_dirs}/remmina/{,**} rw, @@ -64,9 +58,6 @@ profile remmina @{exec_path} { owner @{run}/user/@{uid}/keyring/ssh rw, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, - include if exists } diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index 5ad84fb15..a1fd7b3b3 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -27,7 +27,7 @@ profile repo @{exec_path} { @{bin}/curl rix, @{bin}/env rix, @{bin}/git rix, - @{python_path} rix, + @{bin}/python3.@{int} rix, @{bin}/uname rix, @{lib}/git{,-core}/git* rix, diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 38d482326..7b28a1d22 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs 
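Review bot: `owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,` widens the previous `config` and `known_hosts` reads to every file in the SSH directory, including all private keys, for an application that also holds `network inet stream`; if Remmina needs a key for SSH tunnels, an explicit `owner @{HOME}/@{XDG_SSH_DIR}/id_* r,` next to the two original rules keeps the exposure bounded. In the same hunk `@{exec_path} rm,` became `@{exec_path} r,`, dropping the `m` an ELF binary needs to map its own text, so the profile will likely deny remmina's own start-up once enforced; the convention elsewhere in this tree is `@{exec_path} mr,`. The profile body continues past this hunk.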
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/resize2fs +@{exec_path} = @{bin}/resize2fs profile resize2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index 8e39c7620..c050ce970 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/resolvconf +@{exec_path} = @{bin}/resolvconf profile resolvconf @{exec_path} { include include @@ -26,7 +26,7 @@ profile resolvconf @{exec_path} { @{bin}/systemctl rCx -> systemctl, @{lib}/resolvconf/list-records rix, - @{lib}/resolvconf/{,**} r, + /usr/lib/resolvconf/{,**} r, @{etc_rw}/resolv.conf.bak rw, @{etc_rw}/resolv.conf rw, diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill index c65298b27..041a03e07 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/profiles-m-r/rfkill @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/rfkill +@{exec_path} = @{bin}/rfkill profile rfkill @{exec_path} { include @@ -15,8 +15,8 @@ profile rfkill @{exec_path} { /dev/rfkill rw, - @{sys}/devices/@{pci}/rfkill@{int}/{name,type} r, - @{sys}/devices/platform/**/rfkill/rfkill@{int}/{name,type} r, + @{sys}/devices/@{pci}/rfkill[0-9]/{name,type} r, + @{sys}/devices/platform/**/rfkill/rfkill[0-9]/{name,type} r, include if exists } diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 2e548d40c..8ae73c5d0 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -7,12 +7,11 @@ abi , include -@{exec_path} = @{sbin}/rngd +@{exec_path} = @{bin}/rngd profile rngd @{exec_path} flags=(attach_disconnected) { include include include - include capability dac_read_search, capability net_admin, @@ -25,6 +24,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/conf.d/rngd r, /etc/machine-id r, + /etc/{,opensc/}opensc.conf r, /var/lib/dbus/machine-id r, @{sys}/devices/virtual/misc/hw_random/rng_available r, 
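Review bot: `/usr/lib/resolvconf/{,**} r,` hard-codes the library directory while the exec rule directly above it, `@{lib}/resolvconf/list-records rix,`, still goes through the `@{lib}` tunable, so the two rules can disagree about which directory is meant on a layout where `@{lib}` does not resolve to `/usr/lib`. Keeping `@{lib}/resolvconf/{,**} r,` makes the read and exec rules consistent. The enclosing `profile resolvconf` block continues outside the hunk.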
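Review bot: `rfkill[0-9]` matches a single digit only, so `rfkill10` and above no longer match either sysfs rule and the `{name,type}` reads are denied on machines with more than ten rfkill devices, whereas the replaced `rfkill@{int}` form presumably had no such cut-off. If the narrowing is deliberate it deserves a comment; otherwise `@{sys}/devices/@{pci}/rfkill@{int}/{name,type} r,` and the matching `platform/**` line should stay. The sensors hunk further down introduces the same single-digit pattern (`in[0-9]_label`, `in[0-9]_min`, `in[0-9]_max`) and has the same limit.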
diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index c5e5ac051..b4ae4b211 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -7,32 +7,33 @@ abi , include -@{exec_path} = @{sbin}/rsyslogd +# Debugging the syslogger can be difficult if it can't write to the file +# that the kernel is logging denials to. In these cases, you can do the +# following: +# watch -n 1 'dmesg | tail -5' + +@{exec_path} = @{bin}/rsyslogd profile rsyslogd @{exec_path} { include - include + include - capability dac_override, - capability dac_read_search, - capability setgid, + capability chown, # For creating new log files and changing their owner/group + capability net_admin, # For remote logs + capability setgid, # For downgrading privileges capability setuid, capability sys_nice, - capability sys_tty_config, capability syslog, - network inet dgram, - network inet6 dgram, - - signal receive set=hup peer=@{p_systemd}, - @{exec_path} mr, - @{sh_path} mr, @{lib}/@{multiarch}/rsyslog/*.so mr, /etc/rsyslog.conf r, /etc/rsyslog.d/{,**} r, + /etc/CA/*.crt r, + /etc/CA/*.key r, + /var/log/** rw, /var/spool/rsyslog/ r, /var/spool/rsyslog/** rw, @@ -45,7 +46,6 @@ profile rsyslogd @{exec_path} { @{PROC}/cmdline r, @{PROC}/kmsg r, @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, include if exists } diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index 68837a52d..d3a88d78a 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -23,6 +23,11 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.RealtimeKit1 + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, # When applying policies to processes 
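Review bot: The new side keeps `capability net_admin, # For remote logs` but the same hunk removes `network inet dgram,` and `network inet6 dgram,`, leaving a capability justified by remote logging with no network rule that would let rsyslogd open a socket for it; either the network rules come back (stream as well if TLS is in play, given the new `/etc/CA/*.crt r,`) or the capability and its comment should go. `/etc/CA/*.key r,` grants the daemon read access to what the path suggests is CA private key material; if only a server certificate and key are needed for TLS, point the rule at that pair and keep the CA key out of the profile. Dropping `signal receive set=hup peer=@{p_systemd},` also means a `systemctl reload` would be denied unless one of the includes now provides it; the include targets are not legible in this rendering, so that cannot be confirmed here.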
diff --git a/apparmor.d/profiles-m-r/rtkitctl b/apparmor.d/profiles-m-r/rtkitctl index 733573d6b..9417c93b1 100644 --- a/apparmor.d/profiles-m-r/rtkitctl +++ b/apparmor.d/profiles-m-r/rtkitctl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/rtkitctl +@{exec_path} = @{bin}/rtkitctl profile rtkitctl @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index e5d44e13a..c20b305e1 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -4,6 +4,12 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only +# TODO: Rewrite this profile. Most of the rule should be confined directly by the calling profile +# Possible confinement depending of profile architecture: +# - As rix, +# - As rCx -> run-parts, +# - As rPx -> foo-run-parts, + abi , include @@ -19,7 +25,7 @@ profile run-parts @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{sbin}/anacron rix, + @{bin}/anacron rix, @{bin}/cat rix, @{bin}/date rix, @{bin}/nice rix, @@ -32,7 +38,6 @@ profile run-parts @{exec_path} { /etc/anacrontab r, /etc/conf.d/snapper{,**} r, /etc/default/* r, - /etc/profile.d/{,**} r, /etc/snapper/configs/root r, # Crontab 
@@ -107,24 +112,36 @@ profile run-parts @{exec_path} { # Motd /etc/update-motd.d/ r, - /etc/update-motd.d/* rPx, + /etc/update-motd.d/* rCx -> motd, # Kernel - /etc/kernel/{,header_}postinst.d/ r, - /etc/kernel/{,header_}postinst.d/* rPx, + /etc/kernel/header_postinst.d/ r, + /etc/kernel/header_postinst.d/dkms rCx -> kernel, + + /etc/kernel/postinst.d/ r, + /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel, + /etc/kernel/postinst.d/dkms rCx -> kernel, + /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, + /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, + /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, + /etc/kernel/postinst.d/zz-shim rCx -> kernel, + /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, + /etc/kernel/postrm.d/ r, - /etc/kernel/postrm.d/* rPx, + /etc/kernel/postrm.d/initramfs-tools rCx -> kernel, + /etc/kernel/postrm.d/zz-update-grub rCx -> kernel, + /etc/kernel/preinst.d/ r, - /etc/kernel/preinst.d/* rPx, + /etc/kernel/preinst.d/intel-microcode rCx -> kernel, + /etc/kernel/prerm.d/ r, - /etc/kernel/prerm.d/* rPx, + /etc/kernel/prerm.d/dkms rCx -> kernel, - # Finalrd /usr/share/finalrd/ r, - /usr/share/finalrd/mdadm.finalrd rPUx, - /usr/share/finalrd/open-iscsi.finalrd rPUx, + /usr/share/finalrd/mdadm.finalrd rPUx, + /usr/share/finalrd/open-iscsi.finalrd rPUx, - /usr/share/landscape/landscape-sysinfo.wrapper rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPUx, /root/ r, 
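Review bot: `/usr/share/landscape/landscape-sysinfo.wrapper rPUx,` downgrades the previous `rPx`: the `U` fallback runs the wrapper unconfined whenever no matching profile is loaded, so a missing or renamed landscape profile becomes a silent loss of confinement instead of a denial. If a landscape-sysinfo profile exists in the tree, `rPx` should stay; if it was removed, a comment on the rule saying so makes the fallback a conscious choice. The enclosing `profile run-parts` block starts before and ends after the hunk.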
@@ -134,12 +151,108 @@ profile run-parts @{exec_path} { owner @{tmp}/$anacron@{rand6} rw, owner @{tmp}/file@{rand6} rw, - owner @{sys}/class/power_supply/ r, - - @{run}/motd.dynamic.new w, + owner @{sys}/class/power_supply/ r, /dev/tty@{int} rw, + profile motd { + include + include + + @{sh_path} rix, + @{bin}/{e,}grep rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/find rix, + @{bin}/head rix, + @{bin}/id rix, + @{bin}/sort rix, + @{bin}/tr rix, + @{bin}/uname rix, + + @{bin}/snap rPUx, + @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, + @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, + @{lib}/update-notifier/update-motd-reboot-required rix, + /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, + /usr/share/update-notifier/notify-updates-outdated rPx, + + / r, + /etc/default/motd-news r, + /etc/lsb-release r, + /etc/update-motd.d/* r, + + /var/cache/motd-news rw, + /var/lib/update-notifier/updates-available r, + /var/lib/ubuntu-advantage/messages/motd-esm-announce r, + + @{run}/motd.d/{,*} r, + + @{PROC}/@{pids}/mounts r, + + /dev/tty@{int} rw, + + include if exists + } + + profile kernel { + include + include + include + + capability sys_module, + + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{,m,g}awk rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cut rix, + @{bin}/dirname rix, + @{bin}/kmod rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/which{,.debianutils} rix, + + @{bin}/apt-config rPx, + @{bin}/dkms rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/systemd-detect-virt rPx, + @{bin}/update-alternatives rPx, + @{bin}/update-grub rPUx, + @{bin}/update-initramfs rPx, + @{lib}/dkms/dkms_autoinstaller rPx, + + @{lib}/modules/*/updates/ w, + @{lib}/modules/*/updates/dkms/ w, + + /etc/kernel/header_postinst.d/* r, + /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, + + # For shell pwd + / r, + /boot/ r, + + 
/etc/apt/apt.conf.d/ r, + /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, + /etc/modprobe.d/ r, + /etc/modprobe.d/*.conf r, + + @{run}/reboot-required w, + @{run}/reboot-required.pkgs rw, + + @{PROC}/devices r, + @{PROC}/cmdline r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/runit-helper b/apparmor.d/profiles-m-r/runit-helper deleted file mode 100644 index 94b3816c9..000000000 --- a/apparmor.d/profiles-m-r/runit-helper +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/runit-helper/runit-helper -profile runit-helper @{exec_path} { - include - - @{exec_path} mr, - - @{bin}/mkdir rix, - - @{run}/runit/ rw, - @{run}/runit/supervise/ w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 4bd569955..9931c07fb 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/runuser +@{exec_path} = @{bin}/runuser profile runuser @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 3e6791ddc..004c29d64 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -10,7 +10,9 @@ include profile rustdesk @{exec_path} { include include + include include + include include include include @@ -34,7 +36,7 @@ profile rustdesk @{exec_path} { @{bin}/ls rix, @{bin}/sudo rCx -> sudo, - @{python_path} rCx -> python, + @{bin}/python3.@{int} rCx -> python, @{sh_path} rCx -> shell, /etc/gdm{,3}/custom.conf r, @@ -62,7 +64,7 @@ profile rustdesk @{exec_path} { include @{bin}/rustdesk rPx, - @{python_path} rPx -> rustdesk//python, + @{bin}/python3.@{int} rPx -> rustdesk//python, include if exists } 
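Review bot: The new `profile kernel` subprofile grants `capability sys_module,` and runs `@{bin}/kmod rix,` inside that same subprofile, so every hook script under `/etc/kernel/*.d/` that it executes through `@{sh_path} rix,` inherits the ability to load kernel modules; confining kmod through its own profile (`@{bin}/kmod rPx,`, if the tree has one) and dropping `sys_module` from the subprofile keeps that capability out of arbitrary hook scripts. `@{bin}/update-grub rPUx,` in the same subprofile and `@{bin}/snap rPUx,` in `profile motd` fall back to unconfined when no profile is loaded; for a tool that rewrites the bootloader configuration, `rPx` with an explicit dependency on the update-grub profile is the safer default. The enclosing `profile run-parts` block starts before the hunk.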
@@ -74,11 +76,11 @@ profile rustdesk @{exec_path} { capability dac_read_search, capability dac_override, - @{python_path} r, + @{bin}/python3.@{int} r, @{sh_path} rix, @{bin}/chmod rix, - @{bin}/uname rix, + @{bin}/uname rPx, /usr/share/rustdesk/files/pynput_service.py rix, /usr/share/[rR]ust[dD]esk/files/{,**} r, diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index 3552b6dc0..de55bf829 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader @@ -39,8 +39,6 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index e6c231df3..38336fbc7 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/YACReaderLibrary profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include include include include diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs index aaf34d49c..dab3593b6 100644 --- a/apparmor.d/profiles-s-z/s3fs +++ b/apparmor.d/profiles-s-z/s3fs @@ -38,7 +38,10 @@ profile s3fs @{exec_path} { profile fusermount { include - include + include + + capability dac_read_search, + capability sys_admin, network inet stream, network inet6 stream, @@ -49,11 +52,19 @@ profile s3fs @{exec_path} { umount @{MOUNTS}/, umount @{MOUNTS}/*/, + @{bin}/fusermount{,3} mr, + + /etc/fuse.conf r, + @{MOUNTS}/ r, @{MOUNTS}/*/ r, owner @{tmp}/s3fstmp.* rw, + @{PROC}/@{pids}/mounts r, + + /dev/fuse rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index a4fdbac88..4c5d62597 100644 --- a/apparmor.d/profiles-s-z/sbctl 
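Review bot: `@{PROC}/@{pids}/mounts r,` in the fusermount subprofile allows reading the mount table of any process, while the rest of this diff scopes per-process proc reads with `owner @{PROC}/@{pid}/mounts r,` (see the snap hunk); if fusermount only consults its own mount table, `owner @{PROC}/@{pid}/mounts r,` is the narrower form. `/dev/fuse rw,` and `@{bin}/fusermount{,3} mr,` are the expected additions for a fusermount child and look fine. The enclosing `profile s3fs` block starts before the hunk.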
+++ b/apparmor.d/profiles-s-z/sbctl @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/sbctl profile sbctl @{exec_path} { include - include capability dac_read_search, capability linux_immutable, @@ -25,9 +24,6 @@ profile sbctl @{exec_path} { /{boot,efi}/EFI/{,**} rw, /{boot,efi}/vmlinuz-linux* rw, @{lib}/fwupd/efi/{,**} rw, - @{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw, - - @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/db-@{uuid} rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @@ -35,6 +31,8 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, + /dev/pts/@{int} rw, + # File Inherit deny network inet stream, deny network inet6 stream, diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync index 9c3f6d9df..51016373d 100644 --- a/apparmor.d/profiles-s-z/secure-time-sync +++ b/apparmor.d/profiles-s-z/secure-time-sync @@ -23,7 +23,7 @@ profile secure-time-sync @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/curl rix, @{bin}/date rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/id rPx, @{bin}/sed rix, diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index ca2d43a65..fd839099e 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors 
@@ -18,12 +18,19 @@ profile sensors @{exec_path} { /etc/sensors.d/{,*} r, /etc/sensors3.conf r, - @{sys}/bus/i2c/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-*/name r, + @{sys}/devices/**/hwmon*/{,**/} r, + @{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r, + @{sys}/devices/**/hwmon*/{name,temp*,*_input} r, + @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r, + @{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r, + @{sys}/devices/**/hwmon/hwmon@{int}/fan@{int}_{label,max,min} r, + @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/**/hwmon*/{,**} r, + @{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r, + @{sys}/devices/virtual/hwmon/hwmon@{int}/ r, + @{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r, # file_inherit deny @{PROC}/@{pid}/net/dev r, diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index d21cf6f56..e3eca4e22 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/sensors-detect +@{exec_path} = @{bin}/sensors-detect profile sensors-detect @{exec_path} { include include @@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index 4fd9dff69..4817f330a 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop 
@@ -7,7 +7,6 @@ abi , include @{name} = {S,s}ession -@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -16,9 +15,10 @@ include profile session-desktop @{exec_path} { include include + include + include include include - include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index 019e89e23..72c9b8a93 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -16,7 +16,6 @@ profile setpci @{exec_path} flags=(complain) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/** r, - @{sys}/devices/@{pci}/config w, include if exists } diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb index 7fdfddcbb..6c9a3fe62 100644 --- a/apparmor.d/profiles-s-z/setvtrgb +++ b/apparmor.d/profiles-s-z/setvtrgb @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/setvtrgb +@{exec_path} = @{bin}/setvtrgb profile setvtrgb @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 05ab2273f..0009d52cb 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/sfdisk +@{exec_path} = @{bin}/sfdisk profile sfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index 4e68816d7..ecc6abcdb 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/sgdisk +@{exec_path} = @{bin}/sgdisk profile sgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 53f3d20b1..b905e8f3a 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop 
@@ -8,24 +8,20 @@ abi , include @{name} = signal-desktop{,-beta} -@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} @{config_dirs} = @{user_config_dirs}/Signal{,?Beta} @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile signal-desktop @{exec_path} flags=(attach_disconnected) { +profile signal-desktop @{exec_path} { include include - include + include + include include - include include - include - include - include + include include - include network inet dgram, network inet6 dgram, @@ -33,19 +29,31 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - ptrace read peer=signal-desktop//&xdg-settings, - @{exec_path} mrix, - @{lib_dirs}/chrome_crashpad_handler rix, - @{lib_dirs}/chrome-sandbox rPx, + @{bin}/getconf rix, + @{open_path} rPx -> child-open-strict, #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, - @{open_path} rPx -> child-open-strict, + + audit @{lib_dirs}/chrome-sandbox rPx, + @{lib_dirs}/chrome_crashpad_handler rix, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/vmstat r, + + /dev/tty rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan deleted file mode 100644 index a005708db..000000000 --- a/apparmor.d/profiles-s-z/simple-scan +++ /dev/null 
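Review bot: `audit @{lib_dirs}/chrome-sandbox rPx,` emits an audit record on every allowed execution of the sandbox helper, which is a steady source of log noise for a desktop application; if the qualifier exists to trace sandbox launches while the profile is being developed, a comment saying so (or dropping `audit` before merge) would make the intent clear. `@{PROC}/@{pid}/fd/ r,` lacks the `owner` qualifier the rest of this diff uses for per-process proc entries (e.g. `owner @{PROC}/@{pid}/mounts r,` in snap); `owner @{PROC}/@{pid}/fd/ r,` is the tighter form. The cgroup reads are already scoped to `user-@{uid}.slice`, which is good; the enclosing `profile signal-desktop` block starts before the hunk.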
@@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/simple-scan -profile simple-scan @{exec_path} { - include - include - include - include - - network inet dgram, - network inet6 dgram, - network netlink raw, - - @{exec_path} mr, - - @{open_path} rPx -> child-open-help, - - /usr/share/snmp/{,**} r, - - /etc/sane.d/{,**} r, - - @{sys}/bus/scsi/devices/ r, - @{sys}/devices/virtual/dmi/id/board_name r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/board_version r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - - @{PROC}/scsi/scsi r, - - /dev/video@{int} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box index 1890510ae..9f395735e 100644 --- a/apparmor.d/profiles-s-z/sing-box +++ b/apparmor.d/profiles-s-z/sing-box @@ -12,6 +12,7 @@ include profile sing-box @{exec_path} { include include + include capability net_bind_service, diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp deleted file mode 100644 index 740af9b7b..000000000 --- a/apparmor.d/profiles-s-z/slurp +++ /dev/null @@ -1,25 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/slurp -profile slurp @{exec_path} { - include - include - include - - @{exec_path} mr, - - /usr/share/icons/{,**} r, - - # often used in combination with grim screen cature tool - owner /dev/shm/grim-@{rand6} rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl index d025d160b..4af40c8ab 100644 --- a/apparmor.d/profiles-s-z/smartctl +++ b/apparmor.d/profiles-s-z/smartctl 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/smartctl +@{exec_path} = @{bin}/smartctl profile smartctl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index 60a77a782..d0f9c28fd 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{sbin}/smartd +@{exec_path} = @{bin}/smartd profile smartd @{exec_path} { include include diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/profiles-s-z/snap similarity index 52% rename from apparmor.d/groups/snap/snap rename to apparmor.d/profiles-s-z/snap index 9530b8594..aa1f6b2b8 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/profiles-s-z/snap @@ -6,34 +6,24 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{bin_dirs}/snap -profile snap @{exec_path} flags=(attach_disconnected) { +profile snap @{exec_path} { include include include include include include - include - capability chown, - capability dac_override, capability dac_read_search, capability setuid, capability sys_admin, - capability sys_ptrace, - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, network netlink raw, - ptrace read peer=snap.*, - unix (send, receive) type=stream peer=(label=apt), mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, 
@@ -42,34 +32,22 @@ profile snap @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.Settings - #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.* #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" - #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.portal.Documents member=GetMountPoint peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mrix, - @{sh_path} mr, @{bin}/mount rix, @{bin}/getent rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-run rCx -> run, # Start snap from the cli - @{bin}/unsquashfs rCx -> unsquashfs, - @{bin}/xdg-settings rCx -> xdg-settings, - @{bin_dirs}/xdelta3 ix, - @{lib_dirs}/** mr, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snapd rPx, @@ -81,16 +59,9 @@ profile snap @{exec_path} flags=(attach_disconnected) { /var/cache/snapd/names r, @{DESKTOP_HOME}/snap/{,**} rw, + @{HOME}/snap/{,**} rw, /snap/{,**} rw, - @{HOME}/ r, - @{HOME}/.snap.mkdir-new/ rw, - @{HOME}/.snap/{,**} rw, - @{HOME}/snap/{,**} rw, - - @{user_pkg_dirs}/** r, - - owner @{tmp}/read-file@{int}/unpack/{,**} w, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, 
@@ -102,27 +73,21 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, @{run}/snapd.socket rw, - @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/security/apparmor/features/{,**} r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/cgroups r, @{PROC}/cmdline r, @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/version r, - @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, /dev/ttyS@{int} rw, - /apparmor/.null rw, - - # file_inherit, safe to deny - deny owner @{user_share_dirs}/gvfs-metadata/* r, - deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + deny @{user_share_dirs}/gvfs-metadata/* r, profile gpg { include 
@@ -139,78 +104,19 @@ profile snap @{exec_path} flags=(attach_disconnected) { include if exists } - profile xdg-settings { - include - include - - @{bin}/xdg-settings mr, - - @{sh_path} r, - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat ix, - @{bin}/cut rix, - @{bin}/head ix, - @{bin}/mkdir ix, - @{bin}/mktemp ix, - @{bin}/mv ix, - @{bin}/readlink ix, - @{bin}/realpath rix, - @{bin}/rm ix, - @{bin}/sed ix, - @{bin}/sleep ix, - @{bin}/sort ix, - @{bin}/touch ix, - @{bin}/tr ix, - @{bin}/uname ix, - @{bin}/wc ix, - - @{bin}/xdg-mime Px, - - include if exists - } - - profile run { - include - - unix bind type=stream addr=@@{udbus}/bus/systemd-run/, - - @{bin}/systemd-run mr, - - owner @{run}/user/@{uid}/systemd/private rw, - - include if exists - } - profile systemctl { include include include - capability net_admin, - network unix stream, - network (send receive) netlink raw, - @{run}/systemd/notify w, owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/private rw, include if exists } - profile unsquashfs { - include - - @{bin}/unsquashfs mr, - - /**.snap r, - - owner /tmp/read-file@{int}/unpack/{,**} w, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd b/apparmor.d/profiles-s-z/snap-bootstrap similarity index 53% rename from apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd rename to apparmor.d/profiles-s-z/snap-bootstrap index b18bd6bd5..95cc306fc 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd +++ b/apparmor.d/profiles-s-z/snap-bootstrap 
@@ -6,13 +6,13 @@ abi , include -@{exec_path} = @{lib}/systemd/system-environment-generators/snapd-env-generator -profile systemd-generator-environment-snapd @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{lib}/snapd/snap-bootstrap +profile snap-bootstrap @{exec_path} { include @{exec_path} mr, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/snap/snap-device-helper b/apparmor.d/profiles-s-z/snap-device-helper similarity index 100% rename from apparmor.d/groups/snap/snap-device-helper rename to apparmor.d/profiles-s-z/snap-device-helper diff --git a/apparmor.d/groups/snap/snap-discard-ns b/apparmor.d/profiles-s-z/snap-discard-ns similarity index 88% rename from apparmor.d/groups/snap/snap-discard-ns rename to apparmor.d/profiles-s-z/snap-discard-ns index 0ccb3f1c7..f1f6f9d67 100644 --- a/apparmor.d/groups/snap/snap-discard-ns +++ b/apparmor.d/profiles-s-z/snap-discard-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-discard-ns profile snap-discard-ns @{exec_path} { @@ -20,7 +20,6 @@ profile snap-discard-ns @{exec_path} { umount @{run}/snapd/ns/*.mnt, @{exec_path} mr, - @{lib_dirs}/**.so* mr, / r, @{run}/ r, diff --git a/apparmor.d/groups/snap/snap-failure b/apparmor.d/profiles-s-z/snap-failure similarity index 89% rename from apparmor.d/groups/snap/snap-failure rename to apparmor.d/profiles-s-z/snap-failure index bed3a2d12..a4f89f558 100644 --- a/apparmor.d/groups/snap/snap-failure +++ b/apparmor.d/profiles-s-z/snap-failure @@ -6,14 +6,13 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-failure profile snap-failure @{exec_path} { include @{exec_path} mr, - @{lib_dirs}/**.so* mr, @{bin}/systemctl rCx -> systemctl, @{lib_dirs}/snapd/snapd rPx, 
diff --git a/apparmor.d/groups/procps/pidof b/apparmor.d/profiles-s-z/snap-repair similarity index 53% rename from apparmor.d/groups/procps/pidof rename to apparmor.d/profiles-s-z/snap-repair index 3413eb6c3..fe9be759a 100644 --- a/apparmor.d/groups/procps/pidof +++ b/apparmor.d/profiles-s-z/snap-repair @@ -1,18 +1,18 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = @{bin}/pidof -profile pidof @{exec_path} { +@{exec_path} = @{lib}/snapd/snap-repair +profile snap-repair @{exec_path} { include @{exec_path} mr, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp similarity index 64% rename from apparmor.d/groups/snap/snap-seccomp rename to apparmor.d/profiles-s-z/snap-seccomp index 90c1724be..6b0917f8a 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/profiles-s-z/snap-seccomp @@ -6,19 +6,18 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp -profile snap-seccomp @{exec_path} flags=(attach_disconnected) { +profile snap-seccomp @{exec_path} { include include include - capability dac_read_search, - network netlink raw, @{exec_path} mr, + @{lib_dirs}/**.so* mr, @{bin}/getent rix, @@ -27,11 +26,7 @@ profile snap-seccomp @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/mountinfo r, - /apparmor/.null rw, - - # file_inherit, safe to deny - deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, - deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } 
diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns similarity index 70% rename from apparmor.d/groups/snap/snap-update-ns rename to apparmor.d/profiles-s-z/snap-update-ns index 5d08a4240..3ce5bfdd4 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-update-ns profile snap-update-ns @{exec_path} { @@ -18,46 +18,30 @@ profile snap-update-ns @{exec_path} { network netlink raw, - mount -> @{efi}/, + mount -> /boot/, mount -> /snap/**, mount -> /tmp/.snap/**, mount -> /usr/**, mount -> /var/lib/dhcp/, - umount @{lib}/@{multiarch}/webkit2gtk-@{version}/, umount /snap/**, - umount /tmp/.snap/**, - umount /usr/share/xml/iso-codes/, umount /var/lib/dhcp/, + umount @{lib}/@{multiarch}/webkit2gtk-@{version}/, + umount /usr/share/xml/iso-codes/, @{exec_path} mr, - @{lib_dirs}/**.so* mr, @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, - - /usr/share/xml/ r, - /usr/share/xml/iso-codes/ rw, + /usr/share/xml/iso-codes/ w, /var/lib/snapd/mount/{,*} r, / r, /tmp/ r, - @{lib}/ r, - /usr/ r, - /usr/local/ r, - /usr/local/share/ r, - /usr/local/share/doc/ rw, - /usr/local/share/fonts/ rw, - /usr/share/ r, - /usr/share/drirc.d w, - /usr/share/X11/ r, - /usr/share/X11/XErrorDB w, owner /snap/{,**} rw, owner /var/ rw, - owner /var/lib/ rw, - owner /var/lib/snapd/ rw, owner /var/snap/ rw, owner /var/snap/**/ rw, @@ -68,7 +52,6 @@ profile snap-update-ns @{exec_path} { @{sys}/fs/cgroup/{,**/} r, @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.scope/cgroup.freeze rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw, @{PROC}/@{pids}/cgroup r, 
diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/profiles-s-z/snapd similarity index 64% rename from apparmor.d/groups/snap/snapd rename to apparmor.d/profiles-s-z/snapd index 87e535b3f..63a1568b5 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd profile snapd @{exec_path} { @@ -34,6 +34,7 @@ profile snapd @{exec_path} { capability setuid, capability sys_admin, capability sys_ptrace, + capability sys_resource, network inet stream, network inet6 stream, 
@@ -46,45 +47,40 @@ profile snapd @{exec_path} { umount /tmp/syscheck-mountpoint-@{int}/, umount /snap/*/*/, - ptrace read peer=@{p_systemd}, - ptrace read peer=snap{,.*}, + ptrace (read) peer=snap, + ptrace (read) peer=@{p_systemd}, - signal send set=kill peer=snapd//journalctl, + unix (bind) type=stream addr=@@{udbus}/bus/systemctl/, dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager member={SetWallMessage,ScheduleShutdown} - peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), - - dbus send bus=system path=/org/freedesktop/timedate1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.timedate1), + peer=(name=org.freedesktop.login1, label=systemd-logind), @{exec_path} mrix, - @{sh_path} rix, - @{sbin}/adduser rPx, - @{sbin}/apparmor_parser rPx, - @{bin}/cp rix, - @{bin}/getent rix, - @{sbin}/groupadd rPx, - @{bin}/gzip rix, + @{bin}/adduser rPx, + @{bin}/groupadd rPx, @{bin}/hostnamectl rPx, - @{bin}/journalctl rCx -> journalctl, + @{bin}/ssh-keygen rPx, + @{bin}/useradd rPx, + + @{sh_path} rix, + @{bin}/apparmor_parser rPx, + @{bin}/cp rix, + @{bin}/gzip rix, + @{bin}/journalctl rPx, @{bin}/kmod rPx, @{bin}/mount rix, - @{sbin}/runuser rCx -> runuser, - @{bin}/ssh-keygen rPx, + @{bin}/runuser rCx -> runuser, @{bin}/sync rix, - @{bin}/systemctl rCx -> systemctl, + @{bin}/systemctl rix, @{bin}/systemd-detect-virt rPx, @{bin}/tar rix, @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/unsquashfs rix, @{bin}/update-desktop-database rPx, - @{sbin}/useradd rPx, @{bin_dirs}/fc-cache-* mr, @{bin_dirs}/snap rPUx, 
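Review bot: `@{bin}/systemctl rix,` replaces the `rCx -> systemctl` child-profile transition, so systemctl now inherits the whole snapd profile including `capability sys_admin`, `sys_ptrace` and `setuid` instead of the small rule set the child profile had; since a standalone `systemctl` profile exists in this set (the steam profile transitions to it with `rPx -> systemctl`), `@{bin}/systemctl rPx,` keeps the separation and matches the `@{bin}/journalctl rPx,` change next to it. The same hunk rewrites `@{sbin}/adduser`, `apparmor_parser`, `groupadd`, `runuser` and `useradd` to `@{bin}/...`; these binaries live under sbin on Debian-family systems, so unless `@{bin}` still expands to the sbin directories these exec rules stop matching — the substitution recurs in the snapd-apparmor, spice-vdagentd, ss, steam and steam-game-proton hunks. The D-Bus rule now pins `label=systemd-logind` in place of `label="@{p_systemd_logind}"`, which silently breaks if that profile is ever renamed or the tunable points elsewhere. The profile body continues outside the hunk.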
@@ -97,24 +93,21 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, - /usr/share/dbus-1/{system,session}.d/ rw, - /usr/share/dbus-1/{system,session}.d/snapd* rw, + /usr/share/dbus-1/{system,session}.d/{,snapd*} r, /usr/share/dbus-1/services/*snap* r, - /usr/share/polkit-1/actions/{,**} r, - /usr/share/polkit-1/actions/snap.*.policy* rw, + /usr/share/polkit-1/actions/{,**/} r, - @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, /etc/dbus-1/system.d/{,**/} r, + /etc/environment r, /etc/fstab r, /etc/mime.types r, /etc/modprobe.d/{,**/} r, /etc/modules-load.d/{,**/} r, /etc/modules-load.d/*snap* rw, - /etc/polkit-1/rules.d/{,**/} r, /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, - /etc/systemd/user/{,**/} rw, + /etc/systemd/user/{,**/} r, /etc/systemd/user/**/*snap* rw, /etc/systemd/user/*snap* rw, /etc/udev/rules.d/{,*snap*} rw, @@ -134,8 +127,8 @@ profile snapd @{exec_path} { /tmp/syscheck-mountpoint-@{int}/{,**} rw, /tmp/syscheck-squashfs-@{int} rw, - @{efi}/ r, - @{efi}/grub/grubenv r, + /boot/ r, + /boot/grub/grubenv r, / r, /home/ r, @@ -149,11 +142,9 @@ profile snapd @{exec_path} { @{run}/user/ r, @{run}/user/@{uid}/ r, - @{run}/user/@{uid}/snap.*/{,**} rw, @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, - @{run}/mount/utab.act rk, @{run}/snapd*.socket rw, @{run}/snapd/{,**} rw, @{run}/snapd/lock/*.lock rwk, 
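Review bot: In the @@ -97,24 hunk the rules for `/usr/share/dbus-1/{system,session}.d/{,snapd*}` and `/usr/share/polkit-1/actions/{,**/}` drop the `w` the old side granted for `snapd*` and `snap.*.policy*` files; if snapd still installs bus policy and polkit action files when a snap ships a D-Bus service, those writes are now denied and the failure is only visible in the audit log, so confirm with `aa-log` after installing such a snap. The same hunk hardcodes `/etc/environment r` and the @@ -134,8 hunk hardcodes `/boot/` and `/boot/grub/grubenv` where the `@{etc_ro}` and `@{efi}` tunables were used, losing the alternate locations those tunables exist for. Narrowing `/etc/systemd/user/{,**/}` from `rw` to `r` is a good tightening, since the `*snap*` rules below it keep the writes that are actually needed.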
@@ -161,15 +152,17 @@ profile snapd @{exec_path} { @{run}/systemd/private rw, @{sys}/fs/cgroup/{,*/} r, - @{sys}/fs/cgroup/*.slice/ r, - @{sys}/fs/cgroup/*.slice/{,**/} r, - @{sys}/fs/cgroup/*.slice/**/cgroup.procs r, - @{sys}/fs/cgroup/cgroup.controllers r, + @{sys}/fs/cgroup/system.slice/{,**/} r, + @{sys}/fs/cgroup/user.slice/ r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, @{sys}/kernel/kexec_loaded r, @{sys}/kernel/security/apparmor/.notify r, @{sys}/kernel/security/apparmor/features/{,**} r, @{sys}/kernel/security/apparmor/profiles r, + @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/stat r, @@ -182,62 +175,10 @@ profile snapd @{exec_path} { /dev/loop-control rw, - profile systemctl { - include - include - - capability net_admin, - capability sys_resource, - - network netlink raw, - - ptrace read peer=@{p_systemd}, - - /etc/systemd/system/{,**/} r, - /etc/systemd/system/snap* rw, - /etc/systemd/user/{,**/} rw, - /etc/systemd/user/**/*snap* rw, - /etc/systemd/user/*snap* rw, - - @{run}/systemd/notify rw, - - include if exists - } - - profile journalctl { - include - include - - capability net_admin, - capability sys_resource, - - network netlink raw, - - signal receive set=kill peer=snapd, - - @{bin}/journalctl mr, - - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - /{run,var}/log/journal/ r, - /{run,var}/log/journal/@{hex32}/{,*} r, - - @{run}/systemd/notify w, - - include if exists - } - profile runuser { include - @{sbin}/runuser mr, - - @{sh_path} ix, - @{bin}/gzip ix, - @{bin}/tar ix, - - owner @{HOME}/snap/*/{,**} r, + @{bin}/runuser mr, include if exists } 
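Review bot: The `runuser` child profile in the @@ -182,62 hunk keeps only `@{bin}/runuser mr,` plus its include, so after the `rCx -> runuser` transition runuser can no longer exec the shell, gzip or tar it previously had `ix` rules for, nor read `@{HOME}/snap/*/`; if that child is still reached, every command it runs will be denied, so either restore `@{sh_path} ix,` and friends or remove the child profile entirely. The two `cgroup.procs` rules added in the @@ -161,15 hunk sit after the `@{sys}/kernel/...` block rather than with the other `@{sys}/fs/cgroup/` rules a few lines above; moving them up keeps the file's grouping. Removing the `systemctl` and `journalctl` child profiles matches the exec changes in the earlier hunk, but note the `systemctl` child carried `ptrace read peer=@{p_systemd}` and `@{run}/systemd/notify rw`, which the inherited route now obtains from the full snapd profile instead.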
diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-listener b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener similarity index 85% rename from apparmor.d/groups/snap/snapd-aa-prompt-listener rename to apparmor.d/profiles-s-z/snapd-aa-prompt-listener index 37730ba6f..5620fc975 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-listener +++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener @@ -6,14 +6,13 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-listener profile snapd-aa-prompt-listener @{exec_path} { include @{exec_path} mrix, - @{lib_dirs}/**.so* mr, @{lib_dirs}/snapd/info r, diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-ui b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui similarity index 84% rename from apparmor.d/groups/snap/snapd-aa-prompt-ui rename to apparmor.d/profiles-s-z/snapd-aa-prompt-ui index 99dc98efe..14354cfb9 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-ui +++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui @@ -6,14 +6,13 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui profile snapd-aa-prompt-ui @{exec_path} { include @{exec_path} mrix, - @{lib_dirs}/**.so* mr, @{lib_dirs}/snapd/info r, diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor similarity index 86% rename from apparmor.d/groups/snap/snapd-apparmor rename to apparmor.d/profiles-s-z/snapd-apparmor index 47b939fa0..6d873982b 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/profiles-s-z/snapd-apparmor @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-apparmor profile snapd-apparmor @{exec_path} { 
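Review bot: Both snapd-aa-prompt-listener and snapd-aa-prompt-ui drop `@{lib_dirs}/**.so* mr,` while `@{lib_dirs}` still lists `/snap/{snapd,core}/@{int}@{lib}`; if either binary is launched from the snapd snap it links against libraries inside that snap, which the base include (covering the host `@{lib}`) presumably does not map, so this removal should be verified with a run from `/snap/snapd/` before merging. The `{,x}` narrowing in all three `@{lib_dirs}` headers is discussed on the snapd hunk above.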
@@ -15,7 +15,7 @@ profile snapd-apparmor @{exec_path} { @{exec_path} mrix, @{bin}/systemd-detect-virt rPx, - @{sbin}/apparmor_parser rPx, + @{bin}/apparmor_parser rPx, @{lib_dirs}/** mr, @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser, diff --git a/apparmor.d/groups/procps/free b/apparmor.d/profiles-s-z/snapd-core-fixup similarity index 51% rename from apparmor.d/groups/procps/free rename to apparmor.d/profiles-s-z/snapd-core-fixup index 56075ae1c..0e33aaea0 100644 --- a/apparmor.d/groups/procps/free +++ b/apparmor.d/profiles-s-z/snapd-core-fixup @@ -1,19 +1,18 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = @{bin}/free -profile free @{exec_path} { +@{exec_path} = @{lib}/snapd/snapd.core-fixup.sh +profile snapd-core-fixup @{exec_path} { include - include @{exec_path} mr, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker new file mode 100644 index 000000000..e70a5c499 --- /dev/null +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker 
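Review bot: The new snapd-core-fixup profile confines a shell script (`@{lib}/snapd/snapd.core-fixup.sh`) but grants only `@{exec_path} mr,` — there is no `@{sh_path} rix,` for the interpreter and no rules for whatever the script invokes, so under enforcement it cannot even start. At minimum add `@{sh_path} rix,` after the exec rule and fill in the remaining rules from the audit log; also `mr` on a script is unusual in this set, where scripts get `r` (compare `@{exec_path} r,` in spectre-meltdown-checker and speedtest). The `@{sbin}` → `@{bin}` change for apparmor_parser in the snapd-apparmor hunk carries the sbin caveat raised on the snapd hunk.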
@@ -0,0 +1,184 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh} +profile spectre-meltdown-checker @{exec_path} { + include + include + + # Needed to read the /dev/cpu/@{int}/msr device + capability sys_rawio, + + # Needed to read system logs + capability syslog, + + # Used by readlink + capability sys_ptrace, + ptrace (read), + + @{exec_path} r, + + @{bin}/ r, + @{bin}/{,@{multiarch}-}objdump rix, + @{bin}/{,@{multiarch}-}readelf rix, + @{bin}/{,@{multiarch}-}strings rix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{,g,m}awk rix, + @{bin}/base64 rix, + @{bin}/basename rix, + @{bin}/bunzip2 rix, + @{bin}/cat rix, + @{bin}/ccache rCx -> ccache, + @{bin}/cut rix, + @{bin}/date rix, + @{bin}/dd rix, + @{bin}/dirname rix, + @{bin}/dmesg rix, + @{bin}/find rix, + @{bin}/gunzip rix, + @{bin}/gzip rix, + @{bin}/head rix, + @{bin}/id rix, + @{bin}/iucode_tool rix, + @{bin}/kmod rCx -> kmod, + @{bin}/lzop rix, + @{bin}/mktemp rix, + @{bin}/mount rix, + @{bin}/nproc rix, + @{bin}/od rix, + @{bin}/perl rix, + @{bin}/pgrep rCx -> pgrep, + @{bin}/rdmsr rix, + @{bin}/readlink rix, + @{bin}/rm rix, + @{bin}/sed rix, + @{bin}/seq rix, + @{bin}/sort rix, + @{bin}/stat rix, + @{bin}/tail rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/unzip rix, + @{bin}/xargs rix, + @{bin}/xz rix, + @{bin}/zstd rix, + + # To fetch MCE.db from the MCExtractor project + @{bin}/wget rCx -> mcedb, + @{bin}/sqlite3 rCx -> mcedb, + owner @{tmp}/mcedb-* rw, + owner @{tmp}/smc-* rw, + owner @{tmp}/{,smc-}intelfw-*/ rw, + owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, + owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, + owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, + + owner @{HOME}/.mcedb rw, + + 
/tmp/ r, + owner @{tmp}/{config,kernel}-* rw, + + owner /dev/cpu/@{int}/cpuid r, + owner /dev/cpu/@{int}/msr rw, + owner /dev/kmsg r, + + /boot/ r, + /boot/{config,vmlinuz,System.map}-* r, + + @{sys}/devices/system/cpu/vulnerabilities/* r, + @{sys}/module/kvm_intel/parameters/ept r, + + @{PROC}/ r, + @{PROC}/config.gz r, + @{PROC}/cmdline r, + @{PROC}/kallsyms r, + @{PROC}/modules r, + + # find and denoise + @{PROC}/@{pids}/{status,exe} r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/*/ r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + # For shell pwd + /root/ r, + /etc/ r, + + profile ccache { + include + + @{bin}/ccache mr, + + @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, + @{bin}/{,@{multiarch}-}g++-[0-9]* rix, + + /media/ccache/*/** rw, + + /etc/debian_version r, + + include if exists + } + + profile pgrep { + include + include + + include if exists + } + + profile mcedb { + include + include + include + include + + deny capability net_admin, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{bin}/wget mr, + @{bin}/sqlite3 mr, + + /etc/wgetrc r, + owner @{HOME}/.wget-hsts rwk, + owner @{HOME}/.mcedb rw, + + /tmp/ r, + owner @{tmp}/{,smc-}mcedb-* rwk, + owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, + + /usr/share/publicsuffix/public_suffix_list.* r, + + include if exists + } + + profile kmod { + include + include + + capability sys_module, + + owner @{sys}/module/cpuid/** r, + owner @{sys}/module/msr/** r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher index 0267d6889..13ed65c09 100644 --- a/apparmor.d/profiles-s-z/speech-dispatcher +++ b/apparmor.d/profiles-s-z/speech-dispatcher 
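Review bot: `ptrace (read),` in the new spectre-meltdown-checker profile has no peer restriction and is paired with `capability sys_ptrace`, so the confined script and everything it runs `rix` (perl, awk, sed, xargs) may read the state of any process on the system; the comment attributes this to readlink, which suggests it only needs to resolve `/proc/@{pids}/exe` in the "find and denoise" block. Confirm from the audit log which peer is actually required and scope the rule (for example `ptrace (read) peer=unconfined,` if only host processes are involved) rather than leaving it open. The `mcedb` child profile downloads `MCE.db` with wget and parses it with sqlite3 in the same child, with `owner @{HOME}/.mcedb rw` in scope; a `# NOTE: the downloaded database is untrusted input` comment records why that child is kept separate and should stay minimal. Finally, `/tmp/ r,` is mixed with `@{tmp}/...` rules in both the main and mcedb profiles; `@{tmp}/ r,` keeps the tunable consistent.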
@@ -20,21 +20,15 @@ profile speech-dispatcher @{exec_path} { @{exec_path} mr, @{sh_path} ix, - @{lib}/speech-dispatcher-modules/* ix, @{lib}/speech-dispatcher/** r, @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, /etc/machine-id r, /etc/speech-dispatcher/{,**} r, - owner @{user_config_dirs}/speech-dispatcher/{,**} r, - owner @{run}/user/@{uid}/speech-dispatcher/ rw, owner @{run}/user/@{uid}/speech-dispatcher/** rwk, - owner /dev/shm/sem.@{rand6} rw, - owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6}, - include if exists } diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest index 7e9728fc9..f31818354 100644 --- a/apparmor.d/profiles-s-z/speedtest +++ b/apparmor.d/profiles-s-z/speedtest @@ -21,7 +21,7 @@ profile speedtest @{exec_path} { network netlink raw, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{bin}/file rix, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 2af3f99ae..04837d871 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -9,19 +9,21 @@ include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include + include include include + include include include + include include include include - include - include - include + include include + include + include include - include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime @@ -36,6 +38,7 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner @{desktop_config_dirs}/user-dirs.dirs r, + owner @{user_config_dirs}/user-dirs.dirs r, @{run}/spice-vdagentd/spice-vdagent-sock rw, @@ -44,8 +47,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/task/@{tid}/comm rw, - /dev/udmabuf rw, - include if exists } 
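Review bot: In the speech-dispatcher hunk `owner @{run}/user/@{uid}/speech-dispatcher/ rw,` is removed while `owner @{run}/user/@{uid}/speech-dispatcher/** rwk,` stays; `**` does not match the directory itself, so creating the runtime directory on first start is now denied — keep the directory rule alongside the `**` one. The same hunk drops `owner @{user_config_dirs}/speech-dispatcher/{,**} r,` and both `/dev/shm/sem.*` rules, so per-user configuration and the named POSIX semaphores the old side allowed are no longer reachable; confirm with `aa-log` that they are really unused. In the speedtest hunk `@{bin}/python3.@{int} r,` replaces `@{python_path} r,`, hardcoding a versioned interpreter path where the tunable also covers the unversioned `python3` link and alternate prefixes; the same substitution appears in steam-game-proton.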
diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 33957504c..bebfbe419 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -6,12 +6,11 @@ abi , include -@{exec_path} = @{sbin}/spice-vdagentd +@{exec_path} = @{bin}/spice-vdagentd profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include include - include capability sys_nice, @@ -25,6 +24,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, + /dev/uinput rw, /dev/vport@{int}p@{int} rw, include if exists diff --git a/apparmor.d/profiles-s-z/spotdl b/apparmor.d/profiles-s-z/spotdl deleted file mode 100644 index be31bb0d0..000000000 --- a/apparmor.d/profiles-s-z/spotdl +++ /dev/null @@ -1,40 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 tpaau-17DB -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/spotdl -profile spotdl @{exec_path} { - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - - @{exec_path} mr, - @{python_path} r, - - @{bin}/ffmpeg rPx, - @{bin}/ffprobe rPx, - - owner @{user_music_dirs}/{,**} rwk, - - owner @{HOME}/.spotdl/** rw, - - owner @{user_cache_dirs}/spotdl/{,**} rw, - owner @{user_config_dirs}/spotdl/{,**} rw, - - owner @{PROC}/@{pid}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index b04432e39..41219a4f8 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -8,8 +8,7 @@ abi , include @{name} = spotify -@{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ +@{lib_dirs} = /opt/spotify/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} 
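Review bot: `/dev/uinput rw,` added to spice-vdagentd hands the daemon a device that can synthesize keyboard and mouse events for the whole guest; that is presumably its job (forwarding client input), but the rule deserves a why-comment such as `/dev/uinput rw,  # Injects client keyboard/mouse events into the guest`, and `w` alone may suffice if the daemon never reads the device. The spotify hunk narrows `@{lib_dirs}` to `/opt/spotify/`, dropping `/usr/share/@{name}/`; packages that install under `/usr/share/spotify` lose library mapping, so confirm which install layouts are meant to be supported. The `@{sbin}/spice-vdagentd` → `@{bin}/spice-vdagentd` exec path follows the sbin caveat raised on the snapd hunk.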
@@ -17,18 +16,7 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include - include - include - include - include - include include - include - include - include - include - include - include network inet dgram, network inet6 dgram, @@ -36,30 +24,17 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell - #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Secret - member=RetrieveSecret - peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - @{exec_path} mrix, @{sh_path} mr, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{open_path} rPx -> child-open-strict, - /usr/local/lib/spotify-adblock.so mr, - /etc/machine-id r, /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, - owner @{HOME}/.tmp rw, - owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/spotify-adblock/* r, @@ -67,15 +42,18 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, - owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, - @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, + @{PROC}/@{pid}/net/unix r, owner @{PROC}/@{pid}/clear_refs w, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, + deny @{sys}/bus/ r, + deny @{sys}/bus/*/devices/ r, + deny @{sys}/class/*/ r, + deny @{sys}/devices/@{pci}/usb@{int}/** r, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 2ce6b6b4d..3b55547be 100644 --- a/apparmor.d/profiles-s-z/ss 
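Review bot: `owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,` in the @@ -67,15 hunk no longer matches the directory itself (the old `{,**}` form did), so creating the Chromium temp directory is denied; use `owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw,`. The @@ -36,30 hunk removes the `org.freedesktop.portal.Secret` `RetrieveSecret` rule together with every `#aa:dbus talk` directive, and @@ -17,18 removes most of the profile's includes, which withdraws the notification, media-key and portal access the profile had; if that is intentional, a one-line comment saying so prevents the rules being re-added from the next denial log. The added `deny @{sys}/...` lines are a reasonable way to silence noisy device probes.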
+++ b/apparmor.d/profiles-s-z/ss @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/ss +@{exec_path} = @{bin}/ss profile ss @{exec_path} { include include @@ -24,8 +24,8 @@ profile ss @{exec_path} { /etc/iproute2/{,**} r, - owner @{tmp}/*.ss rw, - owner @{HOME}/*.ss rw, + owner @{tmp}/*.ss rw, + owner @{HOME}/*.ss rw, @{sys}/fs/cgroup/{,**/} r, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/profiles-s-z/steam similarity index 93% rename from apparmor.d/groups/steam/steam rename to apparmor.d/profiles-s-z/steam index e3fcb1931..252c89869 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/profiles-s-z/steam @@ -21,12 +21,10 @@ abi , include -@{domain} = org.chromium.Chromium -@{runtime_name} = sniper soldier -@{runtime} = SteamLinuxRuntime_@{runtime_name} steam-runtime-steamrt +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} steamrt64 -@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{lib_dirs}/steam-runtime-steamrt +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{share_dirs}/steam.sh @@ -41,7 +39,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include capability sys_ptrace, @@ -70,7 +67,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{open_path} rPx -> child-open, @{bin}/getopt rix, @{bin}/journalctl rPx -> systemctl, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, 
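Review bot: The steam header hunk (@@ -21,12) removes `soldier` from `@{runtime}` and `steamrt64` / `steam-runtime-steamrt` from `@{lib_dirs}` and `@{runtime_dirs}`; any install still using the soldier container runtime or the steamrt64 layout loses coverage, and because the steam profile has no `complain` flag that shows up as hard denials. The same `{sniper,soldier}` → `sniper` narrowing is repeated in steam-fossilize, steam-game-native, steam-game-proton, steam-gameoverlayui, steam-launch, steam-launcher, steam-runtime and steam-runtime-steam-remote, so it needs one documented decision rather than nine incidental edits. The `@{sbin}/ldconfig` → `@{bin}/ldconfig` changes follow the sbin caveat raised on the snapd hunk, and the @@ -24,8 ss hunk is whitespace only.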
@@ -112,7 +109,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, - @{runtime_dirs}/pressure-vessel/@{bin}/pv-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, @{runtime_dirs}/run{,.sh} rix, @@ -178,7 +174,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/steam/** rwk, owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - owner @{tmp}/steam@{rand6} rwk, owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw, @@ -193,7 +188,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/n@{int} r, # For network interfaces + @{run}/udev/data/n@{int} r, @{sys}/ r, @{sys}/bus/ r, @@ -246,6 +241,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/input/ r, + /dev/uinput w, deny /opt/** r, @@ -279,7 +275,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/getopt rix, @{bin}/gzip rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/localedef rix, @{bin}/readlink rix, @{bin}/true rix, 
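Review bot: `/dev/uinput w,` added in the @@ -246,6 hunk lets the steam profile create virtual input devices and inject key and mouse events into any session, a notable grant for a profile that also runs game code `rix`; presumably this is Steam Input's virtual gamepad, so document it inline in the style of the udev lines, e.g. `/dev/uinput w,  # Steam Input virtual controllers`. The @@ -193,7 hunk deletes the `# For network interfaces` comment from `@{run}/udev/data/n@{int} r,` while its neighbours keep theirs; restore it, since it explains the otherwise opaque `n@{int}` pattern. Removing `@{runtime_dirs}/pressure-vessel/@{bin}/pv-* rix,` is consistent with the runtime narrowing discussed on the header hunk.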
@@ -296,8 +292,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/host/@{lib}/** rix, @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr, - @{share_dirs}/config/htmlcache/WidevineCdm/**/linux_*/libwidevinecdm.so mr, - @{share_dirs}/linux{32,64}/steamclient.so mr, @{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w, @@ -308,15 +302,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/ r, /usr/local/lib/ r, /var/tmp/ r, - /home/ r, owner /bindfile@{rand6} rw, owner /var/cache/ldconfig/aux-cache* rw, owner /var/pressure-vessel/ldso/* rw, - owner @{HOME}/ r, - owner @{lib_dirs}/.cef-* wk, owner @{share_dirs}/{,**} r, @@ -326,8 +317,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{share_dirs}/public/** k, @{tmp}/ r, - owner @{tmp}/.com.valvesoftware.Steam.@{rand6} rw, - owner @{tmp}/.com.valvesoftware.Steam.@{rand6}/{,**} rw, owner @{tmp}/#@{int} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, @@ -335,7 +324,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, - owner /dev/shm/.com.valvesoftware.Steam.@{rand6} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, @@ -353,9 +341,10 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r, + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, - @{PROC}/version r, @{PROC}/@{pid}/stat r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, 
@@ -371,8 +360,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { /dev/hidraw@{int} rw, /dev/tty rw, - @{att}/dev/dri/renderD128 rw, - include if exists } @@ -383,7 +370,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability dac_override, capability dac_read_search, - capability sys_ptrace, unix receive type=stream, diff --git a/apparmor.d/groups/steam/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize similarity index 91% rename from apparmor.d/groups/steam/steam-fossilize rename to apparmor.d/profiles-s-z/steam-fossilize index a5dd65b7c..e3e7f87e2 100644 --- a/apparmor.d/groups/steam/steam-fossilize +++ b/apparmor.d/profiles-s-z/steam-fossilize @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -39,13 +39,11 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/@{pid}/statm r, + @{PROC}/@{pids}/statm r, @{PROC}/pressure/io r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - deny network inet stream, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/groups/steam/steam-game-native b/apparmor.d/profiles-s-z/steam-game-native similarity index 95% rename from apparmor.d/groups/steam/steam-game-native rename to apparmor.d/profiles-s-z/steam-game-native index ba06d56a4..ca80801d7 100644 --- a/apparmor.d/groups/steam/steam-game-native +++ b/apparmor.d/profiles-s-z/steam-game-native 
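Review bot: In the steam-fossilize @@ -39,13 hunk `deny network inet stream,` is removed; an explicit deny is how this profile guaranteed the shader-cache compiler has no network regardless of what its included abstractions allow, so dropping it can silently widen the profile — keep the deny unless a denial log shows fossilize genuinely needs sockets. The same hunk widens `@{PROC}/@{pid}/statm r` to `@{PROC}/@{pids}/statm r`, i.e. memory statistics of every process instead of its own; if that is needed, say why in a comment, otherwise `owner @{PROC}/@{pid}/statm r,` is the least-privilege form. Removing `capability sys_ptrace` from the steam child profile in @@ -383,7 is a good tightening; that child profile starts outside the hunk.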
@@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} diff --git a/apparmor.d/groups/steam/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton similarity index 74% rename from apparmor.d/groups/steam/steam-game-proton rename to apparmor.d/profiles-s-z/steam-game-proton index 1b094c2a3..ab82925a5 100644 --- a/apparmor.d/groups/steam/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -6,8 +6,7 @@ abi , include -@{runtime_name} = sniper soldier -@{runtime} = SteamLinuxRuntime_@{runtime_name} +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -36,24 +35,18 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{exec_path} mr, @{bin}/bwrap mrix, - @{sh_path} rix, - @{bin}/cat rix, - @{bin}/env rix, @{bin}/chmod rix, @{bin}/fc-match rix, @{bin}/getopt rix, @{bin}/gzip rix, - @{sbin}/ldconfig rix, - @{bin}/ln rix, + @{bin}/ldconfig rix, @{bin}/localedef rix, - @{bin}/mkdir rix, + @{bin}/python3.@{int} rix, @{bin}/readlink rix, - @{bin}/rm rix, @{bin}/steam-runtime-launcher-interface-@{int} rix, @{bin}/steam-runtime-system-info rix, @{bin}/steam-runtime-urlopen rix, @{bin}/true rix, - @{python_path} rix, @{open_path} rix, @{lib_dirs}/** mr, 
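Review bot: The steam-game-proton @@ -36,24 hunk removes `@{sh_path} rix`, `cat`, `env`, `ln`, `mkdir`, `rm` and `@{python_path} rix` and adds only `@{bin}/python3.@{int} rix`; Proton's launch path involves both shell and Python, so this looks like a regression, but because the profile carries `flags=(...,complain)` the denials are only logged — run a Proton title and check `aa-log` before merging. `@{bin}/python3.@{int}` also hardcodes a versioned interpreter where `@{python_path}` was used, the same change made in speedtest. The profile body continues outside the hunk.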
@@ -61,17 +54,9 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{lib}/pressure-vessel/from-host/@{lib}/** rix, @{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, - # TODO stack with steam ? rpx -> steam-game-proton&//steam, - @{runtime_dirs}/run.sh rix, - @{runtime_dirs}/@{arch}@{bin}/steam-runtime-identify-library-abi rix, - @{runtime_dirs}/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix, - @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/run.sh rix, - @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-identify-library-abi rix, - @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix, - @{app_dirs}/** mrix, - @{run}/host/@{sbin}/ldconfig rix, + @{run}/host/@{bin}/ldconfig rix, @{run}/host/@{bin}/localedef rix, @{run}/host/@{lib}/** mr, @@ -87,7 +72,6 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw, owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk, - owner @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/* rw, owner @{app_dirs}/Proton*/** rwkl, owner @{share_dirs}/*.dll r, diff --git a/apparmor.d/groups/steam/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui similarity index 95% rename from apparmor.d/groups/steam/steam-gameoverlayui rename to apparmor.d/profiles-s-z/steam-gameoverlayui index 278b47e98..0cd837135 100644 --- a/apparmor.d/groups/steam/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
@@ -49,8 +49,6 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { owner @{share_dirs}/resource/{,**} rk, owner @{share_dirs}/userdata/@{int}/{,**} rk, - owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, - owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, diff --git a/apparmor.d/groups/steam/steam-launch b/apparmor.d/profiles-s-z/steam-launch similarity index 66% rename from apparmor.d/groups/steam/steam-launch rename to apparmor.d/profiles-s-z/steam-launch index 321c9c9c5..977248c96 100644 --- a/apparmor.d/groups/steam/steam-launch +++ b/apparmor.d/profiles-s-z/steam-launch @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -22,37 +22,23 @@ profile steam-launch @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cat rix, @{bin}/cmp rix, @{bin}/cp rix, @{bin}/dirname rix, @{bin}/env rix, @{bin}/id rix, @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/rmdir rix, @{lib}/steam/steam rix, @{lib}/steam/bin_steam.sh rix, @{share_dirs}/steam.sh rPx, - @{lib_dirs}/** mr, - - @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx, - @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/* r, - @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx, /usr/ r, /usr/local/ r, owner @{share_dirs}/bootstrap.tar.xz rw, - owner @{share_dirs}/logs/ r, - owner @{share_dirs}/logs/* rwk, - - owner @{run}/user/@{uid}/srt-fifo.@{rand6}/ rw, - owner @{run}/user/@{uid}/srt-fifo.@{rand6}/fifo rw, - - owner @{PROC}/@{pid}/fd/@{int} rw, /dev/tty rw, 
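Review bot: steam-gameoverlayui drops `owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw,` while keeping the plain `/dev/shm/...` form; the profile has `flags=(attach_disconnected)` and the steam profile retains the `@{att}` variant for the same file (context in its @@ -178,7 hunk), so if `@{att}` is the attach prefix for disconnected paths the overlay is denied that shared-memory segment whenever it is spawned from a detached mount namespace. The steam-launch @@ -22,37 hunk removes `@{lib_dirs}/** mr,`, the `srt-logger rix` rule and every `logs/` and `srt-fifo` rule; the steam profile still executes srt-logger (context in its @@ -112,7 hunk), so if the launcher is still wrapped by it these removals surface as denials on startup. Drop the whole group only after confirming against the audit log.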
diff --git a/apparmor.d/groups/steam/steam-launcher b/apparmor.d/profiles-s-z/steam-launcher similarity index 94% rename from apparmor.d/groups/steam/steam-launcher rename to apparmor.d/profiles-s-z/steam-launcher index e73b30d1a..0bd8c67d3 100644 --- a/apparmor.d/groups/steam/steam-launcher +++ b/apparmor.d/profiles-s-z/steam-launcher @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} diff --git a/apparmor.d/groups/steam/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime similarity index 91% rename from apparmor.d/groups/steam/steam-runtime rename to apparmor.d/profiles-s-z/steam-runtime index 543324c0f..2a3e839ff 100644 --- a/apparmor.d/groups/steam/steam-runtime +++ b/apparmor.d/profiles-s-z/steam-runtime @@ -6,8 +6,7 @@ abi , include -@{runtime_name} = sniper soldier -@{runtime} = SteamLinuxRuntime_@{runtime_name} +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
@@ -51,17 +50,16 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { @{lib}/ r, @{lib_dirs}/ r, - owner @{HOME}/ r, owner @{HOME}/.steam/steam.pipe r, owner @{app_dirs}/*/ r, owner @{app_dirs}/config/config.vdf{,.*} rw, owner @{app_dirs}/@{runtime}/** r, owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk, - owner @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/** rwk, + owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk, owner @{app_dirs}/@{runtime}/var/** rwk, owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**, - owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/**, + owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**, owner @{share_dirs}/config/config.vdf{,.*} rw, owner @{share_dirs}/steamapps/appmanifest_* rw, @@ -80,7 +78,6 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/steam/steam-runtime-steam-remote b/apparmor.d/profiles-s-z/steam-runtime-steam-remote similarity index 94% rename from apparmor.d/groups/steam/steam-runtime-steam-remote rename to apparmor.d/profiles-s-z/steam-runtime-steam-remote index b7d5f2b15..93a93e892 100644 --- a/apparmor.d/groups/steam/steam-runtime-steam-remote +++ b/apparmor.d/profiles-s-z/steam-runtime-steam-remote @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} 
diff --git a/apparmor.d/groups/steam/steamerrorreporter b/apparmor.d/profiles-s-z/steamerrorreporter similarity index 93% rename from apparmor.d/groups/steam/steamerrorreporter rename to apparmor.d/profiles-s-z/steamerrorreporter index d438c604d..27fe69be9 100644 --- a/apparmor.d/groups/steam/steamerrorreporter +++ b/apparmor.d/profiles-s-z/steamerrorreporter @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -34,6 +34,8 @@ profile steamerrorreporter @{exec_path} flags=(attach_disconnected) { owner @{tmp}/dumps/ r, owner @{tmp}/dumps/*_log.txt rw, + owner @{PROC}/@{pid}/status r, + include if exists } diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index ae22e1f1d..6a337a66b 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -21,7 +21,6 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include @@ -69,8 +68,9 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/kdsingleapp-*-strawberry w, - owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, + owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w, + owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, owner @{tmp}/strawberry*[0-9] w, diff --git a/apparmor.d/groups/utils/su b/apparmor.d/profiles-s-z/su similarity index 61% rename from apparmor.d/groups/utils/su rename to apparmor.d/profiles-s-z/su index e5293021c..02a212150 100644 
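Review bot: The two rewritten lock rules in the strawberry hunk bind the profile to one local account: `owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w,` and `owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk,` only match when the running user is literally `daemonspudguy`, so on any other machine the single-instance lock is denied and the application is left to cope without it. This reads like a value copied straight from one developer's audit log rather than a deliberate restriction; the `owner` qualifier already limits the match to the caller's own files, so a user-agnostic pattern such as `owner @{tmp}/kdsingleapp-*-strawberry w,` (and the same glob on the `.lock` line) is the safe form. The newly added `owner @{tmp}/etilqs_@{hex16} rw,` is fine as written.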
--- a/apparmor.d/groups/utils/su +++ b/apparmor.d/profiles-s-z/su @@ -8,26 +8,25 @@ abi , include @{exec_path} = @{bin}/su -profile su @{exec_path} flags=(attach_disconnected) { +profile su @{exec_path} { include include include - include #aa:only RBAC capability chown, # pseudo-terminal - signal send set=(term kill), - signal receive set=(int quit term), - signal receive set=(cont hup) peer=sudo, + signal (send) set=(term,kill), + signal (receive) set=(int,quit,term), + signal (receive) set=(cont,hup) peer=sudo, + + unix (bind) type=dgram, @{exec_path} mr, - @{bin}/@{shells} Ux, #aa:exclude RBAC - @{sbin}/nologin Px, + @{bin}/@{shells} rUx, + @{bin}/nologin rPx, @{etc_ro}/default/su r, - /etc/default/locale r, - /etc/environment r, @{HOME}/.xauth@{rand6} rw, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index b2074ba04..1e6748235 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -21,9 +21,15 @@ profile sudo @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - ptrace read, + ptrace (read), - signal send set=(winch, hup, term), + signal (send,receive) peer=cockpit-bridge, + signal (send) peer=@{p_systemd}, + signal (send) set=(cont,hup,winch) peer=su, + signal (send) set=(winch) peer=child-pager, + signal (send) set=(winch) peer=journalctl, + signal (send) set=(winch) peer=pacman, + signal (send) set=(winch, hup, term) peer=rpm, @{bin}/@{shells} rUx, @{lib}/** PUx, diff --git a/apparmor.d/groups/utils/sulogin b/apparmor.d/profiles-s-z/sulogin similarity index 80% rename from apparmor.d/groups/utils/sulogin rename to apparmor.d/profiles-s-z/sulogin index 2af869dab..556808aeb 100644 --- a/apparmor.d/groups/utils/sulogin +++ b/apparmor.d/profiles-s-z/sulogin 
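Review bot: The shells rule in the su hunk, `@{bin}/@{shells} rUx,`, still hands every shell spawned by su to the unconfined domain, but it has lost the `#aa:exclude RBAC` marker and the `#aa:only RBAC` include that previously scoped that decision; if those markers drive which rules the RBAC build receives, that build now also gets an unconfined transition, which defeats its purpose. Restoring the marker, or at least a comment such as `# shells are unconfined on purpose; the RBAC build must override this`, keeps the intent next to the rule. The hunk also drops `/etc/default/locale r,` and `/etc/environment r,`; if pam_env is still loaded on the targets this profile is built for, those reads will reappear as denials on the first su. The new `unix (bind) type=dgram,` carries no `addr=` restriction, which is broader than the rest of this profile's rules.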
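Review bot: Two of the new signal rules in the sudo hunk carry no `set=`, so `signal (send,receive) peer=cockpit-bridge,` and `signal (send) peer=@{p_systemd},` permit every signal, including kill and stop, in the named direction; the neighbouring rules for su, child-pager, journalctl, pacman and rpm each name the signals they need, and these two should do the same. Unless cockpit-bridge genuinely needs arbitrary signals from sudo, a form like `signal (send,receive) set=(<signals seen in the audit log>) peer=cockpit-bridge,` matches the rest of the block, and the systemd line should be narrowed the same way. The profile body continues outside the hunk.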
@@ -6,15 +6,12 @@ abi , include -@{exec_path} = @{sbin}/sulogin +@{exec_path} = @{bin}/sulogin profile sulogin @{exec_path} { include - include include - capability checkpoint_restore, capability sys_admin, - capability sys_tty_config, @{exec_path} mr, @@ -25,6 +22,9 @@ profile sulogin @{exec_path} { @{PROC}/consoles r, + /dev/ r, + /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index f812fc570..c0b940478 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -6,8 +6,7 @@ abi , include -@{name} = super{p,P}roductivity Super?Productivity -@{domain} = org.chromium.Chromium +@{name} = super{p,P}roductivity @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -16,15 +15,8 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include - include - include - include - include - include - include - include + include include - include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/utils/swaplabel b/apparmor.d/profiles-s-z/swaplabel similarity index 93% rename from apparmor.d/groups/utils/swaplabel rename to apparmor.d/profiles-s-z/swaplabel index 16abf153d..05dc5783a 100644 --- a/apparmor.d/groups/utils/swaplabel +++ b/apparmor.d/profiles-s-z/swaplabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/swaplabel +@{exec_path} = @{bin}/swaplabel profile swaplabel @{exec_path} { include include diff --git a/apparmor.d/groups/utils/swapon b/apparmor.d/profiles-s-z/swapon similarity index 92% rename from apparmor.d/groups/utils/swapon rename to apparmor.d/profiles-s-z/swapon index dd4aec8e2..83d2c6a3b 100644 --- a/apparmor.d/groups/utils/swapon +++ b/apparmor.d/profiles-s-z/swapon 
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/swapon @{sbin}/swapoff +@{exec_path} = @{bin}/swapon @{bin}/swapoff profile swapon @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/swayimg b/apparmor.d/profiles-s-z/swayimg deleted file mode 100644 index a3ed158b1..000000000 --- a/apparmor.d/profiles-s-z/swayimg +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/swayimg -profile swayimg @{exec_path} { - include - include - include - include - - @{exec_path} mr, - - owner @{user_config_dirs}/swayimg/** r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index eecb98b28..e1b9ab7de 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -12,7 +12,6 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include capability net_admin, - capability sys_admin, capability sys_nice, network netlink raw, diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm index 369046b6b..783e58237 100644 --- a/apparmor.d/profiles-s-z/swtpm +++ b/apparmor.d/profiles-s-z/swtpm @@ -14,10 +14,10 @@ profile swtpm @{exec_path} { @{exec_path} mr, - /var/log/swtpm/libvirt/qemu/*-swtpm.log w, + /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, + /var/lib/libvirt/swtpm/@{uuid}/tpm2/*.permall rw, - owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, - owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/* rw, + /var/log/swtpm/libvirt/qemu/*-swtpm.log w, /tmp/.swtpm_setup.pidfile.* rw, /tmp/@{int}/.lock rwk, diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index 5795ddfcc..08ee1532e 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup 
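Review bot: The swtpm hunk drops the `owner` qualifier on the TPM state rules: `/var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk,` and `/var/lib/libvirt/swtpm/@{uuid}/tpm2/*.permall rw,` now let a swtpm instance open and write the persistent state of any emulated TPM under that directory regardless of which user owns it, where the previous rules only covered files the process itself owns. The `.permall` blob holds the emulated TPM's persistent state, so confinement to the owner's files is what keeps one VM's swtpm from touching another's. Narrowing `*` to `*.permall` is good; keep `owner` on both lines unless the swtpm process runs under a uid different from the file owner, in which case a comment saying so belongs on the rule.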
@@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} { /var/log/swtpm/{,**} w, /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r, - owner @{tmp}/.swtpm_setup.pidfile.@{rand6} rw, - owner @{tmp}/swtpm_setup.certs.@{rand6}/ w, - owner @{tmp}/swtpm_setup.certs.@{rand6}/*.cert rw, + owner @{tmp}/swtpm_setup.certs.*/ w, + owner @{tmp}/swtpm_setup.certs.*/*.cert rw, + owner @{tmp}/.swtpm_setup.pidfile* rw, include if exists } diff --git a/apparmor.d/groups/utils/sync b/apparmor.d/profiles-s-z/sync similarity index 100% rename from apparmor.d/groups/utils/sync rename to apparmor.d/profiles-s-z/sync diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index fc30c5fd6..821a3fd63 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -15,7 +15,7 @@ profile syncoid @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/mbuffer rix, @{bin}/perl rix, @{bin}/ps rPx, @@ -25,6 +25,8 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, + @{PROC}/@{pids}/maps r, + include if exists } diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index d504b0c15..f668f5a00 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -10,10 +10,7 @@ include @{exec_path} = @{bin}/syncthing profile syncthing @{exec_path} { include - include - include include - include include network inet dgram, 
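Review bot: The syncoid hunk adds `@{PROC}/@{pids}/maps r,`, which matches the memory map of every process on the system rather than syncoid's own; the kernel still applies its ptrace access check for foreign processes, but within this profile the rule is far wider than the `owner @{PROC}/@{pid}/...` pattern used elsewhere in the diff. If the denial that prompted it was perl reading its own maps, `owner @{PROC}/@{pid}/maps r,` is the precise rule. The enclosing profile body continues outside the hunk.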
@@ -27,21 +24,22 @@ profile syncthing @{exec_path} { @{open_path} rPx -> child-open, @{bin}/ip rix, - @{HOME}/ r, - @{HOME}/** rwk, + /usr/share/mime/{,**} r, + + /etc/mime.types r, + + owner @{HOME}/ r, + owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk, + owner @{user_config_dirs}/syncthing/{,**} rwk, + owner @{user_state_dirs}/syncthing/{,**} rwk, /home/ r, @{user_sync_dirs}/{,**} rw, @{PROC}/@{pids}/net/route r, - @{PROC}/bus/pci/devices r, - @{PROC}/modules r, - @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/statm r, include if exists } diff --git a/apparmor.d/groups/procps/sysctl b/apparmor.d/profiles-s-z/sysctl similarity index 92% rename from apparmor.d/groups/procps/sysctl rename to apparmor.d/profiles-s-z/sysctl index 9275c7054..849aeb687 100644 --- a/apparmor.d/groups/procps/sysctl +++ b/apparmor.d/profiles-s-z/sysctl @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{sbin}/sysctl +@{exec_path} = @{bin}/sysctl profile sysctl @{exec_path} { include include @@ -22,9 +22,7 @@ profile sysctl @{exec_path} { /etc/sysctl.conf r, /etc/sysctl.d/{,**} r, - @{lib}/sysctl.d/{,**} r, - - /etc/ufw/sysctl.conf r, # Add support for ufw + /usr/lib/sysctl.d/{,**} r, @{PROC}/sys/ r, @{PROC}/sys/** rw, @@ -33,6 +31,8 @@ profile sysctl @{exec_path} { deny network inet6 stream, deny network inet stream, + /etc/ufw/sysctl.conf r, # Add support for ufw + include if exists } diff --git a/apparmor.d/profiles-s-z/sysstat-sa b/apparmor.d/profiles-s-z/sysstat-sa deleted file mode 100644 index 9dcc199bc..000000000 --- a/apparmor.d/profiles-s-z/sysstat-sa +++ /dev/null 
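Review bot: The sysctl hunk replaces the variable form with a literal path, `/usr/lib/sysctl.d/{,**} r,`, while the rest of this diff keeps library paths behind `@{lib}` (for example `@{lib}/sysstat/...` and `@{lib}/udev/...`); where the variable expands to more than one prefix, the literal rule silently covers fewer locations. Unless the variable is unavailable in this profile, `@{lib}/sysctl.d/{,**} r,` is the consistent spelling. Moving `/etc/ufw/sysctl.conf r, # Add support for ufw` below the deny rules is harmless, since rule order does not affect evaluation.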
@@ -1,38 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/sysstat/sa{1,2} @{lib}/sysstat/debian-sa{1,2} -profile sysstat-sa @{exec_path} { - include - include - - @{exec_path} mr, - @{bin}/ r, - - @{sh_path} rix, - @{bin}/date ix, - @{bin}/find ix, - @{bin}/{,e}grep ix, - @{bin}/rm ix, - @{bin}/sar.sysstat ix, - @{bin}/xargs ix, - @{lib}/sysstat/sadc Px, - - /etc/sysstat/sysstat r, - - /var/log/sysstat/ r, - /var/log/sysstat/** rw, - - @{tmp}/#@{int} rw, - - @{PROC}/@{pid}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc deleted file mode 100644 index 7d9143938..000000000 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ /dev/null 
@@ -1,52 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/sysstat/sadc -profile sysstat-sadc @{exec_path} { - include - include - - capability sys_admin, - - @{exec_path} mr, - - /etc/sensors.d/{,**} r, - /etc/sensors3.conf r, - - /var/log/sysstat/{,**} rwk, - - @{sys}/bus/i2c/devices/ r, - @{sys}/class/fc_host/ r, - @{sys}/class/hwmon/ r, - @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/net/*/duplex r, - @{sys}/devices/**/hwmon@{int}/ r, - @{sys}/devices/**/name r, - @{sys}/devices/**/net/*/duplex r, - @{sys}/devices/**/net/*/speed r, - @{sys}/devices/virtual/net/*/duplex r, - @{sys}/devices/virtual/net/*/speed r, - - @{PROC}/@{pid}/net/* r, - @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/pressure/cpu r, - @{PROC}/pressure/io r, - @{PROC}/pressure/memory r, - @{PROC}/sys/fs/dentry-state r, - @{PROC}/sys/fs/file-nr r, - @{PROC}/sys/fs/inode-state r, - @{PROC}/sys/kernel/pty/nr r, - @{PROC}/tty/driver/serial r, - @{PROC}/uptime r, - @{PROC}/vmstat r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 84f6d52d3..4db5c6f92 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -28,7 +28,7 @@ profile system-config-printer @{exec_path} flags=(complain) { @{exec_path} mrix, @{sh_path} rix, - @{python_path} r, + @{bin}/python3.@{int} r, @{lib}/cups/*/* rPUx, /usr/share/hplip/query.py rPUx, diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet index 71892b04e..0197e3c3b 100644 --- a/apparmor.d/profiles-s-z/system-config-printer-applet +++ b/apparmor.d/profiles-s-z/system-config-printer-applet 
@@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/system-config-printer-applet /usr/share/system-config-printer/applet.py profile system-config-printer-applet @{exec_path} { include - include include include @@ -20,7 +19,7 @@ profile system-config-printer-applet @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{python_path} r, + @{bin}/python3.@{int} r, /usr/share/system-config-printer/{,**} r, diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index 8a33649a0..bc2779d51 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel 
@@ -10,33 +10,75 @@ include @{exec_path} = @{bin}/tasksel profile tasksel @{exec_path} flags=(complain) { include - include + include @{exec_path} r, + @{bin}/perl r, - @{bin}/tempfile ix, - @{lib}/tasksel/tasksel-debconf ix, - @{lib}/tasksel/tests/* Cx -> tasksel-tests, + @{sh_path} rix, + @{bin}/tempfile rix, + @{lib}/tasksel/tasksel-debconf rix, + + @{lib}/tasksel/tests/* rCx -> tasksel-tests, + + # Think what to do about this (#FIXME#) + /usr/share/debconf/frontend rPx, + #/usr/share/debconf/frontend rCx -> frontend, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query px, + @{bin}/dpkg-query rpx, # - @{bin}/apt-cache Px, - @{bin}/debconf-apt-progress Px, + @{bin}/apt-cache rPx, - /usr/share/tasksel/{,**} r, + @{bin}/debconf-apt-progress rPx, + + /usr/share/tasksel/** r, + + /usr/share/debconf/confmodule r, + + owner @{tmp}/file* w, profile tasksel-tests flags=(complain) { include - @{sh_path} rix, @{lib}/tasksel/tests/* r, + @{sh_path} rix, include if exists } + profile frontend flags=(complain) { + include + include + include + include + + /usr/share/debconf/frontend r, + @{bin}/perl r, + + @{bin}/tasksel rPx, + + @{sh_path} rix, + @{bin}/stty rix, + @{bin}/locale rix, + + # The following is needed when debconf uses dialog/whiptail frontend. + @{bin}/whiptail rPx, + owner @{tmp}/file* w, + + /usr/share/debconf/confmodule r, + + /etc/debconf.conf r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /usr/share/debconf/templates/adequate.templates r, + + /etc/shadow r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index c1544af72..d967f4229 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop 
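Review bot: The new `frontend` child profile in the tasksel hunk grants `/etc/shadow r,`, which gives a debconf UI helper read access to every local password hash; nothing else in the sub-profile (templates, confmodule, the debconf cache under `/var/cache/debconf/`) explains why it would need that, and a denial there is normally a sign of a PAM or passwd lookup that belongs in a dedicated profile rather than being widened here. The transition that would reach this child, `#/usr/share/debconf/frontend rCx -> frontend,`, is commented out in favour of `/usr/share/debconf/frontend rPx,`, so the whole `profile frontend` block is currently dead code guarded only by a `# Think what to do about this (#FIXME#)` note; either remove the child or drop the shadow rule before the `rCx` line is ever re-enabled. `owner @{tmp}/file* w,` in both the parent and the child matches any file whose name starts with `file`, and a `@{rand6}`-style suffix would be tighter.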
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/telegram-desktop @{bin}/Telegram +@{exec_path} = @{bin}/telegram-desktop profile telegram-desktop @{exec_path} { include include @@ -35,11 +35,10 @@ profile telegram-desktop @{exec_path} { network netlink dgram, network netlink raw, - @{exec_path} mrix, + @{exec_path} mr, @{sh_path} rix, @{open_path} rPx -> child-open-strict, - @{bin}/systemd-detect-virt rPx, owner @{user_share_dirs}/TelegramDesktop/ rw, owner @{user_share_dirs}/TelegramDesktop/** rwlk -> @{user_share_dirs}/TelegramDesktop/**, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e8a2533b9..e5a8f80d9 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -9,8 +9,9 @@ include @{exec_path} = @{bin}/terminator profile terminator @{exec_path} flags=(attach_disconnected) { include - include + include include + include include include include @@ -26,15 +27,10 @@ profile terminator @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=net.tenshu.Terminator@{hex} - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=StartTransientUnit - peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), - @{exec_path} mr, @{bin}/ r, - @{python_path} rix, + @{bin}/python3.@{int} rix, # The shell is not confined on purpose. @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio deleted file mode 100644 index 52e9e53e6..000000000 --- a/apparmor.d/profiles-s-z/texstudio +++ /dev/null 
@@ -1,48 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/texstudio -profile texstudio @{exec_path} { - include - include - include - include - include - include - include - - @{exec_path} mr, - - @{bin}/pdflatex ix, - @{bin}/pdftex ix, - @{bin}/kpsewhich ix, - @{bin}/gsettings ix, - @{bin}/which{,.debianutils} ix, - - /usr/share/texmf-dist/{,**} r, - /usr/share/doc/texstudio/{,**} r, - /usr/share/hunspell/{,**} r, - /usr/share/texstudio/{,**} r, - /usr/share/poppler/{,**} r, - - /etc/texmf/{,**} r, - /etc/machine-id r, - - /var/lib/texmf/{,**} r, - - owner @{user_config_dirs}/texstudio/{,**} rwlk, - owner /tmp/qtsingleapp-TeXstu-** rw, - owner /tmp/qtsingleapp-TeXstu-**-lockfile rwk, - - ## silencer - deny owner /usr/share/hunspell/en_US-large.ign w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp index bb0a1c37b..33f6fe6dc 100644 --- a/apparmor.d/profiles-s-z/tftp +++ b/apparmor.d/profiles-s-z/tftp @@ -10,15 +10,9 @@ include @{exec_path} = @{bin}/tftp profile tftp @{exec_path} { include - include + include include - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - @{exec_path} mr, include if exists diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 4c27ee2ca..fe30e6da8 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -8,12 +8,12 @@ abi , include -@{exec_path} = @{sbin}/thermald +@{exec_path} = @{bin}/thermald profile thermald @{exec_path} flags=(attach_disconnected) { include include include - include + include capability sys_boot, 
@@ -24,7 +24,8 @@ profile thermald @{exec_path} flags=(attach_disconnected) { /etc/thermald/{,*} r, owner @{run}/thermald/ rw, - owner @{run}/thermald/** rw, + owner @{run}/thermald/thd_preference.conf rw, + owner @{run}/thermald/thd_preference.conf.save w, owner @{run}/thermald/thermald.pid rwk, @{sys}/class/hwmon/ r, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index da163c2ae..9a50dafa0 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name}/ @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile thunderbird @{exec_path} flags=(attach_disconnected) { +profile thunderbird @{exec_path} { include include include @@ -23,8 +23,8 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, - @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, + @{lib_dirs}/glxtest rPx, + @{lib_dirs}/vaapitest rPx, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @@ -37,9 +37,6 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { # Desktop integration @{open_path} rPx -> child-open, - # Extensions - @{bin}/SysTray-X rPUx, - /usr/share/lightning/{,**} r, owner /var/mail/** rwk, @@ -59,7 +56,6 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { owner @{tmp}/nsemail{,-@{int}}.eml rw, owner @{tmp}/nsma{,-@{int}} rw, owner @{tmp}/pid-@{pid}/{,**} w, - owner @{tmp}/remote-settings-startup-bundle- rw, /dev/urandom w, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 53fdb1ffd..626896a09 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest 
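Review bot: The thunderbird hunk at `@@ -23,8 +23,8 @@` replaces the stacked transitions `rPx -> thunderbird//&thunderbird-glxtest` and `rPx -> thunderbird//&thunderbird-vaapitest` with plain `rPx`; the stacked form enforced the intersection of both profiles for the helper, so the new `@{lib_dirs}/glxtest rPx,` and `@{lib_dirs}/vaapitest rPx,` rely entirely on the helper's own profile being tight, which is a relaxation rather than a neutral rewrite. If stacking was dropped for a tooling or kernel-support reason, a comment on those two lines would save the next reader from re-adding it. The companion hunk on this line that removes `flags=(attach_disconnected)` from the thunderbird header is fine provided no denial with a disconnected path was observed.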
@@ -11,19 +11,15 @@ include @{config_dirs} = @{HOME}/.@{name}/ @{exec_path} = @{lib_dirs}/glxtest -profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { +profile thunderbird-glxtest @{exec_path} { include include include - include include - - network netlink raw, + include @{exec_path} mr, - / r, - owner @{config_dirs}/*/.parentlock rw, owner @{tmp}/thunderbird/.parentlock rw, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 1592d3aee..153ded880 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -7,49 +7,49 @@ abi , include -@{exec_path} = @{sbin}/tlp +@{exec_path} = @{bin}/tlp profile tlp @{exec_path} flags=(attach_disconnected) { include include - include - include - include include + include + include include include capability dac_read_search, + capability net_admin, capability sys_nice, capability sys_rawio, capability sys_tty_config, network netlink raw, + ptrace read peer=unconfined, + @{exec_path} mr, @{sh_path} rix, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{sbin}/ethtool rix, + @{bin}/ethtool rix, @{bin}/flock rix, - @{bin}/{,e}grep rix, - @{sbin}/hdparm rPx, + @{bin}/grep rix, + @{bin}/hdparm rPx, @{bin}/head rix, @{bin}/id rPx, - @{sbin}/iw rPx, + @{bin}/iw rPx, @{bin}/logger rix, @{bin}/mktemp rix, @{bin}/readlink rix, @{bin}/rm rix, - @{bin}/sed rix, @{bin}/sort rix, @{bin}/systemctl rCx -> systemctl, @{bin}/touch rix, @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/uname rix, - @{bin}/timeout rix, + @{bin}/uname rpx, /usr/share/tlp/tlp-readconfs rix, / r, 
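Review bot: `@{bin}/uname rpx,` in the tlp hunk uses the lowercase `p` transition, which runs uname under its own profile without scrubbing the environment, while every other profile transition in the same block (`hdparm`, `id`, `iw`) uses `rPx` and the rule it replaces was `rix`; with no comment explaining the exception this reads as a typo for `@{bin}/uname rPx,`. The hunk also adds `ptrace read peer=unconfined,` and `capability net_admin,`; the ptrace rule lets tlp read the state of any unconfined process, so if it was added for one trigger a comment naming it is warranted, and `net_admin` presumably serves the ethtool and iw helpers, which is worth stating too. The profile body continues past the end of the hunk.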
@@ -68,23 +68,11 @@ profile tlp @{exec_path} flags=(attach_disconnected) { owner @{run}/tlp/{,**} rw, owner @{run}/tlp/lock_tlp rwk, - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+platform:* r, @{sys}/bus/pci/devices/ r, - @{sys}/bus/pci/drivers/*/ r, - @{sys}/bus/platform/devices/ r, - @{sys}/class/drm/ r, - @{sys}/class/net/ r, - @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/{,**/}power/control w, - @{sys}/devices/@{pci}/**/host@{int}/**/link_power_management_policy w, - @{sys}/devices/@{pci}/class r, - @{sys}/devices/**/net/**/uevent r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/devices/virtual/dmi/id/product_version r, - @{sys}/devices/virtual/net/**/uevent r, @{sys}/firmware/acpi/platform_profile* rw, @{sys}/firmware/acpi/pm_profile* rw, @{sys}/module/*/parameters/power_save rw, @@ -109,8 +97,6 @@ profile tlp @{exec_path} flags=(attach_disconnected) { include include - @{run}/tlp/lock_tlp rw, # file_inherit - include if exists } diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index df4258b8c..0b35cff02 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -21,14 +21,13 @@ profile tomb @{exec_path} { capability sys_rawio, signal send set=cont peer=gpg, - signal send set=cont peer=pinentry-*, ptrace read peer=@{p_systemd_user}, @{exec_path} mr, @{bin}/{,e,f}grep rix, - @{bin}/{m,g,}awk rix, + @{bin}/awk rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/chmod rix, @@ -42,13 +41,14 @@ profile tomb @{exec_path} { @{bin}/env rix, @{bin}/file rix, @{bin}/findmnt rix, + @{bin}/gawk rix, @{bin}/getent rix, @{bin}/gettext rix, - @{bin}/head rix, @{bin}/hostname rix, @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, + @{bin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, 
@@ -65,25 +65,24 @@ profile tomb @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/zsh rix, - @{sbin}/losetup rix, - @{sbin}/btrfs rPx, - @{sbin}/cryptsetup rPUx, - @{sbin}/e2fsck rPx, - @{sbin}/fsck rPx, + @{bin}/btrfs rPx, + @{bin}/cryptsetup rPUx, + @{bin}/e2fsc rPUx, + @{bin}/fsck rPx, @{bin}/gpg{,2} rPx, @{bin}/lsblk rPx, - @{sbin}/mkfs.* rPUx, + @{bin}/mkfs.* rPUx, @{bin}/mount rPx, @{bin}/pinentry rPx, @{bin}/pinentry-* rPx, @{bin}/qrencode rPx, - @{sbin}/resize2fs rPx, + @{bin}/resize2fs rPx, @{bin}/tomb-kdb-pbkdf2 rPUx, - @{sbin}/tune2fs rPx, + @{bin}/tune2fs rPx, @{bin}/umount rCx -> umount, @{bin}/updatedb.mlocate rPx, - @{sbin}/zramctl rPx, + @{bin}/zramctl rPx, /usr/share/file/** r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/procps/top b/apparmor.d/profiles-s-z/top similarity index 100% rename from apparmor.d/groups/procps/top rename to apparmor.d/profiles-s-z/top diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index ad258189c..c7c914387 100644 --- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -19,7 +19,7 @@ profile torsocks @{exec_path} { @{sh_path} rix, @{bin}/* rPUx, @{lib}/uwt/uwtexec rPUx, - @{sbin}/getcap rix, + @{bin}/getcap rix, /etc/tor/torsocks.conf r, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index d1e429d45..64ab228ba 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,11 +10,10 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include + include + include include include - include - include include network netlink raw, @@ -68,10 +67,6 @@ profile totem @{exec_path} flags=(attach_disconnected) { include capability dac_override, - capability sys_ptrace, - - network inet dgram, - network inet6 dgram, @{bin}/bwrap mr, @{bin}/totem-video-thumbnailer rix, 
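Review bot: `@{bin}/e2fsc rPUx,` in the tomb hunk looks like a typo for `e2fsck`: the old rule was `@{sbin}/e2fsck rPx,`, the sibling rules still name `fsck`, `resize2fs` and `tune2fs` in full, and `e2fsc` is not a known e2fsprogs binary, so the rule never matches and tomb's filesystem check will be denied. The same line also changes the transition from `rPx` to `rPUx`, which falls back to running the tool unconfined when its profile is not loaded; that is a separate relaxation from the path fix and, if intended, deserves its own line in the commit message. Suggested rule: `@{bin}/e2fsck rPx,`.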
@@ -83,11 +78,8 @@ profile totem @{exec_path} flags=(attach_disconnected) { owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw, owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, - owner @{tmp}/gnome-desktop-thumbnailer.png rw, @{PROC}/sys/vm/mmap_min_addr r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm w, /dev/ r, diff --git a/apparmor.d/profiles-s-z/tpacpi-bat b/apparmor.d/profiles-s-z/tpacpi-bat index b4666bb96..ee4de1e45 100644 --- a/apparmor.d/profiles-s-z/tpacpi-bat +++ b/apparmor.d/profiles-s-z/tpacpi-bat @@ -13,6 +13,7 @@ profile tpacpi-bat @{exec_path} { include @{exec_path} mr, + @{bin}/perl r, @{sh_path} rix, @{bin}/cat rix, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 9c4a8e673..2a39981df 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -9,13 +9,15 @@ include @{exec_path} = @{bin}/transmission-{gtk,qt} profile transmission @{exec_path} flags=(attach_disconnected) { include + include include + include + include include include include include include - include include include include @@ -57,7 +59,6 @@ profile transmission @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/u-d-c-print-pci-ids b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids deleted file mode 100644 index 2ae7f66ef..000000000 --- a/apparmor.d/profiles-s-z/u-d-c-print-pci-ids +++ /dev/null 
@@ -1,19 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/u-d-c-print-pci-ids -profile u-d-c-print-pci-ids @{exec_path} { - include - - @{exec_path} mr, - @{sh_path} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf deleted file mode 100644 index 47826d336..000000000 --- a/apparmor.d/profiles-s-z/ucf +++ /dev/null @@ -1,62 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2022 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ucf -profile ucf @{exec_path} { - include - include - include - include - - @{exec_path} rix, - @{sh_path} rix, - - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/getopt rix, - @{bin}/id rix, - @{bin}/md5sum rix, - @{bin}/mkdir rix, - @{bin}/mv rix, - @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/seq rix, - @{bin}/stat rix, - @{bin}/tr rix, - @{bin}/which{,.debianutils} rix, - - @{bin}/dpkg-query rpx, - @{bin}/dpkg-divert rPx, - @{pager_path} rCx -> child-pager, - - # For md5sum - /usr/share/** r, - - # For writing new config files - /etc/** rw, #aa:lint ignore=too-wide - - # For shell pwd - / r, - /root/ r, - - owner /var/lib/ucf/** rw, - - owner /tmp/tmp.@{rand10} r, - - deny capability sys_admin, # optional: no audit - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfq b/apparmor.d/profiles-s-z/ucfq deleted file mode 100644 index b6ca3e7b1..000000000 --- a/apparmor.d/profiles-s-z/ucfq +++ /dev/null 
@@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ucfq -profile ucfq @{exec_path} { - include - - @{exec_path} mr, - - @{bin}/md5sum rix, - - /etc/ r, - /etc/default/ r, - /etc/default/grub r, - - /var/lib/ucf/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr deleted file mode 100644 index 4cc149a28..000000000 --- a/apparmor.d/profiles-s-z/ucfr +++ /dev/null @@ -1,38 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/ucfr -profile ucfr @{exec_path} { - include - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/{,e}grep ix, - @{bin}/{m,g,}awk ix, - @{bin}/basename ix, - @{bin}/dirname ix, - @{bin}/getopt ix, - @{bin}/id ix, - @{bin}/readlink ix, - @{bin}/sed ix, - - /usr/share/ucf/{,**} r, - - /etc/ucf.conf r, - - / r, - - /var/lib/ucf/ r, - /var/lib/ucf/registry r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-ata_id b/apparmor.d/profiles-s-z/udev-ata_id deleted file mode 100644 index f12ed105f..000000000 --- a/apparmor.d/profiles-s-z/udev-ata_id +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/ata_id -profile udev-ata_id @{exec_path} { - include - include - - capability sys_rawio, - - @{exec_path} mr, - - /etc/udev/udev.conf r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bcache-export-cached b/apparmor.d/profiles-s-z/udev-bcache-export-cached deleted file mode 100644 index e42b10c26..000000000 --- a/apparmor.d/profiles-s-z/udev-bcache-export-cached +++ /dev/null 
@@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/bcache-export-cached -profile udev-bcache-export-cached @{exec_path} { - include - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{sbin}/bcache-super-show rix, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bridge-network-interface b/apparmor.d/profiles-s-z/udev-bridge-network-interface deleted file mode 100644 index 7e3ba52f9..000000000 --- a/apparmor.d/profiles-s-z/udev-bridge-network-interface +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/bridge-network-interface -profile udev-bridge-network-interface @{exec_path} { - include - - @{exec_path} mr, - @{sh_path} r, - - /etc/default/bridge-utils r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-cdrom_id b/apparmor.d/profiles-s-z/udev-cdrom_id deleted file mode 100644 index 552159867..000000000 --- a/apparmor.d/profiles-s-z/udev-cdrom_id +++ /dev/null @@ -1,24 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/cdrom_id -profile udev-cdrom_id @{exec_path} { - include - - capability sys_rawio, - - @{exec_path} mr, - - /etc/udev/udev.conf r, - - /dev/sr@{int} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id deleted file mode 100644 index 453e0093a..000000000 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ /dev/null 
@@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/fido_id -profile udev-fido_id @{exec_path} { - include - include - - @{exec_path} mr, - - /etc/udev/udev.conf r, - /etc/udev/udev.conf.d/{,**} r, - - @{sys}/devices/@{pci}/report_descriptor r, - @{sys}/devices/platform/**/report_descriptor r, - @{sys}/devices/virtual/**/report_descriptor r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-hdparm b/apparmor.d/profiles-s-z/udev-hdparm deleted file mode 100644 index bca98163b..000000000 --- a/apparmor.d/profiles-s-z/udev-hdparm +++ /dev/null @@ -1,28 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/hdparm -profile udev-hdparm @{exec_path} { - include - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/udevadm rPx, - - /etc/hdparm.conf r, - - @{PROC}/cmdline r, - @{PROC}/mdstat r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-probe-bcache b/apparmor.d/profiles-s-z/udev-probe-bcache deleted file mode 100644 index e02e070a8..000000000 --- a/apparmor.d/profiles-s-z/udev-probe-bcache +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{lib}/udev/probe-bcache -profile udev-probe-bcache @{exec_path} { - include - include - - capability sys_rawio, - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/groups/filesystem/udiskie b/apparmor.d/profiles-s-z/udiskie similarity index 80% rename from apparmor.d/groups/filesystem/udiskie rename to apparmor.d/profiles-s-z/udiskie index 53b726c23..014955032 100644 --- a/apparmor.d/groups/filesystem/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -11,15 +11,19 @@ include profile udiskie @{exec_path} { include include - include + include + include include - include + include + include include - include include + include + include + include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/filesystem/udiskie-info b/apparmor.d/profiles-s-z/udiskie-info similarity index 92% rename from apparmor.d/groups/filesystem/udiskie-info rename to apparmor.d/profiles-s-z/udiskie-info index b59b91472..855c5b54c 100644 --- a/apparmor.d/groups/filesystem/udiskie-info +++ b/apparmor.d/profiles-s-z/udiskie-info @@ -13,10 +13,9 @@ profile udiskie-info @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, - @{bin}/ r, - @{sbin}/ r, + /usr/bin/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/filesystem/udiskie-mount b/apparmor.d/profiles-s-z/udiskie-mount similarity index 92% rename from apparmor.d/groups/filesystem/udiskie-mount rename to apparmor.d/profiles-s-z/udiskie-mount index 3ec9e422a..a57a6091f 100644 --- a/apparmor.d/groups/filesystem/udiskie-mount +++ b/apparmor.d/profiles-s-z/udiskie-mount @@ -13,10 +13,9 @@ profile udiskie-mount @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, - @{bin}/ r, - @{sbin}/ r, + /usr/bin/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, 
diff --git a/apparmor.d/groups/filesystem/udiskie-umount b/apparmor.d/profiles-s-z/udiskie-umount similarity index 92% rename from apparmor.d/groups/filesystem/udiskie-umount rename to apparmor.d/profiles-s-z/udiskie-umount index 01271bdc6..8fe075f94 100644 --- a/apparmor.d/groups/filesystem/udiskie-umount +++ b/apparmor.d/profiles-s-z/udiskie-umount @@ -13,10 +13,9 @@ profile udiskie-umount @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, - @{bin}/ r, - @{sbin}/ r, + /usr/bin/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/filesystem/udisksctl b/apparmor.d/profiles-s-z/udisksctl similarity index 100% rename from apparmor.d/groups/filesystem/udisksctl rename to apparmor.d/profiles-s-z/udisksctl diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/profiles-s-z/udisksd similarity index 79% rename from apparmor.d/groups/filesystem/udisksd rename to apparmor.d/profiles-s-z/udisksd index 91d4a8569..9155adf84 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -19,7 +19,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability fowner, capability fsetid, - capability ipc_lock, capability net_admin, capability setgid, capability setuid, @@ -49,8 +48,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/*/, - mount fstype=vfat -> @{efi}/, - # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, mount / -> @{MOUNTS}/*/, 
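Review bot: `capability ipc_lock` is dropped from udisksd in the `@@ -19,7 +19,6` hunk with no comment, and the same file still grants `@{run}/cryptsetup/L* rwk` (visible in a later hunk), which suggests udisksd unlocks LUKS volumes itself; cryptsetup-based code paths presumably mlock() key material so it never reaches swap, and without CAP_IPC_LOCK that call fails once RLIMIT_MEMLOCK is exceeded. If the capability really is unused on the supported targets, keep that knowledge in the profile, e.g. `# no ipc_lock: key material is locked by the cryptsetup helper, not udisksd`; otherwise restore the line. The `mount fstype=vfat -> @{efi}/` removal in the `@@ -49,8 +48,6` hunk (and its `umount @{efi}/` counterpart in the next hunk) likewise loses an explicit ESP rule without a replacement, so mounting the EFI system partition through udisks would now be denied unless another rule covers it.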
@@ -59,32 +56,36 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount @{run}/udisks2/temp-mount-*/, - umount @{efi}/, umount /media/cdrom@{int}/, signal receive set=int peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.UDisks2 - #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixUser,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, @{sh_path} rix, @{bin}/umount rix, - @{sbin}/dmidecode rPx, - @{sbin}/dumpe2fs rPx, + @{bin}/dmidecode rPx, + @{bin}/dumpe2fs rPx, @{bin}/eject rPx, - @{sbin}/fsck.fat rPx, - @{sbin}/lvm rPUx, - @{sbin}/mke2fs rPx, - @{sbin}/mkfs.* rPx, + @{bin}/fsck.fat rPx, + @{bin}/lvm rPUx, + @{bin}/mke2fs rPx, + @{bin}/mkfs.* rPx, @{bin}/mount.exfat-fuse rPUx, @{bin}/ntfs-3g rPx, @{bin}/ntfsfix rPx, - @{sbin}/sfdisk rPx, - @{sbin}/sgdisk rPx, + @{bin}/sfdisk rPx, + @{bin}/sgdisk rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-escape rPx, @{bin}/xfs_* rPUx, 
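Review bot: The rewritten `#aa:dbus talk` directives use bare literal labels (`label=systemd-logind`, `label=polkitd`) while the `dbus send` rule added four lines below uses the quoted variable form `label="@{p_dbus_system}"`, and the removed lines used `label="@{p_systemd_logind}"` / `label="@{p_polkitd}"`. If the `@{p_*}` variables exist so that the peer label follows the actual profile name on each distribution, hard-coding the names silently narrows the allowed peer and makes this block diverge from the convention used in the same hunk. I'd restore `#aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"` and the PolicyKit counterpart, or add a comment stating why the literal labels are now required.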
@@ -112,24 +113,23 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, - @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI - @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+scsi:* r, + @{run}/udev/data/+vmbus:* r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @{sys}/bus/pci/slots/ r, - @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/bus/scsi/devices/ r, @{sys}/class/ r, @{sys}/class/nvme-subsystem/ r, @{sys}/class/nvme/ r, - @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}@{int}/{,**/}uevent w, - @{sys}/devices/@{pci}/{ata,usb,mmc}@{int}/{,**/}remove rw, - @{sys}/devices/@{pci}/uevent rw, + @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w, + @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw, + @{sys}/devices/@{pci}/uevent r, @{sys}/devices/**/net/*/ r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/bdi/**/read_ahead_kb r, diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/profiles-s-z/ufw similarity index 55% rename from apparmor.d/groups/firewall/ufw rename to apparmor.d/profiles-s-z/ufw index 39517ee6c..b7e5f0c79 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/profiles-s-z/ufw @@ -7,10 +7,10 @@ abi , include -@{exec_path} = @{sbin}/ufw +@{exec_path} = @{bin}/ufw profile ufw @{exec_path} flags=(attach_disconnected) { include - include + include include include 
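Review bot: `@{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w` and the `remove rw` rule below it replace `@{int}` with a single-digit class, so bus instances with two-digit numbers (`usb10`, `ata12`, which hosts with several controllers do reach) no longer match and udisksd's uevent/remove writes on those devices would be denied in enforce mode. Unless the narrowing is intentional, keep `@{int}` in both rules. The comments on the `+platform:*`, `+scsi:*` and `+vmbus:*` udev-data entries are also dropped and `+acpi:*` is reduced to `# for acpi`; since these are the rules that justify a storage daemon reading udev data for unrelated buses, I'd keep the descriptive comments.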
@@ -29,15 +29,14 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{python_path} rix, - @{sbin}/ r, - @{bin}/cat rix, - @{bin}/env r, - @{bin}/kmod rCx -> kmod, - @{lib}/ufw/ufw-init rPx, - @{sbin}/sysctl rCx -> sysctl, - @{sbin}/xtables-legacy-multi rix, - @{sbin}/xtables-nft-multi rix, + @{bin}/ r, + @{bin}/cat ix, + @{bin}/env r, + @{bin}/python3.@{int} ix, + @{bin}/sysctl ix, + @{bin}/xtables-legacy-multi ix, + @{bin}/xtables-nft-multi ix, + @{lib}/ufw/ufw-init ix, /etc/default/ufw rw, /etc/ufw/ rw, @@ -57,33 +56,6 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/** rw, @{PROC}/sys/kernel/modprobe r, - profile kmod flags=(attach_disconnected) { - include - include - - capability sys_module, - - @{sys}/module/compression r, - @{sys}/module/*/initstate r, - - include if exists - } - - profile sysctl { - include - include - - capability net_admin, - - @{sbin}/sysctl mr, - - /etc/ufw/sysctl.conf r, - - @{PROC}/sys/net/ipv{4,6}/** rw, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/utils/umount b/apparmor.d/profiles-s-z/umount similarity index 100% rename from apparmor.d/groups/utils/umount rename to apparmor.d/profiles-s-z/umount diff --git a/apparmor.d/groups/filesystem/umount.udisks2 b/apparmor.d/profiles-s-z/umount.udisks2 similarity index 91% rename from apparmor.d/groups/filesystem/umount.udisks2 rename to apparmor.d/profiles-s-z/umount.udisks2 index 752a1d5d3..4e842c7fb 100644 --- a/apparmor.d/groups/filesystem/umount.udisks2 +++ b/apparmor.d/profiles-s-z/umount.udisks2 @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/umount.udisks2 +@{exec_path} = @{bin}/umount.udisks2 profile umount.udisks2 @{exec_path} flags=(complain) { include diff --git a/apparmor.d/groups/utils/uname b/apparmor.d/profiles-s-z/uname similarity index 100% rename from apparmor.d/groups/utils/uname rename to apparmor.d/profiles-s-z/uname 
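Review bot: Changing `@{sbin}/sysctl rCx -> sysctl` and `@{lib}/ufw/ufw-init rPx` to `ix`, together with deleting the `kmod` and `sysctl` child profiles in the `@@ -57,33 +56,6` hunk, folds those helpers into the ufw profile, so sysctl and ufw-init now run with ufw's full rule set instead of the small child profiles that scoped `capability net_admin` and `capability sys_module` to one helper each. On the new side `@{bin}/kmod` has no exec rule at all, so if ufw-init still loads netfilter modules via modprobe that exec is denied unless an include covers it. Either keep the child profiles with their `rCx`/`rPx` transitions, or document the decision on the new lines, e.g. `@{bin}/sysctl ix, # inherits ufw: only touches @{PROC}/sys/net/ipv{4,6}/**`.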
diff --git a/apparmor.d/profiles-s-z/unhide-tcp b/apparmor.d/profiles-s-z/unhide-tcp index 8827bca14..c4b30b884 100644 --- a/apparmor.d/profiles-s-z/unhide-tcp +++ b/apparmor.d/profiles-s-z/unhide-tcp @@ -22,7 +22,7 @@ profile unhide-tcp @{exec_path} { @{bin}/fuser rix, @{bin}/netstat rix, @{bin}/sed rix, - @{sbin}/ss rix, + @{bin}/ss rix, @{PROC}/@{pids}/net/tcp{,6} r, @{PROC}/@{pids}/net/udp{,6} r, diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 7407a9f99..85b99b8ab 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -7,14 +7,13 @@ abi , include -@{exec_path} = @{sbin}/unix_chkpwd +@{exec_path} = @{bin}/unix_chkpwd profile unix-chkpwd @{exec_path} { include include include capability audit_write, - capability dac_read_search, # To read shadow with 000 permissions. network netlink raw, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 2d641f994..6b5607ed1 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -18,21 +18,25 @@ profile unmkinitramfs @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{archive_path} rix, @{bin}/{,e}grep rix, + @{bin}/bzip2 rix, @{bin}/cat rix, + @{bin}/cpio rix, @{bin}/dd rix, @{bin}/getopt rix, + @{bin}/gzip rix, @{bin}/lz4cat rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/rm rix, + @{bin}/xz rix, @{bin}/xzcat rix, + @{bin}/zstd rix, - @{efi}/ r, - owner @{efi}/initrd.img-* r, + /boot/ r, + owner /boot/initrd.img-* r, /tmp/ r, owner @{tmp}/initrd.img-* r, /mnt/ r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 8f08b74fa..a83e985d7 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives 
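Review bot: `capability dac_read_search` is removed from unix-chkpwd although the deleted comment states it exists to read a mode-000 `/etc/shadow`, and nothing in the hunk replaces that assumption. On targets where shadow is shipped with no permission bits, password verification for unprivileged callers would then fail under enforce mode, which is a hard-to-diagnose login regression. If the capability is no longer needed on the supported distributions, keep the reasoning next to the remaining capability line, for instance `capability audit_write, # dac_read_search dropped: shadow is 0640 root:shadow and unix_chkpwd is setgid shadow`.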
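Review bot: In unmkinitramfs `@{efi}/ r` and `owner @{efi}/initrd.img-* r` are replaced by the literal `/boot/`, and the same substitution is made in update-initramfs (`@@ -50,9 +47,9`) and updatedb-mlocate (`@@ -19,13 +19,13`), yet updatedb-mlocate's `@@ -47,7 +47,7` hunk expands the same variable to `deny /efi/ r`. Two different literals for one variable in a single commit suggests `@{efi}` covered more than one location, and hard-coding `/boot/` presumably loses the alternate path on installs where the initrd lives elsewhere. I'd keep `@{efi}` in these rules, or at least add a comment on the new lines stating why `/boot/` is the only supported location.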
@@ -12,8 +12,6 @@ profile update-alternatives @{exec_path} { include include - capability dac_override, - @{exec_path} mr, @{bin}/* w, diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index df9c08fe4..b87f60ec4 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/update-ca-certificates +@{exec_path} = @{bin}/update-ca-certificates profile update-ca-certificates @{exec_path} { include include @@ -33,7 +33,6 @@ profile update-ca-certificates @{exec_path} { @{bin}/test rix, @{bin}/trust rix, @{bin}/wc rix, - @{bin}/run-parts rix, @{lib}/ca-certificates/update.d/ r, @{lib}/ca-certificates/update.d/* rix, @@ -46,7 +45,7 @@ profile update-ca-certificates @{exec_path} { /etc/ca-certificates.conf r, /etc/ssl/certs/ca-certificates.crt{,.new} rw, /etc/ssl/certs/*.pem rw, - /etc/ssl/certs/@{hex}.@{d} rw, + /etc/ssl/certs/@{hex}.[0-9] rw, /var/lib/ca-certificates/ rwk, /var/lib/ca-certificates/** rw, diff --git a/apparmor.d/profiles-s-z/update-catalog b/apparmor.d/profiles-s-z/update-catalog deleted file mode 100644 index feac2d3c5..000000000 --- a/apparmor.d/profiles-s-z/update-catalog +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/update-catalog -profile update-catalog @{exec_path} { - include - include - - @{exec_path} mr, - - /etc/sgml/ r, - /etc/sgml/* r, - - /var/lib/sgml-base/*catalog rw, - /var/lib/sgml-base/*catalog.new rw, - /var/lib/sgml-base/*catalog.old w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index 9801f8737..f1bf99bf8 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found 
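Review bot: `capability dac_override` is dropped from update-alternatives without a note, while the context line `@{bin}/* w` shows the profile still rewrites entries under `@{bin}/`. Root needs CAP_DAC_OVERRIDE only when a target file or directory lacks the owner write bit, so this is probably fine on stock installs but will surface as a denial on systems with hardened (0555) directories under `@{bin}` or the alternatives tree. A one-line comment stating the assumption, e.g. `# no dac_override: alternatives dirs are root-owned and owner-writable`, would save the next person from guessing when that denial appears.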
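Review bot: In update-ca-certificates (`@@ -33,7 +33,6`) `@{bin}/run-parts rix` is removed while `@{lib}/ca-certificates/update.d/* rix` stays, and update-ca-certificates presumably still dispatches those hooks through run-parts; if so, the new side denies the dispatcher while leaving the hooks allowed, which is the inconsistent half of a removal. Either remove both rules or keep `@{bin}/run-parts rix, # dispatches update.d hooks`. update-initramfs in this commit (`@@ -22,20 +22,17`) has the same run-parts line removed and should be checked the same way.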
+++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -20,7 +20,7 @@ profile update-command-not-found @{exec_path} { @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{lib}/ r, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index 8f848b0ad..9bef23a77 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/update-cracklib +@{exec_path} = @{bin}/update-cracklib profile update-cracklib @{exec_path} { include include @@ -16,12 +16,12 @@ profile update-cracklib @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/cracklib-format rix, - @{sbin}/cracklib-packer rPx, + @{bin}/cracklib-format rix, + @{bin}/cracklib-packer rPx, @{bin}/env rix, @{bin}/file rix, @{bin}/find rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/gzip rix, @{bin}/install rix, @{bin}/install rix, diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index e9d92e421..c0e64f0f9 100644 --- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb @@ -26,7 +26,7 @@ profile update-dlocatedb @{exec_path} { /usr/share/dlocate/updatedb rCx -> updatedb, @{bin}/dpkg rPx -> child-dpkg, - owner @{PROC}/@{pid}/fd/@{int} w, + owner @{PROC}/@{pid}/fd/2 w, /var/lib/dlocate/dpkg-list w, @@ -39,6 +39,7 @@ profile update-dlocatedb @{exec_path} { include /usr/share/dlocate/updatedb r, + @{bin}/perl r, /etc/default/dlocate r, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir deleted file mode 100644 index dc2a0d7aa..000000000 --- a/apparmor.d/profiles-s-z/update-info-dir +++ /dev/null 
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/update-info-dir -profile update-info-dir @{exec_path} { - include - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/cp ix, - @{bin}/find ix, - @{bin}/install-info Px, - @{bin}/rm ix, - - /etc/environment r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 50f11caea..6948f2812 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/update-initramfs +@{exec_path} = @{bin}/update-initramfs profile update-initramfs @{exec_path} { include include @@ -22,20 +22,17 @@ profile update-initramfs @{exec_path} { @{bin}/cat rix, @{bin}/{m,g,}awk rix, @{bin}/getopt rix, + @{bin}/ischroot rix, @{bin}/ln rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sha1sum rix, @{bin}/sync rix, @{bin}/uname rix, - @{bin}/run-parts rix, @{bin}/dpkg-trigger rPx, - @{bin}/ischroot rPx, @{bin}/linux-version rPx, - @{sbin}/mkinitramfs rPx, - - /etc/initramfs/post-update.d/* rPUx, + @{bin}/mkinitramfs rPx, /var/lib/initramfs-tools/* w, @@ -50,9 +47,9 @@ profile update-initramfs @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{efi}/ r, - owner @{efi}/initrd.img-* rw, - owner @{efi}/initrd.img-*.dpkg-bak rwl -> @{efi}/initrd.img-*, + owner /boot/ r, + owner /boot/initrd.img-* rw, + owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*, include if exists } diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index 901dae9a0..d2e36ead0 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids 
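Review bot: In update-initramfs `@{bin}/ischroot rPx` becomes `@{bin}/ischroot rix`, so ischroot now runs under the update-initramfs profile instead of its own; the old `rPx` implies a dedicated ischroot profile exists, and inheriting here widens what a small helper can touch for no stated reason. The same hunk also drops `/etc/initramfs/post-update.d/* rPUx` without a replacement, so post-update hooks lose their exec rule entirely and will be denied if any are installed. I'd keep the `rPx` transition, or annotate the new line, e.g. `@{bin}/ischroot rix, # trivial check, no own profile needed`, and restore the post-update.d rule unless hooks are known to be unsupported.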
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/update-pciids +@{exec_path} = @{bin}/update-pciids profile update-pciids @{exec_path} { include include @@ -24,7 +24,7 @@ profile update-pciids @{exec_path} { @{bin}/chmod rix, @{bin}/echo rix, @{bin}/cat rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/bunzip2 rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index 31a03ef7b..e5ffca44f 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -7,24 +7,28 @@ abi , include -@{exec_path} = @{sbin}/update-secureboot-policy +@{exec_path} = @{bin}/update-secureboot-policy profile update-secureboot-policy @{exec_path} { include - include + include @{exec_path} rm, - @{bin}/{,m,g}awk ix, - @{bin}/dpkg-trigger Px, - @{bin}/find ix, - @{bin}/id ix, - @{bin}/od ix, - @{bin}/sort ix, - @{bin}/touch ix, - @{bin}/wc ix, + @{sh_path} rix, + @{bin}/{,m,g}awk rix, + @{bin}/dpkg-trigger rPx, + @{bin}/find rix, + @{bin}/id rix, + @{bin}/od rix, + @{bin}/sort rix, + @{bin}/touch rix, + @{bin}/wc rix, + /usr/share/debconf/frontend rPx, / r, + /usr/share/debconf/confmodule r, + /var/lib/dkms/ r, /var/lib/shim-signed/dkms-list rw, diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells deleted file mode 100644 index 5922c1a14..000000000 --- a/apparmor.d/profiles-s-z/update-shells +++ /dev/null 
@@ -1,38 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{sbin}/update-shells -profile update-shells @{exec_path} { - include - - @{exec_path} mr, - - @{sh_path} r, - @{bin}/basename ix, - @{bin}/chmod ix, - @{bin}/chown ix, - @{bin}/dirname ix, - @{bin}/dpkg-realpath rix, - @{bin}/mv ix, - @{bin}/sync ix, - @{bin}/readlink ix, - - /usr/share/debianutils/shells r, - /usr/share/debianutils/shells.d/{,**} r, - /usr/share/dpkg/sh/dpkg-error.sh r, - - /etc/shells r, - /etc/shells.tmp w, - - /var/lib/shells.state r, - /var/lib/shells.state.tmp w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 70b9bc6e2..2ce61cebf 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb +++ b/apparmor.d/profiles-s-z/update-smart-drivedb @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/update-smart-drivedb +@{exec_path} = @{bin}/update-smart-drivedb profile update-smart-drivedb @{exec_path} { include include @@ -28,7 +28,7 @@ profile update-smart-drivedb @{exec_path} { @{bin}/cmp rix, @{bin}/ r, - @{sbin}/smartctl rPx, + @{bin}/smartctl rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/wget rCx -> browse, diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index 518a8d7df..7a951b7e7 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -19,13 +19,13 @@ profile updatedb-mlocate @{exec_path} { @{exec_path} mr, - @{sbin}/on_ac_power rPx, + @{bin}/on_ac_power rPx, # For shell pwd / r, - @{efi}/ r, - @{efi}/**/ r, + /boot/ r, + /boot/**/ r, /home/ r, @{HOME}/ r, @@ -47,7 +47,7 @@ profile updatedb-mlocate @{exec_path} { /srv/**/ r, # Silence the noise - deny @{efi}/ r, + deny /efi/ r, deny /hugepages/ r, deny /lost+found/ r, deny /mnt/ r, 
diff --git a/apparmor.d/groups/procps/uptime b/apparmor.d/profiles-s-z/uptime similarity index 93% rename from apparmor.d/groups/procps/uptime rename to apparmor.d/profiles-s-z/uptime index 3da204a38..904ebe415 100644 --- a/apparmor.d/groups/procps/uptime +++ b/apparmor.d/profiles-s-z/uptime @@ -15,8 +15,6 @@ profile uptime @{exec_path} { @{exec_path} mr, - @{run}/systemd/sessions/@{int} r, - @{PROC}/uptime r, @{PROC}/loadavg r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/usb/usb-devices b/apparmor.d/profiles-s-z/usb-devices similarity index 96% rename from apparmor.d/groups/usb/usb-devices rename to apparmor.d/profiles-s-z/usb-devices index 59ff12feb..c67b78faf 100644 --- a/apparmor.d/groups/usb/usb-devices +++ b/apparmor.d/profiles-s-z/usb-devices @@ -22,7 +22,6 @@ profile usb-devices @{exec_path} { @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat rix, - @{bin}/sed rix, @{bin}/cut rix, @{bin}/find rix, @{bin}/readlink rix, diff --git a/apparmor.d/groups/usb/usbguard b/apparmor.d/profiles-s-z/usbguard similarity index 100% rename from apparmor.d/groups/usb/usbguard rename to apparmor.d/profiles-s-z/usbguard diff --git a/apparmor.d/groups/usb/usbguard-applet-qt b/apparmor.d/profiles-s-z/usbguard-applet-qt similarity index 86% rename from apparmor.d/groups/usb/usbguard-applet-qt rename to apparmor.d/profiles-s-z/usbguard-applet-qt index 558b9093c..a76398dd9 100644 --- a/apparmor.d/groups/usb/usbguard-applet-qt +++ b/apparmor.d/profiles-s-z/usbguard-applet-qt @@ -10,21 +10,22 @@ include @{exec_path} = @{bin}/usbguard-applet-qt profile usbguard-applet-qt @{exec_path} { include - include - include + include + include + include include + include include - include + include include + include + include # Needed? ptrace (read), @{exec_path} mr, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - owner @{user_config_dirs}/USBGuard/ rw, owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int}, 
@@ -36,6 +37,11 @@ profile usbguard-applet-qt @{exec_path} { owner @{PROC}/@{pid}/cmdline r, + /usr/share/hwdata/pnp.ids r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + include if exists } diff --git a/apparmor.d/groups/usb/usbguard-daemon b/apparmor.d/profiles-s-z/usbguard-daemon similarity index 100% rename from apparmor.d/groups/usb/usbguard-daemon rename to apparmor.d/profiles-s-z/usbguard-daemon diff --git a/apparmor.d/groups/usb/usbguard-dbus b/apparmor.d/profiles-s-z/usbguard-dbus similarity index 100% rename from apparmor.d/groups/usb/usbguard-dbus rename to apparmor.d/profiles-s-z/usbguard-dbus diff --git a/apparmor.d/groups/usb/usbguard-notifier b/apparmor.d/profiles-s-z/usbguard-notifier similarity index 100% rename from apparmor.d/groups/usb/usbguard-notifier rename to apparmor.d/profiles-s-z/usbguard-notifier diff --git a/apparmor.d/groups/shadow/useradd b/apparmor.d/profiles-s-z/useradd similarity index 95% rename from apparmor.d/groups/shadow/useradd rename to apparmor.d/profiles-s-z/useradd index b10487cf2..d27a34207 100644 --- a/apparmor.d/groups/shadow/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/useradd +@{exec_path} = @{bin}/useradd profile useradd @{exec_path} { include include @@ -25,12 +25,12 @@ profile useradd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - @{sbin}/usermod rPx, + @{bin}/usermod rPx, @{bin}/pam_tally2 rCx -> pam_tally2, /etc/default/useradd r, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w, diff --git a/apparmor.d/groups/shadow/userdel b/apparmor.d/profiles-s-z/userdel similarity index 96% rename from apparmor.d/groups/shadow/userdel rename to apparmor.d/profiles-s-z/userdel index 589c726d0..05df64874 100644 --- a/apparmor.d/groups/shadow/userdel +++ b/apparmor.d/profiles-s-z/userdel 
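Review bot: useradd (`@@ -25,12 +25,12`) replaces `@{etc_ro}/login.defs r` with the literal `/etc/login.defs r`, and the userdel and usermod hunks on the next line do the same. If `@{etc_ro}` exists to also cover a vendor-config location such as `/usr/etc` on distributions that keep `/etc` for local overrides only, hard-coding `/etc` means login.defs is unreadable there and the shadow tools fall back to built-in defaults without an obvious error. I'd keep `@{etc_ro}/login.defs r` in all three profiles, or add a comment on the new line stating that only `/etc` is supported.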
@@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/userdel +@{exec_path} = @{bin}/userdel profile userdel @{exec_path} flags=(attach_disconnected) { include include @@ -26,7 +26,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w, diff --git a/apparmor.d/groups/shadow/usermod b/apparmor.d/profiles-s-z/usermod similarity index 96% rename from apparmor.d/groups/shadow/usermod rename to apparmor.d/profiles-s-z/usermod index b59260a25..c0f8f0e45 100644 --- a/apparmor.d/groups/shadow/usermod +++ b/apparmor.d/profiles-s-z/usermod @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/usermod +@{exec_path} = @{bin}/usermod profile usermod @{exec_path} flags=(attach_disconnected) { include include @@ -28,7 +28,7 @@ profile usermod @{exec_path} flags=(attach_disconnected) { @{bin}/nscd rix, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/subuid r, /etc/{passwd,shadow,gshadow,group} rw, diff --git a/apparmor.d/groups/utils/users b/apparmor.d/profiles-s-z/users similarity index 100% rename from apparmor.d/groups/utils/users rename to apparmor.d/profiles-s-z/users diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/profiles-s-z/uuidd similarity index 79% rename from apparmor.d/groups/utils/uuidd rename to apparmor.d/profiles-s-z/uuidd index 52f52b4a2..4d75a70ed 100644 --- a/apparmor.d/groups/utils/uuidd +++ b/apparmor.d/profiles-s-z/uuidd 
@@ -6,24 +6,19 @@ abi , include -@{exec_path} = @{sbin}/uuidd +@{exec_path} = @{bin}/uuidd profile uuidd @{exec_path} flags=(attach_disconnected) { include include - capability dac_override, - network inet dgram, @{exec_path} mr, owner /var/lib/libuuid/clock.txt rwk, - owner /var/lib/libuuid/clock-cont.txt rwk, - - @{att}/@{run}/uuidd/request rw, @{run}/uuidd/request rw, - @{run}/uuidd/uuidd.pid rwk, + @{att}/@{run}/uuidd/request rw, include if exists } diff --git a/apparmor.d/groups/utils/uuidgen b/apparmor.d/profiles-s-z/uuidgen similarity index 100% rename from apparmor.d/groups/utils/uuidgen rename to apparmor.d/profiles-s-z/uuidgen diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index 88a6cd406..8858a80f1 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -18,7 +18,7 @@ profile uupdate @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{,e}grep rix, @{bin}/getopt rix, diff --git a/apparmor.d/profiles-s-z/v2ray b/apparmor.d/profiles-s-z/v2ray index 046151222..5a9238355 100644 --- a/apparmor.d/profiles-s-z/v2ray +++ b/apparmor.d/profiles-s-z/v2ray @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/v2ray profile v2ray @{exec_path} flags=(attach_disconnected) { include - include + include network inet dgram, network inet stream, diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl deleted file mode 100644 index ddb86b9a2..000000000 --- a/apparmor.d/profiles-s-z/v4l2-ctl +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Roman Beslik -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/v4l2-ctl -profile v4l2-ctl @{exec_path} { - include - include - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor 
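Review bot: Dropping `@{run}/uuidd/uuidd.pid rwk` and `owner /var/lib/libuuid/clock-cont.txt rwk` may produce denials if uuidd is started with a pid file or uses the continuous-clock file; both rules were present on the old side, presumably from observed accesses, so verify under the daemon's unit before relying on the narrower set. Removing `capability dac_override` and `network inet dgram` is the right direction for a daemon that serves a Unix socket, so keep those removals if the logs stay clean. The profile's `include` lines are stripped in this rendering, so I cannot tell whether an abstraction now covers the pid file.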
diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index eaf6ca24b..25f4a979f 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -16,7 +16,7 @@ profile vcsi @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{bin}/ffmpeg rPx, diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt index b9b92a721..6612846cd 100644 --- a/apparmor.d/profiles-s-z/veracrypt +++ b/apparmor.d/profiles-s-z/veracrypt @@ -29,11 +29,11 @@ profile veracrypt @{exec_path} { @{sh_path} rix, @{open_path} rPx -> child-open-help, - @{sbin}/dmsetup rPx, - @{bin}/{,e}grep rix, + @{bin}/dmsetup rPx, + @{bin}/grep rix, @{bin}/kmod rix, - @{sbin}/ldconfig rix, - @{sbin}/losetup rCx -> losetup, + @{bin}/ldconfig rix, + @{bin}/losetup rCx -> losetup, @{bin}/mount rPx, @{bin}/sudo rix, @{bin}/umount rCx -> umount, @@ -85,7 +85,7 @@ profile veracrypt @{exec_path} { capability sys_rawio, - @{sbin}/losetup mr, + @{bin}/losetup mr, include if exists } diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop index 4f4432650..b4b63fe74 100644 --- a/apparmor.d/profiles-s-z/vesktop +++ b/apparmor.d/profiles-s-z/vesktop @@ -8,7 +8,6 @@ abi , include @{name} = vesktop -@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -34,6 +33,7 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open, + owner /tmp/.org.chromium.Chromium.@{rand6} mr, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, @{sys}/devices/@{pci}/usb@{int}/**/interface r, diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 7cf741dc2..283eab051 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter 
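Review bot: `@{bin}/python3.@{int} r` hard-codes one interpreter layout in place of the shared `@{python_path}` tunable; interpreters installed as unversioned `python3`, or under whatever other paths the tunable covers, stop matching and the script fails to start. The same substitution is made in vidcutter (L811), virt-manager (L811, where the permission also drops from `rix` to `r`), wsdd (L823), youtube-dl (L826), yt-dlp and ytdl (L827) and zenmap (L828). If the tunable is being removed project-wide the change is consistent; otherwise keep `@{python_path} r,`.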
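Review bot: `@{bin}/grep rix` no longer matches `egrep`, which on Debian is a small wrapper script in the same directory, so if any of veracrypt's helper scripts call `egrep` that exec is denied. The same narrowing is applied in whatis (L817) and zed (L827). Keep `@{bin}/{,e}grep rix,` unless `@{bin}/egrep` is covered elsewhere in the profile.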
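Review bot: `owner /tmp/.org.chromium.Chromium.@{rand6} mr` hard-codes `/tmp/` where the rest of the tree addresses temporary files through `@{tmp}` (see the `@{tmp}` rules in wpa-cli on L822 and xarchiver on L824), so the rule likely stops matching when a private tmp layout is in use. It also grants `m` (executable mapping) on a file in a world-writable directory; the `owner` qualifier is what keeps that to the user's own files, so it must stay. Suggest `owner @{tmp}/.org.chromium.Chromium.@{rand6} mr,` plus a comment saying this replaces the domain-based rule that the removed `@{domain}` variable in the previous hunk presumably fed (I cannot see the abstraction's contents here).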
@@ -25,10 +25,10 @@ profile vidcutter @{exec_path} { include @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 396f1e4f8..50ada1d64 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -18,7 +18,7 @@ profile vipw-vigr @{exec_path} { @{sh_path} rix, @{editor_path} rCx -> editor, - @{etc_ro}/login.defs r, + /etc/login.defs r, /etc/{passwd,shadow,gshadow,group}{,.edit} rw, /etc/{passwd,shadow,gshadow,group}.@{pid} rw, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 92dc977d9..bce236989 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,18 +12,12 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include - include - include - include - include - include include include include include include include - include include include include @@ -34,25 +28,24 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.virt-manager.virt-manager - @{exec_path} rix, @{sh_path} rix, - @{python_path} rix, - @{lib}/@{python_name}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, + @{bin}/python3.@{int} r, + @{lib}/python3.@{int}/site-packages/__pycache__/guestfs.cpython-@{int}.pyc.@{int} w, @{bin}/ r, @{bin}/env rix, @{bin}/getfacl rix, @{bin}/setfacl rix, - @{sbin}/libvirtd rPx, + @{bin}/libvirtd rPx, @{bin}/ssh rPx, @{lib}/spice-client-glib-usb-acl-helper rPx, @{open_path} rPx -> child-open, + /usr/share/gtksourceview-4/{,**} r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, 
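Review bot: The `#aa:dbus own bus=session name=org.virt-manager.virt-manager` directive is removed without a replacement dbus rule, so if virt-manager still requests that bus name the bind will be denied and show up in aa-log; the generated own-rules are what permitted it. Either keep the directive or add the explicit `dbus bind` rule it expanded to. The enclosing profile continues beyond this hunk in both directions, so a replacement may sit outside my view.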
@@ -85,7 +78,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, - @{run}/libvirt/libvirt-sock rw, @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @@ -93,16 +85,18 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/drm/ttm/uevent r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, @{PROC}/@{pids}/net/route r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + /dev/media@{int} r, + /dev/video@{int} rw, + # Silence the noise deny /usr/share/virt-manager/{,**} w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 05866296d..d572ce9b8 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -11,10 +11,13 @@ include profile vlc @{exec_path} { include include + include include + include + include + include + include include - include - include include include include @@ -22,11 +25,8 @@ profile vlc @{exec_path} { include include include - include include include - include - include include include @@ -36,6 +36,9 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.vlc + #aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined + @{exec_path} mrix, @{open_path} rPx -> child-open-help, 
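Review bot: `session-@{int}.scope` is narrower than `session-@{word}.scope`, but logind session IDs are not always numeric (auto-created sessions use ids like `c1`), so `cpu.max` reads from those sessions would be denied; keep `@{word}` or use `session-{c,}@{int}.scope`. The added `/dev/media@{int} r` and `/dev/video@{int} rw` give the management GUI direct capture-device access; a short comment like the one on the `c@{dynamic}` udev rule above would record why (USB redirection, presumably).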
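Review bot: `#aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined` generates send/receive rules against any unconfined peer, which is the broadest peer label available; it is defensible for MPRIS, since the controlling desktop shell is usually unconfined, but the reason should be recorded, e.g. `# MPRIS controllers (desktop shells, media-key daemons) are generally unconfined`. If a specific controller is the target, a narrower label is preferable.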
@@ -82,6 +85,7 @@ profile vlc @{exec_path} { /dev/shm/#@{int} rw, /dev/snd/ r, /dev/tty r, + /dev/video@{int} rw, owner /dev/tty@{int} rw, # Silencer diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index 8fe33af50..2b6af3561 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -12,7 +12,7 @@ profile vsftpd @{exec_path} { include include include - include + include include # To be able to listen on ports < 1024 @@ -41,12 +41,6 @@ profile vsftpd @{exec_path} { capability dac_read_search, # If session_support=YES, vsftpd will also try and update utmp and wtmp - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, - @{exec_path} mr, # To validate allowed users shells diff --git a/apparmor.d/groups/procps/w b/apparmor.d/profiles-s-z/w similarity index 97% rename from apparmor.d/groups/procps/w rename to apparmor.d/profiles-s-z/w index 2445034e9..b23a7bc23 100644 --- a/apparmor.d/groups/procps/w +++ b/apparmor.d/profiles-s-z/w @@ -16,7 +16,7 @@ profile w @{exec_path} { capability sys_ptrace, - ptrace read, + ptrace (read), @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index b8d1d5326..8499a1ad6 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -26,13 +26,11 @@ profile waybar @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/waybar/{,**} r, - @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/system/cpu/present r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/dmi/id/uevent r, + @{sys}/devices/system/cpu/present r, @{PROC}/@{pid}/net/dev r, @{PROC}/spl/kstat/zfs/arcstats r, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat deleted file mode 100644 index 00fe0a8c5..000000000 
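Review bot: All five `network` rules are removed from a daemon whose purpose is to listen on TCP; unless the `include` swapped in the first vsftpd hunk (contents stripped in this rendering) is an abstraction granting `inet`/`inet6` stream sockets, vsftpd will fail to bind and resolver lookups break as well. Please confirm the new include provides at least `network inet stream,` and `network inet6 stream,`, or keep those two rules in the profile.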
--- a/apparmor.d/profiles-s-z/wechat +++ /dev/null @@ -1,46 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 EricLin -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = wechat -@{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/wechat/ -@{config_dirs} = @{user_config_dirs}/@{name} -@{cache_dirs} = @{user_cache_dirs}/@{name} - -@{exec_path} = @{lib_dirs}/wechat -profile wechat @{exec_path} flags=(attach_disconnected) { - include - include - include - include - - network netlink raw, - network netlink dgram, - network inet stream, - network inet dgram, - network inet6 dgram, - network inet6 stream, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/ip rix, - @{bin}/lsblk Px, - @{bin}/mkdir rix, - @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, - @{open_path} Px -> child-open-strict, - - owner @{HOME}/.xwechat/{,**} rwk, - owner @{user_documents_dirs}/xwechat_files/{,**} rwk, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage deleted file mode 100755 index 335860d07..000000000 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ /dev/null 
@@ -1,82 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 EricLin -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = wechat-appimage -@{domain} = org.chromium.Chromium -@{lib_dirs} = /opt/wechat-appimage/ -@{config_dirs} = @{user_config_dirs}/@{name} -@{cache_dirs} = @{user_cache_dirs}/@{name} - -@{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.Appimage /tmp/.mount_wechat??????/user/bin/wechat -profile wechat-appimage @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - - network netlink raw, - network netlink dgram, - network inet stream, - network inet dgram, - network inet6 dgram, - network inet6 stream, - - mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) -> @{tmp}/.mount_wechat@{word6}/, - - umount @{tmp}/.mount_wechat@{word6}/, - - @{exec_path} r, - - @{sh_path} rix, - @{bin}/dirname rix, - @{bin}/fusermount{,3} Cx -> fusermount, - @{bin}/{m,g,}awk rix, - @{bin}/lsblk Px, - @{bin}/mkdir rix, - @{bin}/readlink rix, - @{bin}/xdg-user-dir rix, - @{bin}/ip rix, - @{lib_dirs}/wechat-appimage.AppImage ix, - @{open_path} Px -> child-open-strict, - - @{bin}/fusermount{,3} Cx -> fusermount, - @{bin}/dirname rix, - @{bin}/readlink rix, - - @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, - @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, - @{tmp}/.mount_wechat@{word6}/AppRun ix, - - /etc/machine-id r, - - @{HOME}/.xwechat/{,**} rwk, - - owner @{user_documents_dirs}/xwechat_files/{,**} rwk, - - /dev/fuse rw, - /dev/tty rw, - - profile fusermount { - include - include - - mount fstype=fuse.wechat-appimage.AppImage options=(ro nodev nosuid) -> @{tmp}/.mount_wechat@{word6}/, - - umount @{tmp}/.mount_wechat@{word6}/, - - @{lib_dirs}/wechat-appimage.AppImage r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 94da6c60e..9d563111a 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -7,7 +7,6 @@ abi , include @{name} = wechat-universal -@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat-universal/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -15,10 +14,12 @@ include @{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat profile wechat-universal @{exec_path} flags=(attach_disconnected) { include + include include - include include - include + include + include + include network netlink raw, network netlink dgram, @@ -29,21 +30,20 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{sh_path} rix, - @{bin}/bwrap rix, - @{bin}/ln ix, - @{bin}/lsblk Px, - @{bin}/mkdir ix, - @{bin}/sed ix, - @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, - @{lib}/wechat-appimage.AppImage ix, - @{open_path} Px -> child-open-strict, + @{sh_path} rix, + @{lib}/wechat-universal/common.sh ix, + @{bin}/sed ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/lsblk Px, + @{bin}/bwrap rix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{open_path} rPx -> child-open-strict, /etc/lsb-release r, - /etc/machine-id r, - owner @{user_documents_dirs}/WeChat_Data/{,**} rwk, + owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk, owner @{HOME}/.xwechat/{,**} rwk, owner @{HOME}/.sys1og.conf rw, diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 0b83e44c8..861908a6b 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet 
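Review bot: `owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk` replaces `owner @{user_documents_dirs}/...`; if that tunable aggregates the XDG documents directory with localized or relocated variants, as its name suggests, this is a narrowing that denies writes for users whose documents folder is not the default one. `@{lib}/wechat-universal/common.sh ix` runs the launcher script with the full profile inherited, which is consistent with the other `ix` rules here; the `@{open_path} rPx` change matches the `@{open_path} rPx -> child-open` convention used in vesktop on L810. Keep `@{user_documents_dirs}` unless it is being removed from the tunables.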
@@ -6,17 +6,15 @@ abi , include -@{domain} = org.chromium.Chromium - @{exec_path} = @{bin}/wemeet @{exec_path} += /opt/wemeet/bin/wemeetapp @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { include + include include include include - include include include include diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis index 3febd0b0b..43fa8ff09 100644 --- a/apparmor.d/profiles-s-z/whatis +++ b/apparmor.d/profiles-s-z/whatis @@ -13,7 +13,7 @@ profile whatis @{exec_path} { include @{exec_path} mr, - @{bin}/{,e}grep rix, + @{bin}/grep rix, /usr/{,**/}man/{,**/}{,whatis} r, diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd index 41541ea84..cc4ae2959 100644 --- a/apparmor.d/profiles-s-z/whdd +++ b/apparmor.d/profiles-s-z/whdd @@ -25,7 +25,7 @@ profile whdd @{exec_path} { @{bin}/tr rix, # To read SMART attributes - @{sbin}/smartctl rPx, + @{bin}/smartctl rPx, owner @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, diff --git a/apparmor.d/groups/utils/whereis b/apparmor.d/profiles-s-z/whereis similarity index 97% rename from apparmor.d/groups/utils/whereis rename to apparmor.d/profiles-s-z/whereis index 36e457998..32d4ffa51 100644 --- a/apparmor.d/groups/utils/whereis +++ b/apparmor.d/profiles-s-z/whereis @@ -15,7 +15,6 @@ profile whereis @{exec_path} { @{exec_path} mr, @{bin}/{,*/} r, - @{sbin}/{,*/} r, @{lib}/ r, @{lib}/go-*/bin/ r, /usr/{local/,}games/ r, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index c4de427ff..855db3f4b 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/which{,.debianutils} +@{exec_path} = @{bin}/which{.debianutils,} profile which @{exec_path} flags=(attach_disconnected) { include include 
@@ -17,9 +17,7 @@ profile which @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/ r, - @{sbin}/ r, @{bin}/**/ r, - @{sbin}/**/ r, @{lib}/ r, @{lib}/**/ r, /opt/**/bin/ r, @@ -33,7 +31,6 @@ profile which @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, - deny @{user_share_dirs}/gnome-shell/session.gvdb rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index a42a63312..a7b98ebee 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/whiptail -profile whiptail @{exec_path} { +profile whiptail @{exec_path} flags=(complain) { include include @@ -16,10 +16,10 @@ profile whiptail @{exec_path} { @{exec_path} mr, - /usr/share/terminfo/** r, - /etc/newt/palette.* r, + owner @{tmp}/gpm* w, + include if exists } diff --git a/apparmor.d/groups/utils/who b/apparmor.d/profiles-s-z/who similarity index 81% rename from apparmor.d/groups/utils/who rename to apparmor.d/profiles-s-z/who index d9ca9e164..3da07f89d 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/profiles-s-z/who @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/{,gnu}who +@{exec_path} = @{bin}/who profile who @{exec_path} { include include @@ -18,10 +18,6 @@ profile who @{exec_path} { @{exec_path} mr, - @{run}/systemd/sessions/* r, - - # file_inherit - deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, diff --git a/apparmor.d/profiles-s-z/whois b/apparmor.d/profiles-s-z/whois deleted file mode 100644 index a1549db03..000000000 --- a/apparmor.d/profiles-s-z/whois +++ /dev/null 
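Review bot: Switching whiptail to `flags=(complain)` while the next hunk also drops its `/usr/share/terminfo/** r` and `/etc/newt/palette.* r` rules turns an enforcing profile into a logging-only one; in complain mode the missing terminfo and palette reads are logged as ALLOWED instead of denied, so the regression stays hidden until someone flips the profile back to enforce. Keep the profile enforcing, restore `/usr/share/terminfo/** r,` and `/etc/newt/palette.* r,`, and keep the new `owner @{tmp}/gpm* w,` only if a denial supports it.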
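Review bot: `@{exec_path} = @{bin}/who` drops the `{,gnu}who` alternation, so a `gnuwho` binary (the name coreutils takes on systems that ship a different default `who`) is no longer attached to this profile and runs unconfined. If that variant is no longer supported, say so in a comment; otherwise keep `@{exec_path} = @{bin}/{,gnu}who`.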
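Review bot: Removing `@{run}/systemd/sessions/* r` will likely leave `who` unable to read logind session records; the rule was presumably added from an observed access, so confirm with aa-log before dropping it. Dropping the `deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw` silencer does not widen the profile (default deny) but brings that file_inherit noise back into the audit log; the same silencer is removed from `which` earlier on this line.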
@@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/whois -profile whois @{exec_path} { - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - - /etc/whois.conf r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie deleted file mode 100644 index 8a2c83904..000000000 --- a/apparmor.d/profiles-s-z/whoopsie +++ /dev/null @@ -1,43 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/whoopsie -profile whoopsie @{exec_path} { - include - include - include - - capability setgid, - capability setuid, - - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 dgram, - network netlink raw, - - @{exec_path} mr, - - /var/crash/ r, - - /var/lib/whoopsie/ rw, - /var/lib/whoopsie/whoopsie-id rw, - /var/lib/whoopsie/whoopsie-id.@{rand6} rw, - - /var/crash/*.@{uid}.crash r, - owner /var/crash/*.@{uid}.uploaded rw, - - owner @{run}/lock/whoopsie/ rw, - owner @{run}/lock/whoopsie/lock rwk, - - @{sys}/devices/virtual/dmi/id/product_uuid r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences deleted file mode 100644 index 3b720d0da..000000000 --- a/apparmor.d/profiles-s-z/whoopsie-preferences +++ /dev/null 
@@ -1,34 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/whoopsie-preferences -profile whoopsie-preferences @{exec_path} { - include - include - include - - #aa:dbus own bus=system name=com.ubuntu.WhoopsiePreferences - - @{exec_path} mr, - - @{bin}/systemctl Cx -> systemctl, - - /etc/whoopsie w, - /etc/whoopsie.@{rand6} rw, - - profile systemctl { - include - include - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/profiles-s-z/wireplumber similarity index 68% rename from apparmor.d/groups/freedesktop/wireplumber rename to apparmor.d/profiles-s-z/wireplumber index 90eb46dc4..87b4e27ca 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -9,36 +9,28 @@ include @{exec_path} = @{bin}/wireplumber profile wireplumber @{exec_path} { include + include include include include - include include - include - include + include include - include include - include + include network bluetooth raw, network bluetooth seqpacket, network bluetooth stream, network netlink raw, - #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} - #aa:dbus own bus=session name=org.pipewire.Telephony + #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio0 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=system path=/midi{,server@{int}} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}, label="@{p_bluetoothd}"), - @{exec_path} mr, /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, 
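Review bot: `#aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio0` only lets wireplumber reserve card index 0; on hosts with more than one sound card the `Audio1`, `Audio2`, … reservations will be denied, which is what the old `Audio@{int}` form covered. Likewise the removed `dbus receive ... path=/midi{,server@{int}} ... peer=(name=@{busname}, label="@{p_bluetoothd}")` rule was presumably observed from bluetoothd's MIDI object manager, so if Bluetooth MIDI is still expected to work it should stay. The profile's `include` lines are stripped here, so an abstraction may cover one of these — please check.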
@@ -49,8 +41,8 @@ profile wireplumber @{exec_path} { /usr/share/wireplumber/{,**} r, owner @{desktop_local_dirs}/ w, - owner @{desktop_state_dirs}/ w, - owner @{desktop_state_dirs}/wireplumber/{,**} rw, + owner @{desktop_local_dirs}/state/ w, + owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, owner @{HOME}/.local/ w, owner @{user_state_dirs}/ w, @@ -58,37 +50,29 @@ profile wireplumber @{exec_path} { owner @{user_config_dirs}/wireplumber/{,**} r, owner @{run}/user/@{uid}/pipewire-@{int} rw, - owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, - - /dev/shm/lttng-ust-wait-@{int} rw, - owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, - owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) + @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, @{sys}/bus/media/devices/ r, + @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, @{sys}/devices/**/device:*/{,**/}path r, @{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/uevent r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/1/cgroup r, - @{PROC}/1/status r, - @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/udmabuf rw, + /dev/media@{int} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index a07d6bad1..c29543d6b 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -11,6 +11,7 @@ include @{exec_path} = @{bin}/wireshark profile wireshark @{exec_path} { include + include include include include 
diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index b6764ba0e..136caa781 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/wpa_action +@{exec_path} = @{bin}/wpa_action profile wpa-action @{exec_path} { include @@ -17,7 +17,7 @@ profile wpa-action @{exec_path} { @{exec_path} mr, - @{sbin}/wpa_cli rPx, + @{bin}/wpa_cli rPx, @{sh_path} rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index eb4efeee9..c9987fa01 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli @@ -7,13 +7,13 @@ abi , include -@{exec_path} = @{sbin}/wpa_cli +@{exec_path} = @{bin}/wpa_cli profile wpa-cli @{exec_path} { include @{exec_path} mr, - @{sbin}/wpa_action rPx, + /{usr/,}{s,}/wpa_action rPx, /etc/inputrc r, @@ -21,7 +21,7 @@ profile wpa-cli @{exec_path} { owner @{HOME}/.wpa_cli_history-@{int}.tmp rw, owner @{run}/wpa_supplicant/ r, - owner @{tmp}/wpa_ctrl_@{pid}-@{d} rw, + owner @{tmp}/wpa_ctrl_@{pid}-[0-9] rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index f833c812e..fd10713cc 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -17,7 +17,7 @@ profile wpa-gui @{exec_path} { @{exec_path} mr, - owner @{tmp}/wpa_ctrl_@{pid}-@{d} w, + owner @{tmp}/wpa_ctrl_@{pid}-[0-9] w, owner /dev/shm/#@{int} rw, @{run}/wpa_supplicant/ r, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index b20c6f1b4..23f77f840 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/wpa_supplicant +@{exec_path} = @{bin}/wpa_supplicant profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { include include 
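Review bot: `/{usr/,}{s,}/wpa_action rPx` is missing the `bin` component — it expands to `/wpa_action`, `/s/wpa_action`, `/usr//wpa_action` and `/usr/s/wpa_action`, none of which exist — so the transition to the wpa-action profile never matches and executing wpa_action from wpa_cli is denied. The intended form is the one zsysd uses on L828, `/{usr/,}{s,}bin/wpa_action rPx,`, or `@{bin}/wpa_action rPx,` to match the `@{exec_path}` assignment in wpa-action on this same line.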
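Review bot: `owner @{tmp}/wpa_ctrl_@{pid}-[0-9] rw` matches exactly one trailing digit, so the per-process counter wpa_cli appends to its control-socket path stops matching once it exceeds 9; the same change is made in wpa-gui on this line. Whether this is narrower than `@{d}` depends on that tunable's definition, which I cannot see here; if `@{d}` is being dropped, `[0-9]*` is the safe literal.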
@@ -42,7 +42,6 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { @{user_config_dirs}/cat_installer/*.pem r, owner @{run}/wpa_supplicant/{,**} rw, - owner @{run}/netplan/* r, @{sys}/devices/@{pci}/ieee*/phy@{int}/name r, diff --git a/apparmor.d/profiles-s-z/wrmsr b/apparmor.d/profiles-s-z/wrmsr index 6ef05cc0f..7de522fc8 100644 --- a/apparmor.d/profiles-s-z/wrmsr +++ b/apparmor.d/profiles-s-z/wrmsr @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/wrmsr +@{exec_path} = @{bin}/wrmsr profile wrmsr @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index b72cff3c4..22713e3bf 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -9,14 +9,9 @@ include @{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include - include include include - # wsdd can create its own chroot as a built-in security mechanism. - # This is used by default in the systemd wsdd-server service. - capability sys_chroot, - network inet dgram, network inet stream, network inet6 dgram, @@ -26,15 +21,13 @@ profile wsdd @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{python_path} rix, + @{bin}/python3.@{int} rix, /etc/machine-id r, owner /var/lib/libuuid/clock.txt rw, - @{run}/uuidd/request rw, - owner @{run}/user/@{uid}/wsdd w, - owner @{run}/user/@{uid}/*/wsdd w, + owner @{run}/user/@{uid}/gvfsd/wsdd w, include if exists } diff --git a/apparmor.d/profiles-s-z/wttrbar b/apparmor.d/profiles-s-z/wttrbar deleted file mode 100644 index 37933679d..000000000 --- a/apparmor.d/profiles-s-z/wttrbar +++ /dev/null 
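Review bot: `owner @{run}/netplan/* r` is removed; on Ubuntu, netplan generates `wpa-<iface>.conf` under `/run/netplan/` and starts wpa_supplicant with its config pointed there, so dropping this rule likely breaks netplan-managed Wi-Fi with a denied config read. Since that file holds network credentials, the `owner` qualifier was also the right constraint to keep. Keep the rule unless the netplan integration is explicitly unsupported.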
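Review bot: `capability sys_chroot` is removed together with the comment that documented it as wsdd's built-in hardening used by the default service unit; if the unit still passes the chroot option, wsdd's chroot call fails at startup, and the alternative — running without the chroot — is a net loss in isolation for a network-facing daemon. Keep `capability sys_chroot,` with its comment, and verify the unit's options if the intent really is to drop it.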
@@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 odomingao -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/wttrbar -profile wttrbar @{exec_path} { - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - - @{exec_path} mr, - - owner /tmp/wttrbar--wttr.in.json rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 4d2766101..003770008 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -28,7 +28,18 @@ profile xarchiver @{exec_path} { @{bin}/cp rix, # Archivers - @{archive_path} rix, + @{bin}/7z rix, + @{lib}/p7zip/7z rix, + @{bin}/unrar-nonfree rix, + @{bin}/zip rix, + @{bin}/unzip rix, + @{bin}/tar rix, + @{bin}/xz rix, + @{bin}/bzip2 rix, + @{bin}/cpio rix, + @{bin}/gzip rix, + @{bin}/zstd rix, + # For deb packages @{bin}/{,@{multiarch}-}ar rix, @{open_path} rPx -> child-open, @@ -40,10 +51,13 @@ profile xarchiver @{exec_path} { owner @{HOME}/.bz2 rw, - #aa:lint ignore=too-wide - # Full access to user's data - @{MOUNTS}/** rw, - owner @{HOME}/** rw, + / r, + /home/ r, + #owner @{HOME}/ r, + #owner @{HOME}/** rw, + @{MOUNTS}/ r, + @{MOUNTS}/** rw, + /tmp/ r, owner @{tmp}/** rw, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index b2f94975f..f40b4fa6b 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -9,15 +9,13 @@ include @{exec_path} = @{bin}/xbrlapi profile xbrlapi @{exec_path} flags=(attach_disconnected) { include - include + include network inet stream, network inet6 stream, @{exec_path} mr, - owner @{HOME}/.xsession-errors w, - include if exists } diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 9abc02350..0801ac188 100644 --- a/apparmor.d/profiles-s-z/xinit 
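Review bot: The new rule block leaves two commented-out rules (`#owner @{HOME}/ r,`, `#owner @{HOME}/** rw,`) in place of the previous `owner @{HOME}/** rw`, so xarchiver loses write access to the user's home while the wide `@{MOUNTS}/** rw` stays and loses its `#aa:lint ignore=too-wide` marker; the dead lines should be either restored as live rules or deleted, not left as comments. `/ r`, `/home/ r` and `/tmp/ r` are directory listings and harmless, but `/tmp/ r` should be `@{tmp}/ r` to match `owner @{tmp}/** rw` two lines below. If home access really is being withdrawn, record why in a comment, since archiving files under `@{HOME}` is the program's primary use.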
+++ b/apparmor.d/profiles-s-z/xinit @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/xinit profile xinit @{exec_path} { include - include include signal (receive) set=(usr1) peer=xorg, @@ -35,7 +34,7 @@ profile xinit @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which{,.debianutils} rix, /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp deleted file mode 100644 index 0d6c4d65f..000000000 --- a/apparmor.d/profiles-s-z/xournalpp +++ /dev/null @@ -1,45 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 valoq -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/xournalpp -profile xournalpp @{exec_path} { - include - include - include - include - include - include - include - include - - @{exec_path} mr, - - @{open_path} rPx -> child-open-browsers, - - /usr/share/xournalpp/** r, - - /etc/machine-id r, - /etc/pipewire/jack.conf.d/ r, - - owner @{user_config_dirs}/xournalpp/{,**} rw, - owner @{user_cache_dirs}/xournalpp/{,**} rw, - - @{sys}/devices/virtual/dmi/id/bios_vendor r, - @{sys}/devices/virtual/dmi/id/board_vendor r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - - /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{int}D@{int}[cp] w, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/xray b/apparmor.d/profiles-s-z/xray index 79c3104dc..7e86ada2c 100644 --- a/apparmor.d/profiles-s-z/xray +++ b/apparmor.d/profiles-s-z/xray @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/xray profile xray @{exec_path} flags=(attach_disconnected) { include - include + include network inet dgram, network inet stream, 
@@ -22,7 +22,6 @@ profile xray @{exec_path} flags=(attach_disconnected) { /etc/xray/{,*} r, /usr/share/xray/**.dat r, - /usr/share/v2ray/**.dat r, @{PROC}/sys/net/core/somaxconn r, diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp index 4273e803d..41ac0b973 100644 --- a/apparmor.d/profiles-s-z/xsane-gimp +++ b/apparmor.d/profiles-s-z/xsane-gimp @@ -1,6 +1,5 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Roman Beslik -# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,31 +10,28 @@ include profile xsane-gimp @{exec_path} { include include - include + include + + signal (receive) set=(term, kill) peer=gimp, network inet dgram, network inet6 dgram, network netlink raw, - signal receive set=(term, kill) peer=gimp, - @{exec_path} mr, - @{system_share_dirs}/gimp/{,**} r, @{system_share_dirs}/sane/xsane/{,**} r, - @{system_share_dirs}/snmp/mibs/{,**} r, - + @{system_share_dirs}/snmp/mibs/{,**} r, # network /etc/sane.d/{,**} r, - owner @{HOME}/.sane/{,**} rw, owner @{tmp}/xsane-*-@{rand6} rw, - - @{sys}/bus/scsi/devices/ r, @{sys}/devices/@{pci}/{model,type,vendor} r, - - @{PROC}/scsi/scsi r, @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, + # SCSI + @{sys}/bus/scsi/devices/ r, + @{PROC}/scsi/scsi r, + include if exists } diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index d0b1c1988..781e24768 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -13,11 +13,13 @@ profile youtube-dl @{exec_path} { include include include - include + include + include include include include include + include network inet dgram, network inet6 dgram, @@ -28,7 +30,7 @@ profile youtube-dl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, 
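Review bot: The header hunk deletes the `Copyright (C) 2024-2025 Alexandre Pujol` line while the file's rules are still being edited in the following hunk; removing a contributor's copyright notice from a GPL-2.0-only file is not a stylistic cleanup and should not ride along with a rule change. Restore the line unless its removal was explicitly agreed.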
@@ -36,7 +38,7 @@ profile youtube-dl @{exec_path} { @{bin}/ r, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/git rix, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/rtmpdump rix, @{bin}/uname rix, @{lib}/git{,-core}/git rix, diff --git a/apparmor.d/profiles-s-z/youtube-viewer b/apparmor.d/profiles-s-z/youtube-viewer index 100ae9985..46b0c6c06 100644 --- a/apparmor.d/profiles-s-z/youtube-viewer +++ b/apparmor.d/profiles-s-z/youtube-viewer @@ -24,6 +24,7 @@ profile youtube-viewer @{exec_path} { network netlink raw, @{exec_path} r, + @{bin}/perl r, @{sh_path} rix, @{bin}/infocmp rix, diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index ffa78eda3..551a8edf4 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp @@ -24,7 +24,7 @@ profile yt-dlp @{exec_path} { network netlink raw, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, @{bin}/file rix, diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index a76bf0d89..81ccfc284 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -24,10 +24,10 @@ profile ytdl @{exec_path} { signal (receive) set=(term, kill), @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/ r, - @{sbin}/ldconfig rix, + @{bin}/ldconfig rix, @{bin}/uname rix, /etc/mime.types r, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index 893cead5b..bb160a5e5 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -23,7 +23,7 @@ profile zed @{exec_path} { @{bin}/diff rix, @{bin}/expr rix, @{bin}/flock rix, - @{bin}/{,e}grep rix, + @{bin}/grep rix, @{bin}/hostname rix, @{bin}/logger rix, @{bin}/ls rix, @@ -46,7 +46,6 @@ profile zed @{exec_path} { owner @{tmp}/tmp.* rw, @{sys}/bus/pci/slots/ r, - @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/module/zfs/parameters/zfs_zevent_len_max rw, 
diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index f4dc9fc77..59a8d772e 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -20,7 +20,7 @@ profile zenmap @{exec_path} { signal (send) set=(term, kill) peer=nmap, @{exec_path} r, - @{python_path} r, + @{bin}/python3.@{int} r, @{bin}/nmap rPx, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index e6033d9d2..2cb997fd7 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -31,7 +31,6 @@ profile zpool @{exec_path} { @{sys}/module/zfs/** r, @{sys}/bus/pci/slots/ r, - @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index 42181500b..8ac23a07c 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -20,7 +20,7 @@ profile zsysd @{exec_path} flags=(complain) { /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}{s,}bin/zpool rPx, # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1 - @{sbin}/update-grub rPx, + @{bin}/update-grub rPx, /etc/hostid r, /etc/zsys.conf r, diff --git a/apparmor.d/tunables/alias.d/coreutils b/apparmor.d/tunables/alias.d/coreutils deleted file mode 100644 index 9fed4fefc..000000000 --- a/apparmor.d/tunables/alias.d/coreutils +++ /dev/null 
@@ -1,112 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# In ubuntu 25.10, to make room for the coming rust utils, classic coreutils has -# moved to /usr/bin/gnu* names. To avoid breaking existing profiles, we -# provide aliases for all the coreutils names to their gnu* counterpart. - - alias /{,usr/}bin/dd -> /usr/bin/gnudd, - alias /{,usr/}bin/tee -> /usr/bin/gnutee, - alias /{,usr/}bin/paste -> /usr/bin/gnupaste, - alias /{,usr/}bin/sha256sum -> /usr/bin/gnusha256sum, - alias /{,usr/}bin/env -> /usr/bin/gnuenv, - alias /{,usr/}bin/expr -> /usr/bin/gnuexpr, - alias /{,usr/}bin/sleep -> /usr/bin/gnusleep, - alias /{,usr/}bin/shred -> /usr/bin/gnushred, - alias /{,usr/}bin/dircolors -> /usr/bin/gnudircolors, - alias /{,usr/}bin/nohup -> /usr/bin/gnunohup, - alias /{,usr/}bin/stty -> /usr/bin/gnustty, - alias /{,usr/}bin/sha384sum -> /usr/bin/gnusha384sum, - alias /{,usr/}bin/pr -> /usr/bin/gnupr, - alias /{,usr/}bin/nice -> /usr/bin/gnunice, - alias /{,usr/}bin/basenc -> /usr/bin/gnubasenc, - alias /{,usr/}bin/sha224sum -> /usr/bin/gnusha224sum, - alias /{,usr/}bin/unexpand -> /usr/bin/gnuunexpand, - alias /{,usr/}bin/logname -> /usr/bin/gnulogname, - alias /{,usr/}bin/uniq -> /usr/bin/gnuuniq, - alias /{,usr/}bin/chown -> /usr/bin/gnuchown, - alias /{,usr/}bin/vdir -> /usr/bin/gnuvdir, - alias /{,usr/}bin/printf -> /usr/bin/gnuprintf, - alias /{,usr/}bin/true -> /usr/bin/gnutrue, - alias /{,usr/}bin/groups -> /usr/bin/gnugroups, - alias /{,usr/}bin/printenv -> /usr/bin/gnuprintenv, - alias /{,usr/}bin/truncate -> /usr/bin/gnutruncate, - alias /{,usr/}bin/md5sum -> /usr/bin/gnumd5sum, - alias /{,usr/}bin/pinky -> /usr/bin/gnupinky, - alias /{,usr/}bin/rm -> /usr/bin/gnurm, - alias /{,usr/}bin/cat -> /usr/bin/gnucat, - alias /{,usr/}bin/tac -> /usr/bin/gnutac, - alias /{,usr/}bin/b2sum -> /usr/bin/gnub2sum, - alias /{,usr/}bin/seq -> /usr/bin/gnuseq, - alias /{,usr/}bin/cut -> 
/usr/bin/gnucut, - alias /{,usr/}bin/csplit -> /usr/bin/gnucsplit, - alias /{,usr/}bin/split -> /usr/bin/gnusplit, - alias /{,usr/}bin/realpath -> /usr/bin/gnurealpath, - alias /{,usr/}bin/ptx -> /usr/bin/gnuptx, - alias /{,usr/}bin/who -> /usr/bin/gnuwho, - alias /{,usr/}bin/whoami -> /usr/bin/gnuwhoami, - alias /{,usr/}bin/cksum -> /usr/bin/gnucksum, - alias /{,usr/}bin/ls -> /usr/bin/gnuls, - alias /{,usr/}bin/runcon -> /usr/bin/gnuruncon, - alias /{,usr/}bin/arch -> /usr/bin/gnuarch, - alias /{,usr/}bin/head -> /usr/bin/gnuhead, - alias /{,usr/}bin/date -> /usr/bin/gnudate, - alias /{,usr/}bin/wc -> /usr/bin/gnuwc, - alias /{,usr/}bin/mktemp -> /usr/bin/gnumktemp, - alias /{,usr/}bin/pathchk -> /usr/bin/gnupathchk, - alias /{,usr/}bin/mkfifo -> /usr/bin/gnumkfifo, - alias /{,usr/}bin/du -> /usr/bin/gnudu, - alias /{,usr/}bin/cp -> /usr/bin/gnucp, - alias /{,usr/}bin/tty -> /usr/bin/gnutty, - alias /{,usr/}bin/sync -> /usr/bin/gnusync, - alias /{,usr/}bin/fold -> /usr/bin/gnufold, - alias /{,usr/}bin/users -> /usr/bin/gnuusers, - alias /{,usr/}bin/dirname -> /usr/bin/gnudirname, - alias /{,usr/}bin/nproc -> /usr/bin/gnunproc, - alias /{,usr/}bin/sort -> /usr/bin/gnusort, - alias /{,usr/}bin/[ -> /usr/bin/gnu[, - alias /{,usr/}bin/base64 -> /usr/bin/gnubase64, - alias /{,usr/}bin/od -> /usr/bin/gnuod, - alias /{,usr/}bin/tr -> /usr/bin/gnutr, - alias /{,usr/}bin/join -> /usr/bin/gnujoin, - alias /{,usr/}bin/sha512sum -> /usr/bin/gnusha512sum, - alias /{,usr/}bin/false -> /usr/bin/gnufalse, - alias /{,usr/}bin/expand -> /usr/bin/gnuexpand, - alias /{,usr/}bin/base32 -> /usr/bin/gnubase32, - alias /{,usr/}bin/chmod -> /usr/bin/gnuchmod, - alias /{,usr/}bin/rmdir -> /usr/bin/gnurmdir, - alias /{,usr/}bin/factor -> /usr/bin/gnufactor, - alias /{,usr/}bin/mknod -> /usr/bin/gnumknod, - alias /{,usr/}bin/chcon -> /usr/bin/gnuchcon, - alias /{,usr/}bin/basename -> /usr/bin/gnubasename, - alias /{,usr/}bin/chgrp -> /usr/bin/gnuchgrp, - alias /{,usr/}bin/sha1sum -> 
/usr/bin/gnusha1sum, - alias /{,usr/}bin/ln -> /usr/bin/gnuln, - alias /{,usr/}bin/tsort -> /usr/bin/gnutsort, - alias /{,usr/}bin/echo -> /usr/bin/gnuecho, - alias /{,usr/}bin/timeout -> /usr/bin/gnutimeout, - alias /{,usr/}bin/dir -> /usr/bin/gnudir, - alias /{,usr/}bin/numfmt -> /usr/bin/gnunumfmt, - alias /{,usr/}bin/touch -> /usr/bin/gnutouch, - alias /{,usr/}bin/mv -> /usr/bin/gnumv, - alias /{,usr/}bin/sum -> /usr/bin/gnusum, - alias /{,usr/}bin/stat -> /usr/bin/gnustat, - alias /{,usr/}bin/yes -> /usr/bin/gnuyes, - alias /{,usr/}bin/install -> /usr/bin/gnuinstall, - alias /{,usr/}bin/readlink -> /usr/bin/gnureadlink, - alias /{,usr/}bin/pwd -> /usr/bin/gnupwd, - alias /{,usr/}bin/tail -> /usr/bin/gnutail, - alias /{,usr/}bin/stdbuf -> /usr/bin/gnustdbuf, - alias /{,usr/}bin/comm -> /usr/bin/gnucomm, - alias /{,usr/}bin/shuf -> /usr/bin/gnushuf, - alias /{,usr/}bin/uname -> /usr/bin/gnuuname, - alias /{,usr/}bin/test -> /usr/bin/gnutest, - alias /{,usr/}bin/mkdir -> /usr/bin/gnumkdir, - alias /{,usr/}bin/link -> /usr/bin/gnulink, - alias /{,usr/}bin/df -> /usr/bin/gnudf, - alias /{,usr/}bin/unlink -> /usr/bin/gnuunlink, - alias /{,usr/}bin/hostid -> /usr/bin/gnuhostid, - alias /{,usr/}bin/fmt -> /usr/bin/gnufmt, - alias /{,usr/}bin/id -> /usr/bin/gnuid, - alias /{,usr/}bin/nl -> /usr/bin/gnunl, diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index c791f5376..f1be9acbe 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d 
@@ -11,7 +11,30 @@
 # First part, second part in /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
-# Define the XDG Base Directory
+# Extra user personal directories
+@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots"
+@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"
+@{XDG_BOOKS_DIR}="Books"
+@{XDG_GAMES_DIR}=".games"
+@{XDG_PROJECTS_DIR}="Projects"
+@{XDG_WORK_DIR}="Work"
+@{XDG_MAIL_DIR}="Mail" ".{m,M}ail"
+@{XDG_SYNC_DIR}="Sync"
+@{XDG_TORRENTS_DIR}="Torrents"
+@{XDG_VM_DIR}=".vm"
+@{XDG_VM_SHARES_DIR}="VM_Shares"
+@{XDG_IMG_DIR}="images"
+@{XDG_GAMESSTUDIO_DIR}="unity3d"
+
+# User personal keyrings
+@{XDG_GPG_DIR}=".gnupg"
+@{XDG_SSH_DIR}=".ssh"
+@{XDG_PASSWORD_STORE_DIR}=".password-store"
+
+# User personal private directories
+@{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate"
+
+# Definition of local user configuration directories
 @{XDG_CACHE_DIR}=".cache"
 @{XDG_CONFIG_DIR}=".config"
 @{XDG_DATA_DIR}=".local/share"
@@ -19,59 +42,28 @@
 @{XDG_BIN_DIR}=".local/bin"
 @{XDG_LIB_DIR}=".local/lib"
-# Define extended user directories not defined in the XDG standard but commonly
-# used in profiles
-@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots"
-@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"
-@{XDG_BOOKS_DIR}="Books"
-@{XDG_GAMES_DIR}="Games"
-@{XDG_PROJECTS_DIR}="Projects"
-@{XDG_WORK_DIR}="Work"
-@{XDG_MAIL_DIR}="Mail" ".{m,M}ail"
-@{XDG_SYNC_DIR}="Sync"
-@{XDG_TORRENTS_DIR}="Torrents"
-@{XDG_GAMESSTUDIO_DIR}="unity3d"
-
-# Define user directories for virtual machines, shared folders and disk images
-@{XDG_VM_DIR}=".vm"
-@{XDG_VMSHARE_DIR}=".vmshare"
-@{XDG_IMG_DIR}=".img"
-
-# Define user build directories and artifacts output
-@{XDG_BUILD_DIR}=".build"
-@{XDG_PKG_DIR}=".pkg"
-
-# Define user personal keyrings
-@{XDG_GPG_DIR}=".gnupg"
-@{XDG_SSH_DIR}=".ssh"
-@{XDG_PASSWORDSTORE_DIR}=".password-store"
-
-# Define user personal private directories
-@{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate"
-
-# Full path of the XDG Base Directory
+# Full path of the user configuration directories
 @{user_cache_dirs}=@{HOME}/@{XDG_CACHE_DIR}
 @{user_config_dirs}=@{HOME}/@{XDG_CONFIG_DIR}
-@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR}
 @{user_bin_dirs}=@{HOME}/@{XDG_BIN_DIR}
 @{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR}
+@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR}
+
+# User build directories and output
+@{user_build_dirs}="/tmp/build/"
+@{user_pkg_dirs}="/tmp/pkg/"
+@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}
 # Other user directories
 @{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}
 @{user_games_dirs}=@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}
-@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}
+@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}
+@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}
 @{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}
 @{user_mail_dirs}=@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}
-@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/@{XDG_SYNC_DIR}
+@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}
+@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}
 @{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}
 @{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}
-@{user_vmshare_dirs}=@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR}
-@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}
-@{user_build_dirs}=@{HOME}/@{XDG_BUILD_DIR} @{MOUNTS}/@{XDG_BUILD_DIR}
-@{user_pkg_dirs}=@{HOME}/@{XDG_PKG_DIR} @{MOUNTS}/@{XDG_PKG_DIR}
-@{user_gpg_dirs}=@{HOME}/@{XDG_GPG_DIR} @{MOUNTS}/@{XDG_GPG_DIR}
-@{user_ssh_dirs}=@{HOME}/@{XDG_SSH_DIR} @{MOUNTS}/@{XDG_SSH_DIR}
-@{user_passwordstore_dirs}=@{HOME}/@{XDG_PASSWORDSTORE_DIR} @{MOUNTS}/@{XDG_PASSWORDSTORE_DIR}
-@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/base b/apparmor.d/tunables/multiarch.d/base
deleted file mode 100644
index 9661b1e51..000000000
--- a/apparmor.d/tunables/multiarch.d/base
+++ /dev/null
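Review bot: `@{user_build_dirs}="/tmp/build/"` and `@{user_pkg_dirs}="/tmp/pkg/"` replace per-user paths under `@{HOME}` with fixed, predictable directories inside the shared `/tmp`; any profile that grants non-`owner` write access to `@{user_build_dirs}/**` then covers a location another local user can create or populate first, so either keep these under `@{HOME}` or make sure every consumer uses `owner` rules. The `@{user_sync_dirs}` line is also inconsistent with every sibling: `@{MOUNTS}` already ends in `/*/` (see `@{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/` in the system tunable below), so `@{MOUNTS}/*/@{XDG_SYNC_DIR}` adds an extra path level and should read `@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/@{XDG_SYNC_DIR}`. Finally, `@{user_gpg_dirs}`, `@{user_ssh_dirs}` and `@{user_vmshare_dirs}` are removed here while `@{XDG_GPG_DIR}`, `@{XDG_SSH_DIR}` and `@{XDG_VM_SHARES_DIR}` are added in the previous hunk; unless the second part file (xdg-user-dirs.d) defines the `user_*` counterparts, profiles referencing them will be rejected as undeclared variables.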
@@ -1,93 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Base variables, upstreamed in apparmor 4.1 - -# Any digit -@{d}=[0-9] - -# Any letter -@{l}=[a-zA-Z] - -# Single alphanumeric character -@{c}=[0-9a-zA-Z] - -# Word character: matches any letter, digit or underscore. -@{w}=[a-zA-Z0-9_] - -# Single hexadecimal character -@{h}=[0-9a-fA-F] - -# Integer up to 10 digits (0-9999999999) -@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} - -# hexadecimal, alphanumeric and word up to 64 characters -@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} -@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} -@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} - -# Unsigned 
integer over 8 bits (0...255) -@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5] - -# Unsigned integer over 16 bits (0...65,535 5 digits) -@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}} - -# Unsigned integer over 32 bits (0...4,294,967,295 10 digits) -@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} - -# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits). -@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} - -# Any x digits characters -@{int2}=@{d}@{d} -@{int4}=@{int2}@{int2} -@{int6}=@{int4}@{int2} -@{int8}=@{int4}@{int4} -@{int9}=@{int8}@{d} -@{int10}=@{int8}@{int2} -@{int12}=@{int8}@{int4} -@{int15}=@{int8}@{int4}@{int2}@{d} -@{int16}=@{int8}@{int8} -@{int32}=@{int16}@{int16} -@{int64}=@{int32}@{int32} - -# Any x hexadecimal characters -@{hex2}=@{h}@{h} -@{hex4}=@{hex2}@{hex2} -@{hex6}=@{hex4}@{hex2} -@{hex8}=@{hex4}@{hex4} -@{hex9}=@{hex8}@{h} -@{hex10}=@{hex8}@{hex2} -@{hex12}=@{hex8}@{hex4} 
-@{hex15}=@{hex8}@{hex4}@{hex2}@{h} -@{hex16}=@{hex8}@{hex8} -@{hex32}=@{hex16}@{hex16} -@{hex38}=@{hex32}@{hex6} -@{hex64}=@{hex32}@{hex32} - -# Any x alphanumeric characters -@{rand2}=@{c}@{c} -@{rand4}=@{rand2}@{rand2} -@{rand6}=@{rand4}@{rand2} -@{rand8}=@{rand4}@{rand4} -@{rand9}=@{rand8}@{c} -@{rand10}=@{rand8}@{rand2} -@{rand12}=@{rand8}@{rand4} -@{rand15}=@{rand8}@{rand4}@{rand2}@{c} -@{rand16}=@{rand8}@{rand8} -@{rand32}=@{rand16}@{rand16} -@{rand64}=@{rand32}@{rand32} - -# Any x word characters -@{word2}=@{w}@{w} -@{word4}=@{word2}@{word2} -@{word6}=@{word4}@{word2} -@{word8}=@{word4}@{word4} -@{word9}=@{word8}@{w} -@{word10}=@{word8}@{word2} -@{word12}=@{word8}@{word4} -@{word15}=@{word8}@{word4}@{word2}@{w} -@{word16}=@{word8}@{word8} -@{word32}=@{word16}@{word16} -@{word64}=@{word32}@{word32} diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions index d7f7450aa..956e8c253 100644 --- a/apparmor.d/tunables/multiarch.d/extensions +++ b/apparmor.d/tunables/multiarch.d/extensions 
@@ -311,24 +311,24 @@
 @{video_ext} += 3[gG]2 # 3g2
 # Subtitles
-@{subtitles_ext} = [aA][qQ][tT] # aqt
-@{subtitles_ext} += [aA][sS][sS] # ass
-@{subtitles_ext} += [gG][sS][uU][bB] # gsub
-@{subtitles_ext} += [uU][sS][fF] # usf
-@{subtitles_ext} += [pP][aA][cC] # pac
-@{subtitles_ext} += [pP][jJ][sS] # pjs
-@{subtitles_ext} += [pP][sS][bB] # psb
-@{subtitles_ext} += [rR][tT] # rt
-@{subtitles_ext} += [sS][bB][vV] # sbv
-@{subtitles_ext} += [sS][mM][iI] # smi
-@{subtitles_ext} += [sS][rR][tT] # srt
-@{subtitles_ext} += [sS][sS][aA] # ssa
-@{subtitles_ext} += [sS][sS][fF] # ssf
-@{subtitles_ext} += [sS][tT][lL] # stl
-@{subtitles_ext} += [sS][uU][bB] # sub
-@{subtitles_ext} += [tT][t][mM][lL] # ttml
-@{subtitles_ext} += [tT][t][xX][tT] # ttxt
-@{subtitles_ext} += [vV][tT][t] # vtt
+@{suntitles_ext} = [aA][qQ][tT] # aqt
+@{suntitles_ext} += [aA][sS][sS] # ass
+@{suntitles_ext} += [gG][sS][uU][bB] # gsub
+@{suntitles_ext} += [uU][sS][fF] # usf
+@{suntitles_ext} += [pP][aA][cC] # pac
+@{suntitles_ext} += [pP][jJ][sS] # pjs
+@{suntitles_ext} += [pP][sS][bB] # psb
+@{suntitles_ext} += [rR][tT] # rt
+@{suntitles_ext} += [sS][bB][vV] # sbv
+@{suntitles_ext} += [sS][mM][iI] # smi
+@{suntitles_ext} += [sS][rR][tT] # srt
+@{suntitles_ext} += [sS][sS][aA] # ssa
+@{suntitles_ext} += [sS][sS][fF] # ssf
+@{suntitles_ext} += [sS][tT][lL] # stl
+@{suntitles_ext} += [sS][uU][bB] # sub
+@{suntitles_ext} += [tT][t][mM][lL] # ttml
+@{suntitles_ext} += [tT][t][xX][tT] # ttxt
+@{suntitles_ext} += [vV][tT][t] # vtt
 # Images
 @{image_ext} = [aA][pP][nN][gG] # apng
@@ -645,7 +645,4 @@
 @{text_ext} += 3[dD][mM] # 3dm
 @{text_ext} += 3[dD][mM][lL] # 3dml
-# Dpkg maintainer's scripts
-@{dpkg_script_ext} = config templates preinst postinst prerm postrm
-
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths
index cca544370..83aec3ce3 100644
--- a/apparmor.d/tunables/multiarch.d/paths
+++ b/apparmor.d/tunables/multiarch.d/paths
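Review bot: Every added line in the first hunk renames the variable to `@{suntitles_ext}`, which reads as a typo of `@{subtitles_ext}`; nothing within this hunk declares `@{subtitles_ext}` any more, so any profile that still references it is rejected by apparmor_parser as an undeclared variable, while the misspelled name is unlikely to be used anywhere. Keep the original spelling on all eighteen lines, e.g. `@{subtitles_ext} = [aA][qQ][tT] # aqt`. The `@{dpkg_script_ext}` removal in the second hunk of this file needs the same check that no profile still references it.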
@@ -38,9 +38,8 @@
 @{open_path} += @{lib}/gio-launch-desktop
 @{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
-# Editors
+# Editor
 @{editor_path} = @{bin}/@{editor_names}
-@{editor_ui_path} = @{bin}/@{editor_ui_names}
 # Pager
 @{pager_path} = @{bin}/@{pager_names}
@@ -66,13 +65,4 @@
 # Help
 @{help_path} = @{bin}/@{help_names}
-# Terminal emulator
-@{terminal_path} = @{bin}/@{terminal_names}
-
-# Backup
-@{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor
-
-# Archives
-@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z
-
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles
index d4fefb0b0..2d1fccb32 100644
--- a/apparmor.d/tunables/multiarch.d/profiles
+++ b/apparmor.d/tunables/multiarch.d/profiles
@@ -8,72 +8,12 @@
 # All variables that refer to a profile name should be prefixed with `p_`
 # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user`
-@{p_sd}=unconfined
-@{p_sdu}=unconfined
-@{p_systemd_user}=unconfined
 @{p_systemd}=unconfined
+@{p_systemd_user}=unconfined
 # Name of the dbus daemon profiles
-@{p_dbus_accessibility}=dbus-accessibility
-#aa:only apparmor4.1
-@{p_dbus_system}={dbus-system,unconfined}
-@{p_dbus_session}={dbus-session,unconfined}
-
-#aa:exclude apparmor4.1
 @{p_dbus_system}=dbus-system
 @{p_dbus_session}=dbus-session
-
-@{p_accounts_daemon}=accounts-daemon
-@{p_apt_news}=apt_news
-@{p_at_spi2_registryd}=at-spi2-registryd
-@{p_avahi_daemon}=avahi-daemon
-@{p_bluetoothd}=bluetoothd
-@{p_colord}=colord
-@{p_e2scrub_all}=e2scrub_all
-@{p_e2scrub}=e2scrub
-@{p_file_roller}=file-roller
-@{p_fprintd}=fprintd
-@{p_fwupd}=fwupd
-@{p_fwupdmgr}=fwupdmgr
-@{p_geoclue}=geoclue
-@{p_gnome_shell}=gnome-shell
-@{p_gsd_media_keys}=gsd-media-keys
-@{p_irqbalance}=irqbalance
-@{p_logrotate}=logrotate
-@{p_ModemManager}=ModemManager
-@{p_nm_priv_helper}=nm-priv-helper
-@{p_packagekitd}=packagekitd
-@{p_pcscd}=pcscd
-@{p_polkitd}=polkitd
-@{p_power_profiles_daemon}=power-profiles-daemon
-@{p_rsyslogd}=rsyslogd
-@{p_rtkit_daemon}=rtkit-daemon
-@{p_snap}=snap
-@{p_systemd_coredump}=systemd-coredump
-@{p_systemd_homed}=systemd-homed
-@{p_systemd_hostnamed}=systemd-hostnamed
-@{p_systemd_importd}=systemd-importd
-@{p_systemd_initctl}=systemd-initctl
-@{p_systemd_journal_remote}=systemd-journal-remote
-@{p_systemd_journald}=systemd-journald
-@{p_systemd_localed}=systemd-localed
-@{p_systemd_logind}=systemd-logind
-@{p_systemd_networkd}=systemd-networkd
-@{p_systemd_oomd}=systemd-oomd
-@{p_systemd_resolved}=systemd-resolved
-@{p_systemd_rfkill}=systemd-rfkill
-@{p_systemd_timedated}=systemd-timedated
-@{p_systemd_timesyncd}=systemd-timesyncd
-@{p_systemd_userdbd}=systemd-userdbd
-@{p_upowerd}=upowerd
-@{p_xdg_desktop_portal}=xdg-desktop-portal
-
-# Profiles Patterns
-# Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution
-
-# Notification
-@{pp_notification}={plasmashell,gjs-console}
-@{pp_app_indicator}={plasmashell,gnome-shell}
-@{pp_dbusmenu}={plasmashell,nautilus}
+@{p_dbus_accessibility}=dbus-accessibility
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs
index a7cbaf831..e8f523b6a 100644
--- a/apparmor.d/tunables/multiarch.d/programs
+++ b/apparmor.d/tunables/multiarch.d/programs
@@ -22,7 +22,7 @@
 @{coreutils} += ln locate logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
 @{coreutils} += od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm rmdir
 @{coreutils} += runcon sdiff sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep
-@{coreutils} += sort split stat stdbuf stty sum tac tail tee test timeout touch tr true
+@{coreutils} += sort split stat stdbuf stty sum sync tac tail tee test timeout touch tr true
 @{coreutils} += truncate tsort tty uname unexpand uniq unlink updatedb vdir wc who whoami xargs yes
 # Python interpreters
@@ -32,9 +32,8 @@
 # Open
 @{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop
-# Editors
-@{editor_names} = sensible-editor vim{,.*} vim-nox11 nvim nano
-@{editor_ui_names} = gnome-text-editor gedit mousepad
+# Editor
+@{editor_names} = sensible-editor vim{,.*} nvim nano
 # Pager
 @{pager_names} = sensible-pager pager less more nvimpager
@@ -76,7 +75,7 @@
 @{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli
 # Document viewers
-@{document_viewers_names} = evince papers okular *{F,f}oliate YACReader
+@{document_viewers_names} = evince okular *{F,f}oliate YACReader
 # Image viewers
 @{image_viewers_names} = eog loupe ristretto
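Review bot: Removing roughly fifty `@{p_*}` variables and all `@{pp_*}` patterns leaves every `peer=@{p_...}` or `label=@{pp_...}` reference still present elsewhere in the tree undeclared, and apparmor_parser rejects a reference to a variable that is never defined, so those profiles stop loading; nothing in this diff shows such references being rewritten, so a sweep of apparmor.d/ for `@{p_` and `@{pp_` should accompany this hunk. The hunk also drops the `#aa:only apparmor4.1` alternative `@{p_dbus_system}={dbus-system,unconfined}` / `@{p_dbus_session}={dbus-session,unconfined}` without replacement; if the unconfined case was needed on 4.1 hosts, dbus rules that rely on these variables will silently stop matching there, so the commit message should state why the conditional is no longer required.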
@@ -85,18 +84,9 @@
 @{archive_viewers_names} = engrampa file-roller xarchiver
 # Office suites
-@{offices_names} = libreoffice soffice wps
+@{offices_names} = libreoffice soffice
 # Help
 @{help_names} = yelp
-# Terminal emulator
-@{terminal_names} = kgx terminator konsole ptyxis
-
-# Backup
-@{backup_names} = deja-dup borg
-
-# Archives
-@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar-nonfree unzip xz zip zstd
-
 # vim:syntax=apparmor
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index b29be3f0c..cc4192d28 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -2,6 +2,98 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
+# Base variables
+# --------------
+
+# Any digit
+@{d}=[0-9]
+
+# Any letter
+@{l}=[a-zA-Z]
+
+# Single alphanumeric character
+@{c}=[0-9a-zA-Z]
+
+# Word character: matches any letter, digit or underscore.
+@{w}=[a-zA-Z0-9_]
+
+# Single hexadecimal character
+@{h}=[0-9a-fA-F]
+
+# Integer up to 10 digits (0-9999999999)
+@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}
+
+# hexadecimal, alphanumeric and word up to 64 characters
+@{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}
+@{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}
+@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}
+
+# Unsigned integer over 8 bits (0...255)
+@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5]
+
+# Unsigned integer over 16 bits (0...65,535 5 digits)
+@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}}
+
+# Unsigned integer over 32 bits (0...4,294,967,295 10 digits)
+@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}}
+
+# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits).
+@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}}
+
+# Any x digits characters
+@{int2}=@{d}@{d}
+@{int4}=@{int2}@{int2}
+@{int6}=@{int4}@{int2}
+@{int8}=@{int4}@{int4}
+@{int9}=@{int8}@{d}
+@{int10}=@{int8}@{int2}
+@{int12}=@{int8}@{int4}
+@{int15}=@{int8}@{int4}@{int2}@{d}
+@{int16}=@{int8}@{int8}
+@{int32}=@{int16}@{int16}
+@{int64}=@{int32}@{int32}
+
+# Any x hexadecimal characters
+@{hex2}=@{h}@{h}
+@{hex4}=@{hex2}@{hex2}
+@{hex6}=@{hex4}@{hex2}
+@{hex8}=@{hex4}@{hex4}
+@{hex9}=@{hex8}@{h}
+@{hex10}=@{hex8}@{hex2}
+@{hex12}=@{hex8}@{hex4}
+@{hex15}=@{hex8}@{hex4}@{hex2}@{h}
+@{hex16}=@{hex8}@{hex8}
+@{hex32}=@{hex16}@{hex16}
+@{hex38}=@{hex32}@{hex6}
+@{hex64}=@{hex32}@{hex32}
+
+# Any x alphanumeric characters
+@{rand2}=@{c}@{c}
+@{rand4}=@{rand2}@{rand2}
+@{rand6}=@{rand4}@{rand2}
+@{rand8}=@{rand4}@{rand4}
+@{rand9}=@{rand8}@{c}
+@{rand10}=@{rand8}@{rand2}
+@{rand12}=@{rand8}@{rand4}
+@{rand15}=@{rand8}@{rand4}@{rand2}@{c}
+@{rand16}=@{rand8}@{rand8}
+@{rand32}=@{rand16}@{rand16}
+@{rand64}=@{rand64}@{rand64}
+
+# Any x word characters
+@{word2}=@{w}@{w}
+@{word4}=@{word2}@{word2}
+@{word6}=@{word4}@{word2}
+@{word8}=@{word4}@{word4}
+@{word9}=@{word8}@{w}
+@{word10}=@{word8}@{word2}
+@{word12}=@{word8}@{word4}
+@{word15}=@{word8}@{word4}@{word2}@{w}
+@{word16}=@{word8}@{word8}
+@{word32}=@{word16}@{word16}
+@{word64}=@{word32}@{word32}
+
+
 # System Paths
 # ------------
@@ -14,23 +106,18 @@
 @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/
 # Common places for binaries and libraries across distributions
-@{bin}=/{,usr/}bin
-@{sbin}=/{,usr/}sbin #aa:only apt zypper
-@{sbin}=/{,usr/}{,s}bin #aa:only pacman
+@{bin}=/{,usr/}{,s}bin
 @{lib}=/{,usr/}lib{,exec,32,64}
 # Common places for temporary files
-# /tmp/user/@{uid}/ is needed when using .... (default on Debian)
 @{tmp}=/tmp/ /tmp/user/@{uid}/
-# Common places for EFI
-@{efi}=/boot/ /efi/ /boot/efi/
 # System Variables
 # ----------------
 # Common architecture names
-@{arch}=x86_64 x64 amd64 i386 i686
+@{arch}=x86_64 amd64 i386 i686
 # Dbus unique name
 @{busname}=:1.@{u16} :not.active.yet
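Review bot: `@{rand64}=@{rand64}@{rand64}` defines the variable in terms of itself; every sibling (`@{int64}`, `@{hex64}`, `@{word64}`) doubles its 32-wide form and the deleted `multiarch.d/base` had `@{rand64}=@{rand32}@{rand32}`, so this is a copy error introduced by the move. apparmor_parser treats a variable that references itself as an error, so every profile using `@{rand64}` (or `@{rand64}`-derived patterns) would stop loading; the line should read `@{rand64}=@{rand32}@{rand32}`. While the block is being relocated, the `@{u16}` pattern carries an unbalanced `[` in `[1-9][@{d}@{d},` (present in the deleted file too), which looks like a typo for `[1-9]@{d}@{d},` and is worth confirming against the intended range.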
@@ -39,7 +126,7 @@ @{udbus}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} # Universally unique identifier -@{uuid}=@{hex8}[-_]@{hex4}[-_]@{hex4}[-_]@{hex4}[-_]@{hex12} +@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} # Username & group valid characters @{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} @@ -48,27 +135,25 @@ # Semantic version @{version}=@{u16}{.@{u16},}{.@{u16},}{{-,_}@{rand},} -#aa:only opensuse # OpenSUSE does not have the same multiarch structure -@{multiarch}+=*-suse-linux* +@{multiarch}+=*-suse-linux* #aa:only opensuse # System Internal # --------------- # Shortcut for PCI device -@{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h} -@{pci_bus}=pci@{hex4}:@{hex2} +@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} +@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} @{pci}=@{pci_bus}/**/ # Udev data dynamic assignment ranges -# See https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 -# Default attachment path when re-attached path disconnected path is ignored. -# Disabled on abi3 and Ubuntu 25.04+ -# See https://apparmor.pujol.io/development/internal/#re-attached-path -@{att}="" +# Attachment path for attach_disconnected.path flag. +# Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. +@{att}=/ +alias // -> /, # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 07450efff..885913da3 100644 --- a/apparmor.d/tunables/multiarch.d/system-users 
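Review bot: The new side of the `@{dynamic}` block drops the comment that said where the 234–254 and 384–511 ranges come from, leaving two bare numeric ranges that cannot be re-verified when the kernel's device allocation table changes; keep `# See https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt` above the first `@{dynamic}=` line. Likewise the `@{att}` comment now asserts the ABI4 behaviour but the pointer `# See https://apparmor.pujol.io/development/internal/#re-attached-path` was removed, which is where a reader would check what "automatically generated in the profile preamble" means. The added `alias // -> /,` is a preamble rule and so presumably affects every profile loaded with these tunables; a one-line comment on why it is needed next to `@{att}=/` would help anyone reviewing an individual profile.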
+++ b/apparmor.d/tunables/multiarch.d/system-users @@ -5,12 +5,11 @@ # Define some extra paths for some commonly used system user # Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/ +@{GDM_HOME}=/var/lib/gdm{,3}/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ @{gdm_share_dirs}=@{GDM_HOME}/.local/share/ -@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ # Full path of the SDDM configuration directories @{SDDM_HOME}=/var/lib/sddm/ @@ -18,7 +17,6 @@ @{sddm_config_dirs}=@{SDDM_HOME}/.config/ @{sddm_local_dirs}=@{SDDM_HOME}/.local/ @{sddm_share_dirs}=@{SDDM_HOME}/.local/share/ -@{sddm_state_dirs}=@{SDDM_HOME}/.local/state/ # Full path of the LIGHTDM configuration directories @{LIGHTDM_HOME}=/var/lib/lightdm/ @@ -26,7 +24,6 @@ @{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/ @{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/ @{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/ -@{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/ # Full path of all DE configuration directories @{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME} @@ -34,6 +31,5 @@ @{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs} @{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs} @{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs} -@{desktop_state_dirs}=@{gdm_state_dirs} @{sddm_state_dirs} @{lightdm_state_dirs} # vim:syntax=apparmor diff --git a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d index 52be8b920..00231cbce 100644 --- a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d +++ b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d 
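Review bot: The new `@{GDM_HOME}=/var/lib/gdm{,3}/` drops the `@{run}/gdm{,3}/{,home/}{,gdm-}greeter/` location, and `@{gdm_state_dirs}` disappears with no replacement, so a profile that still uses `@{gdm_state_dirs}` would fail to parse and one that relied on the runtime greeter home would silently lose access — confirm no remaining references. The same removal of the `*_state_dirs` variables is repeated in the sddm, lightdm and `@{desktop_state_dirs}` hunks that follow in this file. If the state directories are intentionally covered elsewhere, a comment above `@{gdm_share_dirs}` saying so would stop them from being re-added later.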
@@ -14,14 +14,14 @@ @{XDG_DOWNLOAD_DIR}+=".tb/tor-browser/Browser/Downloads" # Other user directories -@{user_desktop_dirs}=@{HOME}/@{XDG_DESKTOP_DIR} @{MOUNTS}/@{XDG_DESKTOP_DIR} -@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR} -@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} -@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} @{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR} +@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR} @{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR} @{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR} @{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR} +@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} +@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} +@{user_vm_shares}=@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR} include if exists diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index ccd6e9cca..58aee3716 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go 
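Review bot: The reordered list drops `@{user_desktop_dirs}` without re-adding it, while the other three removed entries (`download`, `publicshare`, `templates`) reappear lower down; if that removal is unintended, restore `@{user_desktop_dirs}=@{HOME}/@{XDG_DESKTOP_DIR} @{MOUNTS}/@{XDG_DESKTOP_DIR}`. The new `@{user_vm_shares}` entry depends on `@{XDG_VM_SHARES_DIR}`, which is not defined in this hunk and must exist in the included xdg-user-dirs tunable or the file will not parse. Its name also breaks the `user_*_dirs` pattern every neighbouring variable follows; `@{user_vm_shares_dirs}` would be consistent.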
@@ -15,15 +15,15 @@ import ( "github.com/roddhjav/apparmor.d/pkg/logs" ) -const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] +const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. - Default logs are read from '/var/log/audit/audit.log'. Other files in - '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. @@ -55,7 +55,7 @@ func aaLog(logger string, path string, profile string) error { case "systemd": file, err = logs.GetJournalctlLogs(path, since, !slices.Contains(logs.LogFiles, path)) default: - err = fmt.Errorf("logger %s not supported", logger) + err = fmt.Errorf("Logger %s not supported.", logger) } if err != nil { return err diff --git a/cmd/aa/main.go b/cmd/aa/main.go index b0737de77..5f7dd6396 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -8,9 +8,6 @@ import ( "flag" "fmt" "os" - "os/exec" - "regexp" - "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" @@ -18,14 +15,12 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" ) -const usage = `aa [-h] [--lint | --format | --tree | --complain | --enfore] [-s] [-F file] [profiles...] +const usage = `aa [-h] [--lint | --format | --tree] [-s] [-F file] [profiles...] Various AppArmor profiles development tools Options: -h, --help Show this help message and exit. - -e, --enforce Switch the given profile(s) to enforce mode. - -c, --complain Switch the given profile(s) to complain mode. -f, --format Format the AppArmor profiles. -l, --lint Lint the AppArmor profiles. -t, --tree Generate a tree of visited profiles. 
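Review bot: The synopsis loses `[--since]`, yet `since` is still passed to `logs.GetJournalctlLogs(path, since, …)` in the second hunk of this file, so either the flag still exists and the help text is now incomplete, or it was removed and the variable is dead; the two should agree. If the option remains, restore `[--since]` in the usage line and keep its entry in the Options list. The `usage` constant continues past the end of this hunk.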
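Review bot: `fmt.Errorf("Logger %s not supported.", logger)` capitalises the error and ends it with a period, which Go's error-string convention (staticcheck ST1005) discourages because errors are wrapped or printed after other text; the removed `fmt.Errorf("logger %s not supported", logger)` was already conformant. The body of aaLog continues outside this hunk.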
@@ -36,19 +31,12 @@ Options: // Command line options var ( - help bool - path string - systemd bool - enforce bool - complain bool - lint bool - format bool - tree bool -) - -var ( - regFlags = regexp.MustCompile(`flags=\(([^)]+)\) `) - regProfileHeader = regexp.MustCompile(` {\n`) + help bool + path string + systemd bool + lint bool + format bool + tree bool ) type kind uint8 @@ -72,10 +60,6 @@ func init() { flag.StringVar(&path, "file", "", "Set a logfile or a suffix to the default log file.") flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.") flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.") - flag.BoolVar(&enforce, "e", false, "Switch the given profile to enforce mode.") - flag.BoolVar(&enforce, "enforce", false, "Switch the given profile to enforce mode.") - flag.BoolVar(&complain, "c", false, "Switch the given profile to complain mode.") - flag.BoolVar(&complain, "complain", false, "Switch the given profile to complain mode.") } func getIndentationLevel(input string) int { @@ -127,7 +111,7 @@ func formatFile(kind kind, profile string) (string, error) { for idx, rules := range rulesByParagraph { aa.IndentationLevel = getIndentationLevel(paragraphs[idx]) rules = rules.Merge().Sort().Format() - fmt.Printf(rules.String() + "\n") + profile = strings.Replace(profile, paragraphs[idx], rules.String()+"\n", -1) } return profile, nil } 
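Review bot: `strings.Replace(profile, paragraphs[idx], rules.String()+"\n", -1)` replaces every occurrence of the paragraph text rather than the one at `idx`; if two paragraphs are byte-identical, or an earlier replacement's output contains a later paragraph's text, the loop rewrites the wrong span and can apply a replacement twice. Rebuilding the result from the paragraph list (each formatted paragraph joined back in order) avoids searching the already-mutated string. formatFile starts before this hunk, so how `paragraphs` and `rulesByParagraph` are derived is not visible here.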
@@ -168,95 +152,17 @@ func aaFormat(files paths.PathList) error { return nil } -func aaLint(files paths.PathList) error { - for _, file := range files { - fmt.Printf("wip: %v\n", file) - } - return nil -} - -func setFlag(profile string, flag string) (string, error) { - f := aa.DefaultTunables() - if _, err := f.Parse(profile); err != nil { - return profile, err - } - - flags := f.GetDefaultProfile().Flags - switch flag { - case "enforce": - if len(flags) == 0 || slices.Contains(flags, "enforce") { - return profile, nil // Nothing to do - } - idx := slices.Index(flags, "complain") - if idx == -1 { - return profile, nil // No complain flag, nothing to do - } - flags = slices.Delete(flags, idx, idx+1) - - case "complain": - if slices.Contains(flags, "complain") { - return profile, nil // Nothing to do - } - flags = append(flags, "complain") - - default: - return profile, fmt.Errorf("unknown flag: %s", flag) - } - strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" - - // Remove all flags definition, then the new flags - profile = regFlags.ReplaceAllLiteralString(profile, "") - if len(flags) > 0 { - profile = regProfileHeader.ReplaceAllLiteralString(profile, strFlags) - } - return profile, nil -} - -func aaSetFlag(files paths.PathList, flag string) error { - for _, file := range files { - profile, err := file.ReadFileAsString() - if err != nil { - return err - } - profile, err = setFlag(profile, flag) - if err != nil { - return err - } - if err = file.WriteFile([]byte(profile)); err != nil { - return err - } - if err = reloadProfile(file); err != nil { - return err - } - } - return nil -} - func aaTree() error { return nil } -func reloadProfile(file *paths.Path) error { - cmd := exec.Command("apparmor_parser", "--replace", file.String()) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - if err := cmd.Run(); err != nil { - return fmt.Errorf("apparmor_parser failed: %w", err) - } - return nil -} - func pathsFromArgs() (paths.PathList, error) { res := 
paths.PathList{} for _, arg := range flag.Args() { path := paths.New(arg) switch { case !path.Exist(): - if aa.MagicRoot.Join(arg).Exist() { - res = append(res, aa.MagicRoot.Join(arg)) - } else { - return nil, fmt.Errorf("file %s not found", path) - } + return nil, fmt.Errorf("file %s not found", path) case path.IsDir(): files, err := path.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), @@ -284,26 +190,7 @@ func main() { var err error var files paths.PathList switch { - case enforce: - files, err = pathsFromArgs() - if err != nil { - logging.Fatal("%s", err.Error()) - } - err = aaSetFlag(files, "enforce") - - case complain: - files, err = pathsFromArgs() - if err != nil { - logging.Fatal("%s", err.Error()) - } - err = aaSetFlag(files, "complain") - case lint: - files, err = pathsFromArgs() - if err != nil { - logging.Fatal("%s", err.Error()) - } - err = aaLint(files) case format: files, err = pathsFromArgs() diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 455621e5b..3f2dd9f43 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -5,6 +5,8 @@ package main import ( + "slices" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" "github.com/roddhjav/apparmor.d/pkg/prebuild/cli" @@ -16,9 +18,6 @@ func init() { // Define the default ABI prebuild.ABI = 4 - // Define the default version - prebuild.Version = 4.1 - // Define the tasks applied by default prepare.Register( "synchronise", // Initialize a new clean apparmor.d build directory 
@@ -32,40 +31,26 @@ func init() { // Build tasks applied by default builder.Register( - "userspace", // Resolve variable in profile attachments - "hotfix", // Temporary fix for #74, #80 & #235 - "base-strict", // Use base-strict as base abstraction + "userspace", // Resolve variable in profile attachments + "hotfix", // Temporary fix for #74, #80 & #235 ) - // Matrix of ABI/Apparmor version to integrate with + // Compatibility with AppArmor 3 switch prebuild.Distribution { case "arch": case "ubuntu": - switch prebuild.Release["VERSION_CODENAME"] { - case "jammy": + if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) { prebuild.ABI = 3 - prebuild.Version = 3.0 - case "noble": - prebuild.ABI = 4 - prebuild.Version = 4.0 - case "questing": - prebuild.ABI = 4 - prebuild.Version = 5.0 } case "debian": - switch prebuild.Release["VERSION_CODENAME"] { - case "bullseye", "bookworm": - prebuild.ABI = 3 - prebuild.Version = 3.0 - } + prebuild.ABI = 3 case "whonix": prebuild.ABI = 3 - prebuild.Version = 3.0 - // Hide rewritten Whonix profiles + // Hide rewrittem Whonix profiles prebuild.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure /etc/apparmor.d/home.tor-browser.firefox /etc/apparmor.d/tunables/homsanitycheck @@ -82,6 +67,5 @@ func init() { } func main() { - cli.Configure() cli.Prebuild() } diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go new file mode 100644 index 000000000..d3c28f025 --- /dev/null +++ b/cmd/prebuild/main_test.go 
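Review bot: `!slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"])` is a one-element membership test that reads more directly as `prebuild.Release["VERSION_CODENAME"] != "noble"`, and it is the only use justifying the new `slices` import added in the first hunk of this file. The comment `// Hide rewrittem Whonix profiles` has a typo: `rewritten`. The `case "debian":` branch now forces ABI 3 for every Debian release; a one-line comment naming the newest release this was checked against would make the assumption reviewable, since the package-wide default set above is ABI 4.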
@@ -0,0 +1,56 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package main + +import ( + "os" + "os/exec" + "testing" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +func chdirGitRoot() { + cmd := exec.Command("git", "rev-parse", "--show-toplevel") + out, err := cmd.Output() + if err != nil { + panic(err) + } + root := string(out[0 : len(out)-1]) + if err := os.Chdir(root); err != nil { + panic(err) + } +} + +func Test_main(t *testing.T) { + tests := []struct { + name string + dist string + }{ + { + name: "Build for Archlinux", + dist: "arch", + }, + { + name: "Build for Ubuntu", + dist: "ubuntu", + }, + { + name: "Build for Debian", + dist: "debian", + }, + { + name: "Build for OpenSUSE Tumbleweed", + dist: "opensuse", + }, + } + chdirGitRoot() + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + prebuild.Distribution = tt.dist + main() + }) + } +} diff --git a/debian/apparmor.d.hide b/debian/apparmor.d.hide index 8fc1d019d..20725a133 100644 --- a/debian/apparmor.d.hide +++ b/debian/apparmor.d.hide @@ -1 +1 @@ -# This file is generated by "just", all edit will be lost. +# This file is generated by "make", all edit will be lost. diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 840f3196b..4e659173c 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -7,7 +7,6 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service || true +systemctl is-active -q apparmor && systemctl reload apparmor ||: exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 840f3196b..4e659173c 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -7,7 +7,6 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service || true +systemctl is-active -q apparmor && systemctl reload apparmor ||: exit 0 
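Review bot: `root := string(out[0 : len(out)-1])` assumes `git rev-parse` printed at least one byte and that the last byte is the trailing newline; on empty output it panics with a slice bounds error, and `strings.TrimSpace(string(out))` says what is meant. `chdirGitRoot` also panics rather than failing the test, and it changes the process working directory without restoring it, which leaks into every other test in the package; taking `t`, using `t.Fatal` and registering a `t.Cleanup` that changes back contains both problems (this needs a `strings` import). `Test_main` likewise sets the package-level `prebuild.Distribution` per case and never resets it, and if `main()` ever exits via `os.Exit` the remaining subtests are skipped without a failure.
```go
func chdirGitRoot(t *testing.T) {
	t.Helper()
	out, err := exec.Command("git", "rev-parse", "--show-toplevel").Output()
	if err != nil {
		t.Fatalf("git rev-parse: %v", err)
	}
	orig, err := os.Getwd()
	if err != nil {
		t.Fatal(err)
	}
	if err := os.Chdir(strings.TrimSpace(string(out))); err != nil {
		t.Fatal(err)
	}
	t.Cleanup(func() { _ = os.Chdir(orig) })
}
// … unchanged: Test_main table; call becomes chdirGitRoot(t) …
```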
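Review bot: `systemctl is-active -q apparmor && systemctl reload apparmor ||:` calls systemctl directly from a maintainer script, whereas the removed `deb-systemd-invoke reload apparmor.service || true` honours `policy-rc.d` and the debhelper conventions for not touching services inside chroots and image builds; the identical replacement is made in `debian/apparmor.d.postrm` just below. Dropping `apparmor_parser --purge-cache` also means the compiled-policy cache is no longer invalidated on upgrade or removal, so a stale cache entry could be reloaded if the parser's own cache validation does not detect the changed profiles — worth confirming against the AppArmor versions this package targets.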
diff --git a/debian/control b/debian/control index 85c4d3786..3d15800b8 100644 --- a/debian/control +++ b/debian/control @@ -6,18 +6,19 @@ Build-Depends: debhelper (>= 13.4), debhelper-compat (= 13), golang-any, config-package-dev, - just, Homepage: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Git: https://github.com/roddhjav/apparmor.d.git -Standards-Version: 4.6.0 +Standards-Version: 4.5.0 Rules-Requires-Root: no Package: apparmor.d Architecture: any -Depends: apparmor-profiles +Depends: + apparmor-profiles, + ${shlibs:Depends} Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra -Description: Full set of AppArmor profiles (~ 2000 profiles) - apparmor.d is a set of over 2000 AppArmor profiles whose aim is to confine +Description: Full set of AppArmor profiles (~ 1500 profiles) + apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. diff --git a/debian/rules b/debian/rules index d78e652ca..a30a693df 100755 --- a/debian/rules +++ b/debian/rules @@ -9,9 +9,5 @@ # golang/1.19 compresses debug symbols itself. override_dh_dwz: -override_dh_auto_build: - just complain - -override_dh_auto_install: - just destdir="${CURDIR}/debian/apparmor.d" install - +# do not run 'make check' by default as it can be long for dev package +override_dh_auto_test: diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index d60841581..339d88036 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -15,7 +15,6 @@ URL: https://github.com/roddhjav/apparmor.d Source0: %{name}-%{version}.tar.gz Requires: apparmor-profiles BuildRequires: distribution-release -BuildRequires: just BuildRequires: golang-packaging BuildRequires: apparmor-profiles 
@@ -26,14 +25,14 @@ AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most %autosetup %build -just complain +%make_build %install -just destdir="%{buildroot}" install +%make_install %posttrans -apparmor_parser --purge-cache -%restart_on_update apparmor +rm -f /var/cache/apparmor/* 2>/dev/null +systemctl is-active -q apparmor && systemctl reload apparmor ||: %files %license LICENSE diff --git a/dists/build.sh b/dists/build.sh index e33c48695..523bf8ca4 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: just [ dpkg | pkg | rpm ] +# Usage: make [ dpkg | pkg | rpm ] set -eu -o pipefail @@ -16,11 +16,11 @@ readonly VERSION main() { case "$COMMAND" in pkg) - PKGDEST="$OUTPUT" BUILDDIR=/tmp/makepkg makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar + PKGDEST="$OUTPUT" makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar ;; dpkg) - dch --newversion="$VERSION-1" --urgency=medium --distribution="$(lsb_release -sc)" --controlmaint "Release $VERSION-1" + dch --newversion="$VERSION-1" --urgency=medium --distribution=stable --controlmaint "Release $VERSION-1" dpkg-buildpackage -b -d --no-sign lintian || true mv ../"${PKGNAME}_${VERSION}-1"_*.deb "$OUTPUT" diff --git a/dists/docker.sh b/dists/docker.sh index 45191adb8..4dd958759 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -3,10 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: -# just package ubuntu24 -# just package archlinux -# just package opensuse +# Usage: make package dist= set -eu -o pipefail 
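Review bot: `rm -f /var/cache/apparmor/* 2>/dev/null` is not a reliable stand-in for the removed `apparmor_parser --purge-cache`: recent AppArmor releases keep the cache in per-feature-set subdirectories under `/var/cache/apparmor/`, which `rm -f` without `-r` cannot remove, and the redirect hides that failure. Use `apparmor_parser --purge-cache ||:` so the parser removes whatever layout it created. The `systemctl is-active -q apparmor && systemctl reload apparmor ||:` line mirrors the Debian maintainer scripts in this diff; the removed `%restart_on_update apparmor` macro performed the running-service check through the distribution's own conventions and is the expected primitive in an openSUSE spec.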
@@ -17,15 +14,14 @@ readonly VOLUME=/tmp/build readonly BUILDIR=/home/build/tmp readonly OUTDIR=".pkg" readonly OUTPUT="$PWD/$OUTDIR" -readonly DISTRIBUTION="${1:-}" -readonly RELEASE="${2:-}" +readonly COMMAND="$1" VERSION="0.$(git rev-list --count HEAD)" PACKAGER="$(git config user.name) <$(git config user.email)>" readonly VERSION PACKAGER _start() { local img="$1" - docker start "$img" || return 1 + docker start "$img" } _is_running() { @@ -65,7 +61,6 @@ build_in_docker_makepkg() { --env PKGDEST="$BUILDIR" --env PACKAGER="$PACKAGER" \ --env BUILDDIR=/tmp/build \ "$BASEIMAGE/$dist" - docker exec "$img" sudo pacman -Sy --noconfirm --noprogressbar fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg @@ -73,24 +68,21 @@ build_in_docker_makepkg() { } build_in_docker_dpkg() { - local img dist="$1" target="$1" release="$2" + local dist="$1" target="$1" + local img="$PREFIX$dist" [[ "$dist" == whonix ]] && dist=debian - [[ "$release" == "13" ]] && release=trixie - img="$PREFIX$dist$release" if _exist "$img"; then if ! _is_running "$img"; then _start "$img" fi else - docker pull "$BASEIMAGE/$dist:$release" + docker pull "$BASEIMAGE/$dist" docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ - --env DISTRIBUTION="$target" "$BASEIMAGE/$dist:$release" + --env DISTRIBUTION="$target" "$BASEIMAGE/$dist" docker exec "$img" sudo apt-get update -q - docker exec "$img" sudo apt-get install -y config-package-dev lsb-release libdistro-info-perl - if [[ "$dist" == debian && "$release" == "12" ]]; then - aptopt=(-t bookworm-backports) - fi + docker exec "$img" sudo apt-get install -y config-package-dev rsync + [[ "$dist" == debian ]] && aptopt=(-t bookworm-backports) docker exec "$img" sudo apt-get install -y "${aptopt[@]}" golang-go fi 
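Review bot: `docker pull "$BASEIMAGE/$dist"` and the matching `docker run` now use an untagged image, i.e. `latest`, where the removed lines pinned `:$release`; the build base can then change underneath the package silently, and `bookworm-backports` is now added whenever `$dist == debian` regardless of which Debian release the image actually is. Pinning a tag, or better a digest, restores a reproducible build. With `set -u` in force and `aptopt` only assigned on the Debian branch, `"${aptopt[@]}"` is an unbound-variable error on bash releases before 4.4 for the ubuntu and whonix targets; initialise `aptopt=()` before the conditional. build_in_docker_dpkg continues past the end of this hunk.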
@@ -110,7 +102,7 @@ build_in_docker_rpm() { docker pull "$BASEIMAGE/$dist" docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \ "$BASEIMAGE/$dist" - docker exec "$img" sudo zypper install -y distribution-release golang-packaging apparmor-profiles + docker exec "$img" sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh rpm @@ -118,19 +110,20 @@ build_in_docker_rpm() { } main() { - case "$DISTRIBUTION" in + case "$COMMAND" in archlinux) - build_in_docker_makepkg "$DISTRIBUTION" + # build_in_docker_makepkg "$COMMAND" + PKGDEST="$OUTPUT" makepkg -Cf ;; debian | ubuntu | whonix) sync - build_in_docker_dpkg "$DISTRIBUTION" "$RELEASE" + build_in_docker_dpkg "$COMMAND" ;; opensuse) sync - build_in_docker_rpm "$DISTRIBUTION" + build_in_docker_rpm "$COMMAND" ;; *) ;; diff --git a/dists/flags/main.flags b/dists/flags/main.flags index cd9a0e5a6..ac4547850 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -1,9 +1,15 @@ # Common profile flags definition for all distributions # File format: one profile by line using the format: ' ' +bwrap attach_disconnected,mediate_deleted,complain +bwrap-app attach_disconnected,mediate_deleted,complain +default attach_disconnected,mediate_deleted,complain +default-sudo attach_disconnected,complain systemd attach_disconnected,mediate_deleted,complain +systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain +aa-notify complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain @@ -22,7 +28,6 @@ akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain anacron complain -apt-methods-sqv complain at complain atd complain auditctl attach_disconnected,complain 
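Review bot: `# build_in_docker_makepkg "$COMMAND"` leaves the container build as commented-out code beside the host-side `PKGDEST="$OUTPUT" makepkg -Cf` that replaces it, so a reader cannot tell whether the container path is deprecated or temporarily disabled; either delete the line or replace it with a comment explaining why the Arch package is built on the host while the dpkg and rpm branches still build in containers. Building on the host also means `makepkg` sees the developer's environment and installed packages rather than a clean `$BASEIMAGE` image, which is the reproducibility property the other two branches keep.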
@@ -35,9 +40,12 @@ avahi-resolve complain avahi-set-host-name complain baloo complain baloorunner complain +busctl complain calibre complain cc-remote-login-helper complain cctk complain +child-modprobe-nvidia attach_disconnected,complain +child-open attach_disconnected,complain cockpit-askpass complain cockpit-bridge complain cockpit-certificate-ensure attach_disconnected,complain @@ -46,7 +54,7 @@ cockpit-desktop complain cockpit-session attach_disconnected,complain cockpit-ssh complain cockpit-tls attach_disconnected,complain -cockpit-ws attach_disconnected,complain +cockpit-ws complain cockpit-wsinstance-factory complain cups-backend-beh complain cups-backend-bluetooth complain @@ -70,12 +78,8 @@ cups-notifier-rss complain cups-pk-helper-mechanism complain cupsd attach_disconnected,complain ddcutil complain -deb-systemd-helper complain -deb-systemd-invoke complain -debconf-escape complain -decibels complain dino attach_disconnected,complain -discord attach_disconnected,complain +discord complain discord-chrome-sandbox complain DiscoverNotifier complain dkms attach_disconnected,complain @@ -83,14 +87,6 @@ dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain -dpkg-db-backup complain -dpkg-maintscript-helper complain -dpkg-script-apparmor complain -dpkg-script-kmod complain -dpkg-script-linux complain -dpkg-script-systemd complain -dpkg-scripts complain -dracut-install complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain 
@@ -103,31 +99,41 @@ fail2ban-client attach_disconnected,complain fail2ban-server attach_disconnected,complain fdisk complain filezilla complain -finalrd complain firewall-applet attach_disconnected,complain firewall-config complain +firewalld attach_disconnected,complain flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain flatpak-oci-authenticator complain +flatpak-portal attach_disconnected,complain flatpak-session-helper attach_disconnected,complain flatpak-system-helper complain flatpak-validate-icon complain +fstrim complain fuse-overlayfs complain -gdk-pixbuf-thumbnailer complain +fusermount complain gdm-generate-config complain gdm-runtime-config complain gdm-session attach_disconnected,complain gdm-xsession complain +gimp complain gmenudbusmenuproxy complain gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain +gnome-disks complain gnome-extension-gsconnect complain gnome-extension-manager complain gnome-initial-setup complain +gnome-music attach_disconnected,complain +gnome-photos-thumbnailer complain gnome-remote-desktop-daemon complain +gnome-software complain +gnome-system-monitor attach_disconnected,complain +gnome-terminal-server complain +gnome-tweaks complain grub-bios-setup complain grub-editenv complain grub-file complain @@ -157,11 +163,12 @@ grub-set-default complain grub-syslinux2cfg complain gsd-printer attach_disconnected,complain gsd-wwan complain +gsettings complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain -hyprctl attach_disconnected,complain -hyprlock attach_disconnected,complain +hyprctl complain +hyprlock complain hyprpaper attach_disconnected,complain hyprpicker complain hyprpm complain 
@@ -171,6 +178,7 @@ im-launch complain install-info complain iwctl complain iwd complain +jitterentropy-rngd complain kaccess complain kactivitymanagerd complain kalendarac complain @@ -185,20 +193,13 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain -kdestroy complain -kdump_mem_estimator complain -kdump-config attach_disconnected,complain -kdump-tools-init complain,attach_disconnected -kernel complain kernel-install complain -kernel-postinst-kdump complain keyboxd complain kglobalacceld complain -kinit complain +kgx complain kio_http_cache_cleaner complain kiod complain kioworker complain -klist complain konsole attach_disconnected,mediate_deleted,complain kscreen_backend_launcher complain kscreen_osd_service complain @@ -216,14 +217,8 @@ libreoffice complain libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain -lightdm-session complain -linux-check-removal complain -linux-update-symlinks complain locale-gen complain localectl complain -localsearch complain -localsearch-control complain -localsearch-writeback complain login attach_disconnected,complain loginctl complain low-memory-monitor attach_disconnected,complain @@ -233,16 +228,14 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdadm attach_disconnected,complain -mdadm-mkconf complain +mdevctl complain +metadata-cleaner attach_disconnected,complain +mke2fs complain ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain multipathd complain -needrestart-hook complain -needrestart-notify complain -needrestart-restart complain -netplan attach_disconnected,complain +netplan.script attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain nm-online complain 
@@ -254,10 +247,9 @@ nvidia-persistenced complain ollama attach_disconnected,complain os-prober attach_disconnected,complain pam_kwallet_init complain -papers complain +pam-tmpdir-helper complain passimd attach_disconnected,complain -pkla-admin-identities complain -pkla-check-authorization complain +pidof complain pkttyagent complain plank complain plasma_waitforname complain @@ -268,10 +260,6 @@ plymouth complain plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted -pollinate complain -ptyxis complain -ptyxis-agent complain -pycompile complain qdbus complain remmina complain run-parts complain @@ -281,19 +269,23 @@ sddm attach_disconnected,mediate_deleted,complain sddm-greeter complain secure-time-sync attach_disconnected,complain sftp-server complain +signal-desktop attach_disconnected,complain +signal-desktop-chrome-sandbox complain sing-box complain slirp4netns attach_disconnected,complain -snap attach_disconnected,complain +snap complain +snap-bootstrap complain snap-device-helper complain snap-discard-ns complain snap-failure complain -snap-seccomp attach_disconnected,complain +snap-repair complain +snap-seccomp complain snap-update-ns complain snapd complain snapd-apparmor complain +snapd-core-fixup complain snapshot complain speech-dispatcher complain -sshd-auth complain ssservice complain startplasma complain startx attach_disconnected,complain @@ -312,14 +304,12 @@ swtpm complain swtpm_ioctl complain swtpm_localca complain swtpm_setup complain -sysstat-sa complain -sysstat-sadc complain systemd-analyze complain systemd-ask-password complain systemd-binfmt attach_disconnected,complain systemd-cgls complain systemd-cgtop complain -systemd-cryptsetup attach_disconnected,complain +systemd-cryptsetup complain systemd-dissect attach_disconnected,complain systemd-escape complain systemd-generator-bless-boot attach_disconnected,complain 
@@ -329,66 +319,42 @@ systemd-generator-debug attach_disconnected,complain systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain -systemd-generator-environment-snapd attach_disconnected,complain -systemd-generator-friendly-recovery attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain systemd-generator-hibernate-resume attach_disconnected,complain -systemd-generator-import attach_disconnected,complain systemd-generator-integritysetup attach_disconnected,complain -systemd-generator-openvpn attach_disconnected,complain systemd-generator-ostree attach_disconnected,complain -systemd-generator-rc-local attach_disconnected,complain systemd-generator-run attach_disconnected,complain -systemd-generator-snapd attach_disconnected,complain -systemd-generator-ssh attach_disconnected,complain -systemd-generator-sshd-socket attach_disconnected,complain systemd-generator-system-update attach_disconnected,complain -systemd-generator-sysv attach_disconnected,complain -systemd-generator-tpm2 attach_disconnected,complain -systemd-generator-user-autostart attach_disconnected,complain -systemd-generator-user-environment attach_disconnected,complain +systemd-generator-user-autostart complain +systemd-generator-user-environment complain systemd-generator-veritysetup attach_disconnected,complain systemd-homed attach_disconnected,complain systemd-homework complain systemd-inhibit attach_disconnected,complain -systemd-initctl attach_disconnected,complain -systemd-journald attach_disconnected,mediate_deleted systemd-mount complain -systemd-network-generator attach_disconnected,complain -systemd-nsresourced attach_disconnected,complain -systemd-nsresourcework complain +systemd-network-generator complain systemd-portabled complain +systemd-remount-fs complain 
+systemd-resolve complain systemd-shutdown complain systemd-sleep-tlp complain systemd-socket-proxyd complain systemd-udevd attach_disconnected,complain -systemd-user-sessions attach_disconnected,complain +systemd-user-sessions complain systemd-userwork attach_disconnected,complain systemsettings complain telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain -ucf complain -ucfq complain -ucfr complain -udev-ata_id complain -udev-bcache-export-cached complain -udev-cdrom_id complain udev-dmi-memory-id complain -udev-fido_id complain -udev-hdparm complain -udev-probe-bcache complain udisksctl complain udisksd attach_disconnected,complain ufw complain -update-catalog complain update-grub complain -update-info-dir complain update-secureboot-policy complain -update-shells complain -userdbctl attach_disconnected,complain +userdbctl complain utempter attach_disconnected,complain veracrypt complain virt-manager attach_disconnected,complain @@ -400,21 +366,18 @@ virtnodedevd attach_disconnected,complain virtsecretd attach_disconnected,complain virtstoraged attach_disconnected,complain waybar attach_disconnected,complain -wechat attach_disconnected,complain -wechat-appimage attach_disconnected,complain +wg complain wg-quick complain -whoopsie complain -whoopsie-preferences complain wsdd complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain xdg-desktop-portal-kde complain xdg-desktop-portal-rewrite-launchers complain -xdg-desktop-portal-validate-icon attach_disconnected,complain xdg-user-dirs-gtk-update complain xdm-xsession complain xembedsniproxy complain xfce-session attach_disconnected,complain xsettingsd complain +xwaylandvideobridge complain zpool complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index 125575ce1..a6d6bcc85 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags 
@@ -1,15 +1,12 @@
 apport attach_disconnected,complain
 apport-checkreports complain
 apport-gtk complain
-apt_news attach_disconnected,complain
 apt-esm-hook complain
 apt-esm-json-hook complain
 apt-helper complain
 check-new-release-gtk complain
 do-release-upgrade complain
 dpkg-genbuildinfo complain
-esm_cache complain
-fanctl attach_disconnected,complain
 hwe-support-status complain
 list-oem-metapackages complain
 livepatch-notification complain
@@ -21,7 +18,6 @@ software-properties-gtk complain
 ubuntu-advantage complain
 ubuntu-advantage-notification complain
 ubuntu-distro-info complain
-ubuntu-fan-net attach_disconnected,complain
 ubuntu-report complain
 update-manager attach_disconnected,complain
 update-motd-fsck-at-reboot complain
diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore
index 0665edf85..917b117f1 100644
--- a/dists/ignore/main.ignore
+++ b/dists/ignore/main.ignore
@@ -2,13 +2,21 @@
 # File format: one ignore by line, it can be a profile name or a directory to ignore
 # Contains profiles and configuration for full system confinement, only included
-# when built with 'just fsp'
+# when built with 'make full'
 apparmor.d/groups/_full
 # Provided by other packages
 man
 # Work in progress profiles
-apparmor.d/groups/steam
 dunst
 plasma-discover
+steam
+steam-fossilize
+steam-game-native
+steam-game-proton
+steam-gameoverlayui
+steam-launch
+steam-launcher
+steam-runtime
+steamerrorreporter
diff --git a/dists/overwrite b/dists/overwrite
index 70ee1cc41..767c07312 100644
--- a/dists/overwrite
+++ b/dists/overwrite
@@ -1,12 +1,11 @@
-# Apparmor 4.0 and over ships a few profiles that can conflict with apparmor.d
-# This file keeps track of them and allow apparmor.d to replace them by our own.
+# Apparmor 4.0 ships several profiles that allow userns and are otherwise
+# unconfined. This file keeps track of them and allow apparmor.d to replace
+# them by our own.
 # File format: one profile name by line.
-# Overwrite unconfined upstream profiles that only allow userns
 brave
 chrome
 chromium
-cockpit-desktop
 element-desktop
 epiphany
 firefox
@@ -14,31 +13,13 @@ flatpak
 foliate
 loupe
 msedge
-mullvad
 nautilus
 opera
-os-prober
 plasmashell
 signal-desktop
 slirp4netns
 systemd-coredump
 thunderbird
-virtiofsd
-
-# Overwrite upstreamed profiles, our local version may be more up to date
-unix-chkpwd
-
-# Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while
-# They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones:
-# - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile
-# - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go)
-fusermount3
-lsblk
-lsusb
-openvpn
-remmina
 transmission
-wg-quick
-systemd-detect-virt # Missing integration with @{p_systemd}
-hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables
-
+unix-chkpwd
+virtiofsd
diff --git a/docs/assets/avatar-icon.png b/docs/assets/avatar-icon.png
deleted file mode 100644
index 80170da1e..000000000
Binary files a/docs/assets/avatar-icon.png and /dev/null differ
diff --git a/docs/configuration.md b/docs/configuration.md
index 5e1c7992f..e3fbba5ea 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
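Review bot: The new header comment says every listed profile is an upstream one that "allow userns and are otherwise unconfined", yet `unix-chkpwd` is appended to the same list, and the removed side kept it under its own group with a different reason (`# Overwrite upstreamed profiles, our local version may be more up to date`). This file decides which upstream AppArmor profiles are silently replaced, so the per-entry justification is security-relevant documentation and should not be flattened; I would keep a one-line comment above each group explaining why the local profile wins. The entries for `hostname` and `systemd-detect-virt` are also gone while the removed comments explain that the upstream versions conflict with apparmor.d's `@{bin}` tunable and `@{p_systemd}` integration; if those conflicts still exist, the upstream profiles will now be the ones loaded.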
@@ -32,7 +32,7 @@ The profiles heavily use the **largely extended** [XDG directory variables](#xdg ``` 3. Then restart the AppArmor service to reload the profiles in the kernel: ```sh - sudo systemctl reload apparmor.service + sudo systemctl restart apparmor.service ``` ### Profile Additions @@ -41,7 +41,7 @@ You can extend any profile with your own rules by creating a file in the `/etc/a **Example** -By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behavior by creating a local profile addition file for `nautilus`: +By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behaviour by creating a local profile addition file for `nautilus`: 1. Create the file `/etc/apparmor.d/local/nautilus` and add the following rules in it: ```sh @@ -55,7 +55,7 @@ By default, `nautilus` (and any file browser) only allows access to user files. ``` 2. Then restart the AppArmor service to reload the profiles in the kernel: ```sh - sudo systemctl reload apparmor.service + sudo systemctl restart apparmor.service ``` ### XDG variables 
@@ -143,7 +143,7 @@ Please ensure that all personal directories you are using are well-defined XDG d | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | - | Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | + | Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | @@ -152,7 +152,7 @@ Please ensure that all personal directories you are using are well-defined XDG d | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | - | Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | + | Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | 
@@ -189,7 +189,7 @@ Common mount points are defined in the `@{MOUNTS}` variable. If you mount a disk If you mount a disk on `/ssd/`, add the following to `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d/local`: ```sh -@{MOUNTS}+=/ssd/ +@{MOUNT}+=/ssd/ ``` - - /* Hide the edit button */ - .md-typeset .md-content__button { - display: none; - } +**Full set of AppArmor profiles** - /* Hide the date of revision */ - .md-source-file { - display: none; - } +!!! danger "Help Wanted" - /* Get started button */ - .md-typeset .md-button--primary { - color: var(--md-primary-fg-color); - background-color: var(--md-primary-bg-color); - border-color: var(--md-primary-bg-color); - } + This project is still in its early development. Help is very welcome; see [Development](development/index.md) - .md-typeset .md-button--primary:hover { - color: var(--md-primary-bg-color); - background-color: var(--md-primary-fg-color); - border-color: var(--md-primary-bg-color); - } +**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. - .tx-hero { - max-width: 700px; - display: flex; - padding: .4rem; - margin: 0 auto; - text-align: center; - } +### Purpose - .tx-hero h1 { - font-weight: 700; - font-size: 38px; - line-height: 46px; - } +- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` +- Confine all Desktop environments +- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` +- Confine some *"special"* user applications: web browsers, file managers, etc +- Should not break a normal usage of the confined software - .tx-hero p { - color: var(--md-primary-bg-color--light); - font-weight: 400; - font-size: 20px; - line-height: 32px; - } +See the [Concepts](concepts.md)' page for more detail on the architecture. 
- .tx-hero__image { - max-width: 1350px; - min-width: 600px; - width: 100%; - height: auto; - margin: 0 auto; - display: flex; - align-items: stretch; - } +### Goals - .tx-hero__image img { - width: 100%; - height: 100%; - min-width: 0; - } +- Target both desktops and servers +- Support for all distributions that support AppArmor: + * [:material-arch: Arch Linux](install.md#archlinux) + * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) + * [:material-debian: Debian 12](install.md#debian) + * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) +- Support for all major desktop environments: + - [x] :material-gnome: Gnome (GDM) + - [x] :simple-kde: KDE (SDDM) + - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* +- Fully tested *(work in progress)* - .image-wrapper img { - width: 100%; - height: 100%; - min-width: 0; - } +### Presentations - .main_logo { - fill: var(--md-primary-bg-color); - width: 30%; - } +Building the largest set of AppArmor profiles: - +- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* +- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* -
-
-
-
- -

apparmor.d

-

Full set of AppArmor policies

-

apparmor.d is a collection of AppArmor profiles designed to restrict the behavior of Linux applications and processes.

-

Its goal is to confine everything, targeting both desktops and servers across all distributions that support AppArmor.

- - Get started - - - - Demo Server - - -
-
-
-
+### Chat + +A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org diff --git a/docs/install.md b/docs/install.md index a56599c22..91b0b4ae6 100644 --- a/docs/install.md +++ b/docs/install.md @@ -36,8 +36,7 @@ The following desktop environments are supported: **Build dependency** -* Go >= 1.23 -* [just](https://github.com/casey/just) >= 1.40.0 +* Go >= 1.21 ## Configure AppArmor @@ -85,21 +84,12 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - just dpkg - ``` - - !!! note - - **Ubuntu 24.04 user will need to:** - - Install [just](https://github.com/casey/just). E.g: - ```sh - pipx install rust-just + make dpkg ``` !!! warning - **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. + **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting `DISTRIBUTION=ubuntu`. 
@@ -120,29 +110,22 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - just dpkg + make dpkg ``` !!! note - **Debian 12 user will need to:** + You may need golang from the backports repository to build: - 1. Install Golang from the backports repository: ```sh echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list sudo apt update sudo apt install -t bookworm-backports golang-go ``` - 2. Install [just](https://github.com/casey/just) locally, and ignore the dependence. E.g: - ```sh - pipx install rust-just - sed '/just/d' -i debian/control - ``` - !!! warning - **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. + **Beware**: do not install a `.deb` made for Ubuntu on Debian, the packages are different. If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`. 
@@ -161,20 +144,20 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. ```sh - just complain - sudo just local profile-names... + make + sudo make profile-names... ``` !!! warning Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) - For instance, `sudo just local pass` gives: + For instance, `sudo make pass` gives: ```sh Warning: profile dependencies fallback to unconfined. @{bin}/wl-{copy,paste} rPx, @{bin}/xclip rPx, - @{python_path} rPx -> pass-import, # pass-import + @{bin}/python3.@{int} rPx -> pass-import, # pass-import @{pager_path} rPx -> child-pager, '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' ``` diff --git a/docs/issues.md b/docs/issues.md index 2f38f4c5a..1db3b195a 100644 --- a/docs/issues.md +++ b/docs/issues.md 
@@ -6,19 +6,6 @@ title: Known issues Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. -## Ubuntu - -### Dbus - -Ubuntu fully supports dbus mediation with apparmor. If it is a value added by Ubuntu from other distributions, it can also lead to some breakage if you enforce some profiles. *Do not enforce the rules on Ubuntu Desktop.* - -Note: Ubuntu server has been more tested and will work without issues with enforced rules. - -### Snap - -Apparmor.d needs to be fully integrated with snap, otherwise your snap applications may not work properly. As of today, it is a work in progress. - - ## Complain mode A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: @@ -27,3 +14,20 @@ A profile in *complain* mode cannot break the program it confines. However, ther 2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, 3. If AppArmor does not find the profile to transition `rPx`. +## Pacman "could not get current working directory" + +```sh +$ sudo pacman -Syu +... +error: could not get current working directory +:: Processing package changes... +... +``` + +This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory. + +According to the Arch Linux guideline, on Arch Linux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory. + +This provides a basic protection against some packages (on the AUR) that may have rogue install script. + +[pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman diff --git a/docs/overview.md b/docs/overview.md deleted file mode 100644 index 20a5a454f..000000000 --- a/docs/overview.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -title: Overview ---- - -!!! danger "Help Wanted" - - This project is still in its early development. Help is very welcome; see [Development](development/index.md) - -**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. - -### Purpose - -- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` -- Confine all Desktop environments -- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` -- Confine some *"special"* user applications: web browsers, file managers, etc -- Should not break a normal usage of the confined software - -See the [Concepts](concepts.md)' page for more detail on the architecture. - -### Goals - -- Target both desktops and servers -- Support for all distributions that support AppArmor: - * [:material-arch: Arch Linux](install.md#archlinux) - * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) - * [:material-debian: Debian 12/13](install.md#debian) - * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) -- Support for all major desktop environments: - - [x] :material-gnome: Gnome (GDM) - - [x] :simple-kde: KDE (SDDM) - - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* -- [Fully tested](development/tests.md) - -### Demo - -You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. 
You can try it online on my AppArmor play machine at https://play.pujol.io/ - -### Presentations - -Building the largest set of AppArmor profiles: - -- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* -- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* - -Lessons learned while making an AppArmor Play machine: - -- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* - -### Chat - -A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org diff --git a/docs/usage.md b/docs/usage.md index 372762998..e73439efc 100644 --- a/docs/usage.md +++ b/docs/usage.md 
@@ -116,15 +116,15 @@ profile dnsmasq { ### Help ``` -aa-log [-h] [--systemd] [--file file] [--rules | --raw] [--since] [profile] +aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] - Review AppArmor generated messages in a colorful way. It supports logs from + Review AppArmor generated messages in a colorful way. Supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. - Default logs are read from '/var/log/audit/audit.log'. Other files in - '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' + Default logs are read from '/var/log/audit/audit.log'. Other files in + '/var/log/audit/' can easily be checked: 'aa-log -f 1' parses 'audit.log.1' Options: -h, --help Show this help message and exit. @@ -132,5 +132,4 @@ Options: -s, --systemd Parse systemd logs from journalctl. -r, --rules Convert the log into AppArmor rules. -R, --raw Print the raw log without any formatting. - -S, --since DATE Show entries not older than the specified date. ``` diff --git a/docs/variables.md b/docs/variables.md index 1bcee8f93..ef2533c0f 100644 --- a/docs/variables.md +++ b/docs/variables.md @@ -29,7 +29,7 @@ title: Variables References | Sync | `@{XDG_SYNC_DIR}` | `Sync` | | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | | Vm | `@{XDG_VM_DIR}` | `.vm` | -| Vm Shares | `@{XDG_VMSHARE_DIR}` | `VM_Shares` | +| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` | | Disk images | `@{XDG_IMG_DIR}` | `images` | | Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` | 
@@ -85,7 +85,7 @@ title: Variables References | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | -| Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | +| Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | @@ -94,7 +94,7 @@ title: Variables References | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | -| Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR}` | +| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | @@ -168,8 +168,7 @@ title: Variables References | Home directories | `@{HOME}` | `@{HOMEDIRS}/*/ /root/` | | Root Mountpoints | `@{MOUNTDIRS}` | `/media/ @{run}/media/@{user}/ /mnt/` | | Mountpoints directories | `@{MOUNTS}` | `@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/` | -| Bin | `@{bin}` | `/{usr/,}bin` | -| Sbin | `@{sbin}` | `/{usr/,}sbin` | +| Bin | `@{bin}` | `/{usr/,}{s,}bin` | | Lib | `@{lib}` | `/{usr/,}lib{,exec,32,64}` | | multi-arch library | `@{multiarch}` | `*-linux-gnu*` | | Proc | `@{PROC}` | `/proc/` | 
diff --git a/go.mod b/go.mod
index 3bea9f548..f98df5c19 100644
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,3 @@
 module github.com/roddhjav/apparmor.d
-go 1.23.0
+go 1.22
diff --git a/mkdocs.yml b/mkdocs.yml
index e5244a529..9390b3dde 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -15,7 +15,7 @@ repo_url: https://github.com/roddhjav/apparmor.d
 edit_uri: edit/main/docs/
 # Copyright
-copyright: Copyright © 2021-2025 Alexandre Pujol
+copyright: Copyright © 2021-2024 Alexandre Pujol
 # Configuration
 theme:
@@ -138,7 +138,6 @@ nav:
 - Home:
 - index.md
 - Getting Started:
- - overview.md
 - concepts.md
 - install.md
 - configuration.md
@@ -153,7 +152,6 @@ nav:
 - recovery.md
 - Development:
 - development/index.md
- - development/roadmap.md
 - Profiles:
 - development/workflow.md
 - development/guidelines.md
@@ -162,9 +160,6 @@ nav:
 - development/directives.md
 - development/dbus.md
 - development/recommendations.md
- - Packages:
- - development/build.md
 - Tests:
 - development/tests.md
- - development/vm.md
 - development/integration.md
diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go
index 94e232c81..a887d4b98 100644
--- a/pkg/aa/apparmor.go
+++ b/pkg/aa/apparmor.go
@@ -5,39 +5,12 @@
 package aa
 import (
- "strings"
-
 "github.com/roddhjav/apparmor.d/pkg/paths"
 )
-// MagicRoot is the default Apparmor magic directory: /etc/apparmor.d/.
+// Default Apparmor magic directory: /etc/apparmor.d/.
 var MagicRoot = paths.New("/etc/apparmor.d")
-// FileKind represents an AppArmor file kind.
-type FileKind uint8
-
-const (
- ProfileKind FileKind = iota
- AbstractionKind
- TunableKind
-)
-
-func KindFromPath(file *paths.Path) FileKind {
- dirname := file.Parent().String()
- switch {
- case strings.Contains(dirname, "abstractions"):
- return AbstractionKind
- case strings.Contains(dirname, "tunables"):
- return TunableKind
- case strings.Contains(dirname, "local"):
- return AbstractionKind
- case strings.Contains(dirname, "mappings"):
- return AbstractionKind
- default:
- return ProfileKind
- }
-}
-
 // AppArmorProfileFiles represents a full set of apparmor profiles
 type AppArmorProfileFiles map[string]*AppArmorProfileFile
@@ -60,9 +33,8 @@ func DefaultTunables() *AppArmorProfileFile {
 return &AppArmorProfileFile{
 Preamble: Rules{
 &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true},
- &Variable{Name: "bin", Values: []string{"/{,usr/}bin"}, Define: true},
+ &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true},
 &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true},
- &Variable{Name: "dpkg_script_ext", Values: []string{"config", "templates", "preinst", "postinst", "prerm", "postrm"}, Define: true},
 &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true},
 &Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true},
 &Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true},
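Review bot: The replacement doc comment `// Default Apparmor magic directory: /etc/apparmor.d/.` no longer begins with the identifier it documents, which is the Go convention that `go doc` and the usual linters rely on, so `go doc aa.MagicRoot` prints a fragment. I would keep the form of the removed line, `// MagicRoot is the default AppArmor magic directory: /etc/apparmor.d/.`. Removing `KindFromPath` together with the `FileKind` constants also removes the only place in this file that tells abstractions and tunables apart from profiles by directory; if another package still relies on that classification, nothing in this hunk shows its replacement.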
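Review bot: Redefining `bin` as `/{,usr/}{,s}bin` makes every `@{bin}/…` file and exec rule in every profile also match `/sbin` and `/usr/sbin`, and with no separate `sbin` variable left there is no way to write a rule that matches only `/usr/bin/foo` when a differently-privileged `/usr/sbin/foo` exists. That is a broad, silent widening of the path set behind this tunable rather than a local change, and a reader of `DefaultTunables` cannot tell it is intentional. If it is, I would say so on the line, e.g. `// bin deliberately covers sbin too: @{bin}/x also matches /usr/sbin/x`, and consider keeping an `sbin` variable for the profiles that need the narrower match. `DefaultTunables` continues outside this hunk.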
@@ -76,9 +48,7 @@ func DefaultTunables() *AppArmorProfileFile {
 &Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true},
 &Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true},
 &Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}, Define: true},
- &Variable{Name: "user", Values: []string{"[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}"}, Define: true},
 &Variable{Name: "version", Values: []string{"@{int}{.@{int},}{.@{int},}{-@{rand},}"}, Define: true},
- &Variable{Name: "w", Values: []string{"[a-zA-Z0-9_]"}, Define: true},
 },
 }
 }
diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go
index 172cfc2b5..0cc74d438 100644
--- a/pkg/aa/apparmor_test.go
+++ b/pkg/aa/apparmor_test.go
@@ -211,7 +211,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) {
 &Include{IsMagic: true, Path: "tunables/global"},
 &Variable{
 Name: "exec_path", Define: true,
- Values: []string{"@{sbin}/aa-status", "@{sbin}/apparmor_status"},
+ Values: []string{"@{bin}/aa-status", "@{bin}/apparmor_status"},
 },
 },
 Profiles: []*Profile{{
@@ -223,11 +223,11 @@ func TestAppArmorProfileFile_Integration(t *testing.T) {
 &Include{IfExists: true, IsMagic: true, Path: "local/aa-status"},
 &Capability{Names: []string{"dac_read_search"}},
 &File{Path: "@{exec_path}", Access: []string{"m", "r"}},
- &File{Path: "@{PROC}/@{pid}/attr/apparmor/current", Access: []string{"r"}},
+ &File{Path: "@{PROC}/@{pids}/attr/apparmor/current", Access: []string{"r"}},
 &File{Path: "@{PROC}/", Access: []string{"r"}},
 &File{Path: "@{sys}/module/apparmor/parameters/enabled", Access: []string{"r"}},
 &File{Path: "@{sys}/kernel/security/apparmor/profiles", Access: []string{"r"}},
- &File{Path: "@{PROC}/@{pid}/attr/current", Access: []string{"r"}},
+ &File{Path: "@{PROC}/@{pids}/attr/current", Access: []string{"r"}},
 &Include{IsMagic: true, Path: "abstractions/consoles"},
 &File{Owner: true, Path: "@{PROC}/@{pid}/mounts", Access: []string{"r"}},
 &Include{IsMagic: true, Path: "abstractions/base"},
@@ -237,7 +237,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) {
 },
 }},
 },
- want: mustReadProfileFile(intData.Join("groups/apparmor/aa-status")),
+ want: mustReadProfileFile(intData.Join("profiles-a-f/aa-status")),
 },
 }
 for _, tt := range tests {
diff --git a/pkg/aa/base.go b/pkg/aa/base.go
index a712a5899..609525111 100644
--- a/pkg/aa/base.go
+++ b/pkg/aa/base.go
@@ -99,20 +99,19 @@ func (r Base) addLine(other Rule) bool {
 }
 type Qualifier struct {
- Priority string
 Audit bool
 AccessType string
 }
 func newQualifierFromLog(log map[string]string) Qualifier {
- audit := log["apparmor"] == "AUDIT"
+ audit := false
+ if log["apparmor"] == "AUDIT" {
+ audit = true
+ }
 return Qualifier{Audit: audit}
 }
 func (r Qualifier) Compare(o Qualifier) int {
- if r := compare(r.Priority, o.Priority); r != 0 {
- return r
- }
 if r := compare(r.Audit, o.Audit); r != 0 {
 return r
 }
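Review bot: In `newQualifierFromLog`, `audit := false` followed by `if log["apparmor"] == "AUDIT" { audit = true }` is a four-line spelling of one boolean expression; the removed one-liner `audit := log["apparmor"] == "AUDIT"` is the idiomatic Go form and the branch adds nothing. Dropping `Priority` from `Qualifier` also drops it from `Compare` and `Equal`, and the `Merge` methods elsewhere in this package gate on `Qualifier.Equal`, so two rules that differ only by an AppArmor `priority=` prefix would now merge into one; that is harmless only if no code path still reads that prefix, which this hunk does not show. `Qualifier.Compare` continues outside this hunk.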
@@ -120,7 +119,7 @@ func (r Qualifier) Compare(o Qualifier) int {
 }
 func (r Qualifier) Equal(o Qualifier) bool {
- return r.Priority == o.Priority && r.Audit == o.Audit && r.AccessType == o.AccessType
+ return r.Audit == o.Audit && r.AccessType == o.AccessType
 }
 func (r Qualifier) getLenAudit() int {
diff --git a/pkg/aa/blocks.go b/pkg/aa/blocks.go
index d0826dfa2..901fdaae8 100644
--- a/pkg/aa/blocks.go
+++ b/pkg/aa/blocks.go
@@ -27,21 +27,21 @@ func (p *Hat) String() string {
 return renderTemplate(p.Kind(), p)
 }
-func (p *Hat) Validate() error {
+func (r *Hat) Validate() error {
 return nil
 }
-func (p *Hat) Compare(other Rule) int {
+func (r *Hat) Compare(other Rule) int {
 o, _ := other.(*Hat)
- return compare(p.Name, o.Name)
+ return compare(r.Name, o.Name)
 }
-func (p *Hat) Merge(other Rule) bool {
+func (r *Hat) Merge(other Rule) bool {
 return false // Never merge hat blocks
 }
-func (p *Hat) Lengths() []int {
+func (r *Hat) Lengths() []int {
 return []int{} // No len for hat
 }
-func (p *Hat) setPaddings(max []int) {} // No paddings for hat
+func (r *Hat) setPaddings(max []int) {} // No paddings for hat
diff --git a/pkg/aa/capability.go b/pkg/aa/capability.go
index a55f8bc9b..b1ba27c6a 100644
--- a/pkg/aa/capability.go
+++ b/pkg/aa/capability.go
@@ -84,8 +84,8 @@ func (r *Capability) Merge(other Rule) bool {
 func (r *Capability) Lengths() []int {
 return []int{
- r.getLenAudit(),
- r.getLenAccess(),
+ r.Qualifier.getLenAudit(),
+ r.Qualifier.getLenAccess(),
 length("", r.Names),
 }
 }
diff --git a/pkg/aa/change_profile.go b/pkg/aa/change_profile.go
index 5334b343c..769427024 100644
--- a/pkg/aa/change_profile.go
+++ b/pkg/aa/change_profile.go
@@ -106,8 +106,8 @@ func (r *ChangeProfile) Merge(other Rule) bool {
 func (r *ChangeProfile) Lengths() []int {
 return []int{
- r.getLenAudit(),
- r.getLenAccess(),
+ r.Qualifier.getLenAudit(),
+ r.Qualifier.getLenAccess(),
 length("", r.ExecMode),
 length("", r.Exec),
 length("", r.ProfileName),
diff --git a/pkg/aa/data_test.go b/pkg/aa/data_test.go
index 28aa703d6..b96fd865f 100644
--- a/pkg/aa/data_test.go
+++ b/pkg/aa/data_test.go
@@ -65,34 +65,8 @@ var (
 "denied_mask": "create",
 "comm": "sddm-greeter",
 }
- network3Log = map[string]string{
- "apparmor": "ALLOWED",
- "class": "net",
- "operation": "sendmsg",
- "info": "failed af match",
- "error": "-13",
- "profile": "unattended-upgrade",
- "comm": "unattended-upgr",
- "laddr": "127.0.0.1",
- "lport": "57007",
- "faddr": "127.0.0.53",
- "saddr": "127.0.0.1",
- "src": "57007",
- "fport": "53",
- "sock_type": "dgram",
- "protocol": "17",
- "requested": "send",
- "denied": "send",
- }
 network1 = &Network{Domain: "netlink", Type: "raw", Protocol: "15"}
 network2 = &Network{Domain: "inet", Type: "dgram"}
- network3 = &Network{
- Base: Base{Comment: " failed af match"},
- LocalAddress: LocalAddress{IP: "127.0.0.1", Port: "57007"},
- PeerAddress: PeerAddress{IP: "127.0.0.53", Port: "53", Src: "127.0.0.1"},
- Type: "dgram",
- Protocol: "17",
- }
 // Mount
 mount1Log = map[string]string{
diff --git a/pkg/aa/dbus.go b/pkg/aa/dbus.go
index fa4ec7ec4..79072925f 100644
--- a/pkg/aa/dbus.go
+++ b/pkg/aa/dbus.go
@@ -125,7 +125,7 @@ func (r *Dbus) Compare(other Rule) int {
 func (r *Dbus) Merge(other Rule) bool {
 o, _ := other.(*Dbus)
- if !r.Equal(o.Qualifier) {
+ if !r.Qualifier.Equal(o.Qualifier) {
 return false
 }
 if r.Bus == o.Bus && r.Name == o.Name && r.Path == o.Path &&
diff --git a/pkg/aa/file.go b/pkg/aa/file.go
index 091f9436f..36c7101a4 100644
--- a/pkg/aa/file.go
+++ b/pkg/aa/file.go
@@ -168,7 +168,7 @@ func (r *File) Compare(other Rule) int {
 func (r *File) Merge(other Rule) bool {
 o, _ := other.(*File)
- if !r.Equal(o.Qualifier) {
+ if !r.Qualifier.Equal(o.Qualifier) {
 return false
 }
 if r.Owner == o.Owner && r.Path == o.Path && r.Target == o.Target {
@@ -189,8 +189,8 @@ func (r *File) Lengths() []int {
 lenPath = length("", r.Path)
 }
 return []int{
- r.getLenAudit(),
- r.getLenAccess(),
+ r.Qualifier.getLenAudit(),
+ r.Qualifier.getLenAccess(),
 length("owner", r.Owner),
 lenPath,
 }
@@ -212,7 +212,7 @@ func (r *File) addLine(other Rule) bool {
 letterJ := getLetterIn(fileAlphabet, other.(*File).Path)
 groupI, ok1 := fileAlphabetGroups[letterI]
 groupJ, ok2 := fileAlphabetGroups[letterJ]
- return letterI != letterJ && (!ok1 || !ok2 || groupI != groupJ)
+ return letterI != letterJ && !(ok1 && ok2 && groupI == groupJ)
 }
 type Link struct {
@@ -314,8 +314,8 @@ func (r *Link) Merge(other Rule) bool {
 func (r *Link) Lengths() []int {
 return []int{
- r.getLenAudit(),
- r.getLenAccess(),
+ r.Qualifier.getLenAudit(),
+ r.Qualifier.getLenAccess(),
 length("owner", r.Owner),
 length("subset", r.Subset),
 length("", r.Path),
diff --git a/pkg/aa/io_uring.go b/pkg/aa/io_uring.go
index 76e9e172d..3346ed4c6 100644
--- a/pkg/aa/io_uring.go
+++ b/pkg/aa/io_uring.go
@@ -78,7 +78,7 @@ func (r *IOUring) Compare(other Rule) int {
 func (r *IOUring) Merge(other Rule) bool {
 o, _ := other.(*IOUring)
- if !r.Equal(o.Qualifier) {
+ if !r.Qualifier.Equal(o.Qualifier) {
 return false
 }
 if r.Label == o.Label {
@@ -91,8 +91,8 @@ func (r *IOUring) Merge(other Rule) bool {
 func (r *IOUring) Lengths() []int {
 return []int{
- r.getLenAudit(),
- r.getLenAccess(),
+ r.Qualifier.getLenAudit(),
+ r.Qualifier.getLenAccess(),
 length("", r.Access),
 length("label=", r.Label),
 }
diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go
index 72719414d..a9d8dbeaf 100644
--- a/pkg/aa/mount.go
+++ b/pkg/aa/mount.go
@@ -29,7 +29,7 @@ func init() { "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand", - "norelatime", "nosuid", "nosymfollow", "nouser", "private", "rbind", "relatime", + "norelatime", "nosuid", "nouser", "private", "rbind", "relatime", "remount", "rprivate", "rshared", "rslave", "runbindable", "shared", "silent", "slave", "strictatime", "suid", "sync", "unbindable", "user", "verbose", @@ -181,7 +181,7 @@ func (r *Mount) Merge(other Rule) bool { o, _ := other.(*Mount) mc := &r.MountConditions - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.Source == o.Source && r.MountPoint == o.MountPoint && @@ -194,10 +194,10 @@ func (r *Mount) Merge(other Rule) bool { func (r *Mount) Lengths() []int { return []int{ - r.getLenAudit(), - r.getLenAccess(), - r.getLenFsType(), - r.getLenOptions(), + r.Qualifier.getLenAudit(), + r.Qualifier.getLenAccess(), + r.MountConditions.getLenFsType(), + r.MountConditions.getLenOptions(), length("", r.Source), length("", r.MountPoint), } @@ -278,7 +278,7 @@ func (r *Umount) Merge(other Rule) bool { o, _ := other.(*Umount) mc := &r.MountConditions - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.MountPoint == o.MountPoint && mc.Merge(o.MountConditions) { @@ -290,10 +290,10 @@ func (r *Umount) Merge(other Rule) bool { func (r *Umount) Lengths() []int { return []int{ - r.getLenAudit(), - r.getLenAccess(), - r.getLenFsType(), - r.getLenOptions(), + r.Qualifier.getLenAudit(), + r.Qualifier.getLenAccess(), + r.MountConditions.getLenFsType(), + r.MountConditions.getLenOptions(), length("", r.MountPoint), } } 
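Review bot: Any `mount options=(... nosymfollow ...)` rule will now be rejected by `toValues` as an unrecognized option, because `nosymfollow` is dropped from the allowed list in the `init()` hunk while every neighbouring option is kept. `nosymfollow` is a real mount option (Linux 5.10+), so unless a sweep of the profile tree confirmed nothing uses it the removal looks accidental. I would restore `"norelatime", "nosuid", "nosymfollow", "nouser", "private", "rbind", "relatime",` or add a comment on the list stating why the option is intentionally unsupported. The `init()` body starts above the hunk.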
@@ -374,7 +374,7 @@ func (r *Remount) Merge(other Rule) bool { o, _ := other.(*Remount) mc := &r.MountConditions - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.MountPoint == o.MountPoint && mc.Merge(o.MountConditions) { @@ -386,10 +386,10 @@ func (r *Remount) Merge(other Rule) bool { func (r *Remount) Lengths() []int { return []int{ - r.getLenAudit(), - r.getLenAccess(), - r.getLenFsType(), - r.getLenOptions(), + r.Qualifier.getLenAudit(), + r.Qualifier.getLenAccess(), + r.MountConditions.getLenFsType(), + r.MountConditions.getLenOptions(), length("", r.MountPoint), } } diff --git a/pkg/aa/mqueue.go b/pkg/aa/mqueue.go index 12ae4bd59..82106ec79 100644 --- a/pkg/aa/mqueue.go +++ b/pkg/aa/mqueue.go @@ -112,7 +112,7 @@ func (r *Mqueue) Compare(other Rule) int { func (r *Mqueue) Merge(other Rule) bool { o, _ := other.(*Mqueue) - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.Type == o.Type && r.Label == o.Label && r.Name == o.Name { @@ -125,8 +125,8 @@ func (r *Mqueue) Merge(other Rule) bool { func (r *Mqueue) Lengths() []int { return []int{ - r.getLenAudit(), - r.getLenAccess(), + r.Qualifier.getLenAudit(), + r.Qualifier.getLenAccess(), length("", r.Access), length("type=", r.Type), length("label=", r.Label), diff --git a/pkg/aa/network.go b/pkg/aa/network.go index 15dd4385e..69bd01c83 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go 
@@ -33,54 +33,34 @@ func init() { } } -type LocalAddress struct { - IP string - Port string +type AddressExpr struct { + Source string + Destination string + Port string } -func newLocalAddressFromLog(log map[string]string) LocalAddress { - return LocalAddress{ - IP: log["laddr"], - Port: log["lport"], +func newAddressExprFromLog(log map[string]string) AddressExpr { + return AddressExpr{ + Source: log["laddr"], + Destination: log["faddr"], + Port: log["lport"], } } -func (r LocalAddress) Compare(other LocalAddress) int { - if res := compare(r.IP, other.IP); res != 0 { +func (r AddressExpr) Compare(other AddressExpr) int { + if res := compare(r.Source, other.Source); res != 0 { + return res + } + if res := compare(r.Destination, other.Destination); res != 0 { return res } return compare(r.Port, other.Port) } -type PeerAddress struct { - IP string - Port string - Src string -} - -func newPeerAddressFromLog(log map[string]string) PeerAddress { - return PeerAddress{ - IP: log["faddr"], - Port: log["fport"], - Src: log["saddr"], - } -} - -func (r PeerAddress) Compare(other PeerAddress) int { - if res := compare(r.IP, other.IP); res != 0 { - return res - } - if res := compare(r.Port, other.Port); res != 0 { - return res - } - return compare(r.Src, other.Src) -} - type Network struct { Base Qualifier - LocalAddress - PeerAddress + AddressExpr Domain string Type string Protocol string @@ -110,13 +90,12 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) { func newNetworkFromLog(log map[string]string) Rule { return &Network{ - Base: newBaseFromLog(log), - Qualifier: newQualifierFromLog(log), - LocalAddress: newLocalAddressFromLog(log), - PeerAddress: newPeerAddressFromLog(log), - Domain: log["family"], - Type: log["sock_type"], - Protocol: log["protocol"], + Base: newBaseFromLog(log), + Qualifier: newQualifierFromLog(log), + AddressExpr: newAddressExprFromLog(log), + Domain: log["family"], + Type: log["sock_type"], + Protocol: log["protocol"], } } 
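Review bot: The peer port (`fport`) and `saddr` that the removed `newPeerAddressFromLog` captured are silently discarded by `newAddressExprFromLog`, which keeps only `laddr`, `faddr` and `lport`, and `AddressExpr` has no field that could hold a peer port. For a DNS-style event (127.0.0.1:57007 to 127.0.0.53:53) the generated rule can therefore no longer express the peer side, which is usually the part worth constraining. If that narrowing is intended, say so on the function (`// Only the local port is kept; fport/saddr are not representable in AddressExpr`); otherwise add a `PeerPort string` populated from `log["fport"]` and include it in `Compare`. The template hunk further down also stops rendering addresses, so whatever is stored here is not emitted either.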
@@ -156,10 +135,7 @@ func (r *Network) Compare(other Rule) int { if res := compare(r.Protocol, o.Protocol); res != 0 { return res } - if res := r.LocalAddress.Compare(o.LocalAddress); res != 0 { - return res - } - if res := r.PeerAddress.Compare(o.PeerAddress); res != 0 { + if res := r.AddressExpr.Compare(o.AddressExpr); res != 0 { return res } return r.Qualifier.Compare(o.Qualifier) @@ -171,8 +147,8 @@ func (r *Network) Merge(other Rule) bool { func (r *Network) Lengths() []int { return []int{ - r.getLenAudit(), - r.getLenAccess(), + r.Qualifier.getLenAudit(), + r.Qualifier.getLenAccess(), length("", r.Domain), length("", r.Type), length("", r.Protocol), diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 3b737abfd..ef8a7acd9 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -15,8 +15,6 @@ const ( tokALLOW = "allow" tokAUDIT = "audit" tokDENY = "deny" - tokPROMPT = "prompt" - tokPRIORITY = "priority" tokARROW = "->" tokEQUAL = "=" tokLESS = "<" @@ -288,7 +286,10 @@ func parseRule(str string) rule { res := make(rule, 0, len(str)/2) tokens := tokenizeRule(str) - inAare := len(tokens) > 0 && (isAARE(tokens[0]) || tokens[0] == tokOWNER) + inAare := false + if len(tokens) > 0 && (isAARE(tokens[0]) || tokens[0] == tokOWNER) { + inAare = true + } for idx, token := range tokens { switch { case token == tokEQUAL, token == tokPLUS+tokEQUAL, token == tokLESS+tokEQUAL: // Variable & Rlimit @@ -513,7 +514,7 @@ func newRules(rules []rule) (Rules, error) { for _, rule := range rules { if len(rule) == 0 { - return nil, fmt.Errorf("empty rule") + return nil, fmt.Errorf("Empty rule") } owner := false @@ -526,11 +527,7 @@ func newRules(rules []rule) (Rules, error) { rule = rule[1:] goto qualifier // Qualifier - case tokPRIORITY: - q.Priority = rule.GetValues(tokPRIORITY).GetString() - rule = rule[1:] - goto qualifier - case tokALLOW, tokDENY, tokPROMPT: + case tokALLOW, tokDENY: q.AccessType = rule.Get(0) rule = rule[1:] goto qualifier 
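Review bot: Capitalised error strings in `newRules` (`fmt.Errorf("Empty rule")`, `fmt.Errorf("Unrecognized rule: %s", rule)`) break the Go convention that error text is lower-case and unpunctuated because it gets wrapped into longer messages; staticcheck's ST1005 flags exactly this and the GitLab pipeline runs golangci-lint. The same change is made in `resolve.go` in this diff. I would keep `fmt.Errorf("empty rule")` and `fmt.Errorf("unrecognized rule: %s", rule)`. Separately, with the `tokPRIORITY` case gone a rule written as `priority=N allow ...` now falls through to the unrecognized-rule error; if priority rules are meant to be unsupported, a dedicated message would make that failure clearer.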
@@ -566,7 +563,7 @@ func newRules(rules []rule) (Rules, error) { // return nil, fmt.Errorf("Unknown rule: %s", rule) } } else { - return nil, fmt.Errorf("unrecognized rule: %s", rule) + return nil, fmt.Errorf("Unrecognized rule: %s", rule) } } } @@ -660,7 +657,7 @@ done: return nb, nil } -// ParseRules parses apparmor profile rules by paragraphs +// Parse apparmor profile rules by paragraphs func ParseRules(input string) (ParaRules, []string, error) { paragraphRules := ParaRules{} paragraphs := []string{} diff --git a/pkg/aa/pivot_root.go b/pkg/aa/pivot_root.go index 8632b4490..2341f4458 100644 --- a/pkg/aa/pivot_root.go +++ b/pkg/aa/pivot_root.go @@ -86,8 +86,8 @@ func (r *PivotRoot) Merge(other Rule) bool { func (r *PivotRoot) Lengths() []int { return []int{ - r.getLenAudit(), - r.getLenAccess(), + r.Qualifier.getLenAudit(), + r.Qualifier.getLenAccess(), length("oldroot=", r.OldRoot), length("", r.NewRoot), length("", r.TargetProfile), diff --git a/pkg/aa/preamble.go b/pkg/aa/preamble.go index 50e7dbef7..4b54954a9 100644 --- a/pkg/aa/preamble.go +++ b/pkg/aa/preamble.go @@ -72,10 +72,10 @@ func newAbi(q Qualifier, rule rule) (Rule, error) { } path := rule.Get(0) - switch path[0] { - case '"': + switch { + case path[0] == '"': magic = false - case '<': + case path[0] == '<': magic = true default: return nil, fmt.Errorf("invalid path %s in rule: %s", path, rule) @@ -198,10 +198,10 @@ func newInclude(rule rule) (Rule, error) { } path := r[0] - switch path[0] { - case '"': + switch { + case path[0] == '"': magic = false - case '<': + case path[0] == '<': magic = true default: return nil, fmt.Errorf("invalid path format: %v", path) diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index 5d097cad9..30e8b106f 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go 
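Review bot: The tagless `switch { case path[0] == '"': ... case path[0] == '<':` in `newAbi` and `newInclude` repeats the index expression in every case and reads as an if-chain; the tagged `switch path[0] {` with `case '"':` / `case '<':` that it replaces is the idiomatic form and I would revert to it. Both functions also index `path[0]` unguarded, so if `rule.Get(0)` or `r[0]` can ever be an empty string this panics instead of returning the `invalid path` error — worth confirming, since any guard would sit above the hunk where each function begins.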
@@ -81,19 +81,19 @@ func (p *Profile) String() string { return renderTemplate(p.Kind(), p) } -func (p *Profile) Validate() error { - if err := validateValues(p.Kind(), tokFLAGS, p.Flags); err != nil { - return fmt.Errorf("profile %s: %w", p.Name, err) +func (r *Profile) Validate() error { + if err := validateValues(r.Kind(), tokFLAGS, r.Flags); err != nil { + return fmt.Errorf("profile %s: %w", r.Name, err) } - return p.Rules.Validate() + return r.Rules.Validate() } -func (p *Profile) Compare(other Rule) int { +func (r *Profile) Compare(other Rule) int { o, _ := other.(*Profile) - if res := compare(p.Name, o.Name); res != 0 { + if res := compare(r.Name, o.Name); res != 0 { return res } - return compare(p.Attachments, o.Attachments) + return compare(r.Attachments, o.Attachments) } func (p *Profile) Merge(other Rule) bool { @@ -103,11 +103,11 @@ func (p *Profile) Merge(other Rule) bool { return false } -func (p *Profile) Lengths() []int { +func (r *Profile) Lengths() []int { return []int{} // No len for profile } -func (p *Profile) setPaddings(max []int) {} // No paddings for profile +func (r *Profile) setPaddings(max []int) {} // No paddings for profile func (p *Profile) Sort() { p.Rules = p.Rules.Sort() @@ -140,16 +140,10 @@ func (p *Profile) GetAttachments() string { var ( newLogMap = map[string]func(log map[string]string) Rule{ // class - "rlimits": newRlimitFromLog, - "namespace": newUsernsFromLog, - "cap": newCapabilityFromLog, - "net": func(log map[string]string) Rule { - if log["family"] == "unix" { - return newUnixFromLog(log) - } else { - return newNetworkFromLog(log) - } - }, + "rlimits": newRlimitFromLog, + "namespace": newUsernsFromLog, + "cap": newCapabilityFromLog, + "net": newNetworkFromLog, "posix_mqueue": newMqueueFromLog, "sysv_mqueue": newMqueueFromLog, "signal": newSignalFromLog, 
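Review bot: `*Profile` now has two receiver names: `Validate`, `Compare`, `Lengths` and `setPaddings` are renamed to `r` while `String`, `Merge` and `Sort` in the context lines of the same hunk keep `p`. Go style (and revive's `receiver-naming` check, which golangci-lint can enable) expects one receiver name per type. Either rename every `*Profile` method in this commit or leave them all as `p`; `func (p *Profile) Merge(other Rule) bool {` is the first one left behind.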
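Review bot: A `family=unix` audit event will now be turned into a `network` rule instead of a `unix` rule, because the `"net"` entry of `newLogMap` routes every `class=net` event to `newNetworkFromLog` and the family dispatch to `newUnixFromLog` is removed. `Unix` remains a distinct rule type in this package (see the `unix.go` hunks), so this is a behaviour change in rule generation rather than a refactor. If it is intentional, a comment on the map entry saying unix events are deliberately folded into `network` would stop the next reader from "fixing" it; otherwise keep the family check.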
@@ -182,7 +176,6 @@ var ( "open": newFileFromLog, "rename_dest": newFileFromLog, "rename_src": newFileFromLog, - "rmdir": newFileFromLog, "truncate": newFileFromLog, "unlink": newFileFromLog, } @@ -226,7 +219,7 @@ func (p *Profile) AddRule(log map[string]string) { case strings.Contains(log["operation"], "dbus"): p.Rules = append(p.Rules, newDbusFromLog(log)) default: - fmt.Printf("unknown log type: %s:%v\n", log["operation"], log) + fmt.Printf("unknown log type: %s\n", log["operation"]) } } } diff --git a/pkg/aa/ptrace.go b/pkg/aa/ptrace.go index 7e0990fe8..91547087c 100644 --- a/pkg/aa/ptrace.go +++ b/pkg/aa/ptrace.go @@ -80,7 +80,7 @@ func (r *Ptrace) Compare(other Rule) int { func (r *Ptrace) Merge(other Rule) bool { o, _ := other.(*Ptrace) - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.Peer == o.Peer { @@ -93,8 +93,8 @@ func (r *Ptrace) Merge(other Rule) bool { func (r *Ptrace) Lengths() []int { return []int{ - r.getLenAudit(), - r.getLenAccess(), + r.Qualifier.getLenAudit(), + r.Qualifier.getLenAccess(), length("", r.Access), length("peer=", r.Peer), } diff --git a/pkg/aa/resolve.go b/pkg/aa/resolve.go index 8dc09b2c6..6ce768bc0 100644 --- a/pkg/aa/resolve.go +++ b/pkg/aa/resolve.go @@ -80,7 +80,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) { values := []string{} match := regVariableReference.FindStringSubmatch(input) if len(match) == 0 { - return nil, fmt.Errorf("invalid variable reference: %s", input) + return nil, fmt.Errorf("Invalid variable reference: %s", input) } variable := match[0] @@ -105,7 +105,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) { } if !found { - return nil, fmt.Errorf("variable %s not defined", varname) + return nil, fmt.Errorf("Variable %s not defined", varname) } return values, nil } 
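Review bot: A directory-removal denial no longer produces a `File` rule now that `"rmdir"` is gone from `newLogMap`; it reaches the `default:` branch of `AddRule` in the next hunk, which only prints `unknown log type: rmdir` — and that diagnostic was itself trimmed in this diff to drop the `log` map, so the event's path is lost as well. `rmdir` is a real AppArmor file operation alongside `unlink`, which is kept. I would restore `"rmdir": newFileFromLog,` and keep the map in the message (`fmt.Printf("unknown log type: %s:%v\n", log["operation"], log)`) so an unmapped operation can still be debugged.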
@@ -113,7 +113,7 @@ func (f *AppArmorProfileFile) resolveValues(input string) ([]string, error) { // resolveInclude resolves all includes defined in the profile preamble func (f *AppArmorProfileFile) resolveInclude(include *Include) error { if include == nil || include.Path == "" { - return fmt.Errorf("invalid include: %v", include) + return fmt.Errorf("Invalid include: %v", include) } _, isCached := includeCache[include] diff --git a/pkg/aa/resolve_test.go b/pkg/aa/resolve_test.go index 1e4a54fe5..5c9c9026f 100644 --- a/pkg/aa/resolve_test.go +++ b/pkg/aa/resolve_test.go @@ -85,7 +85,7 @@ func TestAppArmorProfileFile_resolveValues(t *testing.T) { { name: "simple", input: "@{bin}/foo", - want: []string{"/{,usr/}bin/foo"}, + want: []string{"/{,usr/}{,s}bin/foo"}, }, { name: "double", diff --git a/pkg/aa/rlimit.go b/pkg/aa/rlimit.go index 29c617ff1..d7b9a0518 100644 --- a/pkg/aa/rlimit.go +++ b/pkg/aa/rlimit.go @@ -45,8 +45,8 @@ func newRlimit(q Qualifier, rule rule) (Rule, error) { func newRlimitFromLog(log map[string]string) Rule { return &Rlimit{ Base: newBaseFromLog(log), - Key: log["rlimit"], - Op: "<=", + Key: log["key"], + Op: log["op"], Value: log["value"], } } diff --git a/pkg/aa/rule_test.go b/pkg/aa/rule_test.go index ed6e7043d..ee50532a9 100644 --- a/pkg/aa/rule_test.go +++ b/pkg/aa/rule_test.go @@ -216,17 +216,6 @@ var ( wMerge: false, wString: "network netlink raw,", }, - { - name: "network3", - fromLog: newNetworkFromLog, - log: network3Log, - rule: network3, - wValidErr: true, - other: network1, - wCompare: -7, - wMerge: false, - wString: "network dgram ip=127.0.0.1 port=57007 peer=(ip=127.0.0.53, port=53), # failed af match", - }, { name: "mount", fromLog: newMountFromLog, diff --git a/pkg/aa/signal.go b/pkg/aa/signal.go index 319e16584..c0fa4e1be 100644 --- a/pkg/aa/signal.go +++ b/pkg/aa/signal.go 
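Review bot: `newRlimitFromLog` will produce empty `Key` and `Op` values if the audit record uses the kernel's `rlimit=`/`value=` field names, because it now reads `log["key"]` and `log["op"]`; as far as I recall the AppArmor resource audit callback emits exactly `rlimit=... value=...` with no `key` or `op` field, which is what the removed `Key: log["rlimit"], Op: "<="` matched. Unless the log pre-processing in `pkg/logs` renames those fields (not visible here), keep the original keys and the constant operator. A `data_test.go` fixture built from a real `operation="setrlimit"` line would pin this either way; `rlimit.go` gained no test in this diff.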
@@ -106,7 +106,7 @@ func (r *Signal) Compare(other Rule) int { func (r *Signal) Merge(other Rule) bool { o, _ := other.(*Signal) - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } switch { @@ -124,8 +124,8 @@ func (r *Signal) Merge(other Rule) bool { func (r *Signal) Lengths() []int { return []int{ - r.getLenAudit(), - r.getLenAccess(), + r.Qualifier.getLenAudit(), + r.Qualifier.getLenAccess(), length("", r.Access), length("set=", r.Set), length("peer=", r.Peer), diff --git a/pkg/aa/templates/rule/network.j2 b/pkg/aa/templates/rule/network.j2 index 3694442be..6f2503a8b 100644 --- a/pkg/aa/templates/rule/network.j2 +++ b/pkg/aa/templates/rule/network.j2 @@ -15,22 +15,6 @@ {{ " " }}{{ . }} {{- end -}} {{- end -}} - {{- with .LocalAddress.IP -}} - {{ " ip=" }}{{ . }} - {{- end -}} - {{- with .LocalAddress.Port -}} - {{ " port=" }}{{ . }} - {{- end -}} - {{- if and .PeerAddress.IP .PeerAddress.Port -}} - {{ " peer=(ip=" }}{{ .PeerAddress.IP }}{{ ", port="}}{{ .PeerAddress.Port }}{{ ")" }} - {{- else -}} - {{- with .PeerAddress.IP -}} - {{ " peer=(ip=" }}{{ . }}{{ ")" }} - {{- end -}} - {{- with .PeerAddress.Port -}} - {{ " peer=(port=" }}{{ . }}{{ ")" }} - {{- end -}} - {{- end -}} {{- "," -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file diff --git a/pkg/aa/templates/rule/qualifier.j2 b/pkg/aa/templates/rule/qualifier.j2 index 69181051a..a0ff554ec 100644 --- a/pkg/aa/templates/rule/qualifier.j2 +++ b/pkg/aa/templates/rule/qualifier.j2 @@ -3,9 +3,6 @@ {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} {{- define "qualifier" -}} - {{- with .Priority -}} - {{- "priority=" -}}{{ . }}{{ " " }} - {{- end -}} {{- if .Audit -}} {{- "audit " -}} {{- end -}} diff --git a/pkg/aa/unix.go b/pkg/aa/unix.go index 1e8a99298..3b14c2984 100644 --- a/pkg/aa/unix.go +++ b/pkg/aa/unix.go 
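Review bot: An `ip=`/`peer=` constraint on a `Network` rule is now silently dropped on output: `AddressExpr` (Source/Destination/Port, per the `network.go` hunk) is still parsed and stored, but with the address block removed from `network.j2` nothing renders it, so a rule read from a profile or a log is re-emitted broader than it was written. A dropped constraint in a generated AppArmor rule widens the policy, which is the wrong failure direction. If address expressions are meant to be unsupported, `newNetwork` (or `Validate`) should reject them with an error; otherwise the `{{- with .AddressExpr.Source -}}{{ " ip=" }}{{ . }}{{- end -}}` style rendering and its peer counterpart need to come back.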
@@ -124,7 +124,7 @@ func (r *Unix) Compare(other Rule) int { func (r *Unix) Merge(other Rule) bool { o, _ := other.(*Unix) - if !r.Equal(o.Qualifier) { + if !r.Qualifier.Equal(o.Qualifier) { return false } if r.Type == o.Type && r.Protocol == o.Protocol && r.Address == o.Address && @@ -139,8 +139,8 @@ func (r *Unix) Merge(other Rule) bool { func (r *Unix) Lengths() []int { return []int{ - r.getLenAudit(), - r.getLenAccess(), + r.Qualifier.getLenAudit(), + r.Qualifier.getLenAccess(), length("", r.Access), length("type=", r.Type), length("protocol=", r.Protocol), diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 523eb99fe..485478fef 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -148,10 +148,9 @@ func validateValues(kind Kind, key string, values []string) error { func tokenToSlice(token string) []string { res := []string{} - token = strings.Trim(token, "()\n ") + token = strings.Trim(token, "()\n") if strings.ContainsAny(token, ", ") { var sep string - token = strings.ReplaceAll(token, " ", " ") switch { case strings.Contains(token, ","): sep = "," @@ -183,7 +182,7 @@ func toValues(kind Kind, key string, input string) ([]string, error) { continue } if !slices.Contains(req, res[idx]) { - return nil, fmt.Errorf("unrecognized %s for rule %s: %s", key, kind, res[idx]) + return nil, fmt.Errorf("unrecognized %s: %s", key, res[idx]) } } slices.SortFunc(res, func(i, j string) int { diff --git a/pkg/logging/logging.go b/pkg/logging/logging.go index 642dc8273..7f5af2e08 100644 --- a/pkg/logging/logging.go +++ b/pkg/logging/logging.go @@ -81,7 +81,7 @@ func Warning(msg string, a ...interface{}) int { return Print("%s", Warningf(msg, a...)) } -// Error returns a formatted error message +// Fatalf returns a formatted error message func Error(msg string, a ...interface{}) int { return Print("%s", fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))) } diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index b0ae58702..194e6dc03 100644 --- a/pkg/logs/logs.go 
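Review bot: `tokenToSlice` will now emit empty strings for a token with leading, trailing or doubled spaces (e.g. `( read  write )`), because the trim set loses the space and the double-space collapse is removed while the split on `" "` stays; those empty entries then fail `slices.Contains(req, ...)` in `toValues` with an unhelpful `unrecognized options: ` message. Either restore `strings.Trim(token, "()\n ")` and `strings.ReplaceAll(token, "  ", " ")`, or use `strings.Fields(token)` for the space-separated case, which handles any run of whitespace. The `toValues` error in the next hunk also drops the rule `kind`, which was the only part telling the user which rule the bad value belongs to.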
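Review bot: The doc comment above `func Error` now names the wrong function (`// Fatalf returns a formatted error message`); Go doc comments must begin with the identifier they document, and `go doc` plus the revive/golint `exported` check will both attribute this text to `Error`. Keep the removed `// Error returns a formatted error message`. If a `Fatalf` exists elsewhere in this file, its comment should be fixed there.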
+++ b/pkg/logs/logs.go @@ -64,11 +64,10 @@ var ( `/home/[^/]+/`, `@{HOME}/`, // Resolve system variables - `/att/[^/]+/`, `@{att}/`, + `/att/[^/@]+`, `@{att}/`, `/usr/lib(32|64|exec)`, `@{lib}`, `/usr/lib`, `@{lib}`, - `/usr/sbin`, `@{sbin}`, - `/usr/bin`, `@{bin}`, + `/usr/(bin|sbin)`, `@{bin}`, `(x86_64|amd64|i386|i686)`, `@{arch}`, `@{arch}-*linux-gnu[^/]?`, `@{multiarch}`, `/usr/etc/`, `@{etc_ro}/`, @@ -86,6 +85,7 @@ var ( `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`, `1000`, `@{uid}`, + `@{att}//`, `@{att}/`, // Some system glob `:not.active.yet`, `@{busname}`, // dbus unique bus name diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index 376b23f42..6ddd5ac9e 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -81,7 +81,7 @@ func TestAppArmorEvents(t *testing.T) { want: AppArmorLogs{ { "apparmor": "ALLOWED", - "profile": "@{sbin}/httpd2-prefork//vhost_foo", + "profile": "@{bin}/httpd2-prefork//vhost_foo", "operation": "rename_dest", "name": "@{HOME}/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg", "comm": "httpd2-prefork", diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go index 357b9c2f7..feb1e21c4 100644 --- a/pkg/paths/paths.go +++ b/pkg/paths/paths.go @@ -388,16 +388,6 @@ func CopyTo(src *Path, dst *Path) error { return nil } -// CopyFS copies the file system fsys into the directory dir, -// creating dir if necessary. It is the exivalent of os.CopyFS with Path. -func (p *Path) CopyFS(dst *Path) error { - err := os.CopyFS(dst.String(), os.DirFS(p.String())) - if err != nil { - return fmt.Errorf("copying %s to %s: %s", p, dst, err) - } - return nil -} - // CopyDirTo recursively copies the directory denoted by the current path to // the destination path. The source directory must exist and the destination // directory must NOT exist (no implicit destination name allowed). 
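Review bot: The new `/att/[^/@]+` pattern produces `@{att}//...` because it stops before the path's own separator while its replacement `@{att}/` adds one; the `@{att}//` to `@{att}/` entry added later in the list exists only to clean that up. Matching the separator in the pattern, `` `/att/[^/@]+/`, `@{att}/` ``, gives the right result in one pass and the cleanup rule can go. The `/usr/(bin|sbin)` to `@{bin}` fold is consistent with the `/{,usr/}{,s}bin` expansion the tests elsewhere in this diff expect, but `logs_test.go` still only exercises a `/usr/sbin` profile name; a fixture with a bare `/att/<name>/...` path would cover the new pattern.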
@@ -525,7 +515,7 @@ func (p *Path) ReadFileAsLines() ([]string, error) { return nil, err } txt := string(data) - txt = strings.ReplaceAll(txt, "\r\n", "\n") + txt = strings.Replace(txt, "\r\n", "\n", -1) return strings.Split(txt, "\n"), nil } @@ -546,7 +536,7 @@ func (p *Path) MustReadFilteredFileAsLines() []string { panic(err) } txt := string(data) - txt = strings.ReplaceAll(txt, "\r\n", "\n") + txt = strings.Replace(txt, "\r\n", "\n", -1) txt = util.Filter(txt) res := strings.Split(txt, "\n") if slices.Contains(res, "") { @@ -640,9 +630,7 @@ func (p *Path) String() string { func (p *Path) Canonical() *Path { canonical := p.Clone() // https://github.com/golang/go/issues/17084#issuecomment-246645354 - if err := canonical.FollowSymLink(); err != nil { - return nil - } + canonical.FollowSymLink() if absPath, err := canonical.Abs(); err == nil { canonical = absPath } diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index b0052d13f..818edbb76 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -14,8 +14,6 @@ var ( `abi/4.0`, `abi/3.0`, ` userns,`, ` # userns,`, ` mqueue`, ` # mqueue`, - ` all`, ` # all`, - ` deny mqueue`, ` # deny mqueue`, }) ) @@ -27,7 +25,7 @@ func init() { RegisterBuilder(&ABI3{ Base: prebuild.Base{ Keyword: "abi3", - Msg: "Build: convert all profiles from abi 4.0 to abi 3.0", + Msg: "Convert all profiles from abi 4.0 to abi 3.0", }, }) } diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index 1ec5e06b1..6fd700291 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -5,11 +5,16 @@ package builder import ( + "regexp" "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) +var ( + regProfile = regexp.MustCompile(`profile ([^ ]+)`) +) + type ReAttach struct { prebuild.Base } 
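Review bot: `Canonical` now discards the error from `canonical.FollowSymLink()`, so on a dangling or unreadable link it silently returns a path that was never resolved where the removed code returned `nil`; errcheck, in golangci-lint's default set, will also flag the unchecked call. If callers can handle nil, keep `if err := canonical.FollowSymLink(); err != nil { return nil }`; if they cannot, make the fallback explicit, e.g. `_ = canonical.FollowSymLink() // best effort: keep the unresolved path on error`. Either way the choice should be visible in the code rather than implied by a bare call.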
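Review bot: After abi3 conversion, `all` and `deny mqueue` rules now stay active because the ` all` to ` # all` and ` deny mqueue` to ` # deny mqueue` entries are removed from the rewrite table; the remaining ` mqueue` to ` # mqueue` entry may still catch the second one, but nothing touches `all`. If the 3.0 parser does not accept `all` rules (which is presumably why the entry existed), converted profiles will fail to load. Either restore the two entries or add a comment in the table stating which rules the 3.0 target is known to accept; the table declaration starts above the hunk.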
@@ -18,45 +23,42 @@ func init() { RegisterBuilder(&ReAttach{ Base: prebuild.Base{ Keyword: "attach", - Msg: "Feat: re-attach disconnected path", + Msg: "Re-attach disconnect path", }, }) } // Apply will re-attach the disconnected path // - Add the attach_disconnected.path flag on all frofile with the attach_disconnected flag -// - Replace the base abstraction by attached/base -// - Replace the consoles abstraction by attached/consoles +// - Add the attached/base abstraction in the profile // - For compatibility, non disconnected profile will have the @{att} variable set to / func (b ReAttach) Apply(opt *Option, profile string) (string, error) { var insert string var origin = "profile " + opt.Name - if opt.File.HasSuffix("attached/base") { - return profile, nil // Do not re-attach twice - } if strings.Contains(profile, "attach_disconnected") { insert = "@{att} = /att/" + opt.Name + "/\n" - profile = strings.ReplaceAll(profile, + profile = strings.Replace(profile, "attach_disconnected", - "attach_disconnected,attach_disconnected.path=@{att}", - ) - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) - profile = strings.ReplaceAll(profile, - "include ", - "include ", + "attach_disconnected,attach_disconnected.path=@{att}", -1, ) + old := "include if exists " + new := "include \n " + old + profile = strings.Replace(profile, old, new, 1) + + for _, match := range regProfile.FindAllStringSubmatch(profile, -1) { + name := match[1] + if name == opt.Name { + continue + } + old = "include if exists " + new = "include \n " + old + profile = strings.Replace(profile, old, new, 1) + } + } else { - insert = "@{att} = \"\"\n" - + insert = "@{att} = /\n" } return strings.Replace(profile, origin, insert+origin, 1), nil diff --git a/pkg/prebuild/builder/base-strict.go b/pkg/prebuild/builder/base-strict.go deleted file mode 100644 index 29a065629..000000000 
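Review bot: `regProfile` (`profile ([^ ]+)`) is unanchored, so in `Apply` it matches the word `profile` wherever it appears — a comment such as `# This profile ...` yields `name = "..."` and a bogus local-include lookup that silently no-ops — and a nested `profile` line is only found if the name is followed by a space. Anchoring it, `(?m)^\s*profile ([^ ]+)`, and documenting it (`// regProfile extracts the names of the profile and its sub-profiles`) makes the intent explicit. The removed `attached/base` guard (`Do not re-attach twice`) also has no replacement, so running the builder twice on one profile inserts the include again; the include paths themselves are not legible on this page, so I cannot check which abstraction is inserted.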
--- a/pkg/prebuild/builder/base-strict.go +++ /dev/null @@ -1,32 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package builder - -import ( - "strings" - - "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -type BaseStrict struct { - prebuild.Base -} - -func init() { - RegisterBuilder(&BaseStrict{ - Base: prebuild.Base{ - Keyword: "base-strict", - Msg: "Feat: use 'base-strict' as base abstraction", - }, - }) -} - -func (b BaseStrict) Apply(opt *Option, profile string) (string, error) { - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) - return profile, nil -} diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index 0d6a48f37..dbd9b3478 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -25,7 +25,7 @@ func init() { RegisterBuilder(&Complain{ Base: prebuild.Base{ Keyword: "complain", - Msg: "Build: set complain flag on all profiles", + Msg: "Set complain flag on all profiles", }, }) } @@ -38,9 +38,6 @@ func (b Complain) Apply(opt *Option, profile string) (string, error) { if slices.Contains(flags, "complain") { return profile, nil } - if slices.Contains(flags, "unconfined") { - return profile, nil - } } flags = append(flags, "complain") strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" diff --git a/pkg/prebuild/builder/core.go b/pkg/prebuild/builder/core.go index bfc1aa025..93b73d76c 100644 --- a/pkg/prebuild/builder/core.go +++ b/pkg/prebuild/builder/core.go @@ -20,13 +20,13 @@ var ( Builders = map[string]Builder{} ) -// Builder main directive interface +// Main directive interface type Builder interface { prebuild.BaseInterface Apply(opt *Option, profile string) (string, error) } -// Option for a builder +// Builder options type Option struct { Name string File *paths.Path 
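Review bot: A profile declared `flags=(unconfined)` now ends up as `flags=(unconfined,complain)` because the `slices.Contains(flags, "unconfined")` early return is removed from `Apply`. AppArmor treats unconfined/complain/enforce as mutually exclusive profile modes, so as far as I know `apparmor_parser` rejects that header or at best ignores one flag; either way the profile no longer means what its author wrote. Keep the guard, or if unconfined profiles are meant to become complain-mode in this build, say so in a comment and replace `unconfined` rather than stacking the flags. The enclosing `Apply` starts above the hunk.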
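Review bot: The new doc comments on `Builder` and `Option` (`// Main directive interface`, `// Builder options`) no longer start with the declared name, which `go doc` and the revive/golint `exported` check expect. The removed `// Builder main directive interface` and `// Option for a builder` followed the convention; I would keep them, or write `// Builder is the interface every prebuild directive implements` and `// Option carries the per-file context passed to a Builder`.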
diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index 6bcf74647..5a1a39da0 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -209,7 +209,7 @@ func TestBuilder_Apply(t *testing.T) { want: ` @{exec_path} = @{bin}/baloo_file @{lib}/{,kf6/}baloo_file @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloo_file - profile baloo /{{,usr/}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} { + profile baloo /{{,usr/}{,s}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} { include @{exec_path} mr, 
@@ -231,80 +231,10 @@ func TestBuilder_Apply(t *testing.T) { want: "", wantErr: true, }, - { - name: "stacked-dbus-1", - b: Builders["stacked-dbus"], - profile: ` -profile foo { - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - -}`, - want: ` -profile foo { -dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-session), -dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), - -}`, - }, - { - name: "base-strict-1", - b: Builders["base-strict"], - profile: ` -profile foo { - include -}`, - want: ` -profile foo { - include -}`, - }, - { - name: "attach-1", - b: Builders["attach"], - profile: ` -profile attach-1 flags=(attach_disconnected) { - include - include - include -}`, - want: ` -@{att} = /att/attach-1/ -profile attach-1 flags=(attach_disconnected,attach_disconnected.path=@{att}) { - include - include - include -}`, - }, - { - name: "attach-2", - b: Builders["attach"], - profile: ` -profile attach-2 flags=(complain) { - include - include - include -}`, - want: ` -@{att} = "" -profile attach-2 flags=(complain) { - include - include - include -}`, - }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - opt := &Option{File: prebuild.RootApparmord.Join(tt.name), Name: tt.name} + opt := &Option{File: prebuild.RootApparmord.Join(tt.name)} got, err := tt.b.Apply(opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Builder.Apply() error = %v, wantErr %v", err, tt.wantErr) 
diff --git a/pkg/prebuild/builder/enforce.go b/pkg/prebuild/builder/enforce.go index 3d3d218c6..a7ce90a7a 100644 --- a/pkg/prebuild/builder/enforce.go +++ b/pkg/prebuild/builder/enforce.go @@ -19,7 +19,7 @@ func init() { RegisterBuilder(&Enforce{ Base: prebuild.Base{ Keyword: "enforce", - Msg: "Build: all profiles have been enforced", + Msg: "All profiles have been enforced", }, }) } diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go index 12dab15cd..ed2285de5 100644 --- a/pkg/prebuild/builder/fsp.go +++ b/pkg/prebuild/builder/fsp.go @@ -11,7 +11,7 @@ import ( var ( regFullSystemPolicy = util.ToRegexRepl([]string{ - `(PU|U)x,`, `Px,`, + `r(PU|U)x,`, `rPx,`, }) ) @@ -23,7 +23,7 @@ func init() { RegisterBuilder(&FullSystemPolicy{ Base: prebuild.Base{ Keyword: "fsp", - Msg: "Feat: prevent unconfined transitions in profile rules", + Msg: "Prevent unconfined transitions in profile rules", }, }) } diff --git a/pkg/prebuild/builder/hotfix.go b/pkg/prebuild/builder/hotfix.go index be8750f26..f7e6143b1 100644 --- a/pkg/prebuild/builder/hotfix.go +++ b/pkg/prebuild/builder/hotfix.go @@ -26,7 +26,7 @@ func init() { RegisterBuilder(&Hotfix{ Base: prebuild.Base{ Keyword: "hotfix", - Msg: "Fix: temporary solution for #74, #80 & #235", + Msg: "Temporary fix for #74, #80 & #235", }, }) } diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go deleted file mode 100644 index eca8122c6..000000000 --- a/pkg/prebuild/builder/stacked-dbus.go +++ /dev/null 
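Review bot: An exec rule written without a leading `r` (e.g. `@{bin}/foo Ux,` or a bare `PUx,`) is no longer rewritten to `Px` in full-system-policy mode, because the pattern is narrowed to `r(PU|U)x,`, so such a rule keeps its unconfined fallback — exactly the transition the `fsp` builder exists to prevent. The previous `(PU|U)x,` to `Px,` covered both spellings and still turned `rPUx,` into `rPx,`. Unless every exec rule in the tree is known to carry `r` (and the lower-case `ux`/`pux` variants are known to be unused), I would keep the broader pattern and add a unit test with a bare `Ux,` rule, so a regression shows up in CI rather than as a confined process escaping to unconfined.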
@@ -1,104 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package builder - -import ( - "slices" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -var ( - resolve = map[string][]string{ - `"@{p_dbus_system}"`: {"dbus-system", "dbus-system//&unconfined"}, - `"@{p_dbus_session}"`: {"dbus-session", "dbus-session//&unconfined"}, - } -) - -// StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 -type StackedDbus struct { - prebuild.Base -} - -func init() { - RegisterBuilder(&StackedDbus{ - Base: prebuild.Base{ - Keyword: "stacked-dbus", - Msg: "Fix: resolve peer label variable in dbus rules", - }, - }) -} - -func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { - var raw string - paragraphs := []string{} - rulesByParagraph := aa.ParaRules{} - - switch kind { - case aa.ProfileKind: - f := &aa.AppArmorProfileFile{} - nb, err := f.Parse(profile) - if err != nil { - return nil, nil, err - } - lines := strings.Split(profile, "\n") - raw = strings.Join(lines[nb:], "\n") - - case aa.AbstractionKind, aa.TunableKind: - raw = profile - } - - r, par, err := aa.ParseRules(raw) - if err != nil { - return nil, nil, err - } - rulesByParagraph = append(rulesByParagraph, r...) - paragraphs = append(paragraphs, par...) 
- return rulesByParagraph, paragraphs, nil -} - -func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { - kind := aa.KindFromPath(opt.File) - if kind == aa.TunableKind { - return profile, nil - } - - toResolve := []string{} - for k := range resolve { - toResolve = append(toResolve, k) - } - - rulesByParagraph, paragraphs, err := parse(kind, profile) - if err != nil { - return "", err - } - for idx, rules := range rulesByParagraph { - changed := false - newRules := aa.Rules{} - for _, rule := range rules { - switch rule := rule.(type) { - case *aa.Dbus: - if slices.Contains(toResolve, rule.PeerLabel) { - changed = true - for _, label := range resolve[rule.PeerLabel] { - newRule := *rule - newRule.PeerLabel = label - newRules = append(newRules, &newRule) - } - } else { - newRules = append(newRules, rule) - } - default: - newRules = append(newRules, rule) - } - } - if changed { - profile = strings.ReplaceAll(profile, paragraphs[idx], newRules.String()+"\n") - } - } - return profile, nil -} diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index 70dff8ec9..d62cad522 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go 
@@ -27,29 +27,20 @@ func init() { RegisterBuilder(&Userspace{ Base: prebuild.Base{ Keyword: "userspace", - Msg: "Fix: resolve variable in profile attachments", + Msg: "Resolve variable in profile attachments", }, }) } func (b Userspace) Apply(opt *Option, profile string) (string, error) { - for _, dir := range []string{"abstractions", "tunables", "local", "mappings"} { - if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join(dir)); ok { - return profile, nil - } + if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("abstractions")); ok { + return profile, nil + } + if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("tunables")); ok { + return profile, nil } f := aa.DefaultTunables() - if prebuild.Distribution == "arch" { - f.Preamble = append(f.Preamble, &aa.Variable{ - Name: "sbin", Values: []string{"/{,usr/}{,s}bin"}, Define: true, - }) - } else { - f.Preamble = append(f.Preamble, &aa.Variable{ - Name: "sbin", Values: []string{"/{,usr/}sbin"}, Define: true, - }) - } - if _, err := f.Parse(profile); err != nil { return "", err } @@ -64,7 +55,7 @@ func (b Userspace) Apply(opt *Option, profile string) (string, error) { matches := regAttachments.FindAllString(profile, -1) if len(matches) > 0 { att := f.GetDefaultProfile().GetAttachments() - strheader := strings.ReplaceAll(matches[0], tokATTACHMENT, att) + strheader := strings.Replace(matches[0], tokATTACHMENT, att, -1) return regAttachments.ReplaceAllLiteralString(profile, strheader), nil } return profile, nil diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index afed5aedf..2821d52c2 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -7,8 +7,6 @@ package cli import ( "flag" "fmt" - "os" - "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/logging" 
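Review bot: Both guards at the top of `Userspace.Apply` discard the error from `opt.File.IsInsideDir`, so a failed check yields `ok == false` and the file falls through to the attachment rewrite instead of surfacing the failure; now that the checks are written out one by one this is the place to close that gap, e.g. `ok, err := opt.File.IsInsideDir(prebuild.RootApparmord.Join("abstractions")); if err != nil { return "", err }` for each of the two directories. The method also has no doc comment while its exempt set is being changed; I would add `// Apply resolves the variables in a profile's attachment; files under abstractions/ and tunables/ are returned unchanged.` above the signature. `Apply` continues past the end of this hunk.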
@@ -20,25 +18,19 @@ import ( ) const ( - nilABI = 0 - nilVer = 0.0 - usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] + nilABI uint = 0 + usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - -a, --abi ABI Target apparmor ABI. - -v, --version V Target apparmor version. - -f, --full Set AppArmor for full system policy. - -s, --server Set AppArmor for server. - -b, --buildir DIR Root build directory. - -F, --file Only prebuild a given file. - --test Enable test mode. - --debug Enable debug mode. + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -f, --full Set AppArmor for full system policy. + -F, --file Only prebuild a given file. ` ) @@ -47,13 +39,8 @@ var ( complain bool enforce bool full bool - server bool - debug bool - test bool - abi int - version float64 + abi uint file string - buildir string ) func init() { 
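Review bot: The new `usage` synopsis drops `[--file FILE]` while the option table directly below still documents `-F, --file`, so the first line of `aa-prebuild -h` no longer lists every option the table describes; the synopsis should read `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] [--file FILE]`. The `-F, --file` row could likewise name its argument, `-F, --file FILE   Only prebuild a given file.`, to match the `-a, --abi ABI` row above it.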
@@ -61,25 +48,17 @@ func init() { flag.BoolVar(&help, "help", false, "Show this help message and exit.") flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") - flag.BoolVar(&server, "s", false, "Set AppArmor for server.") - flag.BoolVar(&server, "server", false, "Set AppArmor for server.") flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.") - flag.IntVar(&abi, "a", nilABI, "Target apparmor ABI.") - flag.IntVar(&abi, "abi", nilABI, "Target apparmor ABI.") - flag.Float64Var(&version, "v", nilVer, "Target apparmor version.") - flag.Float64Var(&version, "version", nilVer, "Target apparmor version.") + flag.UintVar(&abi, "a", nilABI, "Target apparmor ABI.") + flag.UintVar(&abi, "abi", nilABI, "Target apparmor ABI.") flag.StringVar(&file, "F", "", "Only prebuild a given file.") flag.StringVar(&file, "file", "", "Only prebuild a given file.") - flag.StringVar(&buildir, "b", "", "Root build directory.") - flag.StringVar(&buildir, "buildir", "", "Root build directory.") - flag.BoolVar(&debug, "debug", false, "Enable debug mode.") - flag.BoolVar(&test, "test", false, "Enable test mode.") } -func Configure() { +func Prebuild() { flag.Usage = func() { fmt.Printf("%s\n%s\n%s\n%s", usage, prebuild.Help("Prepare", prepare.Tasks), 
@@ -90,40 +69,18 @@ func Configure() { flag.Parse() if help { flag.Usage() - os.Exit(0) - } - - if server { - idx := slices.Index(prepare.Prepares, prepare.Tasks["merge"]) - if idx == -1 { - prepare.Register("server") - } else { - prepare.Prepares = slices.Insert(prepare.Prepares, idx, prepare.Tasks["server"]) - } - - // Remove hotfix task as it is not needed on server - idx = slices.Index(prepare.Prepares, prepare.Tasks["hotfix"]) - if idx != -1 { - prepare.Prepares = slices.Delete(prepare.Prepares, idx, idx+1) - } + return } if full && paths.New("apparmor.d/groups/_full").Exist() { prepare.Register("fsp") builder.Register("fsp") - prebuild.RBAC = true } else if prebuild.SystemdDir.Exist() { prepare.Register("systemd-early") } if complain { builder.Register("complain") - if debug { - builder.Register("debug") - } - if test { - prebuild.Test = true - } } else if enforce { builder.Register("enforce") } 
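Review bot: After `flag.Usage()` the function now does `return` instead of ending the process, so whatever `main` does after calling `cli.Prebuild()` still runs when `-h` is given; `main` is not visible here, so if it does nothing afterwards this is harmless, but the contract is no longer stated anywhere. I would add `// -h: print usage and return without building; the caller must not continue.` above the `if help` check so the next change to `main` keeps that in mind. The enclosing function (`Prebuild` after the rename in the previous hunk) starts and ends outside this hunk.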
@@ -135,50 +92,19 @@ func Configure() { case 3: builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 case 4: - // Re-attach disconnected path - if prebuild.Distribution == "ubuntu" && prebuild.Version >= 4.1 { - // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent - // profiles compilation with re-attached paths. - // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 - - // Use stacked-dbus builder to resolve dbus rules - builder.Register("stacked-dbus") - - } else { - if !prebuild.DownStream { - prepare.Register("attach") - } - builder.Register("attach") - - } - + // builder.Register("attach") // Re-attach disconnect path default: logging.Fatal("Invalid ABI version: %d", prebuild.ABI) } - if version != nilVer { - prebuild.Version = version - } - if buildir != "" { - prebuild.Root = paths.New(buildir) - prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") - } if file != "" { sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) - sync.Paths = []string{file} + sync.Path = file overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) - overwrite.Optional = true + overwrite.OneFile = true } -} -func Prebuild() { logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) - if full { - logging.Success("Full system policy enabled") - } - if prebuild.Version != nilVer { - logging.Success("AppArmor version targeted: %.1f", prebuild.Version) - } if err := Prepare(); err != nil { logging.Fatal("%s", err.Error()) } diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go index cde9470dc..aadf9294e 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/prebuild/directive/core.go @@ -23,7 +23,7 @@ var ( regDirective = regexp.MustCompile(`(?m).*` + Keyword + `([a-z]*)( .*)?`) ) -// Directive main interface +// Main directive interface type Directive interface { prebuild.BaseInterface Apply(opt *Option, profile string) (string, error) 
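Review bot: In the `if file != ""` block the type assertions `prepare.Tasks["synchronise"].(*prepare.Synchronise)` and `prepare.Tasks["overwrite"].(*prepare.Overwrite)` discard their `ok` result, so if either task is not registered or has a different type the pointer is nil and the following `sync.Path = file` / `overwrite.OneFile = true` panics with a nil dereference instead of a readable error. Checking `ok` and failing through `logging.Fatal`, as the `default` arm of the ABI switch above already does, keeps `--file` failures diagnosable. The `case 4:` arm now holds only commented-out code, `// builder.Register("attach") // Re-attach disconnect path`; either drop it or replace it with a comment saying why ABI 4 registers no builder. The enclosing function (`Prebuild` after this commit's rename) starts and ends outside this hunk.
```go
	if file != "" {
		sync, ok := prepare.Tasks["synchronise"].(*prepare.Synchronise)
		if !ok {
			logging.Fatal("synchronise task is not registered")
		}
		sync.Path = file
		overwrite, ok := prepare.Tasks["overwrite"].(*prepare.Overwrite)
		if !ok {
			logging.Fatal("overwrite task is not registered")
		}
		overwrite.OneFile = true
	}
	// … unchanged: logging.Step and the Prepare() call …
```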
@@ -39,7 +39,7 @@ func Usage() string { return res } -// Option for the directive +// Directive options type Option struct { Name string ArgMap map[string]string @@ -83,7 +83,7 @@ func (o *Option) cleanKeyword(input string) string { return reg.ReplaceAllString(input, "") } -// IsInline checks if either the directive is in one line or if it is a paragraph +// Check if the directive is inline or if it is a paragraph func (o *Option) IsInline() bool { inline := true tmp := strings.Split(o.Raw, Keyword) @@ -106,10 +106,7 @@ func Run(file *paths.Path, profile string) (string, error) { opt := NewOption(file, match) drtv, ok := Directives[opt.Name] if !ok { - if opt.Name == "lint" { - continue - } - return "", fmt.Errorf("unknown directive '%s' in %s", opt.Name, opt.File) + return "", fmt.Errorf("Unknown directive '%s' in %s", opt.Name, opt.File) } profile, err = drtv.Apply(opt, profile) if err != nil { diff --git a/pkg/prebuild/directive/core_test.go b/pkg/prebuild/directive/core_test.go index 229dda630..faf39df4b 100644 --- a/pkg/prebuild/directive/core_test.go +++ b/pkg/prebuild/directive/core_test.go @@ -20,7 +20,7 @@ func TestNewOption(t *testing.T) { }{ { name: "dbus", - file: paths.New("dbus"), + file: nil, match: []string{ " #aa:dbus own bus=system name=org.gnome.DisplayManager", "dbus", @@ -34,13 +34,13 @@ func TestNewOption(t *testing.T) { "own": "", }, ArgList: []string{"own", "bus=system", "name=org.gnome.DisplayManager"}, - File: paths.New("dbus"), + File: nil, Raw: " #aa:dbus own bus=system name=org.gnome.DisplayManager", }, }, { name: "only", - file: paths.New("only"), + file: nil, match: []string{ " #aa:only opensuse", "only", @@ -50,7 +50,7 @@ func TestNewOption(t *testing.T) { Name: "only", ArgMap: map[string]string{"opensuse": ""}, ArgList: []string{"opensuse"}, - File: paths.New("only"), + File: nil, Raw: " #aa:only opensuse", }, }, 
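Review bot: The new error string in `Run`, `fmt.Errorf("Unknown directive '%s' in %s", ...)`, is capitalised, which Go convention (and staticcheck ST1005) avoids because errors are usually wrapped or printed mid-sentence; the same capitalisation is introduced in `sanityCheck` in dbus.go, in exec.go and in stack.go (the `"No profile to exec"`, `"No profile to stack"`, `"No profile found in %s"` and `"No end of rules found in %s"` strings). Keeping `return "", fmt.Errorf("unknown directive '%s' in %s", opt.Name, opt.File)` is the conventional form. The rewritten doc comments in this file (`// Main directive interface`, `// Directive options`, `// Check if the directive is inline ...`) and the `Hide` and `Init` comments in files.go no longer start with the identifier they document, so `go doc` and the linters will not associate them with the symbol; the `// Directive is the main ...`, `// Option holds ...` and `// IsInline reports ...` forms should be kept.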
@@ -74,13 +74,13 @@ func TestRun(t *testing.T) { }{ { name: "none", - file: paths.New("dummy"), + file: nil, profile: ` `, want: ` `, }, { name: "present", - file: paths.New("fake-own"), + file: nil, profile: ` #aa:dbus own bus=system name=org.freedesktop.systemd1`, want: dbusOwnSystemd1, }, diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 4862597bb..a1135d675 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -21,6 +21,11 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild" ) +var defaultInterfaces = []string{ + "org.freedesktop.DBus.Properties", + "org.freedesktop.DBus.ObjectManager", +} + type Dbus struct { prebuild.Base } @@ -33,12 +38,20 @@ func init() { Help: []string{ "own bus= name= [interface=AARE] [path=AARE]", "talk bus= name= label= [interface=AARE] [path=AARE]", - "common bus= name= label=", }, }}, ) } +func setInterfaces(rules map[string]string) []string { + interfaces := []string{rules["name"]} + if _, present := rules["interface"]; present { + interfaces = append(interfaces, rules["interface"]) + } + interfaces = append(interfaces, defaultInterfaces...) + return interfaces +} + func (d Dbus) Apply(opt *Option, profile string) (string, error) { var r aa.Rules @@ -51,8 +64,6 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { r = d.own(opt.ArgMap) case "talk": r = d.talk(opt.ArgMap) - case "common": - r = d.common(opt.ArgMap) } aa.IndentationLevel = strings.Count( 
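Review bot: `setInterfaces` builds and returns a slice without setting anything, so the name misleads, and it carries no doc comment; `rules["name"]` reaches it after `sanityCheck` has appended `{,.*}` (visible in the next hunk and in the `interface=org.freedesktop.systemd1{,.*}` expectation in dbus_test.go), so the first entry is a glob over the service name and its sub-names rather than the bare name. I would add `// setInterfaces returns the interfaces a dbus directive covers: the globbed service name, the optional "interface" argument, then defaultInterfaces.` above it, and consider renaming it to `interfacesFor` the next time its two callers in `own`/`talk` are touched.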
@@ -61,213 +72,94 @@ func (d Dbus) Apply(opt *Option, profile string) (string, error) { generatedDbus := r.String() lenDbus := len(generatedDbus) generatedDbus = generatedDbus[:lenDbus-1] - profile = strings.ReplaceAll(profile, opt.Raw, generatedDbus) + profile = strings.Replace(profile, opt.Raw, generatedDbus, -1) return profile, nil } func (d Dbus) sanityCheck(opt *Option) (string, error) { if len(opt.ArgList) < 1 { - return "", fmt.Errorf("unknown dbus action: %s in %s", opt.Name, opt.File) + return "", fmt.Errorf("Unknown dbus action: %s in %s", opt.Name, opt.File) } action := opt.ArgList[0] - if action != "own" && action != "talk" && action != "common" { - return "", fmt.Errorf("unknown dbus action: %s in %s", opt.Name, opt.File) + if action != "own" && action != "talk" { + return "", fmt.Errorf("Unknown dbus action: %s in %s", opt.Name, opt.File) } if _, present := opt.ArgMap["name"]; !present { - return "", fmt.Errorf("missing name for 'dbus: %s' in %s", action, opt.File) + return "", fmt.Errorf("Missing name for 'dbus: %s' in %s", action, opt.File) } if _, present := opt.ArgMap["bus"]; !present { - return "", fmt.Errorf("missing bus for '%s' in %s", opt.ArgMap["name"], opt.File) + return "", fmt.Errorf("Missing bus for '%s' in %s", opt.ArgMap["name"], opt.File) } if _, present := opt.ArgMap["label"]; !present && action == "talk" { - return "", fmt.Errorf("missing label for '%s' in %s", opt.ArgMap["name"], opt.File) + return "", fmt.Errorf("Missing label for '%s' in %s", opt.ArgMap["name"], opt.File) } // Set default values if _, present := opt.ArgMap["path"]; !present { - opt.ArgMap["path"] = "/" + strings.ReplaceAll(opt.ArgMap["name"], ".", "/") + "{,/**}" + opt.ArgMap["path"] = "/" + strings.Replace(opt.ArgMap["name"], ".", "/", -1) + "{,/**}" } opt.ArgMap["name"] += "{,.*}" return action, nil } -func getInterfaces(rules map[string]string) []string { - var interfaces []string - if _, present := rules["interface"]; present { - interfaces = 
[]string{rules["interface"]} - } else { - interfaces = []string{rules["name"]} - } - - if _, present := rules["interface+"]; present { - interfaces = append(interfaces, rules["interface+"]) - } - return interfaces -} - func (d Dbus) own(rules map[string]string) aa.Rules { - interfaces := getInterfaces(rules) - - res := aa.Rules{ - &aa.Include{ - IsMagic: true, Path: "abstractions/bus/" + rules["bus"] + "/own", - }, - &aa.Dbus{ - Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], - }, - } - - // Interfaces + interfaces := setInterfaces(rules) + res := aa.Rules{} + res = append(res, &aa.Dbus{ + Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], + }) for _, iface := range interfaces { - res = append(res, - &aa.Dbus{ - Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: iface, - PeerName: `"@{busname}"`, - }, - &aa.Dbus{ - Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], - Interface: iface, - PeerName: `"{@{busname},org.freedesktop.DBus}"`, - }, - ) + res = append(res, &aa.Dbus{ + Access: []string{"receive"}, + Bus: rules["bus"], + Path: rules["path"], + Interface: iface, + PeerName: `":1.@{int}"`, + }) } - - res = append(res, - // DBus.Properties: reply to properties request from anyone - &aa.Dbus{ - Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Properties", - Member: "{Get,GetAll,Set,PropertiesChanged}", - PeerName: `"{@{busname},org.freedesktop.DBus}"`, - }, - - // DBus.Introspectable: allow clients to introspect the service - &aa.Dbus{ - Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Introspectable", - Member: "Introspect", - PeerName: `"@{busname}"`, - }, - - // DBus.ObjectManager: allow clients to enumerate sources - &aa.Dbus{ - Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.ObjectManager", - Member: 
"GetManagedObjects", - PeerName: `"{@{busname},` + rules["name"] + `}"`, - }, - &aa.Dbus{ - Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.ObjectManager", - Member: "{InterfacesAdded,InterfacesRemoved}", - PeerName: `"{@{busname},org.freedesktop.DBus}"`, - }, - ) + for _, iface := range interfaces { + res = append(res, &aa.Dbus{ + Access: []string{"send"}, + Bus: rules["bus"], + Path: rules["path"], + Interface: iface, + PeerName: `"{:1.@{int},org.freedesktop.DBus}"`, + }) + } + res = append(res, &aa.Dbus{ + Access: []string{"receive"}, + Bus: rules["bus"], + Path: rules["path"], + Interface: "org.freedesktop.DBus.Introspectable", + Member: "Introspect", + PeerName: `":1.@{int}"`, + }) return res } func (d Dbus) talk(rules map[string]string) aa.Rules { - interfaces := getInterfaces(rules) - res := aa.Rules{ - &aa.Unix{ - Type: "stream", - Address: "none", - PeerLabel: rules["label"], - PeerAddr: "none", - }, - } - - // Interfaces + interfaces := setInterfaces(rules) + res := aa.Rules{} for _, iface := range interfaces { res = append(res, &aa.Dbus{ - Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], + Access: []string{"send"}, + Bus: rules["bus"], + Path: rules["path"], Interface: iface, - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], + PeerName: `"{:1.@{int},` + rules["name"] + `}"`, + PeerLabel: rules["label"], }) } - - res = append(res, - // DBus.Properties - &aa.Dbus{ - Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Properties", - Member: "{Get,GetAll,Set,PropertiesChanged}", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], - }, - - // DBus.Introspectable - &aa.Dbus{ - Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Introspectable", - Member: "Introspect", - PeerName: `"{@{busname},` + rules["name"] + `}"`, 
PeerLabel: rules["label"], - }, - - // DBus.ObjectManager: allow clients to enumerate sources - &aa.Dbus{ - Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.ObjectManager", - Member: "GetManagedObjects", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], - }, - &aa.Dbus{ - Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.ObjectManager", - Member: "{InterfacesAdded,InterfacesRemoved}", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], - }, - ) - return res -} - -func (d Dbus) common(rules map[string]string) aa.Rules { - res := aa.Rules{ - - // DBus.Properties: read all properties from the interface - &aa.Comment{ - Base: aa.Base{ - Comment: " DBus.Properties: read all properties from the interface", - IsLineRule: true, - }, - }, - &aa.Dbus{ - Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Properties", - Member: "{Get,GetAll}", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], - }, - nil, - - // DBus.Properties: receive property changed events - &aa.Comment{ - Base: aa.Base{ - Comment: " DBus.Properties: receive property changed events", - IsLineRule: true, - }, - }, - &aa.Dbus{ - Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Properties", - Member: "PropertiesChanged", - PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], - }, - nil, - - // DBus.Introspectable: allow clients to introspect the service - &aa.Comment{ - Base: aa.Base{ - Comment: " DBus.Introspectable: allow clients to introspect the service", - IsLineRule: true, - }, - }, - &aa.Dbus{ - Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], - Interface: "org.freedesktop.DBus.Introspectable", - Member: "Introspect", - PeerName: `"{@{busname},` + rules["name"] + `}"`, 
PeerLabel: rules["label"], - }, + for _, iface := range interfaces { + res = append(res, &aa.Dbus{ + Access: []string{"receive"}, + Bus: rules["bus"], + Path: rules["path"], + Interface: iface, + PeerName: `"{:1.@{int},` + rules["name"] + `}"`, + PeerLabel: rules["label"], + }) } return res } diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index d6e90bb99..65e55e785 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go 
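Review bot: `sanityCheck` does more than validate: it writes a default `path` into `opt.ArgMap` and appends `{,.*}` to `opt.ArgMap["name"]`, so it is not idempotent (a second call on the same Option yields `name{,.*}{,.*}`) and `own`/`talk` silently depend on having been run after it, with nothing in the name or a comment saying so. I would add above the function a comment along the lines of `// sanityCheck validates the dbus directive arguments and normalises ArgMap in place: it sets a default "path" derived from "name" and appends the "{,.*}" glob to "name". It must run exactly once before own/talk.`. The receive and send loops in `own` and `talk` each iterate `interfaces` twice; that output order is pinned by dbus_test.go, so a one-line comment such as `// all receive rules first, then all send rules, to keep the generated order stable` is preferable to merging the loops.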
@@ -8,31 +8,29 @@ import ( "testing" ) -const dbusOwnSystemd1 = ` include - - dbus bind bus=system name=org.freedesktop.systemd1{,.*}, +const dbusOwnSystemd1 = ` dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name="@{busname}"), + peer=(name=":1.@{int}"), + dbus receive bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name=":1.@{int}"), + dbus receive bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + peer=(name=":1.@{int}"), dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.systemd1{,.*} - peer=(name="{@{busname},org.freedesktop.DBus}"), - dbus (send receive) bus=system path=/org/freedesktop/systemd1{,/**} + peer=(name="{:1.@{int},org.freedesktop.DBus}"), + dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Properties - member={Get,GetAll,Set,PropertiesChanged} - peer=(name="{@{busname},org.freedesktop.DBus}"), + peer=(name="{:1.@{int},org.freedesktop.DBus}"), + dbus send bus=system path=/org/freedesktop/systemd1{,/**} + interface=org.freedesktop.DBus.ObjectManager + peer=(name="{:1.@{int},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="@{busname}"), - dbus receive bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name="{@{busname},org.freedesktop.systemd1{,.*}}"), - dbus send bus=system path=/org/freedesktop/systemd1{,/**} - interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.DBus}"),` + peer=(name=":1.@{int}"),` func TestDbus_Apply(t *testing.T) { tests := []struct { 
@@ -63,47 +61,45 @@ func TestDbus_Apply(t *testing.T) { opt: &Option{ Name: "dbus", ArgMap: map[string]string{ - "bus": "session", - "name": "com.rastersoft.ding", - "interface+": "org.gtk.Actions", - "own": "", + "bus": "session", + "name": "com.rastersoft.dingextension", + "interface": "org.gtk.Actions", + "own": "", }, - ArgList: []string{"own", "bus=session", "name=com.rastersoft.ding", "interface+=org.gtk.Actions"}, + ArgList: []string{"own", "bus=session", "name=com.rastersoft.dingextension", "interface=org.gtk.Actions"}, File: nil, - Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", + Raw: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", }, - profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", - want: ` include - - dbus bind bus=session name=com.rastersoft.ding{,.*}, - dbus receive bus=session path=/com/rastersoft/ding{,/**} - interface=com.rastersoft.ding{,.*} - peer=(name="@{busname}"), - dbus send bus=session path=/com/rastersoft/ding{,/**} - interface=com.rastersoft.ding{,.*} - peer=(name="{@{busname},org.freedesktop.DBus}"), - dbus receive bus=session path=/com/rastersoft/ding{,/**} + profile: " #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions", + want: ` dbus bind bus=session name=com.rastersoft.dingextension{,.*}, + dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + interface=com.rastersoft.dingextension{,.*} + peer=(name=":1.@{int}"), + dbus receive bus=session path=/com/rastersoft/dingextension{,/**} interface=org.gtk.Actions - peer=(name="@{busname}"), - dbus send bus=session path=/com/rastersoft/ding{,/**} - interface=org.gtk.Actions - peer=(name="{@{busname},org.freedesktop.DBus}"), - dbus (send receive) bus=session path=/com/rastersoft/ding{,/**} + peer=(name=":1.@{int}"), + dbus receive bus=session path=/com/rastersoft/dingextension{,/**} interface=org.freedesktop.DBus.Properties 
- member={Get,GetAll,Set,PropertiesChanged} - peer=(name="{@{busname},org.freedesktop.DBus}"), - dbus receive bus=session path=/com/rastersoft/ding{,/**} + peer=(name=":1.@{int}"), + dbus receive bus=session path=/com/rastersoft/dingextension{,/**} + interface=org.freedesktop.DBus.ObjectManager + peer=(name=":1.@{int}"), + dbus send bus=session path=/com/rastersoft/dingextension{,/**} + interface=com.rastersoft.dingextension{,.*} + peer=(name="{:1.@{int},org.freedesktop.DBus}"), + dbus send bus=session path=/com/rastersoft/dingextension{,/**} + interface=org.gtk.Actions + peer=(name="{:1.@{int},org.freedesktop.DBus}"), + dbus send bus=session path=/com/rastersoft/dingextension{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name="{:1.@{int},org.freedesktop.DBus}"), + dbus send bus=session path=/com/rastersoft/dingextension{,/**} + interface=org.freedesktop.DBus.ObjectManager + peer=(name="{:1.@{int},org.freedesktop.DBus}"), + dbus receive bus=session path=/com/rastersoft/dingextension{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="@{busname}"), - dbus receive bus=session path=/com/rastersoft/ding{,/**} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name="{@{busname},com.rastersoft.ding{,.*}}"), - dbus send bus=session path=/com/rastersoft/ding{,/**} - interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.DBus}"),`, + peer=(name=":1.@{int}"),`, }, { name: "talk", 
@@ -120,60 +116,24 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` unix type=stream addr=none peer=(label=accounts-daemon, addr=none), - - dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} + want: ` dbus send bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), - dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll,Set,PropertiesChanged} - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus send bus=system path=/org/freedesktop/Accounts{,/**} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + interface=org.freedesktop.DBus.Properties + peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus send bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus receive bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.Accounts{,.*} + peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), + dbus receive bus=system path=/org/freedesktop/Accounts{,/**} + interface=org.freedesktop.DBus.Properties + peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts{,/**} 
interface=org.freedesktop.DBus.ObjectManager - member={InterfacesAdded,InterfacesRemoved} - peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, - }, - { - name: "common", - opt: &Option{ - Name: "dbus", - ArgMap: map[string]string{ - "bus": "system", - "name": "net.hadess.PowerProfiles", - "label": "power-profiles-daemon", - "talk": "", - }, - ArgList: []string{"common", "bus=system", "name=net.hadess.PowerProfiles", "power-profiles-daemon"}, - File: nil, - Raw: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", - }, - profile: " #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon", - want: ` # DBus.Properties: read all properties from the interface - dbus send bus=system path=/net/hadess/PowerProfiles{,/**} - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), - - # DBus.Properties: receive property changed events - dbus receive bus=system path=/net/hadess/PowerProfiles{,/**} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon), - - # DBus.Introspectable: allow clients to introspect the service - dbus send bus=system path=/net/hadess/PowerProfiles{,/**} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name="{@{busname},net.hadess.PowerProfiles{,.*}}", label=power-profiles-daemon),`, + peer=(name="{:1.@{int},org.freedesktop.Accounts{,.*}}", label=accounts-daemon),`, }, } for _, tt := range tests { diff --git a/pkg/prebuild/directive/exec.go b/pkg/prebuild/directive/exec.go index b348fb46b..5aee73740 100644 --- a/pkg/prebuild/directive/exec.go +++ b/pkg/prebuild/directive/exec.go 
@@ -31,7 +31,7 @@ func init() { func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { if len(opt.ArgList) == 0 { - return "", fmt.Errorf("no profile to exec") + return "", fmt.Errorf("No profile to exec") } transition := "Px" transitions := []string{"P", "U", "p", "u", "PU", "pu"} @@ -70,5 +70,5 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { rules = rules.Sort() new := rules.String() new = new[:len(new)-1] - return strings.ReplaceAll(profileRaw, opt.Raw, new), nil + return strings.Replace(profileRaw, opt.Raw, new, -1), nil } diff --git a/pkg/prebuild/directive/exec_test.go b/pkg/prebuild/directive/exec_test.go index 255d9a237..5581d7f2b 100644 --- a/pkg/prebuild/directive/exec_test.go +++ b/pkg/prebuild/directive/exec_test.go @@ -36,7 +36,7 @@ func TestExec_Apply(t *testing.T) { }, { name: "exec-unconfined", - rootApparmord: paths.New("../../../apparmor.d/groups/polkit/"), + rootApparmord: paths.New("../../../apparmor.d/groups/freedesktop/"), opt: &Option{ Name: "exec", ArgMap: map[string]string{"U": "", "polkit-agent-helper": ""}, diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index ac632471b..2fe46e6f2 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -39,22 +39,10 @@ func init() { } func filterRuleForUs(opt *Option) bool { - if prebuild.RBAC && slices.Contains(opt.ArgList, "RBAC") { - return true - } - - if prebuild.Test && slices.Contains(opt.ArgList, "test") { - return true - } - abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true } - versionStr := fmt.Sprintf("apparmor%.1f", prebuild.Version) - if slices.Contains(opt.ArgList, versionStr) { - return true - } return slices.Contains(opt.ArgList, prebuild.Distribution) || slices.Contains(opt.ArgList, prebuild.Family) } 
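Review bot: `filterRuleForUs` now matches only the `abi<N>` token, the distribution and its family, yet it has no doc comment stating that; I would add `// filterRuleForUs reports whether a filter directive targets the current build: the "abi<N>" token, the distribution name or its family.` above it. Any profile in the tree still carrying the dropped `RBAC`, `test` or `apparmorX.Y` tokens is from now on treated as not matching, and what `filter` then does with that result depends on its condition, which is outside this hunk; I cannot see the profiles here, so a grep for those tokens alongside this change would confirm nothing is left behind.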
@@ -67,7 +55,7 @@ func filter(only bool, opt *Option, profile string) (string, error) { } if opt.IsInline() { - profile = strings.ReplaceAll(profile, opt.Raw, "") + profile = strings.Replace(profile, opt.Raw, "", -1) } else { regRemoveParagraph := regexp.MustCompile(`(?s)` + opt.Raw + `\n.*?\n\n`) profile = regRemoveParagraph.ReplaceAllString(profile, "") diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index a43849228..03dd826e1 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go @@ -40,7 +40,7 @@ func init() { func (s Stack) Apply(opt *Option, profile string) (string, error) { if len(opt.ArgList) == 0 { - return "", fmt.Errorf("no profile to stack") + return "", fmt.Errorf("No profile to stack") } t := opt.ArgList[0] if t != "X" { @@ -55,13 +55,10 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { res := "" for name := range opt.ArgMap { - stackedProfile, err := prebuild.RootApparmord.Join(name).ReadFileAsString() - if err != nil { - return "", fmt.Errorf("%s need to stack: %w", name, err) - } + stackedProfile := prebuild.RootApparmord.Join(name).MustReadFileAsString() m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { - return "", fmt.Errorf("no profile found in %s", name) + return "", fmt.Errorf("No profile found in %s", name) } stackedRules := m[1] stackedRules = regCleanStakedRules.Replace(stackedRules) 
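Review bot: In `filter`, the paragraph branch splices the raw directive line into a pattern unescaped, `regexp.MustCompile("(?s)" + opt.Raw + "\n.*?\n\n")`, so a directive containing regexp metacharacters (`*`, `+`, `(` or `{` are all plausible in an argument) would match more than the directive or make `MustCompile` panic during prebuild. Passing it through `regexp.QuoteMeta`, `regexp.MustCompile("(?s)" + regexp.QuoteMeta(opt.Raw) + "\n.*?\n\n")`, keeps the match literal, as the `strings.Replace` in the inline branch already is. `filter` starts and ends outside this hunk.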
@@ -71,9 +68,9 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { // Insert the stacked profile at the end of the current profile, remove the stack directive m := regEndOfRules.FindStringSubmatch(profile) if len(m) <= 1 { - return "", fmt.Errorf("no end of rules found in %s", opt.File) + return "", fmt.Errorf("No end of rules found in %s", opt.File) } - profile = strings.ReplaceAll(profile, m[0], res+m[0]) - profile = strings.ReplaceAll(profile, opt.Raw, "") + profile = strings.Replace(profile, m[0], res+m[0], -1) + profile = strings.Replace(profile, opt.Raw, "", -1) return profile, nil } diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 486a45d14..cd5958b72 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -8,22 +8,7 @@ import "github.com/roddhjav/apparmor.d/pkg/paths" var ( // AppArmor ABI version - ABI = 0 - - // AppArmor version - Version = 4.0 - - // Tells the build we are a downstream project using apparmor.d as dependency - DownStream = false - - // Either or not RBAC is enabled - RBAC = false - - // Either or not we are in test mode - Test = false - - // Pkgname is the name of the package - Pkgname = "apparmor.d" + ABI uint = 0 // Root is the root directory for the build (default: .build) Root *paths.Path = paths.New(".build") diff --git a/pkg/prebuild/files.go b/pkg/prebuild/files.go index d9879570b..c14730960 100644 --- a/pkg/prebuild/files.go +++ b/pkg/prebuild/files.go 
@@ -10,13 +10,10 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" ) -// Hide is the default content of debian/apparmor.d.hide. Whonix has special addition. -var Hide = `# This file is generated by "just", all edit will be lost. +// Default content of debian/apparmor.d.hide. Whonix has special addition. +var Hide = `# This file is generated by "make", all edit will be lost. /etc/apparmor.d/usr.bin.firefox -/etc/apparmor.d/usr.bin.swtpm -/etc/apparmor.d/usr.bin.wsdd -/etc/apparmor.d/usr.libexec.geoclue /etc/apparmor.d/usr.sbin.cups-browsed /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/usr.sbin.rsyslogd @@ -58,7 +55,7 @@ type DebianHider struct { path *paths.Path } -// Init initializes the file with content from Hide +// Initialize the file with content from Hide func (d DebianHider) Init() error { return d.path.WriteFile([]byte(Hide)) } diff --git a/pkg/prebuild/os.go b/pkg/prebuild/os.go index 8ef8fb79e..352f4e185 100644 --- a/pkg/prebuild/os.go +++ b/pkg/prebuild/os.go @@ -67,13 +67,13 @@ func getDistribution() string { if id == "ubuntu" { return id } - idLike := Release["ID_LIKE"] + id_like := Release["ID_LIKE"] for main, based := range supportedDists { - if main == id || main == idLike { + if main == id || main == id_like { return main } else if slices.Contains(based, id) { return main - } else if slices.Contains(based, idLike) { + } else if slices.Contains(based, id_like) { return main } } diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go deleted file mode 100644 index 4523382d8..000000000 --- a/pkg/prebuild/prepare/attach.go +++ /dev/null 
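Review bot: The rewritten doc comments `// Default content of debian/apparmor.d.hide...` and `// Initialize the file with content from Hide` no longer begin with the identifier they document (`Hide`, `Init`), which is what `go doc` and revive's `exported` rule expect and what the rest of the package appears to follow; the same change is made to `Task` in core.go (`// Main directive interface`). Keeping the form `// Hide is the default content of debian/apparmor.d.hide. Whonix has special addition.` and `// Init initializes the file with content from Hide` costs nothing and keeps the generated documentation readable.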
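Review bot: `id_like` introduces an underscore into a Go identifier; Go names are MixedCaps (`idLike`), and golint/revive flag the underscore form. The three lines `id_like := Release["ID_LIKE"]`, `if main == id || main == id_like {` and `} else if slices.Contains(based, id_like) {` are the only occurrences in the hunk. getDistribution continues past the hunk.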
@@ -1,37 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2025 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package prepare - -import ( - "strings" - - "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -type ReAttach struct { - prebuild.Base -} - -func init() { - RegisterTask(&ReAttach{ - Base: prebuild.Base{ - Keyword: "attach", - Msg: "Configure tunable for re-attached path", - }, - }) -} - -func (p ReAttach) Apply() ([]string, error) { - res := []string{} - - // Remove the @{att} tunable that is going to be defined in profile header - path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") - out, err := path.ReadFileAsString() - if err != nil { - return res, err - } - out = strings.ReplaceAll(out, `@{att}=""`, `# @{att}=""`) - return res, path.WriteFile([]byte(out)) -} diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index 9ca3b14d3..4b8e11ec5 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -6,8 +6,8 @@ package prepare import ( "fmt" - "strings" + "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) @@ -24,15 +24,6 @@ func init() { }) } -func removeFiles(files []string) error { - for _, name := range files { - if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { - return err - } - } - return nil -} - func (p Configure) Apply() ([]string, error) { res := []string{} @@ -44,8 +35,8 @@ func (p Configure) Apply() ([]string, error) { return res, err } - if prebuild.Version < 3.0 { - if err := prebuild.DistDir.Join("ubuntu").CopyFS(prebuild.RootApparmord); err != nil { + if prebuild.ABI == 3 { + if err := paths.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { return res, err } } 
@@ -55,53 +46,14 @@ func (p Configure) Apply() ([]string, error) { return res, err } - if prebuild.Version < 4.1 { - // Copy Debian specific abstractions - if err := prebuild.DistDir.Join("ubuntu").CopyFS(prebuild.RootApparmord); err != nil { - return res, err - } + // Copy Debian specific abstractions + if err := paths.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { + return res, err } default: return []string{}, fmt.Errorf("%s is not a supported distribution", prebuild.Distribution) } - - if prebuild.Version >= 4.1 { - remove := []string{ - // Remove files upstreamed in 4.1 - "abstractions/devices-usb-read", - "abstractions/devices-usb", - "abstractions/nameservice-strict", - "tunables/multiarch.d/base", - - // Direct upstream contributed profiles, similar to ours - "wg", - } - if err := removeFiles(remove); err != nil { - return res, err - } - } - if prebuild.Version >= 5.0 { - remove := []string{ - // Direct upstrem contributed profiles, similar to ours - "dig", - "free", - "nslookup", - "who", - } - if err := removeFiles(remove); err != nil { - return res, err - } - - // @{pci_bus} was upstreamed in 5.0 - path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") - out, err := path.ReadFileAsString() - if err != nil { - return res, err - } - out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") - return res, path.WriteFile([]byte(out)) - } return res, nil } diff --git a/pkg/prebuild/prepare/core.go b/pkg/prebuild/prepare/core.go index 74d7778ed..d96e21043 100644 --- a/pkg/prebuild/prepare/core.go +++ b/pkg/prebuild/prepare/core.go @@ -18,7 +18,7 @@ var ( Tasks = map[string]Task{} ) -// Task main directive interface +// Main directive interface type Task interface { prebuild.BaseInterface Apply() ([]string, error) diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index f8d3cb17f..1d38ca294 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go 
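Review bot: The Debian branch now copies the `ubuntu` dist directory unconditionally, and the files the removed block described as upstreamed in AppArmor 4.1 (`abstractions/devices-usb`, `abstractions/nameservice-strict`, `wg`, and later `dig`, `free`, `nslookup`, `who`) are no longer removed from the build tree. I cannot tell from this hunk which AppArmor releases the tree now targets; if it is ever built for a host whose upstream package ships those names, the copied files would shadow upstream's versions. A comment on the copy stating the assumption would make that reviewable, e.g. `// dist/ubuntu abstractions are copied unconditionally; assumes the target AppArmor does not ship them upstream — TODO confirm supported version range`. Configure.Apply's body starts outside the hunk.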
@@ -5,60 +5,11 @@ package prepare import ( - "regexp" + "strings" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -var ( - tunables = map[string]string{ - // Set systemd profiles name - "sd": "sd", - "sdu": "sdu", - "systemd_user": "systemd-user", - "systemd": "systemd", - - // With FSP on apparmor 4.1+, the dbus profiles don't get stacked as they - "dbus_system": "dbus-system", - "dbus_session": "dbus-session", - - // Update name of stacked profiles - "apt_news": "", - "colord": "", - "e2scrub_all": "", - "e2scrub": "", - "fprintd": "", - "fwupd": "", - "fwupdmgr": "", - "geoclue": "", - "irqbalance": "", - "logrotate": "", - "ModemManager": "", - "nm_priv_helper": "", - "pcscd": "", - "polkitd": "", - "power_profiles_daemon": "", - "rsyslogd": "", - "systemd_coredump": "", - "systemd_homed": "", - "systemd_hostnamed": "", - "systemd_importd": "", - "systemd_initctl": "", - "systemd_journal_remote": "", - "systemd_journald": "", - "systemd_localed": "", - "systemd_logind": "", - "systemd_machined": "", - "systemd_networkd": "", - "systemd_oomd": "", - "systemd_resolved": "", - "systemd_rfkill": "", - "systemd_timedated": "", - "systemd_timesyncd": "", - "systemd_userdbd": "", - "upowerd": "", - } + "github.com/roddhjav/apparmor.d/pkg/util" ) type FullSystemPolicy struct { 
@@ -78,24 +29,30 @@ func (p FullSystemPolicy) Apply() ([]string, error) { res := []string{} // Install full system policy profiles - if err := paths.New("apparmor.d/groups/_full/").CopyFS(prebuild.Root.Join("apparmor.d")); err != nil { + if err := paths.CopyTo(paths.New("apparmor.d/groups/_full/"), prebuild.Root.Join("apparmor.d")); err != nil { return res, err } - // Set profile name for FSP - path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") + // Set systemd profile name + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") out, err := path.ReadFileAsString() if err != nil { return res, err } - for varname, profile := range tunables { - pattern := regexp.MustCompile(`(@\{p_` + varname + `}=)([^\s]+)`) - if profile == "" { - out = pattern.ReplaceAllString(out, `@{p_`+varname+`}={$2,sd//&$2,$2//&sd}`) - } else { - out = pattern.ReplaceAllString(out, `@{p_`+varname+`}=`+profile) - } + out = strings.Replace(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd", -1) + out = strings.Replace(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user", -1) + if err := path.WriteFile([]byte(out)); err != nil { + return res, err } + + // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution + path = prebuild.RootApparmord.Join("abstractions/gstreamer") + out, err = path.ReadFileAsString() + if err != nil { + return res, err + } + regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``}) + out = regFixConflictX.Replace(out) if err := path.WriteFile([]byte(out)); err != nil { return res, err } diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go index d974b26e4..6f8951161 100644 --- a/pkg/prebuild/prepare/overwrite.go +++ b/pkg/prebuild/prepare/overwrite.go 
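Review bot: The gstreamer fix-up deletes every line of `abstractions/gstreamer` matching `.*gst-plugin-scanner.*` and nothing records that the abstraction was altered: `res`, the message list the task returns, is left empty. A rule removed from an abstraction changes confinement for every profile that includes it, so the build output should say so, e.g. `res = append(res, "abstractions/gstreamer: gst-plugin-scanner rules removed (x modifier conflict under FSP)")`, and the `FIXME` should name the conflict it works around (which profiles' `x` modifiers disagree) and what would allow it to be removed. The `@{p_systemd}`/`@{p_systemd_user}` replacements on `tunables/multiarch.d/system` are also silent; a comment stating that FSP confines systemd itself under those profile names would help a reader who only sees the two `strings.Replace` calls. FullSystemPolicy.Apply continues past the hunk.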
@@ -11,11 +11,11 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild" ) -var ext = "." + prebuild.Pkgname +const ext = ".apparmor.d" type Overwrite struct { prebuild.Base - Optional bool + OneFile bool } func init() { @@ -24,7 +24,7 @@ func init() { Keyword: "overwrite", Msg: "Overwrite dummy upstream profiles", }, - Optional: false, + OneFile: false, }) } @@ -46,13 +46,12 @@ func (p Overwrite) Apply() ([]string, error) { for _, name := range path.MustReadFilteredFileAsLines() { origin := prebuild.RootApparmord.Join(name) dest := prebuild.RootApparmord.Join(name + ext) - if !dest.Exist() && p.Optional { + if !dest.Exist() && p.OneFile { continue } - if origin.Exist() { - if err := origin.Rename(dest); err != nil { - return res, err - } + if err := origin.Rename(dest); err != nil { + + return res, err } originRel, err := origin.RelFrom(dest) if err != nil { diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go deleted file mode 100644 index fb9a1f602..000000000 --- a/pkg/prebuild/prepare/server.go +++ /dev/null 
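Review bot: With the `origin.Exist()` guard gone, `origin.Rename(dest)` runs for every name in the overwrite list, so a listed profile that is absent from the build tree (presumably possible when an earlier task removed it) now aborts the whole task with the rename error instead of being skipped; the `OneFile` check just above only covers a missing `dest`. If skipping is still intended, `if !origin.Exist() { continue }` before the rename restores it, and either way the stray blank line after `if err := origin.Rename(dest); err != nil {` should go. Overwrite.Apply's loop starts and ends outside the hunk.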
@@ -1,108 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2021-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package prepare - -import ( - "fmt" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" -) - -var ( - serverIgnorePatterns = []string{ - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - "include ", - } - serverIgnoreGroups = []string{ - "akonadi", - "avahi", - "bluetooth", - "browsers", - "cosmic", - "cups", - "display-manager", - "flatpak", - "freedesktop", - "gnome", - "gvfs", - "hyprland", - "kde", - "lxqt", - "steam", - "xfce", - "zed", - } -) - -type Server struct { - prebuild.Base -} - -func init() { - RegisterTask(&Server{ - Base: prebuild.Base{ - Keyword: "server", - Msg: "Configure AppArmor for server", - }, - }) -} - -func (p Server) Apply() ([]string, error) { - res := []string{} - - // Ignore desktop related groups - groupNb := 0 - for _, group := range serverIgnoreGroups { - path := prebuild.RootApparmord.Join("groups", group) - if path.IsDir() { - if err := path.RemoveAll(); err != nil { - return res, err - } - groupNb++ - } else { - res = append(res, fmt.Sprintf("Group %s not found, ignoring", path)) - } - } - - // Ignore profiles using a desktop related abstraction - fileNb := 0 - files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - for _, file := range files { - if !file.Exist() { - continue - } - profile, err := file.ReadFileAsString() - if err != nil { - return res, err - } - for _, pattern := range serverIgnorePatterns { - if strings.Contains(profile, pattern) { - if err := file.RemoveAll(); err != nil { - return res, err - } - fileNb++ - break - } - } - } - - res = append(res, fmt.Sprintf("%d groups ignored", groupNb)) - res = append(res, fmt.Sprintf("%d profiles 
ignored", fileNb)) - return res, nil -} diff --git a/pkg/prebuild/prepare/synchronise.go b/pkg/prebuild/prepare/synchronise.go index b6c2dbf5b..b272388c7 100644 --- a/pkg/prebuild/prepare/synchronise.go +++ b/pkg/prebuild/prepare/synchronise.go @@ -11,7 +11,7 @@ import ( type Synchronise struct { prebuild.Base - Paths []string // File or directory to sync into the build directory. + Path string } func init() { 
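Review bot: `Path string` replaces a documented field with an undocumented one, and the `Path: ""` in init relies on the zero value without saying what it selects. From Apply (empty → copy the `apparmor.d` and `share` trees; otherwise copy that one file into the build's apparmor.d tree) the field comment should be `// Path is a single file under apparmor.d to sync into the build directory; empty syncs the whole apparmor.d and share trees.` so callers know the value must be apparmor.d-relative.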
@@ -20,39 +20,38 @@ func init() { Keyword: "synchronise", Msg: "Initialize a new clean apparmor.d build directory", }, - Paths: []string{"apparmor.d", "share"}, + Path: "", }) } func (p Synchronise) Apply() ([]string, error) { res := []string{} - if err := prebuild.Root.Join("systemd").RemoveAll(); err != nil { - return res, err - } - if err := prebuild.RootApparmord.RemoveAll(); err != nil { - return res, err - } - - for _, name := range p.Paths { - src := paths.New(name) - dst := prebuild.Root.Join(name) - if err := dst.RemoveAll(); err != nil { + dirs := paths.PathList{prebuild.RootApparmord, prebuild.Root.Join("share"), prebuild.Root.Join("systemd")} + for _, dir := range dirs { + if err := dir.RemoveAll(); err != nil { return res, err } - - if src.IsDir() { - if err := src.CopyFS(dst); err != nil { - return res, err - } - } else { - if err := dst.Parent().MkdirAll(); err != nil { - return res, err - } - if err := src.CopyTo(dst); err != nil { + } + if p.Path == "" { + for _, name := range []string{"apparmor.d", "share"} { + if err := paths.CopyTo(paths.New(name), prebuild.Root.Join(name)); err != nil { return res, err } } - res = append(res, dst.String()) + } else { + file := paths.New(p.Path) + destination, err := file.RelFrom(paths.New("apparmor.d")) + if err != nil { + return res, err + } + destination = prebuild.RootApparmord.JoinPath(destination) + if err := destination.Parent().MkdirAll(); err != nil { + return res, err + } + if err := file.CopyTo(destination); err != nil { + return res, err + } + res = append(res, destination.String()) } return res, nil } diff --git a/share/man/man8/aa-log.8 b/share/man/man8/aa-log.8 index 62f40966e..42c9a3560 100644 --- a/share/man/man8/aa-log.8 +++ b/share/man/man8/aa-log.8 
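Review bot: `file.RelFrom(paths.New("apparmor.d"))` is used to place the destination under `prebuild.RootApparmord`, but nothing checks that `p.Path` actually lies inside `apparmor.d`: for a path outside it the relative result presumably contains `..` segments (RelFrom's implementation is not visible here), and `JoinPath` plus `destination.Parent().MkdirAll()` would then create and write outside the `.build` tree. Rejecting a relative path whose first segment is `..`, or checking that the resolved destination is still under RootApparmord, before the copy keeps a mistyped `Path` from touching files outside the build directory. Separately, the whole-tree branch returns an empty `res` while the single-file branch reports its destination; appending the two copied directories keeps the task's output consistent between the two modes.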
@@ -1,10 +1,10 @@ -.\" Automatically generated by Pandoc 3.1.12.1 +.\" Automatically generated by Pandoc 3.1.9 .\" -.TH "aa\-log" "8" "September 2024" "" "" +.TH "aa-log" "8" "September 2024" "" "" .SH NAME -aa\-log \[em] Review AppArmor generated messages in a colorful way. +aa-log \[em] Review AppArmor generated messages in a colorful way. .SH SYNOPSIS -\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] .SH DESCRIPTION Review AppArmor generated messages in a colourful way. Support logs from \f[I]auditd\f[R], \f[I]systemd\f[R], \f[I]syslog\f[R] 
@@ -13,48 +13,48 @@ as well as \f[I]dbus session\f[R] events. It can be given an optional profile name to filter the output with. .PP It can be used to generate AppArmor rules from the logs and it therefore -an alternative to \f[CR]aa\-logprof(8)\f[R]. +an alternative to \f[CR]aa-logprof(8)\f[R]. The generated rules should be manually reviewed and inserted into the profile. .PP Default logs are read from \f[CR]/var/log/audit/audit.log\f[R]. Other files in \f[CR]/var/log/audit/\f[R] can easily be checked: -\f[B]aa\-log \-f 1\f[R] parses \f[CR]audit.log.1\f[R] +\f[B]aa-log -f 1\f[R] parses \f[CR]audit.log.1\f[R] .SH OPTIONS -\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] .TP [\f[I]profile\f[R]] Optional profile name to filter the output with. .TP -\f[CR]\-\-file\f[R], \f[CR]\-f\f[R] +\f[CR]--file\f[R], \f[CR]-f\f[R] Set a logfile or a suffix to the default log file. .TP -\f[CR]\-\-systemd\f[R], \f[CR]\-s\f[R] +\f[CR]--systemd\f[R], \f[CR]-s\f[R] Parse systemd logs from journalctl. Provides all AppArmor logs since the last boot. .TP -\f[CR]\-\-rules\f[R], \f[CR]\-r\f[R] +\f[CR]--rules\f[R], \f[CR]-r\f[R] Convert the log into AppArmor rules. .TP -\f[CR]\-\-raw\f[R], \f[CR]\-R\f[R] +\f[CR]--raw\f[R], \f[CR]-R\f[R] Print the raw log without any formatting. Useful for reporting logs. .TP -\f[CR]\-\-help\f[R], \f[CR]\-h\f[R] +\f[CR]--help\f[R], \f[CR]-h\f[R] Print the program usage. 
.SH USAGE To read the AppArmor log from \f[CR]/var/log/audit/audit.log\f[R]: .IP .EX -aa\-log +aa-log .EE .PP To optionally filter a given profile name: -\f[CR]aa\-log \f[R] (your shell will autocomplete the +\f[CR]aa-log \f[R] (your shell will autocomplete the profile name): .IP .EX -$ aa\-log dnsmasq +$ aa-log dnsmasq DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r @@ -63,7 +63,7 @@ DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r To generate AppArmor rule: .IP .EX -$ aa\-log \-r dnsmasq +$ aa-log -r dnsmasq profile dnsmasq { \[at]{PROC}/\[at]{pid}/environ r, \[at]{PROC}/cmdline r, @@ -71,9 +71,9 @@ profile dnsmasq { } .EE .SH SEE ALSO -\f[CR]aa\-logprof(8)\f[R], \f[CR]apparmor(7)\f[R], -\f[CR]apparmor.d(5)\f[R], \f[CR]aa\-genprof(1)\f[R], -\f[CR]aa\-enforce(1)\f[R], \f[CR]aa\-complain(1)\f[R], -\f[CR]aa\-disable(1)\f[R], and https://apparmor.pujol.io. +\f[CR]aa-logprof(8)\f[R], \f[CR]apparmor(7)\f[R], +\f[CR]apparmor.d(5)\f[R], \f[CR]aa-genprof(1)\f[R], +\f[CR]aa-enforce(1)\f[R], \f[CR]aa-complain(1)\f[R], +\f[CR]aa-disable(1)\f[R], and https://apparmor.pujol.io. .SH AUTHORS -aa\-log was written by Alexandre Pujol (alexandre\[at]pujol.io). +aa-log was written by Alexandre Pujol (alexandre\[at]pujol.io). diff --git a/systemd/default/user/at-spi-dbus-bus.service b/systemd/default/user/at-spi-dbus-bus.service new file mode 100644 index 000000000..9c1fad533 --- /dev/null +++ b/systemd/default/user/at-spi-dbus-bus.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=dbus-accessibility diff --git a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service new file mode 100644 index 000000000..818d5cdf3 --- /dev/null 
+++ b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service
@@ -0,0 +1,2 @@
+[Service]
+AppArmorProfile=ibus-daemon
diff --git a/systemd/full/system/ModemManager.service b/systemd/full/system/ModemManager.service
index 2d1593f19..03d352890 100644
--- a/systemd/full/system/ModemManager.service
+++ b/systemd/full/system/ModemManager.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&ModemManager
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/apport-coredump-hook@.service b/systemd/full/system/apport-coredump-hook@.service
deleted file mode 100644
index 73bbc99d8..000000000
--- a/systemd/full/system/apport-coredump-hook@.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&apport
\ No newline at end of file
diff --git a/systemd/full/system/apt-news.service b/systemd/full/system/apt-news.service
deleted file mode 100644
index d7bf885dd..000000000
--- a/systemd/full/system/apt-news.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&apt_news
diff --git a/systemd/full/system/archlinux-keyring-wkd-sync.service b/systemd/full/system/archlinux-keyring-wkd-sync.service
index b88768556..03d352890 100644
--- a/systemd/full/system/archlinux-keyring-wkd-sync.service
+++ b/systemd/full/system/archlinux-keyring-wkd-sync.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&archlinux-keyring-wkd-sync
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/bluetooth.service b/systemd/full/system/bluetooth.service
index 5cccff422..03d352890 100644
--- a/systemd/full/system/bluetooth.service
+++ b/systemd/full/system/bluetooth.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&bluetoothd
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/cloud-init-hotplugd.service b/systemd/full/system/cloud-init-hotplugd.service
deleted file mode 100644
index a2a121fc3..000000000
--- a/systemd/full/system/cloud-init-hotplugd.service
+++ /dev/null
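Review bot: `NoNewPrivileges=no` in the ModemManager.service override — and the identical line added to archlinux-keyring-wkd-sync, bluetooth, the dbus-org.freedesktop.*.service aliases, e2scrub*, fprintd, irqbalance, low-memory-monitor, nm-priv-helper, paccache, passim, polkit, reflector, rngd, shadow and the systemd-* units that follow — re-enables privilege gain through setuid/setgid binaries and file capabilities for services that upstream may ship with `NoNewPrivileges=yes`, and none of the drop-ins says why. Presumably the reason is that the kernel refuses an AppArmor domain transition under no_new_privs for the full-system-policy profiles, now that the stacked `AppArmorProfile=&name` lines are gone, but that is an inference a future maintainer cannot make from the file. A one-line comment in each drop-in, e.g. `# Full system policy: allow the AppArmor profile transition that no_new_privs would block`, records the trade-off and lets the override be dropped once it is no longer needed. It is also worth confirming that every unit losing its `AppArmorProfile=` setting here is confined by the full-system-policy path rules instead of running unconfined.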
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&cloud-init-hotplugd.service
diff --git a/systemd/full/system/colord.service b/systemd/full/system/colord.service
deleted file mode 100644
index 9a64fbc26..000000000
--- a/systemd/full/system/colord.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&colord
diff --git a/systemd/full/system/dbus-org.freedesktop.hostname1.service b/systemd/full/system/dbus-org.freedesktop.hostname1.service
index 6d078aea9..03d352890 100644
--- a/systemd/full/system/dbus-org.freedesktop.hostname1.service
+++ b/systemd/full/system/dbus-org.freedesktop.hostname1.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-hostnamed
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.import1.service b/systemd/full/system/dbus-org.freedesktop.import1.service
index 0ab519541..03d352890 100644
--- a/systemd/full/system/dbus-org.freedesktop.import1.service
+++ b/systemd/full/system/dbus-org.freedesktop.import1.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-importd
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.locale1.service b/systemd/full/system/dbus-org.freedesktop.locale1.service
index 276595080..03d352890 100644
--- a/systemd/full/system/dbus-org.freedesktop.locale1.service
+++ b/systemd/full/system/dbus-org.freedesktop.locale1.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-localed
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.login1.service b/systemd/full/system/dbus-org.freedesktop.login1.service
index c5728915c..03d352890 100644
--- a/systemd/full/system/dbus-org.freedesktop.login1.service
+++ b/systemd/full/system/dbus-org.freedesktop.login1.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-logind
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.machine1.service b/systemd/full/system/dbus-org.freedesktop.machine1.service
index 315b1b230..03d352890 100644
--- a/systemd/full/system/dbus-org.freedesktop.machine1.service
+++ b/systemd/full/system/dbus-org.freedesktop.machine1.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-machined
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/dbus-org.freedesktop.timedate1.service b/systemd/full/system/dbus-org.freedesktop.timedate1.service
index ab04c5a45..03d352890 100644
--- a/systemd/full/system/dbus-org.freedesktop.timedate1.service
+++ b/systemd/full/system/dbus-org.freedesktop.timedate1.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&systemd-timedated
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/debug-shell.service b/systemd/full/system/debug-shell.service
deleted file mode 100644
index f895f7941..000000000
--- a/systemd/full/system/debug-shell.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=debug-shell.service
\ No newline at end of file
diff --git a/systemd/full/system/dmesg.service b/systemd/full/system/dmesg.service
deleted file mode 100644
index d4647117b..000000000
--- a/systemd/full/system/dmesg.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=dmesg.service
\ No newline at end of file
diff --git a/systemd/full/system/e2scrub@.service b/systemd/full/system/e2scrub@.service
index 7340b7610..03d352890 100644
--- a/systemd/full/system/e2scrub@.service
+++ b/systemd/full/system/e2scrub@.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&e2scrub
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/e2scrub_reap.service b/systemd/full/system/e2scrub_reap.service
index b903d2f0a..03d352890 100644
--- a/systemd/full/system/e2scrub_reap.service
+++ b/systemd/full/system/e2scrub_reap.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&e2scrub_all
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/fprintd.service b/systemd/full/system/fprintd.service
index 5f1f063fa..03d352890 100644
--- a/systemd/full/system/fprintd.service
+++ b/systemd/full/system/fprintd.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&fprintd
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service
index acd28a5a4..fa215b3f0 100644
--- a/systemd/full/system/fwupd-refresh.service
+++ b/systemd/full/system/fwupd-refresh.service
@@ -1,2 +1,4 @@
 [Service]
-AppArmorProfile=&fwupdmgr
\ No newline at end of file
+ProtectKernelModules=no
+RestrictRealtime=no
+ProtectKernelModules=no
diff --git a/systemd/full/system/fwupd.service b/systemd/full/system/fwupd.service
deleted file mode 100644
index 5054a73d6..000000000
--- a/systemd/full/system/fwupd.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&fwupd
\ No newline at end of file
diff --git a/systemd/full/system/geoclue.service b/systemd/full/system/geoclue.service
index 2c10e32f5..4ba897659 100644
--- a/systemd/full/system/geoclue.service
+++ b/systemd/full/system/geoclue.service
@@ -1,2 +1,6 @@
 [Service]
-AppArmorProfile=&geoclue
\ No newline at end of file
+NoNewPrivileges=no
+MemoryDenyWriteExecute=no
+ProtectKernelTunables=no
+ProtectKernelModules=no
+RestrictRealtime=no
diff --git a/systemd/full/system/grub-common.service b/systemd/full/system/grub-common.service
deleted file mode 100644
index 8520aea76..000000000
--- a/systemd/full/system/grub-common.service
+++ /dev/null
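Review bot: `ProtectKernelModules=no` appears twice in the new fwupd-refresh.service override; systemd keeps the last assignment so the duplicate is harmless, but it reads as a copy-paste slip and makes the relaxation list look longer than it is, so one of the two lines should go. This unit is also the only override in the set that does not add `NoNewPrivileges=no`, while geoclue.service in the same run switches off five sandbox options (`NoNewPrivileges`, `MemoryDenyWriteExecute`, `ProtectKernelTunables`, `ProtectKernelModules`, `RestrictRealtime`); if those differences are deliberate, a comment in each file naming the denial being worked around (e.g. `# geoclue: needed for <denial> under full system policy — TODO confirm`) would make the weakening reviewable and reversible.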
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=grub-common.service
\ No newline at end of file
diff --git a/systemd/full/system/irqbalance.service b/systemd/full/system/irqbalance.service
index eab67fa44..03d352890 100644
--- a/systemd/full/system/irqbalance.service
+++ b/systemd/full/system/irqbalance.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&irqbalance
\ No newline at end of file
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/ldconfig.service b/systemd/full/system/ldconfig.service
deleted file mode 100644
index 1b2a9c287..000000000
--- a/systemd/full/system/ldconfig.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=ldconfig.service
\ No newline at end of file
diff --git a/systemd/full/system/logrotate.service b/systemd/full/system/logrotate.service
deleted file mode 100644
index bc984e025..000000000
--- a/systemd/full/system/logrotate.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&logrotate
\ No newline at end of file
diff --git a/systemd/full/system/low-memory-monitor.service b/systemd/full/system/low-memory-monitor.service
new file mode 100644
index 000000000..dabf76f3a
--- /dev/null
+++ b/systemd/full/system/low-memory-monitor.service
@@ -0,0 +1,3 @@
+[Service]
+NoNewPrivileges=no
+
diff --git a/systemd/full/system/man-db.service b/systemd/full/system/man-db.service
deleted file mode 100644
index d3a78dd80..000000000
--- a/systemd/full/system/man-db.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=man-db.service
\ No newline at end of file
diff --git a/systemd/full/system/nm-priv-helper.service b/systemd/full/system/nm-priv-helper.service
index 53f99edd0..03d352890 100644
--- a/systemd/full/system/nm-priv-helper.service
+++ b/systemd/full/system/nm-priv-helper.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&nm-priv-helper
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/paccache.service b/systemd/full/system/paccache.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/paccache.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/passim.service b/systemd/full/system/passim.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/passim.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/pcscd.service b/systemd/full/system/pcscd.service
deleted file mode 100644
index 8d39f3f26..000000000
--- a/systemd/full/system/pcscd.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&pcscd
diff --git a/systemd/full/system/polkit.service b/systemd/full/system/polkit.service
index b21a28baa..03d352890 100644
--- a/systemd/full/system/polkit.service
+++ b/systemd/full/system/polkit.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&polkitd
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/power-profiles-daemon.service b/systemd/full/system/power-profiles-daemon.service
deleted file mode 100644
index 45c5ed93b..000000000
--- a/systemd/full/system/power-profiles-daemon.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&power-profiles-daemon
\ No newline at end of file
diff --git a/systemd/full/system/reflector.service b/systemd/full/system/reflector.service
new file mode 100644
index 000000000..03d352890
--- /dev/null
+++ b/systemd/full/system/reflector.service
@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/rngd.service b/systemd/full/system/rngd.service
index c52a85d0c..03d352890 100644
--- a/systemd/full/system/rngd.service
+++ b/systemd/full/system/rngd.service
@@ -1,2 +1,2 @@
 [Service]
-AppArmorProfile=&rngd
+NoNewPrivileges=no
\ No newline at end of file
diff --git a/systemd/full/system/rsyslog.service b/systemd/full/system/rsyslog.service
deleted file mode 100644
index 6b49a73f0..000000000
--- a/systemd/full/system/rsyslog.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&rsyslogd
diff --git a/systemd/full/system/secureboot-db.service b/systemd/full/system/secureboot-db.service
deleted file mode 100644
index 722781b8a..000000000
--- a/systemd/full/system/secureboot-db.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=secureboot-db.service
diff --git a/systemd/full/system/shadow.service b/systemd/full/system/shadow.service
index 52d2f644c..dabf76f3a 100644
--- a/systemd/full/system/shadow.service
+++ b/systemd/full/system/shadow.service
@@ -1,2 +1,3 @@
 [Service]
-AppArmorProfile=&shadow.service
+NoNewPrivileges=no
+
diff --git a/systemd/full/system/snapd.system-shutdown.service b/systemd/full/system/snapd.system-shutdown.service
deleted file mode 100644
index 7953d522a..000000000
--- a/systemd/full/system/snapd.system-shutdown.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=snapd.system-shutdown.service
\ No newline at end of file
diff --git a/systemd/full/system/system-update-cleanup.service b/systemd/full/system/system-update-cleanup.service
deleted file mode 100644
index 24c914f77..000000000
--- a/systemd/full/system/system-update-cleanup.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=system-update-cleanup.service
\ No newline at end of file
diff --git a/systemd/full/system/systemd-coredump@.service b/systemd/full/system/systemd-coredump@.service
deleted file mode 100644
index d13624709..000000000
--- a/systemd/full/system/systemd-coredump@.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&systemd-coredump
diff --git a/systemd/full/system/systemd-homed.service b/systemd/full/system/systemd-homed.service
index 65d4ae62e..03d352890 100644
--- a/systemd/full/system/systemd-homed.service
+++ b/systemd/full/system/systemd-homed.service @@ -1,2 +1,2 @@ [Service] -AppArmorProfile=&systemd-homed +NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/systemd-hostnamed.service b/systemd/full/system/systemd-hostnamed.service index 6d078aea9..03d352890 100644 --- a/systemd/full/system/systemd-hostnamed.service +++ b/systemd/full/system/systemd-hostnamed.service @@ -1,2 +1,2 @@ [Service] -AppArmorProfile=&systemd-hostnamed \ No newline at end of file +NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/systemd-initctl.service b/systemd/full/system/systemd-initctl.service deleted file mode 100644 index e44c8767f..000000000 --- a/systemd/full/system/systemd-initctl.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=&systemd-initctl \ No newline at end of file diff --git a/systemd/full/system/systemd-journal-remote.service b/systemd/full/system/systemd-journal-remote.service deleted file mode 100644 index e08cf75a9..000000000 --- a/systemd/full/system/systemd-journal-remote.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=&systemd-journal-remote \ No newline at end of file diff --git a/systemd/full/system/systemd-journald.service b/systemd/full/system/systemd-journald.service index 48f5a0156..0316a67c8 100644 --- a/systemd/full/system/systemd-journald.service +++ b/systemd/full/system/systemd-journald.service @@ -1,2 +1,3 @@ [Service] -AppArmorProfile=&systemd-journald \ No newline at end of file +NoNewPrivileges=no +ProtectClock=no \ No newline at end of file diff --git a/systemd/full/system/systemd-journald@.service b/systemd/full/system/systemd-journald@.service index 48f5a0156..0316a67c8 100644 --- a/systemd/full/system/systemd-journald@.service +++ b/systemd/full/system/systemd-journald@.service @@ -1,2 +1,3 @@ [Service] -AppArmorProfile=&systemd-journald \ No newline at end of file +NoNewPrivileges=no +ProtectClock=no \ No newline at end of file 
diff --git a/systemd/full/system/systemd-localed.service b/systemd/full/system/systemd-localed.service index 276595080..03d352890 100644 --- a/systemd/full/system/systemd-localed.service +++ b/systemd/full/system/systemd-localed.service @@ -1,2 +1,2 @@ [Service] -AppArmorProfile=&systemd-localed \ No newline at end of file +NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/systemd-logind.service b/systemd/full/system/systemd-logind.service index c5728915c..0316a67c8 100644 --- a/systemd/full/system/systemd-logind.service +++ b/systemd/full/system/systemd-logind.service @@ -1,2 +1,3 @@ [Service] -AppArmorProfile=&systemd-logind \ No newline at end of file +NoNewPrivileges=no +ProtectClock=no \ No newline at end of file diff --git a/systemd/full/system/systemd-machined.service b/systemd/full/system/systemd-machined.service index 315b1b230..03d352890 100644 --- a/systemd/full/system/systemd-machined.service +++ b/systemd/full/system/systemd-machined.service @@ -1,2 +1,2 @@ [Service] -AppArmorProfile=&systemd-machined \ No newline at end of file +NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/systemd-networkd.service b/systemd/full/system/systemd-networkd.service index 3f4b60849..03d352890 100644 --- a/systemd/full/system/systemd-networkd.service +++ b/systemd/full/system/systemd-networkd.service @@ -1,2 +1,2 @@ [Service] -AppArmorProfile=&systemd-networkd +NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/systemd-nsresourced.service b/systemd/full/system/systemd-nsresourced.service deleted file mode 100644 index 2dc668b80..000000000 --- a/systemd/full/system/systemd-nsresourced.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=&systemd-nsresourced diff --git a/systemd/full/system/systemd-oomd.service b/systemd/full/system/systemd-oomd.service deleted file mode 100644 index c384626ee..000000000 --- a/systemd/full/system/systemd-oomd.service +++ /dev/null 
@@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=&systemd-oomd diff --git a/systemd/full/system/systemd-resolved.service b/systemd/full/system/systemd-resolved.service index fd36871e4..03d352890 100644 --- a/systemd/full/system/systemd-resolved.service +++ b/systemd/full/system/systemd-resolved.service @@ -1,2 +1,2 @@ [Service] -AppArmorProfile=&systemd-resolved +NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/systemd-rfkill.service b/systemd/full/system/systemd-rfkill.service deleted file mode 100644 index 4abf222d5..000000000 --- a/systemd/full/system/systemd-rfkill.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=&systemd-rfkill diff --git a/systemd/full/system/systemd-timedated.service b/systemd/full/system/systemd-timedated.service index 78dd0193d..03d352890 100644 --- a/systemd/full/system/systemd-timedated.service +++ b/systemd/full/system/systemd-timedated.service @@ -1,2 +1,2 @@ [Service] -AppArmorProfile=&systemd-timedated +NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/systemd-timesyncd.service b/systemd/full/system/systemd-timesyncd.service deleted file mode 100644 index 0cd6fefbf..000000000 --- a/systemd/full/system/systemd-timesyncd.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=&systemd-timesyncd diff --git a/systemd/full/system/systemd-userdbd.service b/systemd/full/system/systemd-userdbd.service index d3771658d..03d352890 100644 --- a/systemd/full/system/systemd-userdbd.service +++ b/systemd/full/system/systemd-userdbd.service @@ -1,2 +1,2 @@ [Service] -AppArmorProfile=&systemd-userdbd +NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/upower.service b/systemd/full/system/upower.service index 082e8f0fa..03d352890 100644 --- a/systemd/full/system/upower.service +++ b/systemd/full/system/upower.service @@ -1,2 +1,2 @@ [Service] -AppArmorProfile=&upowerd +NoNewPrivileges=no \ No newline at end of file 
diff --git a/systemd/full/system/usb_modeswitch@.service b/systemd/full/system/usb_modeswitch@.service deleted file mode 100644 index 0eca1db25..000000000 --- a/systemd/full/system/usb_modeswitch@.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=usb_modeswitch.service \ No newline at end of file diff --git a/systemd/full/user/filter-chain.service b/systemd/full/user/filter-chain.service deleted file mode 100644 index 4dd212f51..000000000 --- a/systemd/full/user/filter-chain.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=&pipewire \ No newline at end of file diff --git a/systemd/full/user/pipewire-media-session.service b/systemd/full/user/pipewire-media-session.service new file mode 100644 index 000000000..c392e82fe --- /dev/null +++ b/systemd/full/user/pipewire-media-session.service @@ -0,0 +1,5 @@ +[Service] +NoNewPrivileges=no +MemoryDenyWriteExecute=no +LockPersonality=no +RestrictNamespaces=no diff --git a/systemd/full/user/pipewire-pulse.service b/systemd/full/user/pipewire-pulse.service deleted file mode 100644 index 1d35a493e..000000000 --- a/systemd/full/user/pipewire-pulse.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=&pipewire-pulse \ No newline at end of file diff --git a/systemd/full/user/pipewire.service b/systemd/full/user/pipewire.service deleted file mode 100644 index 4dd212f51..000000000 --- a/systemd/full/user/pipewire.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=&pipewire \ No newline at end of file diff --git a/systemd/full/user/wireplumber.service b/systemd/full/user/wireplumber.service deleted file mode 100644 index c47175f40..000000000 --- a/systemd/full/user/wireplumber.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=&wireplumber \ No newline at end of file diff --git a/systemd/full/user/wireplumber@.service b/systemd/full/user/wireplumber@.service deleted file mode 100644 index c47175f40..000000000 
--- a/systemd/full/user/wireplumber@.service
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-AppArmorProfile=&wireplumber
\ No newline at end of file
diff --git a/tests/Makefile b/tests/Makefile
new file mode 100644
index 000000000..8bf5f6182
--- /dev/null
+++ b/tests/Makefile
@@ -0,0 +1,28 @@
+#!/usr/bin/make -f
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Usage:
+# make archlinux flavor=gnome
+# vagrant up arch-gnome
+# vagrant ssh archl-gnome
+
+# Build variables
+flavor ?=
+disk ?= 10G
+
+VERSION := 0.$(shell git rev-list --count HEAD)
+BASE = archlinux debian ubuntu opensuse fedora
+
+.PHONY: ${BASE} lint
+
+$(BASE):
+ @make --directory=../ package dist=${@}
+ @packer build -force -var version=${VERSION} \
+ -var disk_size=${disk} -var flavor="${flavor}" \
+ -only=qemu.${@} packer/
+
+lint:
+ @packer fmt --check packer/
+ @packer validate --syntax-only packer/
diff --git a/tests/Vagrantfile b/tests/Vagrantfile
new file mode 100644
index 000000000..4bdaac985
--- /dev/null
+++ b/tests/Vagrantfile
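Review bot: The `$(BASE)` recipe in the new tests/Makefile calls `@make --directory=../ package dist=${@}` directly; a recursive invocation should go through `$(MAKE)` so the parent's flags, jobserver and the make binary actually in use are inherited and `-n` behaves: `@$(MAKE) --directory=../ package dist=${@}`. `VERSION := 0.$(shell git rev-list --count HEAD)` is evaluated on every invocation, including `make lint`, so outside a git checkout it prints a git error and yields `0.`; if that is acceptable, a short comment above the line saying the version is derived from the commit count would make the intent clear. The Usage block also says `vagrant ssh archl-gnome` while the box defined in boxes.yml is `arch-gnome`.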
@@ -0,0 +1,62 @@
+# -*- mode: ruby -*-
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+require 'yaml'
+
+machines = YAML.load_file(File.join(File.dirname(__FILE__), 'boxes.yml'))
+default = machines['defaults']
+
+Vagrant.require_version '>= 2.0.0'
+
+Vagrant.configure("2") do |config|
+
+ config.ssh.keys_only = true
+ config.ssh.insert_key = false
+ config.ssh.private_key_path = [ '~/.ssh/id_ed25519' ]
+ config.ssh.username = 'user'
+
+ machines['boxes'].each do |instance|
+
+ # Configure the VMs per details in boxes.yml
+ config.vm.define instance['name'] do |srv|
+ srv.vm.box = instance['box']
+ srv.vm.box_check_update = false
+ srv.vm.post_up_message = instance.to_yaml
+ srv.vm.synced_folder '.', '/vagrant', disabled: true
+ if !ENV['AA_INTEGRATION']
+ srv.vm.synced_folder '../', '/home/user/Projects/apparmor.d', type: 'virtiofs', mount: false
+ end
+
+ # Configure Libvirt provider
+ srv.vm.provider 'libvirt' do |libvirt|
+ libvirt.driver = 'kvm'
+ libvirt.default_prefix = 'aa-'
+ libvirt.connect_via_ssh = false
+ libvirt.storage_pool_name = 'ssd'
+ libvirt.memory = instance.fetch('ram', default['ram'])
+ libvirt.cpus = instance.fetch('cpu', default['cpu'])
+ libvirt.cpu_mode = 'host-passthrough'
+ libvirt.machine_type = 'q35'
+ libvirt.video_type = 'virtio'
+ libvirt.graphics_type = 'spice'
+ libvirt.sound_type = 'ich9'
+ libvirt.tpm_model = 'tpm-crb'
+ libvirt.tpm_type = 'emulator'
+ libvirt.tpm_version = '2.0'
+ libvirt.random model: 'random'
+ libvirt.memorybacking 'source', type: 'memfd'
+ libvirt.memorybacking 'access', mode: 'shared'
+ libvirt.channel type: 'unix', target_name: 'org.qemu.guest_agent.0', target_type: 'virtio'
+ (1..2).each do
+ libvirt.redirdev :type => "spicevmc"
+ end
+ if instance.fetch('uefi', default['uefi'])
+ libvirt.loader = '/usr/share/edk2/x64/OVMF_CODE.fd'
+ end
+ end
+
+ end
+ end
+end
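Review bot: `YAML.load_file` on line 8 of the new Vagrantfile should be `YAML.safe_load_file`; boxes.yml is in-tree so the exposure is small, but on Psych versions before 4 `load_file` resolves arbitrary Ruby object tags, while this file only needs plain scalars, sequences and mappings: `machines = YAML.safe_load_file(File.join(File.dirname(__FILE__), 'boxes.yml'))`. The SSH block pins `config.ssh.private_key_path = [ '~/.ssh/id_ed25519' ]` together with `insert_key = false`, so every throwaway test VM is provisioned with the developer's personal key; a dedicated key under the tests directory, or a path taken from an environment variable, keeps that key out of the images. The UEFI loader path `/usr/share/edk2/x64/OVMF_CODE.fd` is specific to one host layout; a comment saying which distribution it assumes, or an `ENV` override, would save the next user a failed boot.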
diff --git a/tests/integration/apparmor/aa-enforce.bats b/tests/bats/aa-enforce.bats similarity index 94% rename from tests/integration/apparmor/aa-enforce.bats rename to tests/bats/aa-enforce.bats index 7bc0e740b..d6b549b1e 100644 --- a/tests/integration/apparmor/aa-enforce.bats +++ b/tests/bats/aa-enforce.bats @@ -3,9 +3,10 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common setup_file() { + aa_setup skip } diff --git a/tests/integration/apparmor/aa-status.bats b/tests/bats/aa-status.bats similarity index 97% rename from tests/integration/apparmor/aa-status.bats rename to tests/bats/aa-status.bats index e7e0fc3d5..fbfb6667d 100644 --- a/tests/integration/apparmor/aa-status.bats +++ b/tests/bats/aa-status.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "aa-status: Check status" { sudo aa-status diff --git a/tests/integration/utils/blkid.bats b/tests/bats/blkid.bats similarity index 95% rename from tests/integration/utils/blkid.bats rename to tests/bats/blkid.bats index 625f5f9bb..6dcf4b4d7 100644 --- a/tests/integration/utils/blkid.bats +++ b/tests/bats/blkid.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "blkid: List all partitions" { sudo blkid diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats new file mode 100644 index 000000000..a9f5a6978 --- /dev/null +++ b/tests/bats/chsh.bats 
@@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "chsh: [l]ist available shells" { + chsh --list-shells || true +} + +@test "chsh: Set a specific login [s]hell for the current user" { + echo "$PASSWORD" | chsh --shell /usr/bin/bash +} + +# bats test_tags=chsh +@test "chsh: Set a login [s]hell for a specific user" { + sudo chsh --shell /usr/bin/sh root +} diff --git a/tests/integration/common.bash b/tests/bats/common.bash similarity index 91% rename from tests/integration/common.bash rename to tests/bats/common.bash index 7a012191b..556ef871b 100644 --- a/tests/integration/common.bash +++ b/tests/bats/common.bash @@ -6,11 +6,6 @@ export BATS_LIB_PATH=${BATS_LIB_PATH:-/usr/lib/bats} load "$BATS_LIB_PATH/bats-support/load" -export SYSTEMD_PAGER= - -# Ignore the profile not managed by apparmor.d -IGNORE=(php-fpm snapd/snap-confine snap.vault.vaultd) - # User password for sudo commands export PASSWORD=${PASSWORD:-user} @@ -110,21 +105,12 @@ aa_check() { now=$(date +%s) duration=$((now - _START + 1)) logs=$(aa-log --raw --systemd --since "-${duration}s") - for profile in "${IGNORE[@]}"; do - logs=$(echo "$logs" | grep -v "$profile") - done - aa_start if [[ -n "$logs" ]]; then fail "profile $PROGRAM raised logs: $logs" fi } -_timeout() { - local duration="2s" - timeout --preserve-status --kill-after="$duration" "$duration" "$@" -} - # Bats setup and teardown hooks setup_file() { diff --git a/tests/integration/cpuid.bats b/tests/bats/cpuid.bats similarity index 100% rename from tests/integration/cpuid.bats rename to tests/bats/cpuid.bats diff --git a/tests/integration/utils/df.bats b/tests/bats/df.bats similarity index 93% rename from tests/integration/utils/df.bats rename to tests/bats/df.bats index c15a32d5f..a97ad53cb 100644 --- a/tests/integration/utils/df.bats +++ b/tests/bats/df.bats 
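Review bot: The third test in the new chsh.bats, `sudo chsh --shell /usr/bin/sh root`, changes root's login shell on the test host and nothing puts it back, so the side effect outlives the file and the result depends on run order. Capture the current value in a file-level `setup_file` (`export ROOT_SHELL=$(getent passwd root | cut -d: -f7)`) and restore it in `teardown_file` (`sudo chsh --shell "$ROOT_SHELL" root`); since common.bash defines `setup_file` too, the local one should presumably call `aa_setup` as aa-enforce.bats does so the shared hook still runs. The second test leaves the current user's shell set to `/usr/bin/bash` in the same way, which is harmless on the images shown here but worth a comment.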
@@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "df: Display all filesystems and their disk usage" { df @@ -14,7 +14,7 @@ load ../common } @test "df: Display the filesystem and its disk usage containing the given file or directory" { - df /etc/apparmor.d/ + df apparmor.d/ } @test "df: Include statistics on the number of free inodes" { diff --git a/tests/integration/dfc.bats b/tests/bats/dfc.bats similarity index 100% rename from tests/integration/dfc.bats rename to tests/bats/dfc.bats diff --git a/tests/integration/utils/dmesg.bats b/tests/bats/dmesg.bats similarity index 97% rename from tests/integration/utils/dmesg.bats rename to tests/bats/dmesg.bats index f2880666d..722b3204b 100644 --- a/tests/integration/utils/dmesg.bats +++ b/tests/bats/dmesg.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "dmesg: Show kernel messages" { sudo dmesg diff --git a/tests/integration/fc-cache.bats b/tests/bats/fc-cache.bats similarity index 100% rename from tests/integration/fc-cache.bats rename to tests/bats/fc-cache.bats diff --git a/tests/integration/fc-list.bats b/tests/bats/fc-list.bats similarity index 100% rename from tests/integration/fc-list.bats rename to tests/bats/fc-list.bats diff --git a/tests/bats/flatpak.bats b/tests/bats/flatpak.bats new file mode 100644 index 000000000..e549e01ad --- /dev/null +++ b/tests/bats/flatpak.bats 
@@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "flatpak: List installed applications, ignoring runtimes" { + flatpak list --app +} + +@test "flatpak: Install an application from a remote source" { + flatpak install --noninteractive org.vim.Vim +} + +@test "flatpak: Show information about an installed application" { + flatpak info org.vim.Vim +} + +@test "flatpak: Run an installed application" { + flatpak run org.vim.Vim +} + +@test "flatpak: Update all installed applications and runtimes" { + flatpak update --noninteractive +} + +@test "flatpak: Remove an installed application" { + flatpak remove --noninteractive org.vim.Vim +} + +@test "flatpak: Remove all unused applications" { + flatpak remove --unused +} diff --git a/tests/integration/fwupdmgr.bats b/tests/bats/fwupdmgr.bats similarity index 100% rename from tests/integration/fwupdmgr.bats rename to tests/bats/fwupdmgr.bats diff --git a/tests/integration/gpg/gpgconf.bats b/tests/bats/gpgconf.bats similarity index 98% rename from tests/integration/gpg/gpgconf.bats rename to tests/bats/gpgconf.bats index 41627dc67..7155c5aa9 100644 --- a/tests/integration/gpg/gpgconf.bats +++ b/tests/bats/gpgconf.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "gpgconf: List all components" { gpgconf --list-components diff --git a/tests/integration/shadow/groupadd.bats b/tests/bats/groupadd.bats similarity index 97% rename from tests/integration/shadow/groupadd.bats rename to tests/bats/groupadd.bats index 3d07619b2..d93b1a690 100644 --- a/tests/integration/shadow/groupadd.bats +++ b/tests/bats/groupadd.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "groupadd: Create a new group" { sudo groupadd user2 
diff --git a/tests/integration/shadow/groups.bats b/tests/bats/groups.bats similarity index 95% rename from tests/integration/shadow/groups.bats rename to tests/bats/groups.bats index f932e9129..60bf6ea45 100644 --- a/tests/integration/shadow/groups.bats +++ b/tests/bats/groups.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "groups: Print group memberships for the current user" { groups diff --git a/tests/integration/systemd/homectl.bats b/tests/bats/homectl.bats similarity index 93% rename from tests/integration/systemd/homectl.bats rename to tests/bats/homectl.bats index bb3b38227..656a3407b 100644 --- a/tests/integration/systemd/homectl.bats +++ b/tests/bats/homectl.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common setup_file() { sudo systemctl start systemd-homed @@ -16,7 +16,7 @@ setup_file() { } @test "homectl: Create a user account and their associated home directory" { - printf "user2\nuser2" | sudo homectl create user2 + sudo homectl create user2 } @test "homectl: List user accounts and their associated home directories" { diff --git a/tests/integration/systemd/hostnamectl.bats b/tests/bats/hostnamectl.bats similarity index 97% rename from tests/integration/systemd/hostnamectl.bats rename to tests/bats/hostnamectl.bats index 38924920a..2c15658ad 100644 --- a/tests/integration/systemd/hostnamectl.bats +++ b/tests/bats/hostnamectl.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "hostnamectl: Get the hostname of the computer" { hostnamectl diff --git a/tests/integration/id.bats b/tests/bats/id.bats similarity index 100% rename from tests/integration/id.bats rename to tests/bats/id.bats 
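Review bot: In the homectl hunk, dropping the piped password leaves `sudo homectl create user2` with no visible source for the account password; as far as I know homectl accepts it from `$PASSWORD`, which common.bash exports, but `sudo` resets the environment by default, so unless the test image's sudoers preserves that variable the command will prompt or fail. State the dependency next to the call, e.g. `# homectl reads the new password from $PASSWORD; the test image's sudoers must preserve it`, or pass it explicitly with `sudo PASSWORD="$PASSWORD" homectl create user2` if the sudoers policy allows setting variables. The rest of the test file is outside this hunk.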
diff --git a/tests/integration/ip.bats b/tests/bats/ip.bats similarity index 100% rename from tests/integration/ip.bats rename to tests/bats/ip.bats diff --git a/tests/integration/utils/lsblk.bats b/tests/bats/lsblk.bats similarity index 98% rename from tests/integration/utils/lsblk.bats rename to tests/bats/lsblk.bats index 4093526a9..4dc3e20b7 100644 --- a/tests/integration/utils/lsblk.bats +++ b/tests/bats/lsblk.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "lsblk: List all storage devices in a tree-like format" { lsblk diff --git a/tests/integration/utils/lscpu.bats b/tests/bats/lscpu.bats similarity index 96% rename from tests/integration/utils/lscpu.bats rename to tests/bats/lscpu.bats index eb60d890d..d09599065 100644 --- a/tests/integration/utils/lscpu.bats +++ b/tests/bats/lscpu.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "lscpu: Display information about all CPUs" { lscpu diff --git a/tests/integration/utils/lspci.bats b/tests/bats/lspci.bats similarity index 80% rename from tests/integration/utils/lspci.bats rename to tests/bats/lspci.bats index facf379a9..021906602 100644 --- a/tests/integration/utils/lspci.bats +++ b/tests/bats/lspci.bats @@ -3,11 +3,10 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "lspci: Show a brief list of devices" { lspci - sudo lspci } @test "lspci: Display additional info" { @@ -22,10 +21,6 @@ load ../common lspci -s 00:00.0 } -@test "lspci: Query the PCI ID database for unknown ID's via DNS" { - sudo lspci -q -} - @test "lspci: Dump info in a readable form" { lspci -vm } diff --git a/tests/integration/usb/lsusb.bats b/tests/bats/lsusb.bats similarity index 96% rename from tests/integration/usb/lsusb.bats rename to tests/bats/lsusb.bats index 85bee2fd6..f5444fced 100644 
--- a/tests/integration/usb/lsusb.bats +++ b/tests/bats/lsusb.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "lsusb: List all the USB devices available" { lsusb || true diff --git a/tests/integration/needrestart.bats b/tests/bats/needrestart.bats similarity index 84% rename from tests/integration/needrestart.bats rename to tests/bats/needrestart.bats index 4676b36af..567f8c773 100644 --- a/tests/integration/needrestart.bats +++ b/tests/bats/needrestart.bats @@ -5,6 +5,10 @@ load common +setup_file() { + skip "mqueue raised despite the rule being present. See https://gitlab.com/apparmor/apparmor/-/issues/362" +} + @test "needrestart: List outdated processes" { needrestart } diff --git a/tests/integration/procps/ps.bats b/tests/bats/ps.bats similarity index 97% rename from tests/integration/procps/ps.bats rename to tests/bats/ps.bats index a27bdf98d..bcdfbe1b8 100644 --- a/tests/integration/procps/ps.bats +++ b/tests/bats/ps.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "ps: List all running processes" { ps aux diff --git a/tests/integration/utils/pstree.bats b/tests/bats/pstree.bats similarity index 96% rename from tests/integration/utils/pstree.bats rename to tests/bats/pstree.bats index 1fc43c76c..23094478c 100644 --- a/tests/integration/utils/pstree.bats +++ b/tests/bats/pstree.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "pstree: Display a tree of processes" { pstree diff --git a/tests/integration/snap.bats b/tests/bats/snap.bats similarity index 52% rename from tests/integration/snap.bats rename to tests/bats/snap.bats index a670a9ece..1eff200a8 100644 --- a/tests/integration/snap.bats +++ b/tests/bats/snap.bats 
@@ -10,11 +10,11 @@ load common } @test "snap: Install a package" { - sudo snap install vault + sudo snap install nano-strict } @test "snap: Update a package to another channel (track, risk, or branch)" { - sudo snap refresh vault --channel=edge + sudo snap refresh nano-strict --channel=edge } @test "snap: Update all packages" { @@ -25,31 +25,10 @@ load common sudo snap list } -@test "snap: lists information about the services" { - sudo snap services - sudo snap services vault -} - -@test "snap: starts, and optionally enables, the given services" { - sudo snap start --enable vault -} - -@test "snap: logs of the given services" { - sudo snap logs vault || true -} - -@test "snap: restarts the given services" { - sudo snap restart vault -} - -@test "snap: stops, and optionally disables, the given services" { - sudo snap stop --disable vault -} - -@test "snap: Uninstall a package" { - sudo snap remove vault -} - @test "snap: Check for recent snap changes in the system" { sudo snap changes } + +@test "snap: Uninstall a package" { + sudo snap remove nano-strict +} diff --git a/tests/integration/utils/sync.bats b/tests/bats/sync.bats similarity index 95% rename from tests/integration/utils/sync.bats rename to tests/bats/sync.bats index 03cc4730f..9f2e26885 100644 --- a/tests/integration/utils/sync.bats +++ b/tests/bats/sync.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "sync: Flush all pending write operations on all disks" { sync diff --git a/tests/integration/procps/sysctl.bats b/tests/bats/sysctl.bats similarity index 84% rename from tests/integration/procps/sysctl.bats rename to tests/bats/sysctl.bats index 66720c434..171ee98a9 100644 --- a/tests/integration/procps/sysctl.bats +++ b/tests/bats/sysctl.bats 
@@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "sysctl: Show all available variables and their values" { sysctl -a @@ -21,6 +21,7 @@ load ../common sysctl fs.file-max } -@test "sysctl: Apply changes from '/etc/sysctl.conf'" { - sudo sysctl -p +@test "sysctl: Apply changes from `/etc/sysctl.conf`" { + sysctl -p } + diff --git a/tests/integration/systemd/systemd-ac-power.bats b/tests/bats/systemd-ac-power.bats similarity index 96% rename from tests/integration/systemd/systemd-ac-power.bats rename to tests/bats/systemd-ac-power.bats index 65779b617..30019825a 100644 --- a/tests/integration/systemd/systemd-ac-power.bats +++ b/tests/bats/systemd-ac-power.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "systemd-ac-power: Report whether we are connected to an external power source." { systemd-ac-power || true diff --git a/tests/integration/systemd/systemd-analyze.bats b/tests/bats/systemd-analyze.bats similarity index 97% rename from tests/integration/systemd/systemd-analyze.bats rename to tests/bats/systemd-analyze.bats index b36abb62d..6bb275bb6 100644 --- a/tests/integration/systemd/systemd-analyze.bats +++ b/tests/bats/systemd-analyze.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "systemd-analyze: List all running units, ordered by the time they took to initialize" { systemd-analyze --no-pager blame @@ -16,3 +16,5 @@ load ../common @test "systemd-analyze: Show security scores of running units" { systemd-analyze --no-pager security } + + diff --git a/tests/integration/systemd/systemd-cat.bats b/tests/bats/systemd-cat.bats similarity index 96% rename from tests/integration/systemd/systemd-cat.bats rename to tests/bats/systemd-cat.bats index 9d796ff07..da634982a 100644 --- a/tests/integration/systemd/systemd-cat.bats 
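Review bot: The new test name in sysctl.bats, `@test "sysctl: Apply changes from `/etc/sysctl.conf`" {`, puts backticks inside a double-quoted bash string, so when bats evaluates the description bash runs `/etc/sysctl.conf` as a command substitution; the description loses the path and the run emits a permission-denied error. Keep the single quotes the old line had: `@test "sysctl: Apply changes from '/etc/sysctl.conf'" {`. Dropping `sudo` from `sysctl -p` also means the test can only pass while `/etc/sysctl.conf` contains no settings to write, which deserves a comment if that is the intent. The trailing blank `+` line added at the end of the file can go.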
+++ b/tests/bats/systemd-cat.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "systemd-cat: Write the output of the specified command to the journal (both output streams are captured)" { systemd-cat pwd diff --git a/tests/integration/systemd/systemd-cgls.bats b/tests/bats/systemd-cgls.bats similarity index 97% rename from tests/integration/systemd/systemd-cgls.bats rename to tests/bats/systemd-cgls.bats index a0822a516..dca00b62a 100644 --- a/tests/integration/systemd/systemd-cgls.bats +++ b/tests/bats/systemd-cgls.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "systemd-cgls: Display the whole control group hierarchy on your system" { systemd-cgls --no-pager @@ -16,3 +16,4 @@ load ../common @test "systemd-cgls: Display the control group hierarchy of one or more systemd units" { systemd-cgls --no-pager --unit systemd-logind } + diff --git a/tests/integration/systemd/systemd-detect-virt.bats b/tests/bats/systemd-detect-virt.bats similarity index 85% rename from tests/integration/systemd/systemd-detect-virt.bats rename to tests/bats/systemd-detect-virt.bats index bb2b2a659..41150ef7f 100644 --- a/tests/integration/systemd/systemd-detect-virt.bats +++ b/tests/bats/systemd-detect-virt.bats 
@@ -3,20 +3,23 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "systemd-detect-virt: List detectable virtualization technologies" { systemd-detect-virt --list } +# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Detect virtualization, print the result and return a zero status code when running in a VM or a container, and a non-zero code otherwise" { systemd-detect-virt || true } +# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Silently check without printing anything" { systemd-detect-virt --quiet || true } +# bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Only detect hardware virtualization" { systemd-detect-virt --vm || true } diff --git a/tests/integration/systemd/systemd-id128.bats b/tests/bats/systemd-id128.bats similarity index 97% rename from tests/integration/systemd/systemd-id128.bats rename to tests/bats/systemd-id128.bats index 68e48d9a4..67bf5907d 100644 --- a/tests/integration/systemd/systemd-id128.bats +++ b/tests/bats/systemd-id128.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "systemd-id128: Generate a new random identifier" { systemd-id128 new diff --git a/tests/integration/systemd/systemd-sysusers.bats b/tests/bats/systemd-sysusers.bats similarity index 97% rename from tests/integration/systemd/systemd-sysusers.bats rename to tests/bats/systemd-sysusers.bats index 7fff472ee..0816fd45e 100644 --- a/tests/integration/systemd/systemd-sysusers.bats +++ b/tests/bats/systemd-sysusers.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "systemd-sysusers: Print the contents of all configuration files (before each file, its name is printed as a comment)" { systemd-sysusers --cat-config 
diff --git a/tests/integration/uname.bats b/tests/bats/uname.bats similarity index 100% rename from tests/integration/uname.bats rename to tests/bats/uname.bats diff --git a/tests/integration/upower.bats b/tests/bats/upower.bats similarity index 100% rename from tests/integration/upower.bats rename to tests/bats/upower.bats diff --git a/tests/integration/uptime.bats b/tests/bats/uptime.bats similarity index 100% rename from tests/integration/uptime.bats rename to tests/bats/uptime.bats diff --git a/tests/integration/useradd.bats b/tests/bats/useradd.bats similarity index 100% rename from tests/integration/useradd.bats rename to tests/bats/useradd.bats diff --git a/tests/integration/systemd/userdbctl.bats b/tests/bats/userdbctl.bats similarity index 97% rename from tests/integration/systemd/userdbctl.bats rename to tests/bats/userdbctl.bats index eda5f5b09..065dba5f5 100644 --- a/tests/integration/systemd/userdbctl.bats +++ b/tests/bats/userdbctl.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "userdbctl: List all known user records" { userdbctl --no-pager user diff --git a/tests/integration/utils/users.bats b/tests/bats/users.bats similarity index 95% rename from tests/integration/utils/users.bats rename to tests/bats/users.bats index 885121a58..8f8ad383d 100644 --- a/tests/integration/utils/users.bats +++ b/tests/bats/users.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "users: Print logged in usernames" { users diff --git a/tests/integration/utils/uuidd.bats b/tests/bats/uuidd.bats similarity index 96% rename from tests/integration/utils/uuidd.bats rename to tests/bats/uuidd.bats index d3ab28cc0..9e3ac5ef0 100644 --- a/tests/integration/utils/uuidd.bats +++ b/tests/bats/uuidd.bats 
@@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "uuidd: Generate a random UUID" { uuidd --random diff --git a/tests/integration/utils/uuidgen.bats b/tests/bats/uuidgen.bats similarity index 95% rename from tests/integration/utils/uuidgen.bats rename to tests/bats/uuidgen.bats index 838be5cbc..eb6465c04 100644 --- a/tests/integration/utils/uuidgen.bats +++ b/tests/bats/uuidgen.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "uuidgen: Create a random UUIDv4" { uuidgen --random diff --git a/tests/integration/procps/w.bats b/tests/bats/w.bats similarity index 68% rename from tests/integration/procps/w.bats rename to tests/bats/w.bats index 3ee1fe218..1b97ba445 100644 --- a/tests/integration/procps/w.bats +++ b/tests/bats/w.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "w: Display information about all users who are currently logged in" { w @@ -12,8 +12,3 @@ load ../common @test "w: Display information about a specific user" { w root } - -@test "w: Display information without including the header, the login, JCPU and PCPU columns" { - w --no-header - w --short -} diff --git a/tests/integration/utils/who.bats b/tests/bats/who.bats similarity index 96% rename from tests/integration/utils/who.bats rename to tests/bats/who.bats index b69fc2dd1..c05995d0e 100644 --- a/tests/integration/utils/who.bats +++ b/tests/bats/who.bats @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -load ../common +load common @test "who: Display the username, line, and time of all currently logged-in sessions" { who diff --git a/tests/boxes.yml b/tests/boxes.yml new file mode 100644 index 000000000..ef037e07f --- /dev/null +++ b/tests/boxes.yml 
@@ -0,0 +1,51 @@ +--- + +defaults: + uefi: true + ram: '4096' + cpu: '6' + +boxes: + - name: arch-gnome + box: aa-archlinux-gnome + uefi: false + + - name: arch-kde + box: aa-archlinux-kde + uefi: false + + - name: arch-xfce + box: aa-archlinux-xfce + uefi: false + + - name: arch-cosmic + box: aa-archlinux-cosmic + uefi: false + + - name: arch-server + box: aa-archlinux-server + uefi: false + + - name: ubuntu-desktop + box: aa-ubuntu-desktop + + - name: ubuntu-desktop24 + box: aa-ubuntu-desktop24 + + - name: ubuntu-server + box: aa-ubuntu-server + + - name: ubuntu-server24 + box: aa-ubuntu-server24 + + - name: debian-server + box: aa-debian-server + + - name: debian-gnome + box: aa-debian-gnome + + - name: debian-kde + box: aa-debian-kde + + - name: opensuse-kde + box: aa-opensuse-kde diff --git a/tests/check.sh b/tests/check.sh index b54bc157a..3ddda9827 100644 --- a/tests/check.sh +++ b/tests/check.sh 
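Review bot: Under `defaults`, `ram: '4096'` and `cpu: '6'` are quoted strings while `uefi: true` is a real boolean, so the consumer of this file receives mixed scalar types and has to convert the two numeric settings itself; unless it specifically requires strings there, `ram: 4096` and `cpu: 6` are the canonical form. The file also carries no comment on how `defaults` relates to the per-box keys, which the five `uefi: false` entries on the arch boxes apparently rely on. A header such as `# Test VM boxes; a key set on a box is expected to override the same key under 'defaults'.` would document that contract, assuming that is how the consumer merges them.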
@@ -1,633 +1,174 @@ #!/usr/bin/env bash # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024-2025 Alexandre Pujol +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: just check +# Usage: make check # shellcheck disable=SC2044 set -eu -o pipefail -RES=$(mktemp) -echo "false" >"$RES" -MAX_JOBS=$(nproc) -APPARMORD=${CHECK_APPARMORD:-apparmor.d} -SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list} -declare WITH_CHECK -declare _check_is_disabled -declare _check_is_disabled_global -_FILE_IGNORE_ALL=false -readonly APPARMORD SBIN_LIST RES MAX_JOBS -readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" -_msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } -_warn() { - local name="$1" file="$2" - shift 2 - printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" -} -_err() { - local name="$1" file="$2" - shift 2 - printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" - echo "true" >"$RES" -} - -_in_array() { - local item needle="$1" - shift - for item in "$@"; do - if [[ "${item}" == "${needle}" ]]; then - return 0 - fi - done - return 1 -} - -_is_enabled() { - local check="$1" - if _in_array "$check" "${WITH_CHECK[@]}"; then - if [[ -n "${_check_is_disabled_global+x}" && ${#_check_is_disabled_global[@]} -gt 0 ]]; then - if _in_array "$check" "${_check_is_disabled_global[@]}"; then - return 1 - fi - fi - if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then - return 0 - fi - if _in_array "$check" "${_check_is_disabled[@]}"; then - return 1 - fi - return 0 - fi - return 1 -} - -_wait() { - local -n job=$1 - job=$((job + 1)) - if ((job >= MAX_JOBS)); then - wait -n - job=$((job - 1)) - fi -} - -_IGNORE_LINT_BLOCK=false -readonly _IGNORE_LINT="#aa:lint ignore" -_ignore_lint() { - local checks line="$1" - - if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then - # 
Start of an ignore block (or file-wide if in header) - checks="${line#*"$_IGNORE_LINT="}" - read -ra _parsed <<<"${checks//,/ }" - if (( line_number <= 10 )); then - # Treat as file-wide ignore - _check_is_disabled_global=("${_parsed[@]}") - _FILE_IGNORE_ALL=true - _IGNORE_LINT_BLOCK=false - return 0 - fi - _IGNORE_LINT_BLOCK=true - _check_is_disabled=("${_parsed[@]}") - - elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then - # New paragraph, end of block - _IGNORE_LINT_BLOCK=false - _check_is_disabled=() - - elif [[ $_IGNORE_LINT_BLOCK == true ]]; then - # Nothing to do, we are in a block/paragraph - return 0 - - elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then - # Inline ignore (or file-wide if in header) - checks="${line#*"$_IGNORE_LINT="}" - read -ra _parsed <<<"${checks//,/ }" - if (( line_number <= 10 )); then - _check_is_disabled_global=("${_parsed[@]}") - _FILE_IGNORE_ALL=true - return 0 - fi - _check_is_disabled=("${_parsed[@]}") - - else - # Do not clear if file-wide ignore is set - if ! 
$_FILE_IGNORE_ALL; then - _check_is_disabled=() - fi - fi -} - -_check() { - local file="$1" - line_number=0 - _FILE_IGNORE_ALL=false - _check_is_disabled_global=() - - while IFS= read -r line; do - line_number=$((line_number + 1)) - _ignore_lint "$line" - - # Style check - if [[ $line_number -lt 10 ]]; then - _check_header - fi - _check_tabs - _check_trailing - _check_indentation - _check_vim - _check_udev - - # The following checks do not apply to commented lines - [[ "$line" =~ ^[[:space:]]*# ]] && continue - if [[ "$line" =~ ,[[:space:]]*# ]]; then - line="${line%%#*}" - fi - - # Rules checks - _check_abstractions - _check_directory_mark - _check_equivalent - _check_too_wide - _check_transition - _check_useless - _check_tunables - - # Guidelines check - _check_abi - _check_include - _check_profile - _check_subprofiles - - done <"$file" - - # Results - _res_abi - _res_include - _res_profile - _res_subprofiles - _res_header - _res_vim -} - -# Rules checks: security, compatibility, and rule issues - -readonly ABS="abstractions" -readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) -declare -A ABS_DEPRECATED=( - ["nameservice"]="nameservice-strict" - ["bash"]="shell" - ["X"]="X-strict" - ["dbus-accessibility-strict"]="bus-accessibility" - ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" - ["dbus-session-strict"]="bus-session" - ["dbus-system-strict"]="bus-system" - ["gnome"]="gnome-strict" - ["kde"]="kde-strict" -) -_check_abstractions() { - _is_enabled abstractions || return 0 - - local absname - for absname in "${ABS_DANGEROUS[@]}"; do - if [[ "$line" == *"<$ABS/$absname>"* ]]; then - _err abstractions "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" - fi - done - for absname in "${!ABS_DEPRECATED[@]}"; do - if [[ "$line" == *"<$ABS/$absname>"* ]]; then - _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" - fi - done - 
if [[ "$line" == *"<$ABS/ubuntu-"*">"* ]]; then - _err abstractions "$file:$line_number" "deprecated, ubuntu only abstraction '<$ABS/$absname>'" - fi -} - -readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') -_check_directory_mark() { - _is_enabled directory-mark || return 0 - for pattern in "${DIRECTORIES[@]}"; do - if [[ "$line" == *"$pattern"* ]]; then - [[ "$line" == *'='* ]] && continue - if [[ ! "$line" == *"$pattern/"* ]]; then - _err directory-mark "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" - fi - fi - done -} - -declare -A EQUIVALENTS=( - ["awk"]="{m,g,}awk" - ["gawk"]="{m,g,}awk" - ["grep"]="{,e}grep" - ["gs"]="gs{,.bin}" - ["which"]="which{,.debianutils}" -) -_check_equivalent() { - _is_enabled equivalent || return 0 - local prgmname - for prgmname in "${!EQUIVALENTS[@]}"; do - if [[ "$line" == *"/$prgmname "* ]]; then - if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then - _err equivalent "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" - fi - fi - done -} - -readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') -_check_too_wide() { - _is_enabled too-wide || return 0 - for pattern in "${TOOWIDE[@]}"; do - if [[ "$line" == *" $pattern "* ]]; then - _warn too-wide "$file:$line_number" "rule too wide: '$pattern'" - fi - done -} - -readonly TRANSITION_MUST_CI=( # Must transition to 'ix' or 'Cx' - chgrp chmod chown cp find head install link ln ls mkdir mktemp mv rm rmdir - sed shred stat tail tee test timeout touch truncate unlink -) -readonly TRANSITION_MUST_PC=( # Must transition to 'Px' - ischroot who -) -readonly TRANSITION_MUST_C=( # Must transition to 'Cx' - sysctl kmod pgrep pkill pkexec sudo systemctl udevadm - fusermount fusermount3 fusermount{,3} - nvim vim sensible-editor -) -_check_transition() { - _is_enabled transition || return 0 - 
for prgmname in "${!TRANSITION_MUST_CI[@]}"; do - if [[ "$line" =~ "/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then - _err transition "$file:$line_number" \ - "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" - fi - done - for prgmname in "${!TRANSITION_MUST_PC[@]}"; do - if [[ "$line" =~ "/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then - _err transition "$file:$line_number" \ - "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" - fi - done - for prgmname in "${!TRANSITION_MUST_C[@]}"; do - if [[ "$line" =~ "/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then - _warn transition "$file:$line_number" \ - "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" - fi - done -} - -readonly USELESS=( - 'ptrace readby' - '/usr/share/locale/' - '@{sys}/devices/system/cpu/online' - '@{sys}/devices/system/cpu/possible' - '@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size' - '@{PROC}/@{pid}/auxv' '@{PROC}/@{pid}/maps' '@{PROC}/@{pid}/status' '@{PROC}/cpuinfo' - '@{PROC}/filesystems' '@{PROC}/meminfo' '@{PROC}/stat' - '@{PROC}/sys/kernel/cap_last_cap' '@{PROC}/sys/kernel/ngroups_max' - '@{PROC}/sys/kernel/version' '@{PROC}/sys/vm/overcommit_memory' - '/dev/full' '/dev/zero' -) -_check_useless() { - _is_enabled useless || return 0 - for rule in "${!USELESS[@]}"; do - if [[ "$line" == *"${USELESS[$rule]}"* ]]; then - _err useless "$file:$line_number" "rule already included in the base abstraction, remove it" - fi - done -} - -declare -A TUNABLES=( - # User variables - ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" - ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" - ["(@\{HOME\}/|/home/[^/]+/).local/share"]="@{user_share_dirs}" - ["(@\{HOME\}/|/home/[^/]+/).local/state"]="@{user_state_dirs}" - ["(@\{HOME\}/|/home/[^/]+/).local/bin"]="@{user_bin_dirs}" - 
["(@\{HOME\}/|/home/[^/]+/).local/lib"]="@{user_lib_dirs}" - ["(@\{HOME\}/|/home/[^/]+/).ssh"]="@{HOME}/@{XDG_SSH_DIR}" - ["(@\{HOME\}/|/home/[^/]+/).gnupg"]="@{HOME}/@{XDG_GPG_DIR}" - ["/home/[^/]+/"]="@{HOME}/" - - # System variables - ["/usr/lib(|32|64|exec)"]='@{lib}' - ["/usr/sbin"]='@{sbin}' - ["/usr/bin"]='@{bin}' - ["(x86_64|amd64|i386|i686)"]='@{arch}' - ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' - ["/usr/etc/"]='@{etc_ro}/' - ["/boot/(|efi/)"]="@{efi}/" - ["/efi/"]="@{efi}/" - ["/var/run/"]='@{run}/' - ["/run/"]='@{run}/' - ["user/[0-9]*/"]='user/@{uid}/' - ["/tmp/user/[^/]+/"]='@{tmp}/' - ["/sys/"]='@{sys}/' - ["/proc/"]='@{PROC}/' - ["1000"]="@{uid}" - - # Some system glob - [":not.active.yet"]="@{busname}" - [":1.[0-9]*"]="@{busname}" - ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" - ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" -) -_check_tunables() { - _is_enabled tunables || return 0 - for pattern in "${!TUNABLES[@]}"; do - rpattern="$pattern" - [[ "$rpattern" == /* ]] && rpattern=" $rpattern" - if [[ "$line" =~ $rpattern ]]; then - match="${BASH_REMATCH[0]}" - _err tunables "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" - fi - done -} - -# Guidelines check: https://apparmor.pujol.io/development/guidelines/ - -RES_ABI=false -readonly ABI_SYNTAX='abi ,' -_check_abi() { - _is_enabled abi || return 0 - if [[ "$line" == *"$ABI_SYNTAX" ]]; then - RES_ABI=true - fi -} -_res_abi() { - _is_enabled abi || return 0 - if ! $RES_ABI; then - _err abi "$file" "missing 'abi ,'" - fi -} - -RES_INCLUDE=false -_check_include() { - _is_enabled include || return 0 - if [[ "$line" == *"${include}"* ]]; then - RES_INCLUDE=true - fi -} -_res_include() { - _is_enabled include || return 0 - if ! 
$RES_INCLUDE; then - _err include "$file" "missing '$include'" - fi -} - -RES_PROFILE=false -_check_profile() { - _is_enabled profile || return 0 - if [[ "$line" =~ ^"profile $name" ]]; then - RES_PROFILE=true - fi -} -_res_profile() { - _is_enabled profile || return 0 - if ! $RES_PROFILE; then - _err profile "$file" "missing profile name: 'profile $name'" - fi -} - -# Style check - +readonly APPARMORD="apparmor.d" readonly HEADERS=( "# apparmor.d - Full set of apparmor profiles" "# Copyright (C) " "# SPDX-License-Identifier: GPL-2.0-only" ) -_RES_HEADER=(false false false) -_check_header() { - _is_enabled header || return 0 - for idx in "${!HEADERS[@]}"; do - if [[ "$line" == "${HEADERS[$idx]}"* ]]; then - _RES_HEADER[idx]=true - break + +_die() { + echo -e "\033[1;31m ✗ Error: \033[0m$*" + exit 1 +} + +_ensure_header() { + local file="$1" + for header in "${HEADERS[@]}"; do + if ! grep -q "^$header" "$file"; then + _die "$file does not contain '$header'" fi done } -_res_header() { - _is_enabled header || return 0 - for idx in "${!_RES_HEADER[@]}"; do - if ${_RES_HEADER[$idx]}; then - continue + +_ensure_indentation() { + local file="$1" + local in_profile=false + local first_line_after_profile=true + local line_number=0 + + while IFS= read -r line; do + line_number=$((line_number + 1)) + + if [[ "$line" =~ $'\t' ]]; then + _die "$file:$line_number: tabs are not allowed." fi - _err header "$file" "missing header: '${HEADERS[$idx]}'" - done -} -_check_tabs() { - _is_enabled tabs || return 0 - if [[ "$line" =~ $'\t' ]]; then - _err tabs "$file:$line_number" "tabs are not allowed" - fi -} + if [[ "$line" =~ ^profile ]]; then + in_profile=true + first_line_after_profile=true -_check_trailing() { - _is_enabled trailing || return 0 - if [[ "$line" =~ [[:space:]]+$ ]]; then - _err trailing "$file:$line_number" "line has trailing whitespace" - fi -} + elif [[ "$line" =~ [[:space:]]+$ ]]; then + _die "$file:$line_number: line has trailing whitespace." 
-_CHECK_IN_PROFILE=false -_CHECK_FIRST_LINE_AFTER_PROFILE=true -_check_indentation() { - _is_enabled indentation || return 0 - if [[ "$line" =~ ^profile ]]; then - _CHECK_IN_PROFILE=true - _CHECK_FIRST_LINE_AFTER_PROFILE=true + elif $in_profile; then + if $first_line_after_profile; then + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + if ((num_spaces != 2)); then + _die "$file: profile must have a two-space indentation." + fi + first_line_after_profile=false - elif $_CHECK_IN_PROFILE; then - if $_CHECK_FIRST_LINE_AFTER_PROFILE; then - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} - if ((num_spaces != 2)); then - _err indentation "$file:$line_number" "profile must have a two-space indentation" - fi - _CHECK_FIRST_LINE_AFTER_PROFILE=false + else + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} - else - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} + if ((num_spaces % 2 != 0)); then + ok=false + for offset in 5 11; do + num_spaces=$((num_spaces - offset)) + if ((num_spaces < 0)); then + break + fi + if ((num_spaces % 2 == 0)); then + ok=true + break + fi + done - if ((num_spaces % 2 != 0)); then - ok=false - for offset in 5 11; do - num_spaces=$((num_spaces - offset)) - if ((num_spaces < 0)); then - break + if ! $ok; then + _die "$file:$line_number: invalid indentation." fi - if ((num_spaces % 2 == 0)); then - ok=true - break - fi - done - - if ! $ok; then - _err indentation "$file:$line_number" "invalid indentation" fi fi fi + done <"$file" +} + +_ensure_include() { + local file="$1" + local include="$2" + if ! 
grep -q "^ *${include}$" "$file"; then + _die "$file does not contain '$include'" fi } -_CHEK_IN_SUBPROFILE=false -declare -A _RES_SUBPROFILES -_check_subprofiles() { - _is_enabled subprofiles || return 0 - if [[ "$line" =~ ^(' ')+'profile '(.*)' {' ]]; then - indentation="${BASH_REMATCH[1]}" - subprofile="${BASH_REMATCH[2]}" - subprofile="${subprofile%% *}" - include="${indentation}include if exists " - _RES_SUBPROFILES["$subprofile"]="$name//$subprofile does not contain '$include'" - _CHEK_IN_SUBPROFILE=true - elif $_CHEK_IN_SUBPROFILE; then - if [[ "$line" == *"$include" ]]; then - _RES_SUBPROFILES["$subprofile"]=true - fi - fi -} -_res_subprofiles() { - _is_enabled subprofiles || return 0 - for msg in "${_RES_SUBPROFILES[@]}"; do - if [[ $msg == true ]]; then - continue - fi - _err subprofiles "$file" "$msg" - done -} - -readonly VIM_SYNTAX="# vim:syntax=apparmor" -RES_VIM=false -_check_vim() { - _is_enabled vim || return 0 - if [[ "$line" =~ ^"$VIM_SYNTAX" ]]; then - RES_VIM=true - fi -} -_res_vim() { - _is_enabled vim || return 0 - if ! $RES_VIM; then - _err vim "$file" "missing vim syntax: '$VIM_SYNTAX'" +_ensure_abi() { + local file="$1" + if ! grep -q "^ *abi ," "$file"; then + _die "$file does not contain 'abi ,'" fi } -_check_udev() { - _is_enabled udev || return 0 - if [[ "$line" == *"@{run}/udev/data/"* ]]; then - if [[ "$line" != *"#"* ]]; then - _err udev "$file:$line_number" "udev data path without a description comment" - fi +_ensure_vim() { + local file="$1" + if ! 
grep -q "^# vim:syntax=apparmor" "$file"; then + _die "$file does not contain '# vim:syntax=apparmor'" fi } -check_sbin() { - local file name jobs - mapfile -t sbin <"$SBIN_LIST" - _msg "Ensuring '@{bin} and '@{sbin}' are correctly used in profiles" - - jobs=0 - for name in "${sbin[@]}"; do - ( - mapfile -t files < <( - grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT=sbin)" "$APPARMORD" | - cut -d: -f1,2 - ) - for file in "${files[@]}"; do - _err sbin "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" - done - ) & - _wait jobs - done - wait - - local pattern='[[:alnum:]_.-]+' # Pattern for valid file names - jobs=0 - mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" "$APPARMORD" | cut -d: -f1,2) - for file in "${files[@]}"; do - ( - while read -r match; do - name="${match/\@\{sbin\}\//}" - if ! _in_array "$name" "${sbin[@]}"; then - _err bin "$file" "contains '@{sbin}/$name' but it is not in sbin.list" - fi - done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") - ) & - _wait jobs - done - wait -} - check_profiles() { - _msg "Checking profiles" - mapfile -t files < <( - find "$APPARMORD" \( -path "$APPARMORD/abstractions" -o -path "$APPARMORD/local" -o -path "$APPARMORD/tunables" -o -path "$APPARMORD/mappings" \) \ - -prune -o -type f -print - ) - jobs=0 - WITH_CHECK=( - abstractions directory-mark equivalent too-wide useless transition tunables - abi include profile header tabs trailing indentation subprofiles vim udev - ) - for file in "${files[@]}"; do - ( + echo -e "\033[1m â‹… \033[0mChecking if all profiles contain:" + echo " - apparmor.d header & license" + echo " - Check indentation: 2 spaces" + echo " - Check for trailing whitespaces" + echo " - 'abi ,'" + echo " - 'profile '" + echo " - 'include if exists '" + echo " - include if exists local for subprofiles" + echo " - vim:syntax=apparmor" + directories=("$APPARMORD/groups/*" 
"$APPARMORD/profiles-*-*") + # shellcheck disable=SC2068 + for dir in ${directories[@]}; do + for file in $(find "$dir" -maxdepth 1 -type f); do + case "$file" in */README.md) continue ;; esac name="$(basename "$file")" name="${name/.apparmor.d/}" include="include if exists " - _check "$file" - ) & - _wait jobs + _ensure_header "$file" + _ensure_indentation "$file" + _ensure_include "$file" "$include" + _ensure_abi "$file" + _ensure_vim "$file" + if ! grep -q "^profile $name" "$file"; then + _die "$name does not contain 'profile $name'" + fi + mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}') + for subprofile in "${subrofiles[@]}"; do + include="include if exists " + if ! grep -q "^ *${include}$" "$file"; then + _die "$name: $name//$subprofile does not contain '$include'" + fi + done + done done - wait } check_abstractions() { - _msg "Checking abstractions" - mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) - jobs=0 - WITH_CHECK=( - abstractions directory-mark equivalent too-wide tunables - abi include header tabs trailing indentation vim udev + echo -e "\033[1m â‹… \033[0mChecking if all abstractions contain:" + echo " - apparmor.d header & license" + echo " - Check indentation: 2 spaces" + echo " - Check for trailing whitespaces" + echo " - 'abi ,'" + echo " - 'include if exists '" + echo " - vim:syntax=apparmor" + directories=( + "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/" + "$APPARMORD/abstractions/attached/" + "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/" ) - for file in "${files[@]}"; do - ( + for dir in "${directories[@]}"; do + for file in $(find "$dir" -maxdepth 1 -type f); do name="$(basename "$file")" - absdir="${file/${APPARMORD}\//}" - include="include if exists <${absdir}.d>" - _check "$file" - ) & - _wait jobs + root="${dir/${APPARMORD}\/abstractions\//}" + include="include if exists " + _ensure_header "$file" + 
_ensure_indentation "$file" + _ensure_include "$file" "$include" + _ensure_abi "$file" + _ensure_vim "$file" + done done - wait - - mapfile -t files < <( - find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true - find "$APPARMORD/mappings" -type f 2>/dev/null || true - ) - # shellcheck disable=SC2034 - jobs=0 - WITH_CHECK=( - abstractions directory-mark equivalent too-wide tunables - header tabs trailing indentation vim udev - ) - for file in "${files[@]}"; do - _check "$file" & - _wait jobs - done - wait } -check_sbin check_profiles check_abstractions - -FAIL=$(cat "$RES") -if [[ "$FAIL" == "true" ]]; then - exit 1 -fi diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml deleted file mode 100644 index 9ed6c1d92..000000000 --- a/tests/cloud-init/archlinux-cosmic.user-data.yml +++ /dev/null 
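Review bot: In `check_profiles`, `mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}')` uses a pattern that does not match what it reads as: `profile*` is `profil` followed by zero or more `e`, and `^ *` also accepts the unindented top-level `profile $name` line, so the main profile is fed into the subprofile include check as if it were a subprofile. If only indented subprofiles are meant, `grep "^ \+profile " "$file"` (one or more leading spaces, literal trailing space) expresses that, and `subrofiles` is presumably a typo for `subprofiles`. In `_ensure_indentation`, `ok=false` is assigned without `local` and so leaks into the global scope, and its two-space check is the only `_die` call in the function whose message omits `$line_number`. Separately, the new side keeps only header, indentation, include, abi and vim checks; the rule-level checks the removed code ran (dangerous or deprecated abstractions, too-wide globs such as `/**`, exec transition modes, and the sbin list) no longer execute, so profile issues in those categories would pass `make check` silently, which is worth confirming is intended.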
@@ -1,57 +0,0 @@ -#cloud-config - -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - just - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - cosmic - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable cosmic-greeter - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - - *grub-enable-apparmor # Enable AppArmor in kernel parameters - - *setup-bash-aliases # Set some bash aliases - - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml deleted file mode 100644 index d33f685b6..000000000 --- a/tests/cloud-init/archlinux-gnome.user-data.yml +++ /dev/null @@ -1,26 +0,0 @@ -#cloud-config - -packages: *gnome-packages - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable gdm - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - - *grub-enable-apparmor # Enable AppArmor in kernel parameters - - *setup-bash-aliases # Set some bash aliases - - *shared-directory # Setup shared directory 
diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml deleted file mode 100644 index cb4c4d3b0..000000000 --- a/tests/cloud-init/archlinux-kde.user-data.yml +++ /dev/null @@ -1,26 +0,0 @@ -#cloud-config - -packages: *kde-packages - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable sddm - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - - *grub-enable-apparmor # Enable AppArmor in kernel parameters - - *setup-bash-aliases # Set some bash aliases - - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-lxqt.user-data.yml b/tests/cloud-init/archlinux-lxqt.user-data.yml deleted file mode 100644 index 208f7dab5..000000000 --- a/tests/cloud-init/archlinux-lxqt.user-data.yml +++ /dev/null @@ -1,28 +0,0 @@ -#cloud-config - -packages: *lxqt-packages - -# lxqt-wayland-session kwin - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable sddm - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - - *grub-enable-apparmor # Enable AppArmor in kernel parameters - - *setup-bash-aliases # Set some bash aliases - - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml deleted file mode 100644 index 2b3567171..000000000 
--- a/tests/cloud-init/archlinux-server.user-data.yml +++ /dev/null @@ -1,24 +0,0 @@ -#cloud-config - -packages: *core-packages - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable rngd - - systemctl enable systemd-timesyncd.service - -write_files: - - *grub-enable-apparmor # Enable AppArmor in kernel parameters - - *setup-bash-aliases # Set some bash aliases - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml deleted file mode 100644 index afba57519..000000000 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ /dev/null @@ -1,26 +0,0 @@ -#cloud-config - -packages: *xfce-packages - -runcmd: - # Regenerate grub.cfg - - grub-mkconfig -o /boot/grub/grub.cfg - - # Remove swapfile - - swapoff -a - - rm -rf /swap/ - - sed -e "/swap/d" -i /etc/fstab - - # Enable core services - - systemctl enable apparmor - - systemctl enable auditd - - systemctl enable lightdm.service - - systemctl enable NetworkManager - - systemctl enable rngd - - systemctl enable avahi-daemon - - systemctl enable systemd-timesyncd.service - -write_files: - - *grub-enable-apparmor # Enable AppArmor in kernel parameters - - *setup-bash-aliases # Set some bash aliases - - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml deleted file mode 100644 index 629de7d02..000000000 --- a/tests/cloud-init/archlinux.yml +++ /dev/null 
@@ -1,170 +0,0 @@ -#cloud-config - -core-packages: &core-packages - - apparmor - - base-devel - - bash-completion - - docker - - git - - htop - - just - - man - - pass - - python-notify2 - - qemu-guest-agent - - rng-tools - - spice-vdagent - - vim - - wget - -gnome-packages: &gnome-packages - # Core packages for Archlinux - - apparmor - - base-devel - - bash-completion - - docker - - git - - htop - - just - - man - - pass - - python-notify2 - - qemu-guest-agent - - rng-tools - - spice-vdagent - - vim - - wget - - # Desktop packages for Archlinux - - networkmanager - - cups - - cups-pdf - - system-config-printer - - chromium - - firefox - - spice-vdagent - - terminator - - # Install Graphical Interface - - alacarte - - gnome - - gnome-extra - - ptyxis - - seahorse - -kde-packages: &kde-packages - # Core packages for Archlinux - - apparmor - - base-devel - - bash-completion - - docker - - git - - htop - - just - - man - - pass - - python-notify2 - - qemu-guest-agent - - rng-tools - - spice-vdagent - - vim - - wget - - # Desktop packages for Archlinux - - networkmanager - - cups - - cups-pdf - - system-config-printer - - chromium - - firefox - - spice-vdagent - - terminator - - # Install Graphical Interface - - plasma-meta - - sddm - - ark - - dolphin - - konsole - - okular - -lxqt-packages: &lxqt-packages - # Core packages for Archlinux - - apparmor - - base-devel - - bash-completion - - docker - - git - - htop - - just - - man - - pass - - python-notify2 - - qemu-guest-agent - - rng-tools - - spice-vdagent - - vim - - wget - - # Desktop packages for Archlinux - - networkmanager - - cups - - cups-pdf - - system-config-printer - - chromium - - firefox - - spice-vdagent - - terminator - - # Install Graphical Interface - - lxqt - - breeze-icons - - sddm - -xfce-packages: &xfce-packages - # Core packages for Archlinux - - apparmor - - base-devel - - bash-completion - - docker - - git - - htop - - just - - man - - pass - - python-notify2 - - qemu-guest-agent - - rng-tools 
- - spice-vdagent - - vim - - wget - - # Desktop packages for Archlinux - - networkmanager - - cups - - cups-pdf - - system-config-printer - - chromium - - firefox - - spice-vdagent - - terminator - - # Install Graphical Interface - - xfce4 - - xfce4-goodies - - lightdm - - lightdm-gtk-greeter - -# Enable AppArmor in kernel parameters -grub-enable-apparmor: &grub-enable-apparmor - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - -# Set some bash aliases -setup-bash-aliases: &setup-bash-aliases - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases diff --git a/tests/cloud-init/common.yml b/tests/cloud-init/common.yml deleted file mode 100644 index 2048e5368..000000000 --- a/tests/cloud-init/common.yml +++ /dev/null @@ -1,39 +0,0 @@ -#cloud-config - -hostname: ${hostname} - -ssh_pwauth: true -users: - - name: ${username} - plain_text_passwd: ${password} - shell: /bin/bash - ssh_authorized_keys: - - ${ssh_key} - lock_passwd: false - sudo: ALL=(ALL) NOPASSWD:ALL - -package_update: true -package_upgrade: true -package_reboot_if_required: false - -# Mount shared directory -shared-directory: &shared-directory - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - -# Network configuration for server -systemd-netword: &systemd-netword - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml deleted file mode 100644 index b96bb5880..000000000 --- a/tests/cloud-init/debian.yml +++ /dev/null 
@@ -1,97 +0,0 @@ -#cloud-config - -# Core packages for Debian -core-packages: &core-packages - - apparmor-profiles - - apparmor-utils - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - docker.io - - htop - - just - - libpam-apparmor - - lintian - - qemu-guest-agent - - rsync - - systemd-container - - systemd-coredump - - systemd-homed - - systemd-oomd - - unattended-upgrades - - vim - -gnome-packages: &gnome-packages - # Core packages for Debian - - apparmor-profiles - - apparmor-utils - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - docker.io - - htop - - just - - libpam-apparmor - - lintian - - qemu-guest-agent - - rsync - - systemd-container - - systemd-coredump - - systemd-homed - - systemd-oomd - - unattended-upgrades - - vim - - # Gnome packages for Debian - - spice-vdagent - - task-gnome-desktop - - terminator - - loupe - - ptyxis - -kde-packages: &kde-packages - # Core packages for Debian - - apparmor-profiles - - apparmor-utils - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - docker.io - - htop - - just - - libpam-apparmor - - lintian - - qemu-guest-agent - - rsync - - systemd-container - - systemd-coredump - - systemd-homed - - systemd-oomd - - unattended-upgrades - - vim - - # KDE packages for Debian - - spice-vdagent - - task-kde-desktop - - plasma-workspace-wayland - - terminator - -debian12-runcmd: &debian12-runcmd - - apt-get update -y - - apt-get install -y -t bookworm-backports golang-go - -debian13-runcmd: &debian13-runcmd - - apt-get update -y - - apt-get install -y golang-go - -# Add backports repository -debian12-backports: &debian12-backports - path: /etc/apt/sources.list - append: true - content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free diff --git a/tests/cloud-init/debian12-gnome.user-data.yml b/tests/cloud-init/debian12-gnome.user-data.yml deleted file mode 100644 index fbb3d1232..000000000 
--- a/tests/cloud-init/debian12-gnome.user-data.yml +++ /dev/null @@ -1,10 +0,0 @@ -#cloud-config - -packages: *gnome-packages - -runcmd: *debian12-runcmd - -write_files: - - *debian12-backports # Add backports repository - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/debian12-server.user-data.yml b/tests/cloud-init/debian12-server.user-data.yml deleted file mode 100644 index cec721285..000000000 --- a/tests/cloud-init/debian12-server.user-data.yml +++ /dev/null @@ -1,10 +0,0 @@ -#cloud-config - -packages: *core-packages - -runcmd: *debian12-runcmd - -write_files: - - *debian12-backports # Add backports repository - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/debian13-gnome.user-data.yml b/tests/cloud-init/debian13-gnome.user-data.yml deleted file mode 100644 index 0d5adfe17..000000000 --- a/tests/cloud-init/debian13-gnome.user-data.yml +++ /dev/null @@ -1,9 +0,0 @@ -#cloud-config - -packages: *gnome-packages - -runcmd: *debian13-runcmd - -write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/debian13-kde.user-data.yml b/tests/cloud-init/debian13-kde.user-data.yml deleted file mode 100644 index 5a4d33bf5..000000000 --- a/tests/cloud-init/debian13-kde.user-data.yml +++ /dev/null @@ -1,9 +0,0 @@ -#cloud-config - -packages: *kde-packages - -runcmd: *debian13-runcmd - -write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/debian13-server.user-data.yml b/tests/cloud-init/debian13-server.user-data.yml deleted file mode 100644 index 692548770..000000000 --- a/tests/cloud-init/debian13-server.user-data.yml +++ /dev/null 
@@ -1,9 +0,0 @@ -#cloud-config - -packages: *core-packages - -runcmd: *debian13-runcmd - -write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml deleted file mode 100644 index b59d66af3..000000000 --- a/tests/cloud-init/opensuse-gnome.user-data.yml +++ /dev/null @@ -1,22 +0,0 @@ -#cloud-config - -packages: *gnome-packages - -runcmd: - # Replace SELinux by AppArmor in kernel parameters - - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub - - # Regenerate grub.cfg - - grub2-mkconfig -o /boot/grub2/grub.cfg - - # Ensure auditd is enabled - - systemctl enable systemd-journald-audit.socket - -write_files: - - *shared-directory # Setup shared directory - - - path: /etc/sysconfig/displaymanager - append: true - content: | - DISPLAYMANAGER="gdm" - diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml deleted file mode 100644 index 2058846dd..000000000 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ /dev/null @@ -1,18 +0,0 @@ -#cloud-config - -packages: *kde-packages - -# apparmor.debug=1 -runcmd: - # Replace SELinux by AppArmor in kernel parameters - - sed -i 's/security=selinux selinux=1/apparmor=1/g' /etc/default/grub - - # Regenerate grub.cfg - - grub2-mkconfig -o /boot/grub2/grub.cfg - -write_files: - - *shared-directory # Setup shared directory - - path: /etc/sysconfig/displaymanager - append: true - content: | - DISPLAYMANAGER="sddm" diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml deleted file mode 100644 index b6d35cd68..000000000 --- a/tests/cloud-init/opensuse-server.user-data.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -#cloud-config - -packages: *core-packages - -runcmd: - # Replace SELinux by AppArmor in kernel parameters - - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub - - # Regenerate grub.cfg - - grub2-mkconfig -o /boot/grub2/grub.cfg - -write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml deleted file mode 100644 index ab0954c6a..000000000 --- a/tests/cloud-init/opensuse.yml +++ /dev/null @@ -1,70 +0,0 @@ -#cloud-config - -# Core packages for OpenSUSE -core-packages: &core-packages - - pattern:apparmor - - apparmor-profiles - - bash-completion - - distribution-release - - docker - - git - - go - - golang-packaging - - htop - - just - - rpmbuild - - rsync - - systemd-container - - systemd-homed - - vim - -gnome-packages: &gnome-packages - # Core packages for OpenSUSE - - pattern:apparmor - - apparmor-profiles - - bash-completion - - distribution-release - - docker - - git - - go - - golang-packaging - - htop - - just - - rpmbuild - - rsync - - systemd-container - - systemd-homed - - vim - - # Gnome packages for OpenSUSE - - pattern:gnome - - gdm - - spice-vdagent - - terminator - - loupe - - ptyxis - -kde-packages: &kde-packages - # Core packages for OpenSUSE - - pattern:apparmor - - apparmor-profiles - - bash-completion - - distribution-release - - docker - - git - - go - - golang-packaging - - htop - - just - - rpmbuild - - rsync - - systemd-container - - systemd-homed - - vim - - # KDE packages for OpenSUSE - - pattern:kde_plasma - - pattern:kde - - sddm - - spice-vdagent - - terminator diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml deleted file mode 100644 index 1f3563750..000000000 --- a/tests/cloud-init/ubuntu.yml +++ /dev/null 
@@ -1,114 +0,0 @@ -#cloud-config - -core-packages: &core-packages - - apparmor-profiles - - apparmor-utils - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - docker.io - - golang-go - - htop - - just - - libpam-apparmor - - lintian - - qemu-guest-agent - - rsync - - systemd-container - - systemd-coredump - - systemd-homed - - systemd-oomd - - unattended-upgrades - - vim - -desktop-packages: &desktop-packages - # Core packages for Ubuntu - - apparmor-profiles - - apparmor-utils - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - docker.io - - golang-go - - htop - - just - - libpam-apparmor - - lintian - - qemu-guest-agent - - rsync - - systemd-container - - systemd-coredump - - systemd-homed - - systemd-oomd - - unattended-upgrades - - vim - - # Desktop packages for Ubuntu - - spice-vdagent - - terminator - - ubuntu-desktop - - loupe - - ptyxis - -kubuntu-packages: &kubuntu-packages - # Core packages for Ubuntu - - apparmor-profiles - - apparmor-utils - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - docker.io - - golang-go - - htop - - just - - libpam-apparmor - - lintian - - qemu-guest-agent - - rsync - - systemd-container - - systemd-coredump - - systemd-homed - - systemd-oomd - - unattended-upgrades - - vim - - # Desktop packages for Ubuntu - - spice-vdagent - - terminator - - kubuntu-desktop - - plasma-workspace-wayland - -desktop-runcmd: &desktop-runcmd - # Add missing snap packages - - snap install snap-store - - snap install snapd-desktop-integration - - snap install --edge desktop-security-center - - # Remove default filesystem and related tools not used with the suggested - # storage layout. These may yet be required if different partitioning schemes - # are used. - - apt-get -y purge btrfs-progs xfsprogs - - # Remove other packages present by default in Ubuntu Server but not - # normally present in Ubuntu Desktop. 
- - >- - apt-get -y purge - byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader - mdadm motd-news-config ncurses-term open-iscsi open-vm-tools - screen sg3-utils sosreport ssh-import-id sssd tmux - - # Finally, remove things only installed as dependencies of other things - # we have already removed. - - apt-get -y autoremove - - # Ensure systemd-networkd is disabled - - systemctl disable systemd-networkd-wait-online.service - - # Ensure auditd is enabled - - systemctl enable systemd-journald-audit.socket diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml deleted file mode 100644 index 7f4183d49..000000000 --- a/tests/cloud-init/ubuntu24-desktop.user-data.yml +++ /dev/null @@ -1,8 +0,0 @@ -#cloud-config - -packages: *desktop-packages - -runcmd: *desktop-runcmd - -write_files: - - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml deleted file mode 100644 index bea74af3a..000000000 --- a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml +++ /dev/null @@ -1,9 +0,0 @@ -#cloud-config - -packages: *kubuntu-packages - -runcmd: *desktop-runcmd - -write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24-server.user-data.yml deleted file mode 100644 index 98b78ec80..000000000 --- a/tests/cloud-init/ubuntu24-server.user-data.yml +++ /dev/null @@ -1,7 +0,0 @@ -#cloud-config - -packages: *core-packages - -write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu25-desktop.user-data.yml b/tests/cloud-init/ubuntu25-desktop.user-data.yml deleted file mode 100644 index 7f4183d49..000000000 --- a/tests/cloud-init/ubuntu25-desktop.user-data.yml +++ /dev/null 
@@ -1,8 +0,0 @@ -#cloud-config - -packages: *desktop-packages - -runcmd: *desktop-runcmd - -write_files: - - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/ubuntu25-kubuntu.user-data.yml b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml deleted file mode 100644 index bea74af3a..000000000 --- a/tests/cloud-init/ubuntu25-kubuntu.user-data.yml +++ /dev/null @@ -1,9 +0,0 @@ -#cloud-config - -packages: *kubuntu-packages - -runcmd: *desktop-runcmd - -write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu25-server.user-data.yml b/tests/cloud-init/ubuntu25-server.user-data.yml deleted file mode 100644 index 98b78ec80..000000000 --- a/tests/cloud-init/ubuntu25-server.user-data.yml +++ /dev/null @@ -1,7 +0,0 @@ -#cloud-config - -packages: *core-packages - -write_files: - - *shared-directory # Setup shared directory - - *systemd-netword # Network configuration for server diff --git a/tests/cmd/main.go b/tests/cmd/main.go index e7e620b00..eb88de1ec 100644 --- a/tests/cmd/main.go +++ b/tests/cmd/main.go @@ -88,8 +88,7 @@ func run() error { } logging.Bullet("Bats tests directory: %s", cfg.BatsDir) - logging.Bullet("Number of profiles with tests found %d", len(tests)) - logging.Bullet("Number of programs without profile found %d", len(tests)) + logging.Bullet("Number of tests found %d", len(tests)) return nil } diff --git a/tests/cmd/tldr.go b/tests/cmd/tldr.go index ec98fa8b4..d86c80565 100644 --- a/tests/cmd/tldr.go +++ b/tests/cmd/tldr.go @@ -17,14 +17,14 @@ import ( ) type Tldr struct { - URL string // Tldr download url + Url string // Tldr download url Dir *paths.Path // Tldr cache directory Ignore []string // List of ignored software } func NewTldr(dir *paths.Path) Tldr { return Tldr{ - URL: "https://github.com/tldr-pages/tldr/archive/refs/heads/main.tar.gz", + Url: "https://github.com/tldr-pages/tldr/archive/refs/heads/main.tar.gz", Dir: dir, } } 
@@ -33,9 +33,9 @@ func NewTldr(dir *paths.Path) Tldr { func (t Tldr) Download() error { gzPath := t.Dir.Parent().Join("tldr.tar.gz") if !gzPath.Exist() { - resp, err := http.Get(t.URL) + resp, err := http.Get(t.Url) if err != nil { - return fmt.Errorf("downloading %s: %w", t.URL, err) + return fmt.Errorf("downloading %s: %w", t.Url, err) } defer resp.Body.Close() diff --git a/tests/integration/apt/apt.bats b/tests/integration/apt/apt.bats deleted file mode 100644 index 3f13d4ea4..000000000 --- a/tests/integration/apt/apt.bats +++ /dev/null @@ -1,54 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "apt: Update the list of available packages and versions" { - sudo apt update -} - -@test "apt: Search for a given package" { - apt search apparmor -} - -@test "apt: Show information for a package" { - apt show apparmor -} - -@test "apt: Install a package, or update it to the latest available version" { - sudo apt install -y pass -} - -@test "apt: Remove a package and its configuration files" { - sudo apt purge -y pass -} - -@test "apt: Upgrade all installed packages to their newest available versions" { - sudo apt upgrade -y -} - -@test "apt: Upgrade installed packages, but remove obsolete packages and install additional packages to meet new dependencies" { - sudo apt dist-upgrade -y -} - -@test "apt: Clean the local repository - removing package files (.deb) from interrupted downloads that can no longer be downloaded" { - sudo apt autoclean -y -} - -@test "apt: Remove all packages that are no longer needed" { - sudo apt autoremove -y -} - -@test "apt: List all packages" { - apt list -} - -@test "apt: List installed packages" { - apt list --installed -} - -@test "apt: Print a cow easter egg" { - apt moo -} 
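Review bot: The new `resp, err := http.Get(t.Url)` line in Download still checks only the transport error, so a non-2xx response (a GitHub 404 or 429, say) is treated as success, and because the surrounding `if !gzPath.Exist()` guard skips the download once the file exists, whatever was presumably written to `tldr.tar.gz` from that error body would be reused on every later run. Add, right after `defer resp.Body.Close()`, `if resp.StatusCode != http.StatusOK { return fmt.Errorf("downloading %s: unexpected status %s", t.Url, resp.Status) }`. The URL still points at the moving `main` branch of the tldr repository with no pinned revision or checksum, so the generated test corpus depends on whatever GitHub serves at run time; if pinning is not wanted, a comment on the field saying so would help. Separately, renaming `URL` to `Url` goes against Go's initialism convention, which the usual linters flag; keeping `URL` avoids that. Download's body continues past the hunk, so a status check may already exist below — if it does, the first point is moot.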
diff --git a/tests/integration/apt/dpkg-query.bats b/tests/integration/apt/dpkg-query.bats deleted file mode 100644 index 39259e0a0..000000000 --- a/tests/integration/apt/dpkg-query.bats +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "dpkg-query: List all installed packages" { - dpkg-query --list -} - -@test "dpkg-query: List installed packages matching a pattern" { - dpkg-query --list 'libc6*' -} - -@test "dpkg-query: List all files installed by a package" { - dpkg-query --listfiles libc6 -} - -@test "dpkg-query: Show information about a package" { - dpkg-query --status libc6 -} - -@test "dpkg-query: Search for packages that own files matching a pattern" { - dpkg-query --search /etc/ld.so.conf.d -} - diff --git a/tests/integration/apt/dpkg-reconfigure.bats b/tests/integration/apt/dpkg-reconfigure.bats deleted file mode 100644 index f6aec98ea..000000000 --- a/tests/integration/apt/dpkg-reconfigure.bats +++ /dev/null @@ -1,12 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "dpkg-reconfigure: Reconfigure one or more packages" { - sudo apt install -y pass - sudo dpkg-reconfigure pass -} - diff --git a/tests/integration/apt/dpkg.bats b/tests/integration/apt/dpkg.bats deleted file mode 100644 index 6a0e735b4..000000000 --- a/tests/integration/apt/dpkg.bats +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "dpkg: Remove a package" { - sudo apt install -y pass - sudo dpkg -r pass -} - -@test "dpkg: List installed packages" { - dpkg -l apparmor -} - -@test "dpkg: List a package's contents" { - dpkg -L apparmor.d -} - -@test "dpkg: Find out which package owns a file" { - dpkg -S /etc/apparmor/parser.conf -} - -@test "dpkg: Purge an installed or already removed package, including configuration" { - sudo dpkg -P pass -} diff --git a/tests/integration/flatpak.bats b/tests/integration/flatpak.bats deleted file mode 100644 index b61024d06..000000000 --- a/tests/integration/flatpak.bats +++ /dev/null 
@@ -1,47 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "flatpak: Add a new remote repository (by URL)" { - sudo flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo -} - -@test "flatpak: List all remote repositories" { - flatpak remotes -} - -@test "flatpak: Search for an application in a remote repository" { - sudo flatpak search vim - sudo flatpak search org.freedesktop.Platform -} - -@test "flatpak: Install an application from a remote source" { - sudo flatpak install --noninteractive org.vim.Vim -} - -@test "flatpak: List installed applications, ignoring runtimes" { - flatpak list --app -} - -@test "flatpak: Show information about an installed application" { - flatpak info org.vim.Vim -} - -# @test "flatpak: Run an installed application" { -# _timeout flatpak run org.vim.Vim -# } - -@test "flatpak: Update all installed applications and runtimes" { - sudo flatpak update --noninteractive -} - -@test "flatpak: Remove an installed application" { - sudo flatpak remove --noninteractive org.vim.Vim -} - -@test "flatpak: Remove all unused applications" { - sudo flatpak remove --noninteractive --unused -} diff --git a/tests/integration/hostname.bats b/tests/integration/hostname.bats deleted file mode 100644 index 35008bd79..000000000 --- a/tests/integration/hostname.bats +++ /dev/null 
@@ -1,29 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "hostname: Show current host name" { - hostname -} - -@test "hostname: Show the network address of the host name" { - hostname -i -} - -@test "hostname: Show all network addresses of the host" { - hostname -I -} - -@test "hostname: Show the FQDN (Fully Qualified Domain Name)" { - hostname --fqdn -} - -@test "hostname: Set current host name" { - name=$(hostname) - sudo hostname "new-$(hostname)" - sudo hostname "$name" -} - diff --git a/tests/integration/pacman/paccache.bats b/tests/integration/pacman/paccache.bats deleted file mode 100644 index b2e1369e2..000000000 --- a/tests/integration/pacman/paccache.bats +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "paccache: Perform a dry-run and show the number of candidate packages for deletion" { - sudo paccache -d -} - -@test "paccache: Move candidate packages to a directory instead of deleting them" { - sudo paccache -m "$USER_BUILD_DIRS" -} - -@test "paccache: Remove all but the 3 most recent package versions from the `pacman` cache" { - sudo paccache -r -} - -@test "paccache: Set the number of package versions to keep" { - sudo paccache -rk 3 -} diff --git a/tests/integration/pacman/pacman-key.bats b/tests/integration/pacman/pacman-key.bats deleted file mode 100644 index 82e34a379..000000000 --- a/tests/integration/pacman/pacman-key.bats +++ /dev/null 
@@ -1,34 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "pacman-key: Initialize the 'pacman' keyring" { - sudo pacman-key --init -} - -@test "pacman-key: Add the default Arch Linux keys" { - sudo pacman-key --populate -} - -@test "pacman-key: List keys from the public keyring" { - pacman-key --list-keys -} - -@test "pacman-key: Receive a key from a key server" { - sudo pacman-key --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC -} - -@test "pacman-key: Print the fingerprint of a specific key" { - pacman-key --finger 06A26D531D56C42D66805049C5469996F0DF68EC -} - -@test "pacman-key: Sign an imported key locally" { - sudo pacman-key --lsign-key 06A26D531D56C42D66805049C5469996F0DF68EC -} - -@test "pacman-key: Remove a specific key" { - sudo pacman-key --delete 06A26D531D56C42D66805049C5469996F0DF68EC -} diff --git a/tests/integration/pacman/pacman.bats b/tests/integration/pacman/pacman.bats deleted file mode 100644 index 575a65bc1..000000000 --- a/tests/integration/pacman/pacman.bats +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "pacman: Synchronize and update all packages" { - sudo pacman -Syu --noconfirm -} - -@test "pacman: Install a new package" { - sudo pacman -S --noconfirm pass pass-otp -} - -@test "pacman: Remove a package and its dependencies" { - sudo pacman -Rs --noconfirm pass-otp -} - -@test "pacman: List installed packages and versions" { - pacman -Q -} - -@test "pacman: List only the explicitly installed packages and versions" { - pacman -Qe -} - -@test "pacman: List orphan packages (installed as dependencies but not actually required by any package)" { - pacman -Qtdq -} - -@test "pacman: Empty the entire 'pacman' cache" { - sudo pacman -Scc --noconfirm -} 
diff --git a/tests/integration/procps/free.bats b/tests/integration/procps/free.bats deleted file mode 100644 index dcc216bfa..000000000 --- a/tests/integration/procps/free.bats +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "free: Display system memory" { - free -} - -@test "free: Display memory in GB" { - free -g -} - -@test "free: Display memory in human-readable units" { - free -h -} diff --git a/tests/integration/procps/pgrep.bats b/tests/integration/procps/pgrep.bats deleted file mode 100644 index 9fd6b92f8..000000000 --- a/tests/integration/procps/pgrep.bats +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "pgrep: Return PIDs of any running processes with a matching command string" { - pgrep systemd -} - -@test "pgrep: Search for processes including their command-line options" { - pgrep --full 'systemd' -} - -@test "pgrep: Search for processes run by a specific user" { - pgrep --euid root systemd-udevd -} - diff --git a/tests/integration/procps/pidof.bats b/tests/integration/procps/pidof.bats deleted file mode 100644 index ec20cbe86..000000000 --- a/tests/integration/procps/pidof.bats +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "pidof: List all process IDs with given name" { - pidof systemd - pidof bash -} - -@test "pidof: List a single process ID with given name" { - pidof -s bash -} - -@test "pidof: List process IDs including scripts with given name" { - pidof -x bash -} 
diff --git a/tests/integration/procps/uptime.bats b/tests/integration/procps/uptime.bats deleted file mode 100644 index 7d9361d5a..000000000 --- a/tests/integration/procps/uptime.bats +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "uptime: Print current time, uptime, number of logged-in users and other information" { - uptime -} - -@test "uptime: Show only the amount of time the system has been booted for" { - uptime --pretty -} - -@test "uptime: Print the date and time the system booted up at" { - uptime --since -} diff --git a/tests/integration/procps/vmstat.bats b/tests/integration/procps/vmstat.bats deleted file mode 100644 index e5900a324..000000000 --- a/tests/integration/procps/vmstat.bats +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "vmstat: Display virtual memory statistics" { - vmstat - vmstat --active - vmstat --forks -} - -@test "vmstat: Display disk statistics" { - vmstat --disk - vmstat --disk-sum -} - -@test "vmstat: Display slabinfo" { - sudo vmstat --slabs -} - -@test "vmstat: Display reports every second for 3 times" { - vmstat 1 3 -} diff --git a/tests/integration/systemd/bootctl.bats b/tests/integration/systemd/bootctl.bats deleted file mode 100644 index 2dfb39a7f..000000000 --- a/tests/integration/systemd/bootctl.bats +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "bootctl: Show information about the system firmware and the bootloaders" { - sudo bootctl status -} - -@test "bootctl: Show all available bootloader entries" { - sudo bootctl list -} - -@test "bootctl: Install 'systemd-boot' into the EFI system partition" { - sudo bootctl install -} - -@test "bootctl: Remove all installed versions of 'systemd-boot' from the EFI system partition" { - sudo bootctl remove -} diff --git a/tests/integration/systemd/busctl.bats b/tests/integration/systemd/busctl.bats deleted file mode 100644 index ef3e973e9..000000000 --- a/tests/integration/systemd/busctl.bats +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "busctl: Show all peers on the bus, by their service names" { - busctl list -} - -@test "busctl: Show process information and credentials of a bus service, a process, or the owner of the bus (if no parameter is specified)" { - busctl status 1 - busctl status org.freedesktop.DBus -} - -@test "busctl: Show an object tree of one or more services (or all services if no service is specified)" { - busctl tree org.freedesktop.DBus -} - -@test "busctl: Show interfaces, methods, properties and signals of the specified object on the specified service" { - busctl introspect org.freedesktop.login1 /org/freedesktop/login1 -} - -@test "busctl: Retrieve the current value of one or more object properties" { - busctl get-property org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager Docked -} diff --git a/tests/integration/systemd/journalctl.bats b/tests/integration/systemd/journalctl.bats deleted file mode 100644 index 9eeb7c9fe..000000000 
--- a/tests/integration/systemd/journalctl.bats +++ /dev/null @@ -1,30 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "journalctl: Show all messages with priority level 3 (errors) from this boot" { - sudo journalctl -b --priority=3 -} - -@test "journalctl: Show only the last N lines of the journal" { - sudo journalctl --lines 100 -} - -@test "journalctl: Show all messages by a specific [u]nit" { - sudo journalctl --unit apparmor.service -} - -@test "journalctl: Show all messages by a specific process" { - sudo journalctl _PID=1 -} - -@test "journalctl: Show all messages by a specific executable" { - sudo journalctl /usr/bin/bootctl -} - -@test "journalctl: Delete journal logs which are older than 10 seconds" { - sudo journalctl --vacuum-time=10s -} diff --git a/tests/integration/systemd/localectl.bats b/tests/integration/systemd/localectl.bats deleted file mode 100644 index 71dfd2e06..000000000 --- a/tests/integration/systemd/localectl.bats +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "localectl: Show the current settings of the system locale and keyboard mapping" { - localectl -} - -@test "localectl: List available locales" { - localectl list-locales -} - -@test "localectl: Set a system locale variable" { - sudo localectl set-locale LANG=en_US.UTF-8 -} - -@test "localectl: List available keymaps" { - localectl list-keymaps || true -} - -@test "localectl: Set the system keyboard mapping for the console and X11" { - sudo localectl set-keymap uk || true -} - diff --git a/tests/integration/systemd/machinectl.bats b/tests/integration/systemd/machinectl.bats deleted file mode 100644 index 18771ae72..000000000 --- a/tests/integration/systemd/machinectl.bats +++ /dev/null 
@@ -1,26 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "importctl: Import an image as a machine" { - sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble || true -} - -@test "machinectl: Display a list of available images" { - sudo machinectl list-images -} - -@test "machinectl: Start a machine as a service using systemd-nspawn" { - sudo machinectl start noble || true -} - -@test "machinectl: Display a list of running machines" { - sudo machinectl list -} - -@test "machinectl: Stop a running machine" { - sudo machinectl stop noble || true -} diff --git a/tests/integration/systemd/networkctl.bats b/tests/integration/systemd/networkctl.bats deleted file mode 100644 index 81418ba01..000000000 --- a/tests/integration/systemd/networkctl.bats +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "networkctl: List existing links with their status" { - sudo networkctl list -} - -@test "networkctl: Show an overall network status" { - sudo networkctl status -} - -@test "networkctl: Reload configuration files (.netdev and .network)" { - sudo networkctl reload -} diff --git a/tests/integration/tlp.bats b/tests/integration/tlp.bats deleted file mode 100644 index b9a9530fc..000000000 --- a/tests/integration/tlp.bats +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "tlp: Apply settings (according to the actual power source)" { - sudo tlp start -} - -@test "tlp: Apply battery settings (ignoring the actual power source)" { - sudo tlp bat -} - -@test "tlp: Apply AC settings (ignoring the actual power source)" { - sudo tlp ac -} - -@test "tlp: Apply Disk settings" { - sudo tlp diskid -} diff --git a/tests/integration/utils/chsh.bats b/tests/integration/utils/chsh.bats deleted file mode 100644 index a23799def..000000000 --- a/tests/integration/utils/chsh.bats +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "chsh: list available shells" { - chsh --list-shells || true -} - -@test "chsh: Set a specific login shell for the current user" { - echo "$PASSWORD" | chsh --shell /usr/bin/bash || true -} - -# bats test_tags=chsh -@test "chsh: Set a login shell for a specific user" { - sudo chsh --shell /usr/bin/sh root || true -} diff --git a/tests/integration/utils/eject.bats b/tests/integration/utils/eject.bats deleted file mode 100644 index c4c2a3e0d..000000000 --- a/tests/integration/utils/eject.bats +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "eject: Display the default device" { - eject -d || true -} - -@test "eject: Eject the default device" { - eject || true -} diff --git a/tests/integration/utils/fstrim.bats b/tests/integration/utils/fstrim.bats deleted file mode 100644 index dff1083e2..000000000 --- a/tests/integration/utils/fstrim.bats +++ /dev/null 
@@ -1,14 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "fstrim: Trim unused blocks on all mounted partitions that support it" { - sudo fstrim --all -} - -@test "fstrim: Trim unused blocks on a specified partition" { - sudo fstrim --verbose / -} diff --git a/tests/integration/utils/hwclock.bats b/tests/integration/utils/hwclock.bats deleted file mode 100644 index a3dcdc31a..000000000 --- a/tests/integration/utils/hwclock.bats +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "hwclock: Display the current time as reported by the hardware clock" { - sudo hwclock || true -} - -@test "hwclock: Write the current software clock time to the hardware clock (sometimes used during system setup)" { - sudo hwclock --systohc || true -} - -@test "hwclock: Write the current hardware clock time to the software clock" { - sudo hwclock --hctosys || true -} - diff --git a/tests/integration/utils/lsfd.bats b/tests/integration/utils/lsfd.bats deleted file mode 100644 index bf0c4de0c..000000000 --- a/tests/integration/utils/lsfd.bats +++ /dev/null @@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lsfd: List all open file descriptors" { - lsfd -} - -@test "lsfd: List all files kept open by a specific program" { - sudo lsfd --filter 'PID == 1' -} - -@test "lsfd: List open IPv4 or IPv6 sockets" { - sudo lsfd -i4 - sudo lsfd -i6 -} diff --git a/tests/integration/utils/lsipc.bats b/tests/integration/utils/lsipc.bats deleted file mode 100644 index a18126982..000000000 --- a/tests/integration/utils/lsipc.bats +++ /dev/null 
@@ -1,16 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lsipc: Show information about all active IPC facilities" { - lsipc -} - -@test "lsipc: Show information about active shared memory segments, message queues or sempahore sets" { - lsipc --shmems - lsipc --queues - lsipc --semaphores -} diff --git a/tests/integration/utils/lslocks.bats b/tests/integration/utils/lslocks.bats deleted file mode 100644 index 042834cae..000000000 --- a/tests/integration/utils/lslocks.bats +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lslocks: List all local system locks" { - sudo lslocks -} - -@test "lslocks: List locks producing a raw output (no columns), and without column headers" { - sudo lslocks --raw --noheadings -} - -@test "lslocks: List locks by PID input" { - sudo lslocks --pid "$(sudo lslocks --raw --noheadings --output PID | head -1)" -} - -@test "lslocks: List locks with JSON output to stdout" { - lslocks --json -} diff --git a/tests/integration/utils/lslogins.bats b/tests/integration/utils/lslogins.bats deleted file mode 100644 index aa2df69b4..000000000 --- a/tests/integration/utils/lslogins.bats +++ /dev/null @@ -1,27 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lslogins: Display users in the system" { - lslogins - sudo lslogins -} - -@test "lslogins: Display user accounts" { - lslogins --user-accs -} - -@test "lslogins: Display last logins" { - lslogins --last -} - -@test "lslogins: Display system accounts" { - lslogins --system-accs -} - -@test "lslogins: Display supplementary groups" { - lslogins --supp-groups -} 
diff --git a/tests/integration/utils/lsns.bats b/tests/integration/utils/lsns.bats deleted file mode 100644 index c7e6563e2..000000000 --- a/tests/integration/utils/lsns.bats +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "lsns: List all namespaces" { - lsns - sudo lsns -} - -@test "lsns: List namespaces in JSON format" { - sudo lsns --json -} - -@test "lsns: List namespaces associated with the specified process" { - sudo lsns --task 1 -} - -@test "lsns: List the specified type of namespaces only" { - sudo lsns --type mnt - sudo lsns --type net - sudo lsns --type ipc - sudo lsns --type user - sudo lsns --type pid - sudo lsns --type uts - sudo lsns --type cgroup - sudo lsns --type time -} - diff --git a/tests/integration/utils/zramctl.bats b/tests/integration/utils/zramctl.bats deleted file mode 100644 index 41a3c1f51..000000000 --- a/tests/integration/utils/zramctl.bats +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load ../common - -@test "zramctl: Check if zram is enabled; enable it if needed" { - lsmod | grep -i zram || sudo modprobe zram || true -} - -@test "zramctl: Find and initialize the next free zram device to a 1 GB virtual drive using LZ4 compression" { - sudo zramctl --find --size 1GB --algorithm lz4 || true -} - -@test "zramctl: List currently initialized devices" { - sudo zramctl || true -} diff --git a/tests/integration/whois.bats b/tests/integration/whois.bats deleted file mode 100644 index fd1cba5fa..000000000 --- a/tests/integration/whois.bats +++ /dev/null 
@@ -1,19 +0,0 @@ -#!/usr/bin/env bats -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -load common - -@test "whois: Get information about a domain name" { - whois google.fr -} - -@test "whois: Get information about an IP address" { - whois 8.8.8.8 -} - -@test "whois: Get abuse contact for an IP address" { - whois -b 8.8.8.8 -} - diff --git a/tests/packer/archlinux.pkr.hcl b/tests/packer/archlinux.pkr.hcl new file mode 100644 index 000000000..41a2627d5 --- /dev/null +++ b/tests/packer/archlinux.pkr.hcl @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +source "qemu" "archlinux" { + disk_image = true + iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" + iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" + iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" + cpu_model = "host" + cpus = 6 + memory = 4096 + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = var.output + vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" + boot_wait = "10s" + shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}-${var.flavor}" + } + ) + } +} diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 98e923fd9..1c16a6b84 100644 
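Review bot: `shutdown_command` in the new `source "qemu" "archlinux"` block echoes `${var.password}` into `sudo -S`, which exposes the password in the guest process list and in packer's debug output even though the templated user-data gives that account `sudo: ALL=(ALL) NOPASSWD:ALL`. `shutdown_command = "sudo shutdown -hP now"` is sufficient with that sudoers entry and keeps the secret off any command line. Separately, `iso_checksum` is fetched from the same mirror as the unpinned `latest` image, so it only catches a corrupted download, not a substituted one; if the mirror publishes a detached signature for the cloud image it is worth verifying out of band, or pinning a checksum that was verified once.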
--- a/tests/packer/builds.pkr.hcl
+++ b/tests/packer/builds.pkr.hcl
@@ -2,91 +2,70 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -locals { - name = "${var.prefix}${var.dist}-${var.flavor}" -} - -source "qemu" "default" { - disk_image = true - iso_url = var.DM[var.dist].img_url - iso_checksum = "file:${var.DM[var.dist].img_checksum}" - iso_target_path = pathexpand("${var.iso_dir}/${basename("${var.DM[var.dist].img_url}")}") - cpu_model = "host" - cpus = var.cpus - memory = var.ram - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = pathexpand(var.output_dir) - vm_name = "${local.name}.qcow2" - boot_wait = "10s" - firmware = pathexpand(var.firmware) - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = format("%s\n%s\n%s", - templatefile("${path.cwd}/tests/cloud-init/common.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${local.name}" - } - ), - file("${path.cwd}/tests/cloud-init/${regex_replace(var.dist, "[0-9]*$", "")}.yml"), - file("${path.cwd}/tests/cloud-init/${var.dist}-${var.flavor}.user-data.yml") - ) - } -} - build { sources = [ - "source.qemu.default", + "source.qemu.archlinux", + "source.qemu.debian", + "source.qemu.fedora", + "source.qemu.opensuse", + "source.qemu.ubuntu22", + "source.qemu.ubuntu24", ] - # Upload artifacts + # Upload local files provisioner "file" { - destination = "/tmp/" + destination = "/tmp" + sources = ["${path.cwd}/packer/src"] + } + + provisioner "file" { + only = ["qemu.archlinux"] + destination = "/tmp/src/" sources = [ - "${path.cwd}/tests/packer/src/", - "${path.cwd}/tests/packer/init.sh", - "${path.cwd}/tests/packer/clean.sh", - "${path.cwd}/.pkg/", + 
"${path.cwd}/../.pkg/apparmor.d-${var.version}-1-x86_64.pkg.tar.zst", ] } - # Full system provisioning + provisioner "file" { + only = ["qemu.opensuse"] + destination = "/tmp/src/" + sources = ["${path.cwd}/../.pkg/apparmor.d-${var.version}-1.x86_64.rpm"] + } + + provisioner "file" { + only = ["qemu.debian", "qemu.ubuntu22", "qemu.ubuntu24"] + destination = "/tmp/src/" + sources = ["${path.cwd}/../.pkg/apparmor.d_${var.version}-1_amd64.deb"] + } + + # Wait for cloud-init to finish provisioner "shell" { execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" inline = [ - # Wait for cloud-init to finish "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", - - # Ensure cloud-init is successful - "cloud-init status || cloud-init collect-logs --tarfile /root/cloud-init.tar.gz", - - # Remove logs and artifacts so cloud-init can re-run - "cloud-init clean || true", - - # Install local files and config - "bash /tmp/init.sh", - - # Minimize the image - "bash /tmp/clean.sh", + "cloud-init clean", # Remove logs and artifacts so cloud-init can re-run ] } + # Install local files and config + provisioner "shell" { + script = "${path.cwd}/packer/init/init.sh" + execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" + } + + # Minimize the image + provisioner "shell" { + script = "${path.cwd}/packer/init/clean.sh" + execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" + } + + post-processor "vagrant" { + output = "${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" + } + post-processor "shell-local" { inline = [ - "mv ${var.output_dir}/${local.name}.qcow2 ${var.base_dir}/${local.name}.qcow2", + "vagrant box add --force --name ${var.prefix}${source.name}-${var.flavor} ${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" ] } 
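Review bot: The first shell provisioner no longer verifies that cloud-init succeeded — the old `cloud-init status || cloud-init collect-logs` line is gone and only the `boot-finished` marker is polled, which as far as I can tell is written at the end of the final stage even when a module failed, so a box with half-applied user-data (missing packages, no AppArmor kernel parameters) would still be packaged and registered by the `vagrant` post-processor. Replacing the polling loop with `cloud-init status --wait` both waits for completion and, on current cloud-init releases, returns non-zero on error so the provisioner aborts; keep `cloud-init clean` after it. `init.sh` now aborts on a failed package install, but that does not cover `write_files` or `runcmd` failures.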
diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl new file mode 100644 index 000000000..7fd176b6e --- /dev/null +++ b/tests/packer/debian.pkr.hcl @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +source "qemu" "debian" { + disk_image = true + iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" + iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" + iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" + cpu_model = "host" + cpus = 6 + memory = 4096 + disk_size = var.disk_size + accelerator = "kvm" + headless = true + ssh_username = var.username + ssh_password = var.password + ssh_port = 22 + ssh_wait_timeout = "1000s" + disk_compression = true + disk_detect_zeroes = "unmap" + disk_discard = "unmap" + output_directory = var.output + vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" + boot_wait = "10s" + firmware = var.firmware + shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" + cd_label = "cidata" + cd_content = { + "meta-data" = "" + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", + { + username = "${var.username}" + password = "${var.password}" + ssh_key = file("${var.ssh_publickey}") + hostname = "${var.prefix}${source.name}" + } + ) + } +} diff --git a/tests/packer/init/archlinux-cosmic.user-data.yml b/tests/packer/init/archlinux-cosmic.user-data.yml new file mode 100644 index 000000000..442c32470 --- /dev/null +++ b/tests/packer/init/archlinux-cosmic.user-data.yml 
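Review bot: `hostname` in `cd_content` is `${var.prefix}${source.name}` whereas `vm_name`, the vagrant box name and the archlinux source all include `-${var.flavor}`, so the gnome, kde and server Debian boxes will boot with the same hostname. `hostname = "${var.prefix}${source.name}-${var.flavor}"` keeps the naming consistent with the rest of the build. `shutdown_command` also pipes `${var.password}` into `sudo -S` although the user-data already grants `NOPASSWD:ALL`; `sudo /sbin/shutdown -hP now` avoids putting the password on a command line.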
@@ -0,0 +1,90 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + # Install core packages + - apparmor + - audit + - base-devel + - firewalld + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + + # Install basic services + - networkmanager + - cups + - cups-pdf + - system-config-printer + + # Install Graphical Interface + - cosmic + + # Install Applications + - firefox + - chromium + - terminator + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable cosmic-greeter + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + # Enable AppArmor in kernel parameters + - path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" + + # Set some bash aliases + - path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/archlinux-gnome.user-data.yml b/tests/packer/init/archlinux-gnome.user-data.yml new file mode 100644 index 000000000..c65dfc4dd --- /dev/null 
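Review bot: The `/etc/fstab` entry appended under `write_files` hard-codes `/home/user/Projects/apparmor.d` while the account is created as `${username}` in the same file, so a build with a different `var.username` mounts the share into a directory `init.sh` never creates for that user. `defaults 0 1` also requests a boot-time fsck for which no virtiofs checker exists, and without `nofail` a VM started without the share attached fails `local-fs.target` and drops into emergency mode. Suggest `0a31bc478ef8e2461a4b1cc10a24cc4 /home/${username}/Projects/apparmor.d virtiofs defaults,nofail 0 0`.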
+++ b/tests/packer/init/archlinux-gnome.user-data.yml @@ -0,0 +1,92 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + # Install core packages + - apparmor + - base-devel + - firewalld + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + + # Install basic services + - networkmanager + - cups + - cups-pdf + - system-config-printer + + # Install Graphical Interface + - gnome + - gnome-extra + - seahorse + - alacarte + + # Install Applications + - firefox + - chromium + - terminator + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable gdm + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + # Enable AppArmor in kernel parameters + - path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" + + # Set some bash aliases + - path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 
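Review bot: `firewalld` is in the `packages` list but the `systemctl enable` block under `runcmd` never enables it, while `avahi-daemon` (mDNS on the LAN) and NetworkManager are, so the box ends up with an installed-but-inactive host firewall. Either add `- systemctl enable firewalld` next to the `NetworkManager` line or drop the package so the image's network exposure is explicit. The same pattern appears in the other Arch desktop flavors.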
diff --git a/tests/packer/init/archlinux-kde.user-data.yml b/tests/packer/init/archlinux-kde.user-data.yml
new file mode 100644
index 000000000..97e8ffa7b
--- /dev/null
+++ b/tests/packer/init/archlinux-kde.user-data.yml
@@ -0,0 +1,94 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + # Install core packages + - apparmor + - base-devel + - firewalld + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + + # Install basic services + - networkmanager + - cups + - cups-pdf + - system-config-printer + + # Install Graphical Interface + - plasma-meta + - sddm + - ark + - dolphin + - konsole + - okular + + # Install Applications + - firefox + - chromium + - terminator + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable sddm + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + # Enable AppArmor in kernel parameters + - path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" + + # Set some bash aliases + - path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 
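Review bot: `runcmd` enables `auditd` but `audit` is not in the `packages` list, unlike the cosmic flavor which installs it explicitly; if the `apparmor` package does not pull it in on Arch, `systemctl enable auditd` fails and cloud-init merely logs the error since nothing checks `runcmd` results. Add `- audit` to the core packages block for consistency with cosmic, or confirm the dependency and note it in a comment. `firewalld` is likewise installed here and never enabled.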
diff --git a/tests/packer/init/archlinux-server.user-data.yml b/tests/packer/init/archlinux-server.user-data.yml new file mode 100644 index 000000000..93fd254a5 --- /dev/null +++ b/tests/packer/init/archlinux-server.user-data.yml @@ -0,0 +1,85 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + # Install core packages + - apparmor + - base-devel + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable rngd + - systemctl enable systemd-timesyncd.service + +write_files: + # Enable AppArmor in kernel parameters + - path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" + + # Set some bash aliases + - path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + + # Network configuration + - path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 
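Review bot: This headless server flavor sets `ssh_pwauth: true`, `lock_passwd: false` and `sudo: ALL=(ALL) NOPASSWD:ALL` for a user whose password is templated into the image, and that password hash survives the later `cloud-init clean`, so anyone who knows `var.password` and can reach port 22 owns the box. Password SSH is only needed because the packer source authenticates with `ssh_password`; switching the source to `ssh_private_key_file` and setting `ssh_pwauth: false` here would make the published box key-only while keeping the `ssh_authorized_keys` path. If the intent is strictly a throwaway local test VM, a header comment saying so would stop the file being copied for anything else.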
diff --git a/tests/packer/init/archlinux-xfce.user-data.yml b/tests/packer/init/archlinux-xfce.user-data.yml
new file mode 100644
index 000000000..1cc18f556
--- /dev/null
+++ b/tests/packer/init/archlinux-xfce.user-data.yml
@@ -0,0 +1,92 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + # Install core packages + - apparmor + - base-devel + - firewalld + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + + # Install basic services + - networkmanager + - cups + - cups-pdf + - system-config-printer + + # Install Graphical Interface + - xfce4 + - xfce4-goodies + - lightdm + - lightdm-gtk-greeter + + # Install Applications + - firefox + - chromium + - terminator + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable lightdm.service + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + # Enable AppArmor in kernel parameters + - path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" + + # Set some bash aliases + - path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 
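Review bot: The `GRUB_CMDLINE_LINUX_DEFAULT` appended here omits `apparmor.debug=1`, which the cosmic, gnome, kde and server flavors all add after the `lsm=` list, so the xfce box will log differently for the same profile failures. If the flag is intended for every test image, add it here; if it is meant to be dropped, a comment on the line would keep the other flavors from diverging further. The `lsm=` ordering itself matches the others.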
diff --git a/tests/packer/clean.sh b/tests/packer/init/clean.sh similarity index 83% rename from tests/packer/clean.sh rename to tests/packer/init/clean.sh index 23c587d4f..2e1e7b551 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/init/clean.sh @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eu -o pipefail +set -u # shellcheck source=/dev/null _lsb_release() { @@ -46,26 +46,40 @@ _sshdgenkeys() { _EOF } -clean_apt() { - _msg "Cleaning the apt cache" +clean_debian() { + _msg "Apt clean configuration" + + _msg "Full system upgrade" + apt-get update -y + apt-get -qq -y --no-install-recommends upgrade + apt-get -qq -y --no-install-recommends dist-upgrade + + _msg "Clean the apt cache" apt-get -y autoremove --purge apt-get -y autoclean apt-get -y clean } -clean_pacman() { - _msg "Cleaning pacman cache" +clean_arch() { + _msg "Pacman clean configuration" + + pacman -Syu --noconfirm + pacman -Qdtq | while IFS='' read -r pkg; do + pacman -Rsccn --noconfirm "$pkg" + done pacman -Scc --noconfirm } -clean_zypper() { - _msg "Cleaning zypper cache" - zypper clean --all +clean_opensuse() { + _msg "zypper clean configuration" + + zypper update -y + zypper clean -y } # Make the image as impersonal as possible. impersonalize() { - _msg "Making the image as impersonal as possible." + _msg "Make the image as impersonal as possible." # Remove remaining pkg file, docs and caches dirs=( @@ -131,6 +145,10 @@ trim() { truncate --size=0 /swap/swapfile fi + # _msg "Fill root filesystem with 0 to reduce box size" + # dd if=/dev/zero of=/EMPTY bs=1M || true + # rm -f /EMPTY + # Block until the empty file has been removed, otherwise, Packer will # try to kill the box while the disk is still full and that is bad. sync 
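Review bot: `set -eu -o pipefail` becomes `set -u` in the first hunk, so every command in `clean_debian`, `clean_arch` and `clean_opensuse` now runs best-effort — a failed `apt-get dist-upgrade` or `pacman -Syu` no longer stops the build, and an image with an un-upgraded package set is still minimized and shipped. The likely motivation is the new orphan loop in `clean_arch`, where `pacman -Qdtq` exits non-zero when there are no orphans and `pipefail` would abort; that case is better handled locally with `orphans=$(pacman -Qdtq || true)` and iterating over that, leaving `set -eu -o pipefail` in place. If some step is genuinely optional, an explicit `|| true` on that line documents it far better than disabling error checking file-wide.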
@@ -141,16 +159,16 @@ main() { begin=$(_diskused) case "$DISTRIBUTION" in debian | ubuntu) - clean_apt + clean_debian _sshdgenkeys ;; opensuse*) - clean_zypper + clean_opensuse ;; arch) - clean_pacman + clean_arch ;; esac impersonalize diff --git a/tests/packer/init/debian-gnome.user-data.yml b/tests/packer/init/debian-gnome.user-data.yml new file mode 100644 index 000000000..0e2571883 --- /dev/null +++ b/tests/packer/init/debian-gnome.user-data.yml @@ -0,0 +1,63 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - htop + - qemu-guest-agent + - spice-vdagent + - rsync + - vim + - task-gnome-desktop + +runcmd: + - apt-get update -y + - apt-get install -y -t bookworm-backports golang-go + +write_files: + # Add backports repository + - path: /etc/apt/sources.list + append: true + content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + + # Network configuration + - path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 diff --git a/tests/cloud-init/debian12-kde.user-data.yml b/tests/packer/init/debian-kde.user-data.yml similarity index 65% rename from tests/cloud-init/debian12-kde.user-data.yml rename to tests/packer/init/debian-kde.user-data.yml index 451068db1..a608e9b0b 100644 --- a/tests/cloud-init/debian12-kde.user-data.yml 
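Review bot: The backports entry appended to `/etc/apt/sources.list` and the `-t bookworm-backports` in `runcmd` hard-code the release, while `debian.pkr.hcl` selects the image from `var.release.debian.codename`, so bumping that variable silently leaves the box pulling Go from the previous release's backports; passing the codename through `templatefile` alongside `hostname` would tie them together. The `content:` here is a plain scalar with no trailing newline, so the next tool that appends to `sources.list` lands on the same line — use a block scalar, `content: |` followed by the `deb ...` line. The `/etc/fstab` entry also hard-codes `/home/user` although the account is `${username}`.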
+++ b/tests/packer/init/debian-kde.user-data.yml @@ -1,5 +1,23 @@ #cloud-config +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false packages: - apparmor-profiles - auditd @@ -9,8 +27,8 @@ packages: - devscripts - htop - qemu-guest-agent - - rsync - spice-vdagent + - rsync - vim - task-kde-desktop diff --git a/tests/packer/init/debian-server.user-data.yml b/tests/packer/init/debian-server.user-data.yml new file mode 100644 index 000000000..5f4fe526e --- /dev/null +++ b/tests/packer/init/debian-server.user-data.yml @@ -0,0 +1,61 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - htop + - qemu-guest-agent + - rsync + - vim + +runcmd: + - apt-get update -y + - apt-get install -y -t bookworm-backports golang-go + +write_files: + # Add backports repository + - path: /etc/apt/sources.list + append: true + content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + + # Network configuration + - path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 
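Review bot: The `/etc/fstab` line under `write_files` mounts the virtiofs share at `/home/user/Projects/apparmor.d`, but the user is created as `${username}` in the same file, and `defaults 0 1` with no `nofail` means a boot without the share attached fails `local-fs.target` and lands a headless box in emergency mode. `/home/${username}/Projects/apparmor.d virtiofs defaults,nofail 0 0` ties the path to the templated user and makes the mount optional. The backports line above carries the same hard-coded `bookworm` as the gnome flavor.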
diff --git a/tests/packer/init.sh b/tests/packer/init/init.sh
similarity index 54%
rename from tests/packer/init.sh
rename to tests/packer/init/init.sh
index 44a86220f..df300c0c4 100644
--- a/tests/packer/init.sh
+++ b/tests/packer/init/init.sh
@@ -3,39 +3,45 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eux -o pipefail +set -eu -# shellcheck source=/dev/null -source /etc/os-release || exit 1 -readonly SRC=/tmp/ +_lsb_release() { + # shellcheck source=/dev/null + . /etc/os-release + echo "$ID" +} +DISTRIBUTION="$(_lsb_release)" +readonly SRC=/tmp/src +readonly DISTRIBUTION main() { install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/.bash_aliases "/home/$SUDO_USER/.bash_aliases" + install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/monitors.xml "/home/$SUDO_USER/.config/monitors.xml" install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/htoprc "/home/$SUDO_USER/.config/htop/htoprc" - install -Dm0644 $SRC/parser.conf /etc/apparmor/parser.conf install -Dm0644 $SRC/site.local /etc/apparmor.d/tunables/multiarch.d/site.local install -Dm0755 $SRC/aa-update /usr/bin/aa-update - install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean + install -Dm0755 $SRC/aa-log-clean /usr/bin/aa-log-clean + cat $SRC/parser.conf >>/etc/apparmor/parser.conf chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" - case "$ID" in + case "$DISTRIBUTION" in arch) - rm -f $SRC/*.sig # Ignore signature files - rm -f $SRC/*enforced* # Ignore enforced package - pacman --noconfirm -U $SRC/*.pkg.tar.zst || true + pacman --noconfirm -U $SRC/*.pkg.tar.zst + systemctl start apparmor.service ;; debian | ubuntu) - # Do not install apparmor.d on the current development version - if [[ $VERSION_ID != "25.10" ]]; then - dpkg -i $SRC/*.deb || true - fi + apt-get update -y + apt-get install -y apparmor-profiles build-essential config-package-dev \ + debhelper devscripts htop rsync vim + dpkg -i $SRC/*.deb ;; opensuse*) mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" - rpm -i $SRC/*.rpm || true + zypper install -y bash-completion git go htop make rsync 
vim + rpm -i $SRC/*.rpm ;; esac diff --git a/tests/packer/init/opensuse-gnome.user-data.yml b/tests/packer/init/opensuse-gnome.user-data.yml new file mode 100644 index 000000000..b54bb458e --- /dev/null +++ b/tests/packer/init/opensuse-gnome.user-data.yml @@ -0,0 +1,43 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + - apparmor-profiles + - bash-completion + - distribution-release + - git + - golang-packaging + - htop + - make + - rpmbuild + - vim + +write_files: + # Set some bash aliases + - path: /home/${username}/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/opensuse-kde.user-data.yml b/tests/packer/init/opensuse-kde.user-data.yml new file mode 100644 index 000000000..b54bb458e --- /dev/null +++ b/tests/packer/init/opensuse-kde.user-data.yml 
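Review bot: `cat $SRC/parser.conf >>/etc/apparmor/parser.conf` replaces the old `install -Dm0644` and appends unconditionally, so re-running `init.sh` (or an image that already ships a `parser.conf`) ends up with duplicated parser directives; guarding it with `grep -qxFf "$SRC/parser.conf" /etc/apparmor/parser.conf || cat "$SRC/parser.conf" >>/etc/apparmor/parser.conf` keeps it idempotent. Dropping `-x` from `set` also removes the only trace of which `install`/`dpkg`/`pacman` step failed when the provisioner aborts, which matters more now that the `|| true` on the package installs is gone. `main()` continues past the end of this hunk.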
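Review bot: The `write_files` entry for `/home/${username}/.bashrc` runs in cloud-init's init stage, before the `users` module creates the account, so the file and the home directory created to hold it are written by root and `useradd` then skips the skel copy into a pre-existing, root-owned home. Mark the entry `defer: true` so it is written after user creation, or append to `/etc/skel/.bashrc` as the Arch flavors do. Note too that the openSUSE branch of `init.sh` renames `.bash_aliases` to `.alias`, so the `~/.bash_aliases` test added here never matches.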
@@ -0,0 +1,43 @@
+#cloud-config
+
+hostname: ${hostname}
+locale: en_IE
+keyboard:
+ layout: ie
+
+ssh_pwauth: true
+users:
+ - name: ${username}
+ plain_text_passwd: ${password}
+ shell: /bin/bash
+ ssh_authorized_keys:
+ - ${ssh_key}
+ lock_passwd: false
+ sudo: ALL=(ALL) NOPASSWD:ALL
+
+package_update: true
+package_upgrade: true
+package_reboot_if_required: false
+packages:
+ - apparmor-profiles
+ - bash-completion
+ - distribution-release
+ - git
+ - golang-packaging
+ - htop
+ - make
+ - rpmbuild
+ - vim
+
+write_files:
+ # Set some bash aliases
+ - path: /home/${username}/.bashrc
+ append: true
+ content: |
+ [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases
+
+ # Setup shared directory
+ - path: /etc/fstab
+ append: true
+ content: |
+ 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1
diff --git a/tests/packer/init/ubuntu22-desktop.user-data.yml b/tests/packer/init/ubuntu22-desktop.user-data.yml
new file mode 100644
index 000000000..30a82279a
--- /dev/null
+++ b/tests/packer/init/ubuntu22-desktop.user-data.yml
@@ -0,0 +1,83 @@
+#cloud-config
+
+# Based on https://github.com/canonical/autoinstall-desktop
+
+hostname: ${hostname}
+locale: en_IE
+keyboard:
+ layout: ie
+
+ssh_pwauth: true
+users:
+ - name: ${username}
+ plain_text_passwd: ${password}
+ shell: /bin/bash
+ ssh_authorized_keys:
+ - ${ssh_key}
+ lock_passwd: false
+ sudo: ALL=(ALL) NOPASSWD:ALL
+
+package_update: true
+package_upgrade: true
+package_reboot_if_required: false
+packages:
+ - ubuntu-desktop
+ - linux-generic-hwe-22.04
+ - qemu-guest-agent
+ - spice-vdagent
+ - terminator
+ - apparmor-profiles
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - golang-go
+ - rsync
+
+snap:
+ commands:
+ - install firefox
+ - install gtk-common-themes
+ - install snap-store
+ - install snapd-desktop-integration
+
+runcmd:
+ # Remove default filesystem and related tools not used with the suggested
+ # storage layout. These may yet be required if different partitioning schemes
+ # are used.
+ - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs
+
+ # Remove other packages present by default in Ubuntu Server but not
+ # normally present in Ubuntu Desktop.
+ - >-
+ apt-get -y purge
+ ubuntu-server ubuntu-server-minimal netplan.io cloud-init
+ binutils byobu curl dmeventd finalrd gawk
+ kpartx mdadm ncurses-term needrestart open-iscsi
+ sg3-utils ssh-import-id sssd thin-provisioning-tools tmux
+ sosreport screen open-vm-tools motd-news-config lxd-agent-loader
+ landscape-common fonts-ubuntu-console ethtool
+
+ # Finally, remove things only installed as dependencies of other things
+ # we have already removed.
+ - apt-get -y autoremove
+
+write_files:
+ # Setup shared directory
+ - path: /etc/fstab
+ append: true
+ content: |
+ 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1
+
+ - path: /etc/systemd/network/20-wired.network
+ owner: "root:root"
+ permissions: "0644"
+ content: |
+ [Match]
+ Name=en*
+
+ [Network]
+ DHCP=yes
+
+ [DHCPv4]
+ RouteMetric=10
diff --git a/tests/packer/init/ubuntu24-desktop.user-data.yml b/tests/packer/init/ubuntu24-desktop.user-data.yml
new file mode 100644
index 000000000..3c3807e29
--- /dev/null
+++ b/tests/packer/init/ubuntu24-desktop.user-data.yml
@@ -0,0 +1,85 @@
+#cloud-config
+
+# Based on https://github.com/canonical/autoinstall-desktop
+
+# https://github.com/canonical/ubuntu-desktop-provision/blob/main/README.md
+
+hostname: ${hostname}
+locale: en_IE
+keyboard:
+ layout: ie
+
+ssh_pwauth: true
+users:
+ - name: ${username}
+ plain_text_passwd: ${password}
+ shell: /bin/bash
+ ssh_authorized_keys:
+ - ${ssh_key}
+ lock_passwd: false
+ sudo: ALL=(ALL) NOPASSWD:ALL
+
+package_update: true
+package_upgrade: true
+package_reboot_if_required: false
+packages:
+ - ubuntu-desktop
+ - linux-generic-hwe-24.04
+ - qemu-guest-agent
+ - spice-vdagent
+ - terminator
+ - apparmor-profiles
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - golang-go
+ - rsync
+
+snap:
+ commands:
+ - install firefox
+ - install gtk-common-themes
+ - install snap-store
+ - install snapd-desktop-integration
+
+runcmd:
+ # Remove default filesystem and related tools not used with the suggested
+ # storage layout. These may yet be required if different partitioning schemes
+ # are used.
+ - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs
+
+ # Remove other packages present by default in Ubuntu Server but not
+ # normally present in Ubuntu Desktop.
+ # - >-
+ # apt-get -y purge
+ # ubuntu-server ubuntu-server-minimal netplan.io cloud-init
+ # binutils byobu curl dmeventd finalrd gawk
+ # kpartx mdadm ncurses-term needrestart open-iscsi
+ # sg3-utils ssh-import-id sssd thin-provisioning-tools tmux
+ # sosreport screen open-vm-tools motd-news-config lxd-agent-loader
+ # landscape-common fonts-ubuntu-console ethtool
+
+ # Finally, remove things only installed as dependencies of other things
+ # we have already removed.
+ - apt-get -y autoremove
+
+write_files:
+ # Setup shared directory
+ - path: /etc/fstab
+ append: true
+ content: |
+ 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1
+
+ - path: /etc/systemd/network/20-wired.network
+ owner: "root:root"
+ permissions: "0644"
+ content: |
+ [Match]
+ Name=en*
+
+ [Network]
+ DHCP=yes
+
+ [DHCPv4]
+ RouteMetric=10
diff --git a/tests/packer/init/ubuntu24-server.user-data.yml b/tests/packer/init/ubuntu24-server.user-data.yml
new file mode 100644
index 000000000..5e6d853ba
--- /dev/null
+++ b/tests/packer/init/ubuntu24-server.user-data.yml
@@ -0,0 +1,53 @@
+#cloud-config
+
+hostname: ${hostname}
+locale: en_IE
+keyboard:
+ layout: ie
+
+ssh_pwauth: true
+users:
+ - name: ${username}
+ plain_text_passwd: ${password}
+ shell: /bin/bash
+ ssh_authorized_keys:
+ - ${ssh_key}
+ lock_passwd: false
+ sudo: ALL=(ALL) NOPASSWD:ALL
+
+package_update: true
+package_upgrade: true
+package_reboot_if_required: false
+packages:
+ - apparmor-profiles
+ - auditd
+ - build-essential
+ - config-package-dev
+ - debhelper
+ - devscripts
+ - golang-go
+ - htop
+ - qemu-guest-agent
+ - rsync
+ - vim
+
+write_files:
+ # Setup shared directory
+ - path: /etc/fstab
+ append: true
+ content: |
+ 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1
+
+ # Network configuration
+ - path: /etc/systemd/network/20-wired.network
+ owner: "root:root"
+ permissions: "0644"
+ content: |
+ [Match]
+ Name=en*
+
+ [Network]
+ DHCP=yes
+
+ [DHCPv4]
+ RouteMetric=10
diff --git a/tests/packer/main.pkr.hcl b/tests/packer/main.pkr.hcl
index d2b1a6dbf..ee13e8f92 100644
--- a/tests/packer/main.pkr.hcl
+++ b/tests/packer/main.pkr.hcl
@@ -8,5 +8,9 @@ packer {
 source = "github.com/hashicorp/qemu"
 version = "~> 1"
 }
+ vagrant = {
+ source = "github.com/hashicorp/vagrant"
+ version = "~> 1"
+ }
 }
 }
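Review bot: The comment `# Remove other packages present by default in Ubuntu Server but not normally present in Ubuntu Desktop.` still introduces the purge, but the `- >-` command under it is commented out, so the file reads as if those packages are removed on 24.04 when they are not. Say why it is disabled, e.g. `# Disabled on 24.04: <reason>` above the commented `- >-`, or delete the dead block; the following `apt-get -y autoremove` then only cleans up after the btrfs/cryptsetup purge.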
diff --git a/tests/packer/opensuse.pkr.hcl b/tests/packer/opensuse.pkr.hcl
new file mode 100644
index 000000000..49ba09f70
--- /dev/null
+++ b/tests/packer/opensuse.pkr.hcl
@@ -0,0 +1,42 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# TODO: Fully automate the creation of the base image
+
+source "qemu" "opensuse" {
+ disk_image = true
+ iso_url = "${var.base_dir}/base-tumbleweed-gnome.qcow2"
+ iso_checksum = "sha256:223ed62160ef4f1a4f21b69c574f552a07eee6ef66cf66eef2b49c5a7c4864f4"
+ iso_target_path = "${var.base_dir}/base-tumbleweed-gnome.qcow2"
+ cpu_model = "host"
+ cpus = 6
+ memory = 4096
+ disk_size = var.disk_size
+ accelerator = "kvm"
+ headless = false
+ ssh_username = var.username
+ ssh_password = var.password
+ ssh_port = 22
+ ssh_wait_timeout = "1000s"
+ disk_compression = true
+ disk_detect_zeroes = "unmap"
+ disk_discard = "unmap"
+ output_directory = var.output
+ vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2"
+ boot_wait = "10s"
+ firmware = var.firmware
+ shutdown_command = "echo ${var.password} | sudo shutdown -hP now"
+ cd_label = "cidata"
+ cd_content = {
+ "meta-data" = ""
+ "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml",
+ {
+ username = "${var.username}"
+ password = "${var.password}"
+ ssh_key = file("${var.ssh_publickey}")
+ hostname = "${var.prefix}${source.name}"
+ }
+ )
+ }
+}
diff --git a/tests/packer/src/.bash_aliases b/tests/packer/src/.bash_aliases
index 2580556fd..27e05bf80 100644
--- a/tests/packer/src/.bash_aliases
+++ b/tests/packer/src/.bash_aliases
@@ -8,6 +8,7 @@ for nb in $(seq "$1"); do
 done
 }
+alias sudo='sudo -E'
 alias aa-log='sudo aa-log'
 alias aa-status='sudo aa-status'
 alias c='clear'
diff --git a/tests/packer/src/aa-clean b/tests/packer/src/aa-clean
deleted file mode 100644
index a01b9d77e..000000000
--- a/tests/packer/src/aa-clean
+++ /dev/null
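Review bot: `shutdown_command = "echo ${var.password} | sudo shutdown -hP now"` lacks the `-S` that the ubuntu sources pass, so the piped password is never read and the command only works because the user-data grants `NOPASSWD:ALL`; make it `sudo -S /sbin/shutdown -hP now` for consistency. The user-data path `${source.name}-${var.flavor}.user-data.yml` only resolves to the new `opensuse-gnome`/`opensuse-kde` files when `flavor` is set, while that variable still defaults to `""`; state that requirement next to the TODO line or give this source a default flavor. `headless = false` here versus `true` in the ubuntu sources looks deliberate for a desktop image, but a one-line comment would confirm it.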
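Review bot: `alias sudo='sudo -E'` hands the caller's environment to every root command in the VM and disables sudo's `env_reset` for all of them, not only for the build variables `aa-update` needs such as `BUILDDIR`. If a few variables are all that is required, `alias sudo='sudo --preserve-env=BUILDDIR'` keeps the rest of the reset in place. At minimum, a comment stating that this is a test-VM convenience would stop it being copied into documentation for real systems.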
@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-set -eu -o pipefail
-rm -vf /var/log/audit/* /var/log/syslog*
-touch /var/log/audit/audit.log /var/log/syslog
diff --git a/tests/packer/src/aa-log-clean b/tests/packer/src/aa-log-clean
new file mode 100644
index 000000000..9f3ebd818
--- /dev/null
+++ b/tests/packer/src/aa-log-clean
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -eu
+rm -rf /var/log/audit/*
+touch /var/log/audit/audit.log
diff --git a/tests/packer/src/aa-update b/tests/packer/src/aa-update
index bdbd6ed00..9a326305d 100644
--- a/tests/packer/src/aa-update
+++ b/tests/packer/src/aa-update
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -eu -o pipefail
+set -eu
 export BUILDDIR=/tmp/build/
@@ -13,15 +13,15 @@ DISTRIBUTION="$(_lsb_release)"
 cd "$HOME/Projects/apparmor.d"
 case "$DISTRIBUTION" in
 arch)
- just pkg
+ make pkg
 ;;
 debian | ubuntu | whonix)
 sudo rm -rf debian/.debhelper/
- just dpkg
+ make dpkg
 sudo rm -rf debian/.debhelper/
 ;;
 opensuse*)
- just rpm
+ make rpm
 ;;
 *) ;;
 esac
diff --git a/tests/packer/src/monitors.xml b/tests/packer/src/monitors.xml
new file mode 100644
index 000000000..b17136584
--- /dev/null
+++ b/tests/packer/src/monitors.xml
@@ -0,0 +1,23 @@
+
+
+
+ 0
+ 0
+ 1
+ yes
+
+
+ Virtual-1
+ RHT
+ QEMU Monitor
+ 0x00000000
+
+
+ 1920
+ 1080
+ 60
+
+
+
+
+
diff --git a/tests/packer/src/parser.conf b/tests/packer/src/parser.conf
index 8651efad1..be8c42560 100644
--- a/tests/packer/src/parser.conf
+++ b/tests/packer/src/parser.conf
@@ -1,9 +1,4 @@
-# Turn creating/updating of the cache on by default
+
 write-cache
-
-# Enable early policy loads to confine systemd, and services that can not depend
-# on the apparmor unit.
-cache-loc=/etc/apparmor/earlypolicy/
-
-# Adjust compression
+cache-loc /etc/apparmor/earlypolicy/
 Optimize=compress-fast
diff --git a/tests/packer/ubuntu.pkr.hcl b/tests/packer/ubuntu.pkr.hcl
new file mode 100644
index 000000000..052b460da
--- /dev/null
+++ b/tests/packer/ubuntu.pkr.hcl
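Review bot: `rm -rf /var/log/audit/*` followed by `touch` does not reset a log that a running auditd holds open: the daemon keeps writing to the unlinked inode and the freshly created `audit.log` stays empty until auditd rotates or is restarted, so `aa-log` reads nothing from it. Ask the daemon to rotate or restart it around the removal, e.g. `systemctl restart auditd` after the `touch`, or send it `SIGUSR1`, the signal auditd uses to rotate its logs; the removed `aa-clean` had the same gap. `set -eu` without `pipefail` is fine here since the script has no pipeline.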
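Review bot: `cache-loc /etc/apparmor/earlypolicy/` changes the separator from the `=` the old line used; confirm that apparmor_parser's parser.conf grammar accepts the space form, since a line it cannot parse would presumably leave the early-policy cache at its default location without the provisioner noticing. The three comments explaining `write-cache`, the early-policy location and `Optimize=compress-fast` were dropped; because init.sh now appends this snippet to the distribution's parser.conf, keep at least a one-line marker such as `# apparmor.d test VM: early policy cache (appended by packer init.sh)` so a reader of the merged file knows where these lines came from.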
@@ -0,0 +1,77 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+source "qemu" "ubuntu22" {
+ disk_image = true
+ iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/${var.release.ubuntu22.codename}-server-cloudimg-amd64.img"
+ iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/SHA256SUMS"
+ iso_target_path = "${var.iso_dir}/ubuntu22-cloudimg-amd64.img"
+ cpu_model = "host"
+ cpus = 6
+ memory = 4096
+ disk_size = var.disk_size
+ accelerator = "kvm"
+ headless = true
+ ssh_username = var.username
+ ssh_password = var.password
+ ssh_port = 22
+ ssh_wait_timeout = "1000s"
+ disk_compression = true
+ disk_detect_zeroes = "unmap"
+ disk_discard = "unmap"
+ output_directory = var.output
+ vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2"
+ boot_wait = "10s"
+ firmware = var.firmware
+ shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now"
+ cd_label = "cidata"
+ cd_content = {
+ "meta-data" = ""
+ "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml",
+ {
+ username = "${var.username}"
+ password = "${var.password}"
+ ssh_key = file("${var.ssh_publickey}")
+ hostname = "${var.prefix}${source.name}"
+ }
+ )
+ }
+}
+
+source "qemu" "ubuntu24" {
+ disk_image = true
+ iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img"
+ iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS"
+ iso_target_path = "${var.iso_dir}/ubuntu24-cloudimg-amd64.img"
+ cpu_model = "host"
+ cpus = 6
+ memory = 4096
+ disk_size = var.disk_size
+ accelerator = "kvm"
+ headless = true
+ ssh_username = var.username
+ ssh_password = var.password
+ ssh_port = 22
+ ssh_wait_timeout = "1000s"
+ disk_compression = true
+ disk_detect_zeroes =
"unmap"
+ disk_discard = "unmap"
+ output_directory = var.output
+ vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2"
+ boot_wait = "10s"
+ firmware = var.firmware
+ shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now"
+ cd_label = "cidata"
+ cd_content = {
+ "meta-data" = ""
+ "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml",
+ {
+ username = "${var.username}"
+ password = "${var.password}"
+ ssh_key = file("${var.ssh_publickey}")
+ hostname = "${var.prefix}${source.name}"
+ }
+ )
+ }
+}
diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl
index a44f98412..a37c89bf0 100644
--- a/tests/packer/variables.pkr.hcl
+++ b/tests/packer/variables.pkr.hcl
@@ -16,16 +16,10 @@ variable "password" {
 default = "user"
 }
-variable "cpus" {
- description = "Default CPU of the VM"
+variable "ssh_publickey" {
+ description = "Path to the ssh public key"
 type = string
- default = "6"
-}
-
-variable "ram" {
- description = "Default RAM of the VM"
- type = string
- default = "4096"
+ default = "~/.ssh/id_ed25519.pub"
 }
 variable "disk_size" {
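Review bot: `iso_url` and `iso_checksum` both point at `.../current/...`, so the `version` field the release map defines for ubuntu22 (`22.04.2`) and ubuntu24 (`24.04`) is never read and the build is not reproducible: each run fetches whatever `current` is, and because the SHA256SUMS file comes from the same origin as the image it only guards against a corrupted download, not a changed one. Either derive a pinned release path from `var.release.<name>.version` or drop the unused field. `shutdown_command` pipes the guest password through `echo`, which exposes it in the guest's process list; harmless for a throwaway VM but worth a comment. The two source blocks differ only in their name and release key, so a short comment that they must be kept in sync would help.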
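Review bot: Removing the `cpus` and `ram` variables leaves `cpus = 6` and `memory = 4096` hard-coded in every `source "qemu"` block, so the VM sizing can no longer be overridden from a var file or the command line. If dropping the override is intended, a comment on the sources saying so avoids the next contributor re-adding the variables; otherwise keep them as `type = number` defaults (`default = 6`, `default = 4096`) and reference them from the sources.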
@@ -34,34 +28,28 @@ variable "disk_size" { default = "40G" } -variable "ssh_publickey" { - description = "Path to the ssh public key" - type = string - default = "~/.ssh/id_ed25519.pub" -} - variable "iso_dir" { description = "Original ISO file directory" type = string - default = "~/.libvirt/iso" + default = "/var/lib/libvirt/images" } variable "base_dir" { description = "Final packer image output directory" type = string - default = "~/.libvirt/base" -} - -variable "output_dir" { - description = "Output build directory" - type = string - default = "~/.libvirt/base/packer" + default = "/var/lib/libvirt/images" } variable "firmware" { description = "Path to the UEFI firmware" type = string - default = "/usr/share/edk2/x64/OVMF.4m.fd" + default = "/usr/share/edk2/x64/OVMF_CODE.fd" +} + +variable "output" { + description = "Output build directory" + type = string + default = "/tmp/packer" } variable "prefix" { @@ -70,10 +58,10 @@ variable "prefix" { default = "aa-" } -variable "dist" { - description = "Distribution to target" +variable "version" { + description = "apparmor.d version" type = string - default = "ubuntu24" + default = "0.001" } variable "flavor" { 
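Review bot: `iso_dir` and `base_dir` now share the default `/var/lib/libvirt/images` while their descriptions still distinguish an "Original ISO file directory" from a "Final packer image output directory"; with one directory the downloaded cloud images and the finished base images land side by side, so either state that this is intended or give `base_dir` its own subdirectory. `output` defaults to `/tmp/packer`: on hosts where /tmp is tmpfs the build disk (40G by `disk_size`) lands in RAM, and files created there are readable by other local users unless the umask says otherwise, so a path under the user's home or `/var/lib/libvirt` is the safer default.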
@@ -82,40 +70,32 @@ variable "flavor" { default = "" } -variable "DM" { - description = "Distribution Metadata to use" +variable "release" { + description = "Distribution metadata to use" type = map(object({ - img_url = string - img_checksum = string + codename = string + version = string })) default = { - "archlinux" : { - img_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" - img_checksum = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" - }, - "debian12" : { - img_url = "https://cdimage.debian.org/images/cloud/bookworm/latest/debian-12-genericcloud-amd64.qcow2" - img_checksum = "https://cdimage.debian.org/images/cloud/bookworm/latest/SHA512SUMS" - } - "debian13" : { - img_url = "https://cdimage.debian.org/images/cloud/trixie/latest/debian-13-genericcloud-amd64.qcow2" - img_checksum = "https://cdimage.debian.org/images/cloud/trixie/latest/SHA512SUMS" - } "ubuntu22" : { - img_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" - img_checksum = "https://cloud-images.ubuntu.com/jammy/current/SHA256SUMS" + codename = "jammy", + version = "22.04.2", }, "ubuntu24" : { - img_url = "https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64.img" - img_checksum = "https://cloud-images.ubuntu.com/noble/current/SHA256SUMS" - }, - "ubuntu25" : { - img_url = "https://cloud-images.ubuntu.com/plucky/current/plucky-server-cloudimg-amd64.img" - img_checksum = "https://cloud-images.ubuntu.com/plucky/current/SHA256SUMS" + codename = "noble", + version = "24.04", }, + "debian" : { + codename = "bookworm", + version = "12", + } "opensuse" : { - img_url = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2" - img_checksum = "https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-Cloud.qcow2.sha256" + codename = "tumbleweed", + version = "", + } + "fedora" : { + codename = 
"40", + version = "1.14", } } } diff --git a/tests/profile_check.py b/tests/profile_check.py deleted file mode 100644 index 9b61e6367..000000000 --- a/tests/profile_check.py +++ /dev/null 
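Review bot: The `release` map's fields do not mean the same thing per entry: for ubuntu `codename`/`version` is jammy/22.04.2, for fedora `codename` holds the release number `40` and `version` the image build `1.14`, and opensuse has an empty `version`; the object type `codename = string, version = string` cannot express that, and the only consumer in this diff, ubuntu.pkr.hcl, reads `.codename` alone. Describe both fields in the variable's `description`, e.g. `"Distribution metadata: codename is the path component of the image URL, version the release or image build used to pin it (empty for rolling releases)"`, or restructure the fedora entry so the fields are consistent. The `"debian"` entry is not followed by a comma before `"opensuse"` while the ubuntu entries are; valid HCL, but inconsistent.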
@@ -1,480 +0,0 @@ -#!/usr/bin/env python3 -# SPDX-License-Identifier: GPL-2.0-only - -# KNOWN ISSUES: -# No guards for file type - expects AppArmor -# Diffirent suggestions for single line are mutually exclusive -# Suggestion could point to changed profile name, based on other suggestion - -import sys -import argparse -import pathlib -import shlex -import json -from copy import deepcopy - -try: - from apparmor.regex import * - from apparmor.aa import is_skippable_file - from apparmor.rule.file import FileRule, FileRuleset - from apparmor.common import convert_regexp - try: - from apparmor.rule.variable import separate_vars - except ImportError: - from apparmor.aa import separate_vars - - LIBAPPARMOR = True - -except ImportError: - LIBAPPARMOR = False - -def sanitizeProfileName(name): - - if name.startswith('/') or name.startswith('@{'): - name = pathlib.Path(name).stem - - if ' ' in name: - name = re.sub(r'\s+', '-', name) - - return name - -def makeLocalIdentity(nestingStacker_): - - newStacker = [] - for i in nestingStacker_: - i = sanitizeProfileName(i) - newStacker.append(i) - - identity = '_'.join(newStacker) # separate each (sub)profile identity with underscores - - return identity - -def getCurrentProfile(stacker): - - if stacker: - profile = stacker[-1] - else: - profile = None - - return profile - -def handleFileMessages(l, file, profile, lineNum): - - wholeFileAccessProfiles = ( -# '', - ) - suggestOwner = ( # TODO: switch to AARE - r'^@{HOME}/', - r'^/home/\w+/', - r'^@{run}/user/@{uid}/', - r'^/run/user/\d+/', - r'^@{tmp}/', - r'^/tmp/', - r'^/var/tmp/', - r'^/dev/shm/', - ) - - lG = l.groupdict() - reason_ = None - if lG.get('path'): - if lG.get('path').startswith('/**') and profile not in wholeFileAccessProfiles: # false positives - severity_ = 'ERROR' - reason_ = 'Whole filesystem access is too broad' - suggestion_ = None - - for r in suggestOwner: - if re.match(r, lG.get('path')) and not lG.get('owner'): - indentRe = re.match(r'^\s+', l.group()) - 
if indentRe: - indent = indentRe.group() - else: - indent = '' - - severity_ = 'NOTICE' - reason_ = "'owner' is likely required" - suggestion_ = indent + 'owner ' + l.group().lstrip() - break - - elif lG.get('bare_file') and profile not in wholeFileAccessProfiles: - severity_ = 'ERROR' - reason_ = 'Whole filesystem access is too broad' - suggestion_ = None - - if reason_: # something matched - msg = {'filename': file, - 'profile': profile, - 'severity': severity_, - 'line': lineNum, - 'reason': reason_, - 'suggestion': suggestion_} - else: - msg = None - - return msg - -def readApparmorFile(fullpath): - '''AA file could contain multiple AA profiles''' - headers = ( - '# apparmor.d - Full set of apparmor profiles', - '# Copyright (C) ', - '# SPDX-License-Identifier: GPL-2.0-only', - ) - - file_data = {} - fileVars = {} - nestingStacker = [] - duplicateProfilesCounter = [] - localExists = {} - localExists_eol = {} - messages = [] - exceptionMsg = None - line = None - gotAbi = False - gotHeaders = {} - gotAttach = False - isAfterProfileStart = False - lastLineNum = None - try: - with open(fullpath, 'r') as f: - for n,line in enumerate(f, start=1): - if isAfterProfileStart: - isAfterProfileStart = False - expectedIndent = len(nestingStacker) * ' ' - indentRe = re.match(r'^\s+', line) - if indentRe: - indent = indentRe.group() - else: - indent = '' - - if indent != expectedIndent: - spacesCount = len(nestingStacker) * 2 - nestingCount = len(nestingStacker) - messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'WARNING', - 'line': n, - 'reason': f"Expected {spacesCount} spaces for {nestingCount} nesting", - 'suggestion': f"{expectedIndent}{line.lstrip()}"}) - - if line.endswith(' \n'): - messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'WARNING', - 'line': n, - 'reason': "Redundant trailing whitespace", - 'suggestion': line.rstrip()}) - - if '\t' in line: - 
messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'WARNING', - 'line': n, - 'reason': "Tabs are not allowed", - 'suggestion': line.replace('\t', ' ')}) - - if len(gotHeaders) < 3 and not nestingStacker: - for nH,i in enumerate(headers): - if line.startswith(i): - gotHeaders[nH] = True - - if RE_ABI.search(line): - gotAbi = line - - elif RE_PROFILE_START.search(line) or RE_PROFILE_HAT_DEF.search(line): - isAfterProfileStart = True - m = parse_profile_start_line(line, fullpath) - if m.get('profile'): - nestingStacker.append(m.get('profile')) # set early - - if m.get('attachment') == '@{exec_path}' and not gotAttach: # can be only singular - gotAttach = True - - profileMsg = {'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'WARNING', - 'line': n, - 'reason': "A short named profile must be defined", - 'suggestion': None} - if m.get('plainprofile'): - messages.append(profileMsg) - elif m.get('namedprofile'): - if m.get('namedprofile').startswith('/'): - messages.append(profileMsg) - - if m.get('flags'): - m['flags'] = set(shlex.split(m.pop('flags').replace(',', ''))) - if 'complain' in m['flags']: - messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'WARNING', - 'line': n, - 'reason': "'complain' flag must be defined in 'dists/flags'", - 'suggestion': None}) - else: - m['flags'] = set() - - if m.get('profile'): - duplicateProfilesCounter.append(m.get('profile')) - profileIdentity = '//'.join(nestingStacker) - file_data[profileIdentity] = m - - elif RE_PROFILE_VARIABLE.search(line): - lineV = RE_PROFILE_VARIABLE.search(line).groups() - - name = strip_quotes(lineV[0]) - operation = lineV[1] - val = separate_vars(lineV[2]) - if fileVars.get(name): - fileVars[name].update(set(val)) - if operation == '=': - messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'DEGRADED', - 'line': n, - 
'reason': "Tunable must be appended with '+='", - 'suggestion': None}) - else: - fileVars[name] = set(val) - if operation == '+=': - messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'DEGRADED', - 'line': n, - 'reason': "Tunable must be defined with '='", - 'suggestion': None}) - - elif RE_INCLUDE.search(line): - if nestingStacker: - profileIdentity = '//'.join(nestingStacker) - localIdentity = makeLocalIdentity(nestingStacker) - localValue = f'include if exists ' # commented out will also match - if localValue in line: - localExists[profileIdentity] = localValue - - # Handle file entries - elif RE_PROFILE_FILE_ENTRY.search(line): - lineF = RE_PROFILE_FILE_ENTRY.search(line) - fileMsg = handleFileMessages(lineF, fullpath, getCurrentProfile(nestingStacker), n) - if fileMsg: - messages.append(fileMsg) - - elif RE_PROFILE_END.search(line): - if getCurrentProfile(nestingStacker): - if not nestingStacker: - messages.append({'filename': fullpath, - 'profile': None, - 'severity': 'DEGRADED', - 'line': n, - 'reason': "Unbalanced parenthesis?", # not fully covered - 'suggestion': None}) - else: - profileIdentity = '//'.join(nestingStacker) - localExists_eol[profileIdentity] = n - del nestingStacker[-1] # remove last - - lastLineNum = n - - except PermissionError: - exceptionMsg = 'Unable to read the file (PermissionError)' - - except UnicodeDecodeError: - exceptionMsg = 'Unable to read the file (UnicodeDecodeError)' - - except FileNotFoundError: - exceptionMsg = 'No such file or directory (FileNotFoundError)' - - if exceptionMsg: - messages.append({'filename': fullpath, - 'profile': None, - 'severity': 'NOTICE', - 'line': None, - 'reason': exceptionMsg, - 'suggestion': None}) - - # Ensure proper header is present - if len(gotHeaders) < 3: - combinedHeader = '\n'.join(headers) - messages.append({'filename': fullpath, - 'profile': None, - 'severity': 'WARNING', - 'line': 1, - 'reason': 'No proper header', - 'suggestion': 
combinedHeader}) - - # Ensure ABI is present - changeAbi = False - abi = 'abi ,' - if gotAbi: - if gotAbi.strip() != abi: - changeAbi = True - else: - changeAbi = True - - if changeAbi: - messages.append({'filename': fullpath, - 'profile': None, - 'severity': 'WARNING', - 'line': None, - 'reason': 'ABI is required', - 'suggestion': abi}) - - # Ensure singular '@{exec_path}' - if not gotAttach: - messages.append({'filename': fullpath, - 'profile': None, - 'severity': 'WARNING', - 'line': None, - 'reason': "'@{exec_path}' must be defined as main path attachment", - 'suggestion': None}) - - # Ensure trailing vim syntax - if line: - trailingSyntax = '# vim:syntax=apparmor\n' - if line != trailingSyntax: - messages.append({'filename': fullpath, - 'profile': None, - 'severity': 'WARNING', - 'line': lastLineNum, - 'reason': 'No trailing syntax hint', - 'suggestion': trailingSyntax}) - - # Assign variables to profile attachments as paths and assign filenames - for p,d in deepcopy(file_data).items(): - file_data[p]['filename'] = fullpath - attachment = d.get('attachment') - if attachment: - if attachment.startswith('@{'): - if fileVars.get(attachment): - file_data[p]['attach_paths'] = fileVars[attachment] # incoming set - else: - messages.append({'filename': fullpath, - 'profile': p, - 'severity': 'ERROR', - 'line': None, - 'reason': f"Unknown global variable as profile attachment: {attachment}", - 'suggestion': None}) - - else: - if isinstance(file_data[p].get('attachment'), set): - raise ValueError("Expecting 'str' or 'None', not 'set'") - file_data[p]['attach_paths'] = {file_data[p]['attachment']} - - # Check if profile block does not have corresponding 'local' include - for p,d in file_data.items(): - if not localExists.get(p): # not found previously - if '//' in p: - identity = p.split('//') - else: - identity = [p] - - localIdentity = makeLocalIdentity(identity) - filename = file_data[p]['filename'] - messages.append({'filename': filename, - 'profile': p, - 
'severity': 'WARNING', - 'line': localExists_eol.get(p), # None? Unbalanced parenthesis? - 'reason': "The (sub)profile block does not have expected 'local' include", - 'suggestion': f'include if exists '}) - - # Track multiple definitions inside single file - for profile in duplicateProfilesCounter: - counter = duplicateProfilesCounter.count(profile) - if counter >= 2: - messages.append({'filename': fullpath, - 'profile': profile, - 'severity': 'DEGRADED', - 'line': None, - 'reason': "Profile has been defined {counter} times in the same file", - 'suggestion': None}) - - return (messages, file_data) - -def findAllProfileFilenames(profile_dir): - - profiles = set() - for path in pathlib.Path(profile_dir).iterdir(): - if path.is_file() and not is_skippable_file(path): - profiles.add(path.resolve()) - - # Not default, dig deeper - if not profiles: - nestedDirs = ( - 'groups', - 'profiles-a-f', - 'profiles-g-l', - 'profiles-m-r', - 'profiles-s-z', - ) - for d in nestedDirs: - dirpath = pathlib.Path(pathlib.Path(profile_dir).resolve(), pathlib.Path(d)) - for p in dirpath.rglob("*"): - if p.is_file(): - profiles.add(p) - - return profiles - -def handleArgs(): - """DEGRADED are purposed for fatal errors - when the profile set will fail to load entirely""" - - allSeverities = ['DEBUG', 'NOTICE', 'WARNING', 'ERROR', 'CRITICAL', 'DEGRADED'] - aaRoot = '/etc/apparmor.d' - - parser = argparse.ArgumentParser() - parser.add_argument('-d', '--aa-root-dir', action='store', - default=aaRoot, - help='Target different AppArmor root directory rather than default') - parser.add_argument('-p', '--profile', action='append', - help='Handle only specified profile') -# parser.add_argument('-s', '--severity', action='append', -# choices=allSeverities, -# help='Handle only specified severity event') - - args = parser.parse_args() - -# if not args.severity: -# args.severity = allSeverities - - return args - -def main(argv): - - args = handleArgs() - - messages = [] - - profile_dir = 
args.aa_root_dir - if not args.profile: - profiles = findAllProfileFilenames(profile_dir) - else: - profiles = set() - for p in args.profile: - absolutePath = pathlib.Path(p).resolve() - profiles.add(absolutePath) - - profile_data = {} - for path in sorted(profiles): - if not is_skippable_file(path): - readApparmorFile_Out = readApparmorFile(path) - profilesInFile = readApparmorFile_Out[1] - messages.extend(readApparmorFile_Out[0]) - profile_data.update(profilesInFile) - - for m in messages: - if m.get('suggestion'): - if m['suggestion'].endswith('\n'): - m['suggestion'] = m.get('suggestion').removesuffix('\n') - m['filename'] = str(m.get('filename')) - print(json.dumps(m, indent=2)) - - if messages: - sys.exit(1) - - return None - -if __name__ == '__main__': - - if not LIBAPPARMOR: - raise ImportError(f"""Can't find 'python3-apparmor' package! Install with: -$ sudo apt install python3-apparmor""") - - main(sys.argv) diff --git a/tests/requirements.sh b/tests/requirements.sh index 0801ff27d..c12f9249c 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -5,7 +5,7 @@ # Dependencies for the bats integration tests -set -eu -o pipefail +set -eu # shellcheck source=/dev/null _lsb_release() { @@ -16,16 +16,10 @@ DISTRIBUTION="$(_lsb_release)" case "$DISTRIBUTION" in arch) - sudo pacman -Syu --noconfirm \ - bats bats-support \ - pacman-contrib tlp flatpak networkmanager ;; debian | ubuntu | whonix) - sudo apt update -y - sudo apt install -y \ - bats bats-support \ - cpuid dfc systemd-boot systemd-userdbd systemd-homed systemd-container tlp \ - network-manager systemd-container flatpak util-linux-extra + sudo apt-get install -y \ + cpuid dfc systemd-userdbd systemd-homed tlp ;; opensuse*) ;; diff --git a/tests/sbin.list b/tests/sbin.list deleted file mode 100644 index 16073f0d2..000000000 --- a/tests/sbin.list +++ /dev/null 
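Review bot: The debian branch lost its `apt update -y`, so on a runner with stale or missing package lists `sudo apt-get install -y cpuid dfc systemd-userdbd systemd-homed tlp` fails unless something earlier refreshed them, and nothing in this diff shows such a step; either keep `sudo apt-get update -y` here or document that callers must run it first. The `arch)` arm is now empty, which is legal but reads like an accidental deletion; add a comment explaining why nothing is installed there, e.g. `# arch: nothing to install, the packer image already provides the test dependencies` if that is the case, or drop the arm.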
@@ -1,884 +0,0 @@ -a2enmod -a2query -aa-audit -aa-autodep -aa-cleanprof -aa-complain -aa-decode -aa-disable -aa-enforce -aa-genprof -aa-load -aa-logprof -aa-mergeprof -aa-notify -aa-remove-unknown -aa-status -aa-teardown -aa-unconfined -aa-update-browser -accessdb -acpi_genl -acpid -acpidump -add-shell -addgnupghome -addpart -adduser -agetty -alsa -alsa-info -alsa-info.sh -alsa-init -alsabat-test -alsactl -anacron -apache2 -apache2ctl -apparmor_parser -apparmor_status -applygnupgdefaults -aptd -argdist-bpfcc -arp -arpd -aspell-autobuildhash -atd -audisp-af_unix -audisp-filter -audisp-syslog -audit -auditctl -auditd -augenrules -aureport -ausearch -autodep -automount -autrace -avahi-daemon -avahi-dnsconfd -badblocks -bashreadline-bpfcc -bashreadline.bt -bcache-super-show -bindsnoop-bpfcc -biolatency-bpfcc -biolatency-kp.bt -biolatency.bt -biolatpcts-bpfcc -biopattern-bpfcc -biosdecode -biosnoop-bpfcc -biosnoop.bt -biostacks.bt -biotop-bpfcc -bitesize-bpfcc -bitesize.bt -blkdeactivate -blkdiscard -blkid -blkmapd -blkpr -blkzone -blockdev -blogctl -blogd -blogger -bpflist-bpfcc -bpftool -brctl -bridge -brltty-setup -btrfs -btrfs-convert -btrfs-find-root -btrfs-image -btrfsdist-bpfcc -btrfsslower-bpfcc -btrfstune -cachestat-bpfcc -cachetop-bpfcc -capable-bpfcc -capable.bt -capsh -cfdisk -cgdisk -chat -chcpu -check_forensic -check_mail_queue -check-bios-nx -checkproc -chgpasswd -chkstat-polkit -chmem -chpasswd -chronyd -chroot -cifs.idmap -cifs.upcall -cobjnew-bpfcc -coldreboot -compactsnoop-bpfcc -complain -config.postfix -cppw -cpudist-bpfcc -cpuunclaimed-bpfcc -cpuwalk.bt -cracklib-check -cracklib-format -cracklib-packer -cracklib-unpacker -cracklib-update -crda -create-cracklib-dict -criticalstat-bpfcc -cron -cryptdisks_start -cryptdisks_stop -cryptsetup -ctrlaltdel -cups-browsed -cups-genppd.5.3 -cups-genppdupdate -cupsaccept -cupsctl -cupsd -cupsfilter -dbslower-bpfcc -dbstat-bpfcc -dcb -dcsnoop-bpfcc -dcsnoop.bt -dcstat-bpfcc -ddns-confgen -deadlock-bpfcc 
-debugfs -decode -delpart -deluser -devlink -dhcpcd -dirtop-bpfcc -disable -dkms -dmevent_tool -dmeventd -dmfilemapd -dmidecode -dmraid -dmsetup -dnsmasq -dockerd -dosfsck -dosfslabel -dpkg-preconfigure -dpkg-reconfigure -drsnoop-bpfcc -dump.exfat -dump.f2fs -dumpe2fs -e2freefrag -e2fsck -e2image -e2label -e2mmpstatus -e2scrub -e2scrub_all -e2undo -e4crypt -e4defrag -eapol_test -ec_access -efibootdump -efibootmgr -enforce -ephemeral-disk-warning -escapesrc -ethtool -eventlogadm -execsnoop-bpfcc -execsnoop.bt -exfat2img -exfatlabel -exicyclog -exigrep -exim_checkaccess -exim_convert4r4 -exim_dbmbuild -exim_dumpdb -exim_fixdb -exim_id_update -exim_lock -exim_msgdate -exim_tidydb -exim4 -eximstats -exinext -exipick -exiqgrep -exiqsumm -exitsnoop-bpfcc -exiwhat -ext4dist-bpfcc -ext4slower-bpfcc -f2fsslower-bpfcc -faillock -fanatic -fancontrol -fanctl -fatlabel -fatresize -fbtest -fdformat -fdisk -filefrag -filegone-bpfcc -filelife-bpfcc -fileslower-bpfcc -filetop-bpfcc -findfs -firewalld -fixparts -flushb -fonts-config -fsadm -fsck -fsck. 
-fsck.btrfs -fsck.cramfs -fsck.exfat -fsck.ext2 -fsck.ext3 -fsck.ext4 -fsck.fat -fsck.minix -fsck.msdos -fsck.reiserfs -fsck.vfat -fsck.xfs -fsfreeze -fstab-decode -fstrim -funccount-bpfcc -funcinterval-bpfcc -funclatency-bpfcc -funcslower-bpfcc -g13-syshelp -gdisk -gdm -gdm3 -genccode -gencmn -genl -gennorm2 -genprof -gensprep -getcap -gethostlatency-bpfcc -gethostlatency.bt -getpcaps -getsysinfo -getweb -gnome-menus-blacklist -gpart -gparted -gpartedbin -gpm -groupadd -groupdel -groupmems -groupmod -grpck -grpconv -grpunconv -grub-install -grub-macbless -grub-mkconfig -grub-mkdevicemap -grub-probe -grub-reboot -grub-set-default -grub2-bios-setup -grub2-check-default -grub2-install -grub2-macbless -grub2-mkconfig -grub2-ofpathname -grub2-once -grub2-probe -grub2-reboot -grub2-set-default -grub2-sparc64-setup -grub2-switch-to-blscfg -hardirqs-bpfcc -haveged -hc-ifscan -hdparm -httxt2dbm -hv_fcopy_daemon -hv_get_dhcp_info -hv_get_dns_info -hv_kvp_daemon -hv_set_ifconfig -hv_vss_daemon -hwclock -hwinfo -iconvconfig -icupkg -ifconfig -ifrename -ifstat -import-openSUSE-build-key -inject-bpfcc -inputattach -install_acx100_firmware -install_intersil_firmware -install-sgmlcatalog -installkernel -integritysetup -invoke-rc.d -ip6tables-legacy-batch -ipmaddr -ipp-usb -ippevepcl -ippeveprinter -ippeveps -ipset -iptables-apply -iptables-legacy-batch -iptunnel -irqbalance -irqbalance-ui -isadump -isaset -iscsi_discovery -iscsi-iname -iscsiadm -iscsid -iscsistart -isosize -ispell-autobuildhash -isserial -issue-generator -iucode_tool -iw -iwconfig -iwevent -iwgetid -iwlist -iwpriv -iwspy -javacalls-bpfcc -javaflow-bpfcc -javagc-bpfcc -javaobjnew-bpfcc -javastat-bpfcc -javathreads-bpfcc -kbdrate -kbdsettings -kdump-config -kerneloops -kexec -kexec-bootloader -kexec-load-kernel -key.dns_resolver -killall5 -killproc -killsnoop-bpfcc -killsnoop.bt -klockstat-bpfcc -klogd -kpartx -kvm-ok -kvmexit-bpfcc -ldattach -ldconfig -ldconfig.real -libguestfs-make-fixed-appliance 
-libgvc6-config-update -libvirt-dbus -libvirtd -llcstat-bpfcc -lnstat -loads.bt -locale-gen -logprof -logrotate -logrotate-all -logsave -losetup -lpadmin -lpc -lpinfo -lpmove -lsvmbus -luksformat -lvm -lvm_import_vdo -lvmconfig -lvmdump -lvmpolld -lwepgen -lxc -lxd -make-bcache -make-ssl-cert -mariadbd -mcelog -mdadm -mdflush-bpfcc -mdflush.bt -mdmon -memleak-bpfcc -mii-tool -mk_isdnhwdb -mkdict -mkdosfs -mke2fs -mkfs -mkfs. -mkfs.bfs -mkfs.btrfs -mkfs.cramfs -mkfs.exfat -mkfs.ext2 -mkfs.ext3 -mkfs.ext4 -mkfs.f2fs -mkfs.fat -mkfs.minix -mkfs.xfs -mkhomedir_helper -mkill -mkinitramfs -mklost+found -mkntfs -mkpostfixcert -mkreiserfs -mksubvolume -mkswap -ModemManager -mount.cifs -mount.ddi -mount.fuse -mount.fuse3 -mount.lowntfs-3g -mount.nfs -mount.nfs4 -mount.ntfs -mount.ntfs-3g -mount.smb3 -mountsnoop-bpfcc -mountstats -mpathpersist -multipath -multipathc -multipathd -mysqld -mysqld_qslower-bpfcc -nameif -naptime.bt -needrestart -netqtop-bpfcc -NetworkManager -newusers -nfnl_osf -nfsconf -nfsdcld -nfsdist-bpfcc -nfsidmap -nfsiostat -nfsslower-bpfcc -nfsstat -nft -nginx -nmbd -nodegc-bpfcc -nodestat-bpfcc -nologin -notify -nss-mdns-config -nstat -ntfsclone -ntfscp -ntfslabel -ntfsresize -ntfsundelete -nvme -offcputime-bpfcc -offwaketime-bpfcc -on_ac_power -oomkill-bpfcc -oomkill.bt -openconnect -opensnoop-bpfcc -opensnoop.bt -openvpn -overlayroot-chroot -ownership -pam_extrausers_chkpwd -pam_extrausers_update -pam_getenv -pam_namespace_helper -pam_timestamp_check -pam-auth-update -pam-config -paperconfig -parted -partprobe -partx -pbl -pccardctl -pcscd -pdata_tools -perlcalls-bpfcc -perlflow-bpfcc -perlstat-bpfcc -pg_updatedicts -php-fpm8.3 -phpcalls-bpfcc -phpenmod -phpflow-bpfcc -phpquery -phpstat-bpfcc -pidpersec-bpfcc -pidpersec.bt -pivot_root -plipconfig -pluginviewer -plymouth-set-default-theme -plymouthd -postalias -postcat -postconf -postdrop -postfix -postkick -postlock -postlog -postmap -postmulti -postqueue -postsuper -posttls-finger -ppchcalls-bpfcc 
-pppd -pppdump -pppoe-discovery -pppstats -pptp -pptpsetup -profile-bpfcc -pwck -pwconv -pwhistory_helper -pwmconfig -pwunconv -pythoncalls-bpfcc -pythonflow-bpfcc -pythongc-bpfcc -pythonstat-bpfcc -qemu-ga -qmqp-source -qshape -rarp -rcfirewalld -rcopenvpn -rcpcscd -rcxdm -rcxvnc -rdma -rdmaucma-bpfcc -rdmsr -readahead-bpfcc -readprofile -realm -regdbdump -remove-default-ispell -remove-default-wordlist -remove-shell -request-key -reset-trace-bpfcc -resize2fs -resizepart -resolvconf -rfkill -rmt-tar -rndc -rndc-confgen -rngd -route -routel -rpc.gssd -rpc.idmapd -rpc.statd -rpc.svcgssd -rpcbind -rpcctl -rpcdebug -rpmconfigcheck -rsyncd -rsyslogd -rtacct -rtcwake -rtkitctl -rtmon -rubycalls-bpfcc -rubyflow-bpfcc -rubygc-bpfcc -rubyobjnew-bpfcc -rubystat-bpfcc -runc -runqlat-bpfcc -runqlat.bt -runqlen-bpfcc -runqlen.bt -runqslower-bpfcc -runuser -rvmtab -saned -sasldblistusers2 -saslpasswd2 -save_y2logs -schema2ldif -select-default-ispell -select-default-wordlist -sendmail -sensors-detect -service -set_polkit_default_privs -setcap -setuids.bt -setup-nsssysinit.sh -setvesablank -setvtrgb -sfdisk -sgdisk -shadowconfig -shim-install -shmsnoop-bpfcc -showconsole -showmount -skdump -sktest -slabratetop-bpfcc -slattach -sm-notify -smart_agetty -smartctl -smartd -smbd -smtp-sink -smtp-source -snapperd -snmpd -snmptrapd -sofdsnoop-bpfcc -softirqs-bpfcc -solisten-bpfcc -spice-vdagentd -split-logfile -ss -sshd -sshd-gen-keys-start -sshd.hmac -ssllatency.bt -sslsniff-bpfcc -sslsnoop.bt -sssd -stackcount-bpfcc -start-statd -start-stop-daemon -startproc -statsnoop-bpfcc -statsnoop.bt -status -sudo_logsrvd -sudo_sendlog -sulogin -swapin.bt -swaplabel -swapoff -swapon -switch_root -sync-available -syncsnoop-bpfcc -syncsnoop.bt -sysconf_addword -syscount-bpfcc -syscount.bt -sysctl -syslog2eximlog -sysusers2shadow -tarcat -tc -tclcalls-bpfcc -tclflow-bpfcc -tclobjnew-bpfcc -tclstat-bpfcc -tcpaccept-bpfcc -tcpaccept.bt -tcpcong-bpfcc -tcpconnect-bpfcc -tcpconnect.bt -tcpconnlat-bpfcc 
-tcpdrop-bpfcc -tcpdrop.bt -tcplife-bpfcc -tcplife.bt -tcpretrans-bpfcc -tcpretrans.bt -tcprtt-bpfcc -tcpstates-bpfcc -tcpsubnet-bpfcc -tcpsynbl-bpfcc -tcpsynbl.bt -tcptop-bpfcc -tcptracer-bpfcc -tcptraceroute.db -thermald -threadsnoop-bpfcc -threadsnoop.bt -tipc -tlp -tplist-bpfcc -trace-bpfcc -tsig-keygen -ttysnoop-bpfcc -tune.exfat -tune2fs -tuned -tuned-adm -tunelp -u-d-c-print-pci-ids -ucalls -uflow -ufw -ugc -umount.nfs -umount.nfs4 -umount.udisks2 -unbound -unconfined -undump.bt -unix_chkpwd -unix_update -unix2_chkpwd -uobjnew -update-ca-certificates -update-catalog -update-cracklib -update-default-ispell -update-default-wordlist -update-dictcommon-aspell -update-dictcommon-hunspell -update-exim4.conf -update-exim4.conf.template -update-fonts-alias -update-fonts-dir -update-fonts-scale -update-grub -update-grub-gfxpayload -update-gsfontmap -update-icon-caches -update-ieee-data -update-inetd -update-info-dir -update-initramfs -update-java-alternatives -update-language -update-locale -update-mime -update-passwd -update-pciids -update-rc.d -update-secureboot-policy -update-shells -update-smart-drivedb -update-texmf -update-texmf-config -update-tl-stacked-conffile -update-xmlcatalog -upgrade-from-grub-legacy -usb_modeswitch -usb_modeswitch_dispatcher -usbmuxd -useradd -userdel -usermod -ustat -uthreads -uuidd -validlocale -vconfig -vcstime -vdpa -veritysetup -vfscount-bpfcc -vfscount.bt -vfsstat-bpfcc -vfsstat.bt -vhangup -vipw -virt-what -virt-what-cvm -virtiostat-bpfcc -virtlockd -virtlogd -visudo -vmcore-dmesg -vncsession -vpddecode -vpnc -vpnc-disconnect -wakeuptime-bpfcc -wipefs -wiper.sh -wpa_action -wpa_cli -wpa_passphrase -wpa_supplicant -wqlat-bpfcc -writeback.bt -wrmsr -xfs_admin -xfs_bmap -xfs_copy -xfs_db -xfs_estimate -xfs_freeze -xfs_fsr -xfs_growfs -xfs_info -xfs_io -xfs_logprint -xfs_mdrestore -xfs_metadump -xfs_mkfile -xfs_ncheck -xfs_property -xfs_protofile -xfs_quota -xfs_repair -xfs_rtcp -xfs_scrub -xfs_scrub_all -xfs_spaceman -xfsdist-bpfcc 
-xfsdist.bt -xfsslower-bpfcc -xkbctrl -xtables-legacy-multi -xtables-nft-multi -yast2 -zdump -zerofree -zfsdist-bpfcc -zfsslower-bpfcc -zic -zramctl -zypp-refresh -zypper-log