# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Policy ABI this profile is written against (AppArmor 3.x rule syntax).
abi <abi/3.0>,

include <tunables/global>

# Path of the confined binary. The {usr/,} alternation matches both
# /usr/bin/pacman and /bin/pacman (merged- and split-/usr layouts).
@{exec_path} = /{usr/,}bin/pacman
# Profile for pacman, the Arch Linux package manager.
#
# Threat-model note for reviewers: a package manager installs arbitrary files
# as root, so this profile is necessarily broad (it writes /boot, /etc, /usr,
# /var, ...). What it still enforces is: which helper programs pacman and its
# scriptlets may exec, the child profile used for signature verification
# (gpg), and no write access to raw block devices or to users' home
# directories. The real trust boundary is package signature verification,
# not the file rules below.
profile pacman @{exec_path} {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/disks-read>
include <abstractions/nameservice-strict>
include <abstractions/openssl>
include <abstractions/ssl_certs>

# Capabilities for installing files as root: ownership/mode changes (chown,
# fowner, fsetid), bypassing DAC on other users' files (dac_override,
# dac_read_search), device nodes (mknod), file capabilities (setfcap),
# signalling helpers (kill), and uid/gid switching (setuid, setgid).
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability mknod,
# NOTE(review): net_admin and sys_chroot are not obviously needed by pacman
# itself; presumably required by one of the rix'd hook tools below, which
# inherit this profile. Confirm against audit logs before keeping them.
capability net_admin,
capability setfcap,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,

# network unix stream,
# network unix dgram,

# TCP/UDP for mirror downloads and name resolution. The netlink rule is not
# explained here; presumably needed by an inherited helper — confirm.
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
network netlink raw,

unix (receive) type=stream,

# Read-only ptrace; likely what the @{PROC}/@{pids}/* reads further down
# require on current kernels.
ptrace (read),

@{exec_path} mr,

# Signature verification runs in the local child profile "gpg" defined at
# the bottom of this profile (Cx), so gpg does not get pacman's write access.
/{usr/,}bin/gpg{,2} rCx -> gpg,
/{usr/,}bin/gpgconf rCx -> gpg,
/{usr/,}bin/gpgsm rCx -> gpg,

/{usr/,}bin/sync mrix,

# Pacman hooks & install scripts
#
# rix = run with this profile inherited. Every interpreter and tool below
# (sh, bash, perl, env, find, ...) therefore executes with pacman's full
# write access to /usr, /etc, /boot, etc. That is by design (scriptlets
# install files), but it means a scriptlet is confined no tighter than
# pacman itself; only the exec rules in this profile still limit what it
# may run.
/{usr/,}{s,}bin/ldconfig rix,
/{usr/,}bin/{,ba}sh rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chgrp rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/dot rix,
/{usr/,}bin/env rix,
/{usr/,}bin/filecap rix,
/{usr/,}bin/find rix,
/{usr/,}bin/gdbus rix,
/{usr/,}bin/getent rix,
/{usr/,}bin/gettext rix,
/{usr/,}bin/ghc-pkg-* rix,
/{usr/,}bin/grep rix,
/{usr/,}bin/head rix,
/{usr/,}bin/iscsi-iname rix,
/{usr/,}bin/killall rix,
/{usr/,}bin/ln rix,
/{usr/,}bin/perl rix,
/{usr/,}bin/pkill rix,
/{usr/,}bin/cp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/setcap rix,
/{usr/,}bin/touch rix,
/{usr/,}bin/tput rix,
/{usr/,}bin/vercmp rix,
/{usr/,}bin/xmlcatalog rix,
/{usr/,}lib/ghc-*/bin/ghc-pkg rix,
# rPx = transition to the target's own profile with a scrubbed environment.
# There is no U fallback, so exec is refused if no profile is loaded for the
# target; the wildcard systemd-* rules rely on each matched binary having a
# profile of its own.
/{usr/,}bin/appstreamcli rPx,
/{usr/,}bin/arch-audit rPx,
/{usr/,}bin/archlinux-java rPx,
/{usr/,}bin/bootctl rPx,
/{usr/,}bin/dconf rPx,
/{usr/,}bin/fc-cache{,-32} rPx,
/{usr/,}bin/gdk-pixbuf-query-loaders rPx,
/{usr/,}bin/glib-compile-schemas rPx,
/{usr/,}bin/groupadd rPx,
/{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
/{usr/,}bin/install-catalog rPx,
/{usr/,}bin/install-info rPx,
/{usr/,}bin/journalctl rPx,
/{usr/,}bin/locale-gen rPx,
/{usr/,}bin/mkinitcpio rPx,
/{usr/,}bin/pacdiff rPx,
/{usr/,}bin/pacman-key rPx,
/{usr/,}bin/sbctl rPx,
/{usr/,}bin/sysctl rPx,
/{usr/,}bin/systemctl rPx -> child-systemctl,
/{usr/,}bin/systemd-* rPx,
/{usr/,}bin/update-ca-trust rPx,
/{usr/,}bin/update-desktop-database rPx,
/{usr/,}bin/update-mime-database rPx,
/{usr/,}lib/systemd/systemd-* rPx,
/{usr/,}lib/vlc/vlc-cache-gen rPx,
# rPUx = own profile if one exists, otherwise run UNCONFINED. Since this
# profile can write anywhere under /usr, any installed package can drop a
# script here, making this the widest exec path in the profile. Prefer
# shipping a profile per hook script over relying on the fallback.
/usr/share/libalpm/scripts/* rPUx,

# Install/update packages
#
# Top-level entries of / get rw (needed to create top-level directories;
# note it also covers any file directly under /). The "l -> target" suffix
# restricts hard-link targets to the same tree, so e.g. /etc/** may not be
# linked into /usr/**. /etc/** includes /etc/apparmor.d/, i.e. pacman can
# replace this and every other profile — inherent to a package manager.
/ r,
/*{,/} rw,
/boot/** rwl -> /boot/**,
/etc/** rwl -> /etc/**,
/opt/** rwl -> /opt/**,
/srv/** rwl -> /srv/**,
/usr/** rwlk -> /usr/**,
/var/** rwlk -> /var/**,

@{PROC}/ r,
@{run}/ r,
@{sys}/{,**} r,
/mnt r,

# Read packages files
# Package archives and their detached .sig files from the user package
# directories (@{user_pkg_dirs} presumably comes from tunables/global).
@{user_pkg_dirs}/**/ r,
@{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,

# Local package database. "owner" limits these to files owned by the
# caller's uid; /var/** above already grants this without that restriction.
owner /var/lib/pacman/{,**} rwl,
# Scratch directories under /tmp; owner-only so other users' /tmp content
# is not reachable through the glob.
owner /tmp/alpm_*/{,**} rw,
owner /tmp/checkup-db-[0-9]*/sync/{,*.db*} rw,
owner /tmp/checkup-db-[0-9]*/db.lck rw,

@{PROC}/@{pids}/ r,
@{PROC}/@{pids}/cmdline r,
@{PROC}/@{pids}/stat r,
# NOTE(review): reads PID 1's environment; the consumer is not visible here.
# Confirm which helper needs it, as init's environment can hold secrets.
@{PROC}/1/environ r,
@{PROC}/sys/kernel/osrelease r,
@{PROC}/uptime r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/mounts r,

@{run}/utmp rk,

owner /dev/tty[0-9]* rw,

# Silencer: deny rules win over allow rules and are not logged, so these
# suppress directory-listing noise on /tmp and the caller's home without
# granting anything.
deny /tmp/ r,
deny @{HOME}/ r,

# Child profile for signature verification, entered via the rCx rules
# above. It is local to this file and deliberately gets none of pacman's
# file-write rules: only the pacman keyring is writable.
profile gpg {
include <abstractions/base>

capability dac_read_search,

/{usr/,}bin/gpg{,2} mr,
/{usr/,}bin/gpgconf mr,
/{usr/,}bin/gpgsm mr,

# Helpers inherit this child profile (rix), so the deny-network rules at
# the end apply to dirmngr as well.
/{usr/,}bin/dirmngr rix,
/{usr/,}bin/gpg-agent rix,
/{usr/,}bin/gpg-connect-agent rix,

# pacman's keyring (the --homedir used for verification).
/etc/pacman.d/gnupg/ rw,
/etc/pacman.d/gnupg/** rwkl,

# NOTE(review): read access to the invoking user's gpg *.conf. If HOME is an
# unprivileged user's home (e.g. under sudo), that user's config could
# influence a root-run gpg; confirm whether this rule is actually exercised
# before keeping it.
@{HOME}/@{XDG_GPG_DIR}/*.conf r,

# No TCP for gpg/dirmngr: keyserver lookups from inside a verification run
# are refused (quietly, as deny rules are not logged). Key imports are
# presumably expected to go through pacman-key instead (rPx above).
deny network inet stream,
deny network inet6 stream,
}

# Site-local additions; these may widen the policy above.
include if exists <usr/pacman.d>
include if exists <local/pacman>
}