From 0528144d0b134729318c45d1c132acd9c8fb04ac Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 28 Jan 2025 23:37:36 +0100
Subject: [PATCH] feat(profile): general update.
---
 apparmor.d/groups/apt/dpkg-preconfigure | 3 +++
 apparmor.d/groups/bus/dbus-accessibility | 1 +
 apparmor.d/groups/bus/dbus-session | 3 ++-
 apparmor.d/groups/freedesktop/polkitd | 2 +-
 apparmor.d/groups/gnome/gnome-shell | 8 +++-----
 apparmor.d/groups/gnome/session-migration | 4 +++-
 apparmor.d/groups/gnome/yelp | 1 +
 apparmor.d/groups/grub/grub-check-signatures | 4 +++-
 apparmor.d/groups/grub/grub-install | 12 ++++++++++--
 apparmor.d/groups/kde/dolphin | 4 ++++
 apparmor.d/groups/kde/kde-powerdevil | 1 +
 apparmor.d/groups/systemd/systemd-networkd | 7 ++++---
 apparmor.d/groups/systemd/systemd-udevd | 1 +
 apparmor.d/profiles-a-f/boltd | 3 ++-
 apparmor.d/profiles-a-f/frontend | 5 ++++-
 apparmor.d/profiles-g-l/libreoffice | 5 +++--
 apparmor.d/profiles-s-z/setpci | 1 +
 apparmor.d/profiles-s-z/snap | 10 ++++++++++
 apparmor.d/profiles-s-z/snapd | 9 ++++-----
 apparmor.d/profiles-s-z/syncthing | 8 ++++----
 20 files changed, 65 insertions(+), 27 deletions(-)
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 34163333b..94b7603fa 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -41,8 +41,11 @@ profile dpkg-preconfigure @{exec_path} {
 /etc/debconf.conf r,
 /etc/default/grub r,
 /etc/inputrc r,
+ /etc/locale.gen r,
 /etc/shadow r,
+ /var/lib/locales/supported.d/{,*} r,
+
 owner @{tmp}/*.template.* rw,
 owner @{tmp}/*.config.* rwPUx,
diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility
index 35a507559..e699d416d 100644
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@@ -76,6 +76,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/@{pid}/oom_score_adj r,
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index 014f7afd4..f87e71c81 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -74,8 +74,9 @@ profile dbus-session flags=(attach_disconnected) {
 @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/attr/apparmor/current r,
 owner @{PROC}/@{pid}/fd/ r,
- owner @{PROC}/@{pid}/oom_score_adj r,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/oom_score_adj r,
 /dev/ptmx rw,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 5e3d3ee78..9b3db683f 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{lib}/{,polkit-1/}polkitd
+@{exec_path} = @{lib}/polkitd @{lib}/polkit-1/polkitd
 profile polkitd @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 462733874..f8888f95b 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
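Review bot: The rewritten polkitd attachment line `@{exec_path} = @{lib}/polkitd @{lib}/polkit-1/polkitd` lists exactly the two paths the removed `@{lib}/{,polkit-1/}polkitd` expanded to, so the set of binaries the profile attaches to does not change, and neither the hunk nor the commit message says why the explicit form is now preferred. A one-line comment above the line would stop the next reader from re-deriving the equivalence, for example `# Both install locations listed explicitly; same attachment set as the former brace form.` If the explicit form is required by tooling that reads `@{exec_path}`, say so in that comment rather than leaving it implicit.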
@@ -83,15 +83,17 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 # Talk with gnome-shell
 #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+ #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
 #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
 #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
 #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
 #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
+ #aa:dbus talk bus=session name=org.gnome.* label=gnome-*
 #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console
- #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
 #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
 #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
+ #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus
 # System bus
@@ -163,10 +165,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 member=Introspect
 peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
- dbus send bus=session path=/org/gnome/*/SearchProvider
- interface=org.gnome.Shell.SearchProvider2
- peer=(name=@{busname}),
-
 @{exec_path} mr,
 @{bin}/unzip rix,
diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration
index d519dca6e..c2df97896 100644
--- a/apparmor.d/groups/gnome/session-migration
+++ b/apparmor.d/groups/gnome/session-migration
@@ -9,12 +9,14 @@ include
 @{exec_path} = @{bin}/session-migration
 profile session-migration @{exec_path} {
 include
+ include
 @{exec_path} mr,
 @{sh_path} rix,
+ @{python_path} rix,
 @{bin}/gsettings rPx,
- /usr/share/session-migration/scripts/*.sh rix,
+ /usr/share/session-migration/scripts/* rix,
 /usr/share/session-migration/{,**} r,
diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp
index f0dd3b46c..f172eac21 100644
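Review bot: The added `#aa:dbus talk bus=session name=org.gnome.* label=gnome-*` in the first gnome-shell hunk wildcards both the bus name and the peer label, which is a far wider grant than the one-service-one-label lines around it; the only entry it visibly replaces is the removed `org.gnome.SessionManager label=gnome-session-binary`, and the `org.gnome.ScreenSaver label=gjs-console` and new `org.gnome.Nautilus label=nautilus` lines still have to stay because their labels fall outside `gnome-*`. If the wildcard is intentional, a comment stating its scope would help reviewers of later additions, e.g. `# Any org.gnome.* name owned by a gnome-* labelled peer; the lines below cover peers outside that label set`. Separately, the Nautilus line is appended after `org.gtk.vfs` rather than in the sorted position before `org.gnome.ScreenSaver` that the rest of the list follows. The deletion of the `SearchProvider2` send rule in the second hunk is presumably covered by the same wildcard, but that dependency is not stated anywhere.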
--- a/apparmor.d/groups/gnome/yelp
+++ b/apparmor.d/groups/gnome/yelp
@@ -14,6 +14,7 @@ profile yelp @{exec_path} {
 network netlink raw,
+ #aa:dbus own bus=accessibility name=org.gnome.Yelp
 #aa:dbus own bus=session name=org.gnome.Yelp
 @{exec_path} mr,
diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures
index 1a1110091..d33b33265 100644
--- a/apparmor.d/groups/grub/grub-check-signatures
+++ b/apparmor.d/groups/grub/grub-check-signatures
@@ -22,7 +22,9 @@ profile grub-check-signatures @{exec_path} {
 /usr/share/debconf/confmodule r,
- owner @{tmp}/tmp.*/ rw,
+ owner @{tmp}/tmp.@{rand10}/ rw,
+
+ @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
 include if exists
 }
diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install
index 83e30cbf6..e52e96b8a 100644
--- a/apparmor.d/groups/grub/grub-install
+++ b/apparmor.d/groups/grub/grub-install
@@ -25,20 +25,28 @@ profile grub-install @{exec_path} flags=(complain) {
 @{bin}/udevadm rPx,
 /usr/share/grub/{,**} r,
+ /usr/share/locale-langpack/{,**} r,
 /etc/default/grub.d/{,**} r,
 /etc/default/grub r,
- /boot/efi/EFI/ubuntu/* w,
- /boot/efi/EFI/BOOT/{,**} rw,
+ /boot/efi/ r,
 /boot/EFI/*/grubx*.efi rw,
+ /boot/efi/EFI/ r,
+ /boot/efi/EFI/BOOT/{,**} rw,
+ /boot/efi/EFI/ubuntu/* w,
 /boot/grub/{,**} rw,
+ @{sys}/devices/**/hid r,
+ @{sys}/devices/**/path r,
+ @{sys}/devices/**/uid r,
+ @{sys}/firmware/efi/ r,
 @{sys}/firmware/efi/efivars/ r,
 @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
 @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r,
 @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
 @{sys}/firmware/efi/efivars/Timeout-@{uuid} r,
+ @{sys}/firmware/efi/fw_platform_size r,
 @{sys}/firmware/efi/w_platform_size r,
 @{PROC}/devices r,
diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin
index 8465da560..d01965bb0 100644
--- a/apparmor.d/groups/kde/dolphin
+++ b/apparmor.d/groups/kde/dolphin
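Review bot: In the grub-install hunk the new `@{sys}/firmware/efi/fw_platform_size r,` is placed directly above the pre-existing `@{sys}/firmware/efi/w_platform_size r,`, which looks like a misspelling of the same sysfs attribute (the kernel exposes `fw_platform_size`; I am not aware of a `w_platform_size`), so the old line should go rather than be kept next to the corrected one: `-  @{sys}/firmware/efi/w_platform_size r,`. The re-sorted `/boot/efi/...` lines still leave `/boot/EFI/*/grubx*.efi rw,` (capital `EFI` directly under `/boot`) in the group; that line is untouched context, but since the group is being reordered anyway it is worth confirming from logs whether that path is real or another typo for `/boot/efi/EFI/`. The profile carries `flags=(complain)`, so none of these rules are enforced yet and mistakes here will only show as audit noise.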
@@ -40,6 +40,7 @@ profile dolphin @{exec_path} {
 /usr/share/kservices{5,6}/{,**} r,
 /usr/share/kservicetypes5/{,**} r,
 /usr/share/misc/termcap r,
+ /usr/share/thumbnailers/{,**} r,
 /etc/fstab r,
 /etc/machine-id r,
@@ -71,6 +72,7 @@ profile dolphin @{exec_path} {
 owner @{user_share_dirs}/dolphin/ rw,
 owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int},
 owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk,
+ owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk,
 owner @{user_config_dirs}/#@{int} rw,
 owner @{user_config_dirs}/dolphinrc rwl -> @{user_config_dirs}/#@{int},
@@ -89,6 +91,8 @@ profile dolphin @{exec_path} {
 owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int},
+ owner @{tmp}/dolphin.@{rand6} rwl,
+
 @{run}/issue r,
 @{run}/mount/utab r,
 owner @{run}/user/@{uid}/#@{int} rw,
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
index d37b53ddd..c37ee870b 100644
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@@ -72,6 +72,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
 @{sys}/devices/platform/*/i2c-@{int}/name r,
 @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/mountinfo r,
 @{PROC}/@{pid}/mounts r,
 /dev/i2c-@{int} rwk,
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index 7b271c9de..0ca507140 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -68,9 +68,10 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/dmi/id/product_name r,
 @{sys}/devices/virtual/dmi/id/product_version r,
- @{PROC}/@{pid}/cgroup r,
- @{PROC}/pressure/* r,
- @{PROC}/sys/net/ipv{4,6}/** rw,
+ @{PROC}/@{pid}/cgroup r,
+ @{PROC}/pressure/* r,
+ @{PROC}/sys/net/ipv{4,6}/** rw,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
 include if exists
 }
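Review bot: The `owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk,` added in the second dolphin hunk duplicates the rule already visible as context in the third hunk, `owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int},`, but without the link target; as far as I can tell an `l` with no `->` restriction subsumes the targeted form and widens where the state file may be hard-linked, so the existing line becomes dead. Unless a link to a target other than `#@{int}` was actually observed, drop the new line and keep the targeted one. It is also filed under the `@{user_share_dirs}` group rather than with the other `@{user_state_dirs}` rule, which is what hid the duplication.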
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index f52a2fc6c..d71ccf1a1 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -95,6 +95,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 @{run}/systemd/notify rw,
 @{run}/systemd/seats/seat@{int} r,
+ @{att}/@{run}/systemd/notify w,
 @{att}/@{run}/udev/control rw,
 @{run}/udev/ rw,
diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd
index b70b72088..8f55bb375 100644
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/profiles-a-f/boltd
@@ -25,7 +25,8 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
 owner @{run}/boltd/{,**} rw,
- @{run}/systemd/notify rw,
+ @{att}/@{run}/systemd/notify w,
+ @{run}/udev/data/+thunderbolt:* r,
 @{sys}/bus/ r,
diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend
index ac8a6a5a8..3d7ee07f8 100644
--- a/apparmor.d/profiles-a-f/frontend
+++ b/apparmor.d/profiles-a-f/frontend
@@ -74,9 +74,12 @@ profile frontend @{exec_path} flags=(complain) {
 /etc/inputrc r,
 /etc/shadow r,
- owner @{tmp}/file* w,
 owner /var/cache/debconf/* rwk,
+ owner @{tmp}/file* w,
+ owner @{tmp}/tmp.@{rand10} rw,
+ owner @{tmp}/updateppds.@{rand6} rw,
+
 @{HOME}/.Xauthority r,
 @{run}/user/@{uid}/pk-debconf-socket rw,
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice
index 03dfe9749..ac3ee0c26 100644
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
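Review bot: The systemd-udevd hunk adds `@{att}/@{run}/systemd/notify w,` while keeping the unprefixed `@{run}/systemd/notify rw,` two lines above, whereas the boltd hunk in this same commit replaces its unprefixed `rw` rule with the `@{att}` form outright. If `@{att}` already covers the attached path, as its existing use on `@{att}/@{run}/udev/control rw,` directly below suggests, the old udevd line is now redundant and still grants `r` on the notify socket that boltd ends up without; either drop it for consistency or explain why udevd needs both, e.g. `# unprefixed rule kept: attached path still seen in logs — confirm`. Note this profile is `flags=(attach_disconnected,complain)`, so the difference is not enforced yet.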
@@ -49,11 +49,12 @@ profile libreoffice @{exec_path} {
 @{bin}/gpgconf rPx,
 @{bin}/gpgsm rPx,
+ @{lib}/jvm/java*/bin/java rix,
+ @{lib}/jvm/java*/lib/** rm,
 @{lib}/libreoffice/program/javaldx rix,
 @{lib}/libreoffice/program/oosplash rix,
 @{lib}/libreoffice/program/soffice.bin rix,
- @{lib}/jvm/java*/bin/java rix,
- @{lib}/jvm/java*/lib/** rm,
+ @{lib}/libreoffice/program/xpdfimport rix,
 @{lib}/libreoffice/{,**} rm,
 @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w,
diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci
index 72c9b8a93..019e89e23 100644
--- a/apparmor.d/profiles-s-z/setpci
+++ b/apparmor.d/profiles-s-z/setpci
@@ -16,6 +16,7 @@ profile setpci @{exec_path} flags=(complain) {
 @{sys}/bus/pci/devices/ r,
 @{sys}/devices/@{pci}/** r,
+ @{sys}/devices/@{pci}/config w,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index cdb01d14a..90b2ceef3 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -14,6 +14,7 @@ profile snap @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -24,6 +25,8 @@ profile snap @{exec_path} {
 network netlink raw,
+ ptrace read peer=snap.snap-store.snap-store,
+ unix (send, receive) type=stream peer=(label=apt),
 mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
@@ -32,6 +35,7 @@ profile snap @{exec_path} {
 #aa:dbus own bus=session name=io.snapcraft.SessionAgent
 #aa:dbus own bus=session name=io.snapcraft.Settings
+ #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store
 #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
 dbus send bus=session path=/org/freedesktop/portal/documents
@@ -39,6 +43,11 @@ profile snap @{exec_path} {
 member=GetMountPoint
 peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"),
+ dbus receive bus=session
+ interface=org.freedesktop.DBus.Introspectable
+ member=Introspect
+ peer=(name=@{busname}, label=gnome-shell),
+
 @{exec_path} mrix,
 @{bin}/mount rix,
@@ -83,6 +92,7 @@ profile snap @{exec_path} {
 @{PROC}/sys/kernel/random/uuid r,
 @{PROC}/sys/kernel/seccomp/actions_avail r,
 @{PROC}/version r,
+ owner @{PROC}/@{pid}/attr/apparmor/current r,
 owner @{PROC}/@{pid}/mounts r,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index 2788ed4a3..dc80b17a4 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -47,8 +47,8 @@ profile snapd @{exec_path} {
 umount /tmp/syscheck-mountpoint-@{int}/,
 umount /snap/*/*/,
- ptrace (read) peer=snap,
- ptrace (read) peer=@{p_systemd},
+ ptrace read peer=@{p_systemd},
+ ptrace read peer=snap{,.*},
 unix (bind) type=stream addr=@@{udbus}/bus/systemctl/,
@@ -155,16 +155,15 @@ profile snapd @{exec_path} {
 @{sys}/fs/cgroup/{,*/} r,
 @{sys}/fs/cgroup/cgroup.controllers r,
 @{sys}/fs/cgroup/system.slice/{,**/} r,
+ @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
 @{sys}/fs/cgroup/user.slice/ r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
 @{sys}/kernel/kexec_loaded r,
 @{sys}/kernel/security/apparmor/.notify r,
 @{sys}/kernel/security/apparmor/features/{,**} r,
 @{sys}/kernel/security/apparmor/profiles r,
- @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
-
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/@{pid}/mounts r,
 @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing
index f668f5a00..f69057cdc 100644
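Review bot: In the first snapd hunk, `ptrace read peer=snap{,.*},` widens the ptrace-read target from the single `snap` profile to every `snap.*` label, i.e. every confined snap application, which is a deliberately narrower scope than the single `ptrace read peer=snap.snap-store.snap-store,` that the `snap` profile receives in this same commit. That is probably what snapd needs to inspect the processes of installed snaps, but nothing in the hunk says so, and the `(read)` to `read` rewrite on the neighbouring line makes it easy to read the change as cosmetic. A short comment would make the scope explicit: `# snapd inspects processes of every installed snap (snap.<name>.<app>), not only the snap CLI`. The cgroup.procs move in the second hunk is a pure reorder and needs nothing.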
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/syncthing
 profile syncthing @{exec_path} {
 include
+ include
 include
 include
@@ -28,15 +29,14 @@ profile syncthing @{exec_path} {
 /etc/mime.types r,
- owner @{HOME}/ r,
- owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk,
- owner @{user_config_dirs}/syncthing/{,**} rwk,
- owner @{user_state_dirs}/syncthing/{,**} rwk,
+ @{HOME}/
+ @{HOME}/** rwk,
 /home/ r,
 @{user_sync_dirs}/{,**} rw,
 @{PROC}/@{pids}/net/route r,
+ @{PROC}/sys/kernel/osrelease r,
 @{PROC}/sys/net/core/somaxconn r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/mountinfo r,
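Review bot: The new `@{HOME}/` line in the second syncthing hunk carries neither a permission set nor a terminating comma, so unless something was lost in rendering the parser will join it with the following `@{HOME}/** rwk,` into one malformed rule and refuse the profile; presumably `@{HOME}/ r,` was meant. Beyond that, the four removed rules were all `owner`-scoped and confined to the syncthing config, state and data directories, while the replacement `@{HOME}/** rwk` grants read, write and lock on every file under the home directory regardless of owner, and `@{user_sync_dirs}/{,**} rw,` already exists in the context for the folders a user actually syncs. If a home-wide rule is really needed, keep the ownership check at minimum: `owner @{HOME}/ r,` and `owner @{HOME}/** rwk,`, and add a comment stating which use case the narrower rules failed to cover.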