From 209688fe865001ea2415119bc73c4efb55d8e151 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 27 Nov 2023 19:35:42 +0000 Subject: [PATCH] feat(profile): general update. --- apparmor.d/abstractions/bwrap-app | 1 + apparmor.d/abstractions/dbus-gtk | 2 ++ apparmor.d/groups/_full/systemd | 1 + apparmor.d/groups/gnome/gdm-xsession | 2 +- .../groups/gnome/gnome-control-center-goa-helper | 5 ++++- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/kde/xdm-xsession | 10 ++-------- apparmor.d/groups/ssh/sshd | 6 +++--- apparmor.d/groups/systemd/systemd-resolved | 15 +++++++-------- apparmor.d/groups/virt/libvirtd | 1 + apparmor.d/profiles-s-z/snap | 4 +++- apparmor.d/profiles-s-z/sudo | 9 +++++---- apparmor.d/profiles-s-z/transmission-gtk | 3 +++ apparmor.d/profiles-s-z/x11-xsession | 2 +- apparmor.d/profiles-s-z/xinit | 2 +- 16 files changed, 37 insertions(+), 30 deletions(-) diff --git a/apparmor.d/abstractions/bwrap-app b/apparmor.d/abstractions/bwrap-app index 68643758b..f2ceabe9b 100644 --- a/apparmor.d/abstractions/bwrap-app +++ b/apparmor.d/abstractions/bwrap-app @@ -109,6 +109,7 @@ /dev/hidraw@{int} rw, /dev/input/ r, + /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, diff --git a/apparmor.d/abstractions/dbus-gtk b/apparmor.d/abstractions/dbus-gtk index 817e4fc69..485e0729d 100644 --- a/apparmor.d/abstractions/dbus-gtk +++ b/apparmor.d/abstractions/dbus-gtk @@ -1,6 +1,8 @@ # apparmor.d - Full set of apparmor profiles # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus (send) bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMountableInfo diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 134b7c039..d3f55cf75 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd 
@@ -43,6 +43,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
capability dac_override,
capability dac_read_search,
capability fowner,
+ capability fsetid,
capability kill,
capability mknod,
capability perfmon,
diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession
index 121652353..0ff4b0660 100644
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@@ -40,7 +40,7 @@ profile gdm-xsession @{exec_path} {
@{bin}/dbus-update-activation-environment rCx -> dbus,
@{bin}/dpkg-query rpx,
- @{bin}/flatpak rPUx,
+ @{bin}/flatpak rPx,
@{bin}/gpgconf rPx,
@{bin}/gsettings rPx,
@{bin}/im-launch rPx,
diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
index 4e9d22867..d6f1c9eb2 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@@ -27,11 +27,13 @@ profile gnome-control-center-goa-helper @{exec_path} {
network inet6 stream,
network netlink raw,
+ signal (send) set=(kill) peer=bwrap,
+ @{exec_path} mr,
@{bin}/bwrap rPUx,
- @{lib}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
+ @{lib}/webkit2gtk-*/WebKitNetworkProcess rix,
/usr/share/glib-2.0/schemas/gschemas.compiled r,
/usr/share/themes/{,**} r,
@@ -43,6 +45,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl,
+ owner @{user_share_dirs}/gnome-control-center-goa-helper/{,**} rwk,
owner @{user_share_dirs}/webkitgtk/{,**} rw,
owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index 06ac23af1..951724424 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
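Review bot: `capability fsetid` is granted to PID 1 in the `@@ -43,6 +43,7 @@` hunk with no indication of what operation needed it; CAP_FSETID lets a process keep set-user-ID/set-group-ID bits on files it modifies and set the setgid bit on files whose group it does not belong to, which is a meaningful grant even for systemd. The neighbouring capability lines are equally bare, so this matches the file's style, but for a capability with this effect a short why-comment would spare the next reader a log hunt, e.g. `capability fsetid, # TODO: record the unit/operation (chmod/chown on managed files?) that triggered this`. The profile body continues outside the hunk.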
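Review bot: Dropping the `U` from `@{bin}/flatpak rPx` in the gdm-xsession hunk removes the unconfined fallback, so the session script now fails closed when no `flatpak` profile is loaded — the right direction for a login-time helper, but it turns a missing or renamed profile into an exec denial during session start instead of a silent unconfined run. Presumably a `flatpak` profile ships in this set, since the same change is made in sddm, sddm-xsession, xdm-xsession, x11-xsession and xinit; worth confirming, and a one-line note near the rule such as `# flatpak is rPx on purpose: never fall back to unconfined from a session script` would record the intent. The rest of the gdm-xsession profile is outside the hunk.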
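Review bot: The new `signal (send) set=(kill) peer=bwrap,` in the gnome-control-center-goa-helper hunk only matches when the child actually carries the `bwrap` label, yet the `@{bin}/bwrap rPUx,` line just below it falls back to unconfined when that profile is not loaded; in that configuration the child's label is `unconfined`, the kill is denied and the helper cannot tear down its own sandbox. Either make the exec fail closed with `@{bin}/bwrap rPx,` (consistent with the flatpak tightening elsewhere in this patch), or add a second rule `signal (send) set=(kill) peer=unconfined,` to cover the fallback. The widening of `@{lib}/webkit2gtk-*/WebKitNetworkProcess rix` to any version directory is fine as far as the hunk shows; `rix` keeps it under this profile.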
@@ -69,7 +69,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
@{bin}/Xorg rPx,
/etc/sddm/Xsession rPx,
- @{bin}/flatpak rPUx,
+ @{bin}/flatpak rPx,
@{bin}/sway rPUx,
@{bin}/xauth rCx -> xauth,
@{bin}/xsetroot rPx,
diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession
index 8365c16f1..2230a5761 100644
--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
@@ -36,7 +36,7 @@ profile sddm-xsession @{exec_path} {
@{bin}/zsh rix,
@{bin}/dbus-update-activation-environment rCx -> dbus,
- @{bin}/flatpak rPUx,
+ @{bin}/flatpak rPx,
@{bin}/numlockx rPx,
@{bin}/xhost rPx,
@{bin}/xrdb rPx,
diff --git a/apparmor.d/groups/kde/xdm-xsession b/apparmor.d/groups/kde/xdm-xsession
index 82872c72b..3a1155395 100644
--- a/apparmor.d/groups/kde/xdm-xsession
+++ b/apparmor.d/groups/kde/xdm-xsession
@@ -36,7 +36,7 @@ profile xdm-xsession @{exec_path} {
@{bin}/whoami rix,
@{bin}/dbus-update-activation-environment rCx -> dbus,
- @{bin}/flatpak rPUx,
+ @{bin}/flatpak rPx,
@{bin}/pidof rPx,
@{bin}/startplasma-x11 rPx,
@{bin}/systemctl rPx -> child-systemctl,
@@ -77,13 +77,7 @@ profile xdm-xsession @{exec_path} {
owner @{user_share_dirs}/sddm/xorg-session.log rw,
- owner @{run}/user/@{uid}/gnupg/ rw,
- owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r,
- owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw,
- owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw,
- owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw,
- owner @{run}/user/@{uid}/gnupg/sshcontrol r,
- @{run}/user/@{uid}/xauth_@{rand6} rl,
+ @{run}/user/@{uid}/xauth_@{rand6} rl,
owner /tmp/ssh-*/ rw,
owner /tmp/ssh-*/agent.* rw,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 071ad9147..8d3db19a4 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -54,10 +54,10 @@ profile sshd @{exec_path} flags=(attach_disconnected) { ptrace (read,trace) peer=@{systemd}, - dbus send bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession} - peer=(name=org.freedesktop.login[0-9]), + peer=(name=org.freedesktop.login1), @{exec_path} mrix, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 2cf7ecf28..f9f92b2db 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -29,22 +29,21 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + dbus bind bus=system name=org.freedesktop.resolve1, + + dbus receive bus=system path=/org/freedesktop/resolve1 + interface=org.freedesktop.{resolve1.Manager,DBus.Peer,DBus.Properties}, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,GetConnectionUnixUser} peer=(name=org.freedesktop.DBus), - dbus receive bus=system path=/org/freedesktop/resolve[0-9] - interface=org.freedesktop.{resolve[0-9].Manager,DBus.Peer,DBus.Properties}, - - dbus receive bus=system path=/org/freedesktop/login[0-9]* - interface=org.freedesktop.login[0-9]*.Manager + dbus receive bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager member={PrepareForSleep,PrepareForShutdown} peer=(name=:*, label=systemd-logind), - dbus bind bus=system - name=org.freedesktop.resolve[0-9], - @{exec_path} mr, /etc/systemd/resolved.conf r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 1b5564c02..4a72812c6 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd 
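Review bot: The rewritten `dbus receive bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.{resolve1.Manager,DBus.Peer,DBus.Properties},` in the systemd-resolved hunk carries no `member=` or `peer=` qualifier, so as far as AppArmor is concerned any bus client may call every `Manager` method, including the link-configuration ones; that is the usual shape for a system service, since authorization for those members is presumably done by polkit and the bus policy rather than by this profile, but the rule should say so: `# any client may reach Manager methods; privileged ones are gated by polkit/busconfig, not here`. Also worth checking in the logs: I believe resolved exports per-link objects under `/org/freedesktop/resolve1/link/*` as well, and the path-pinned rule (like the `resolve[0-9]` one it replaces) does not cover `Properties` reads on those. The `login1` narrowing and the `bind` line look right.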
@@ -137,6 +137,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} r, @{etc_rw}/libvirt/{,**} rw, + /etc/gnutls/config r, /etc/mdevctl.d/{,**} r, /etc/sasl2/qemu.conf r, /etc/xml/catalog r, diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 0cbb8e37b..0332b2e7b 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -50,7 +50,9 @@ profile snap @{exec_path} { @{bin}/systemctl rPx -> child-systemctl, /snap/{,**} rw, - # @{lib_dirs}/snap-confine rPx -> /usr/lib/snapd/snap-confine, + /snap/snapd/@{int}/usr/lib/snapd/snap-confine rPx, + @{lib}/snapd/snap-confine rPx, + @{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snapd rPx, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 72a985a2d..9a1faa04c 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2022 Mikhail Morfikov -# Copyright (C) 2022 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -8,6 +8,7 @@ abi , include @{exec_path} = @{bin}/sudo +#@{bin}/su profile sudo @{exec_path} { include include @@ -40,10 +41,10 @@ profile sudo @{exec_path} { signal (send) set=(cont,hup) peer=su, signal (send) set=(winch), - dbus send bus=system path=/org/freedesktop/login[0-9] - interface=org.freedesktop.login[0-9].Manager + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.logi1.Manager member=CreateSession - peer=(name=org.freedesktop.login[0-9]), + peer=(name=org.freedesktop.login1), dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/profiles-s-z/transmission-gtk b/apparmor.d/profiles-s-z/transmission-gtk index 0da33cf66..e28ce51d9 100644 --- a/apparmor.d/profiles-s-z/transmission-gtk 
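Review bot: The two new `snap-confine` transitions in the snap hunk use `rPx` with no fallback, which is correct for a setuid-root helper, but it means `snap` cannot launch anything if no profile is attached to `/snap/snapd/@{int}/usr/lib/snapd/snap-confine` or `@{lib}/snapd/snap-confine`; those profiles presumably come from the snapd package rather than this repository, so the dependency deserves a comment above the rules: `# snap-confine is setuid root: only transition to the profile snapd ships for it, never to unconfined`. As a style point, the second new line uses `@{lib}` while the `snap-seccomp` and `snapd` lines directly beneath use `@{lib_dirs}`; if `@{lib_dirs}` is the convention for snapd paths in this profile, the new line should follow it. The surrounding `/snap/{,**} rw,` context is unchanged by this commit.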
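Review bot: The added `#@{bin}/su` directly under `@{exec_path} = @{bin}/sudo` in the sudo `@@ -8,6 +8,7 @@` hunk is a commented-out path with no explanation, and it reads as a half-finished attempt to attach this profile to `su` as well; attaching sudo's rule set to `su` would be a meaningful widening and should be either a real decision or a recorded non-decision. Drop the line, or replace it with a comment that states intent, e.g. `# NOTE: su keeps its own profile on purpose; do not add it to @{exec_path}` if that is the case.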
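Review bot: The new interface name in the sudo `@@ -40,10 +41,10 @@` hunk reads `interface=org.freedesktop.logi1.Manager`, which is a typo for `org.freedesktop.login1.Manager`; as written the `dbus send` rule never matches, so the `CreateSession` call to logind it is meant to allow is denied wherever D-Bus mediation is enforced, whereas the `login[0-9]` pattern it replaces did match. Change the line to `interface=org.freedesktop.login1.Manager,`. The `path=` and `peer=` lines of the same rule were narrowed correctly, which makes the mismatch easy to miss.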
+++ b/apparmor.d/profiles-s-z/transmission-gtk
@@ -33,6 +33,9 @@ profile transmission-gtk @{exec_path} {
@{exec_path} mr,
+ @{bin}/xdg-open rPx -> child-open,
+ @{lib}/gio-launch-desktop rPx -> child-open,
+ /usr/share/X11/xkb/{,**} r,
owner @{user_torrents_dirs}/ r,
diff --git a/apparmor.d/profiles-s-z/x11-xsession b/apparmor.d/profiles-s-z/x11-xsession
index ee78404a8..c5defcf30 100644
--- a/apparmor.d/profiles-s-z/x11-xsession
+++ b/apparmor.d/profiles-s-z/x11-xsession
@@ -36,7 +36,7 @@ profile x11-xsession @{exec_path} {
@{bin}/run-parts rCx -> run-parts,
@{bin}/udevadm rCx -> udevadm,
- @{bin}/flatpak rPUx,
+ @{bin}/flatpak rPx,
@{bin}/xrdb rPx,
@{bin}/numlockx rPx,
@{bin}/xhost rPx,
diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit
index 283553289..f5440805e 100644
--- a/apparmor.d/profiles-s-z/xinit
+++ b/apparmor.d/profiles-s-z/xinit
@@ -44,7 +44,7 @@ profile xinit @{exec_path} {
@{bin}/run-parts rCx -> run-parts,
@{bin}/udevadm rCx -> udevadm,
- @{bin}/flatpak rPUx,
+ @{bin}/flatpak rPx,
@{bin}/glxinfo rPx,
@{bin}/numlockx rPx,
@{bin}/X rPx,