feat(profile): general update.

roddhjav · Dec 13, 2023 · a1b86b5 · nobody43 · Jan 18, 2024 · roddhjav
1 parent ecb7f2e
commit a1b86b5
Show file tree

Hide file tree

Showing 31 changed files with 75 additions and 131 deletions.
diff --git a/apparmor.d/abstractions/apt-common b/apparmor.d/abstractions/apt-common
@@ -4,6 +4,9 @@
 
   abi <abi/3.0>,
 
+  /usr/share/dpkg/cputable r,
+  /usr/share/dpkg/tupletable r,
+
   /etc/apt/apt.conf r,
   /etc/apt/apt.conf.d/{,*} r,
 
@@ -20,9 +23,6 @@
   /var/cache/apt/pkgcache.bin r,
   /var/cache/apt/srcpkgcache.bin r,
 
-  /usr/share/dpkg/cputable r,
-  /usr/share/dpkg/tupletable r,
-
   /var/lib/dpkg/status r,
   /var/lib/ubuntu-advantage/apt-esm/{,**} r,
 

diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1
@@ -0,0 +1,10 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  dbus send bus=system path=/org/freedesktop/network1
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.freedesktop.network1, label=systemd-networkd),
+
+  include if exists <abstractions/bus/org.freedesktop.network1.d>
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
@@ -40,6 +40,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   include <abstractions/user-read>
   include <abstractions/vulkan>
 
+#   userns,
+
   capability sys_admin, # If kernel.unprivileged_userns_clone = 1
   capability sys_chroot, # If kernel.unprivileged_userns_clone = 1
   capability sys_ptrace,

diff --git a/apparmor.d/groups/freedesktop/dconf-editor b/apparmor.d/groups/freedesktop/dconf-editor
@@ -12,15 +12,10 @@ profile dconf-editor @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
+  include <abstractions/gnome-strict>
 
   @{exec_path} mr,
 
-  /usr/share/glib-2.0/schemas/{,*} r,
-  /usr/share/X11/xkb/{,**} r,
-
   # When GSETTINGS_BACKEND=keyfile
   owner @{user_config_dirs}/glib-2.0/ rw,
   owner @{user_config_dirs}/glib-2.0/settings/ rw,

diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
@@ -35,7 +35,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
        member=Introspect
        peer=(name=:*, label=gnome-shell),
 
-  @{exec_path} mr,
+  @{exec_path} mrix,
 
   @{bin}/pactl                   rix,
   @{bin}/pipewire-media-session  rPx,

diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
@@ -85,6 +85,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
   @{run}/lightdm/{,**} rw,
 
         /tmp/ r,
+        /tmp/server-[0-9].xkm rw,
   owner /tmp/.tX[0-9]-lock rwk,
   owner /tmp/.X[0-9]-lock rwkl -> /tmp/.tX[0-9]-lock,
   owner /tmp/server-* rwk,

diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify
@@ -36,10 +36,6 @@ profile evolution-alarm-notify @{exec_path} {
   /usr/share/evolution-data-server/{,**} r,
   /usr/share/{,zoneinfo-}icu/{,**} r,
 
-  # freedesktop.org-strict
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/*ubuntu/applications/ r,
-
   /etc/timezone r,
 
   include if exists <local/evolution-alarm-notify>

diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@@ -15,33 +15,21 @@ profile gnome-control-center-print-renderer @{exec_path} {
   include <abstractions/dconf-write>
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
-  include <abstractions/fonts>
-  include <abstractions/gtk>
+  include <abstractions/gnome-strict>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
   include <abstractions/opencl-nvidia>
   include <abstractions/vulkan>
-  include <abstractions/wayland>
 
   @{exec_path} mr,
 
   /usr/share/egl/{,**} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/icons/{,**} r,
   /usr/share/libdrm/*.ids r,
-  /usr/share/mime/mime.cache r,
   /usr/share/pixmaps/{,**} r,
-  /usr/share/X11/xkb/** r,
 
   /var/lib/flatpak/exports/share/icons/{,**} r,
   /var/lib/flatpak/exports/share/mime/mime.cache r,
 
-  /var/lib/snapd/desktop/icons/{,**} r,
-
-  owner @{user_share_dirs}/icons/{,**} r,
-
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
-
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/comm r,
 

diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
@@ -48,7 +48,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter/applications/*.desktop r,
-  /usr/share/gvfs/remote-volume-monitors/{,*} r,
   /usr/share/hwdata/*.ids r,
   /usr/share/ladspa/rdf/{,**} r,
   /usr/share/osinfo/{,**} r,

diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav
@@ -24,6 +24,7 @@ profile gvfsd-dav @{exec_path} {
   network netlink raw,
 
   @{exec_path} mr,
+
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/mime/mime.cache r,
 

diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network
@@ -13,6 +13,8 @@ profile gvfsd-network @{exec_path} {
   include <abstractions/bus-session>
   include <abstractions/dconf-write>
 
+  dbus bind bus=session name=org.gtk.vfs.mountpoint_@{int},
+
   dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
        interface=org.gtk.vfs.Spawner
        member=Spawned
@@ -38,9 +40,6 @@ profile gvfsd-network @{exec_path} {
        member=GetConnection
        peer=(name=:*, label=gnome-control-center),
 
-  dbus bind bus=session
-       name=org.gtk.vfs.mountpoint_[0-9]*,
-
   @{exec_path} mr,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,

diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl
@@ -11,6 +11,7 @@ include <tunables/global>
 profile networkctl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.network1>
 
   capability net_admin,
   capability sys_module,

diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
@@ -72,6 +72,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 
   / r,
   /boot/{,**} r,
+  /efi/{,**} r,
   /swap/swapfile r,
   /swapfile r,
 

diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk
@@ -14,13 +14,11 @@ profile check-new-release-gtk @{exec_path} {
   include <abstractions/bus-session>
   include <abstractions/bus/org.a11y>
   include <abstractions/dconf-write>
-  include <abstractions/fonts>
-  include <abstractions/gtk>
+  include <abstractions/gnome-strict>
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
   include <abstractions/python>
   include <abstractions/ssl_certs>
-  include <abstractions/wayland>
 
   network inet dgram,
   network inet6 dgram,
@@ -35,12 +33,8 @@ profile check-new-release-gtk @{exec_path} {
   @{bin}/lsb_release  rPx -> lsb_release,
 
   /usr/share/distro-info/{,**} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/icons/{,**} r,
-  /usr/share/themes/{,**} r,
   /usr/share/ubuntu-release-upgrader/{,**} r,
   /usr/share/update-manager/{,**} r,
-  /usr/share/X11/xkb/{,**} r,
   /usr/share/dconf/profile/gdm r,
 
   /etc/update-manager/{,**} r,

diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
@@ -59,6 +59,7 @@ profile cockpit-bridge @{exec_path} {
   @{sys}/class/hwmon/ r,
   @{sys}/devices/**/hwmon@{int}/ r,
   @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
+  @{sys}/fs/cgroup/ r,
   @{sys}/fs/cgroup/**/ r,
   @{sys}/fs/cgroup/**/cpu.{stat,weight} r,
   @{sys}/fs/cgroup/**/memory* r,

diff --git a/apparmor.d/groups/virt/cockpit-pcp b/apparmor.d/groups/virt/cockpit-pcp
@@ -27,16 +27,17 @@ profile cockpit-pcp @{exec_path} {
   /var/lib/pcp/{,**} rw,
 
   /var/log/pcp/pmlogger/ r,
+  /var/log/pcp/pmlogger/** r,
 
   @{sys}/fs/cgroup/{,**/} r,
   @{sys}/fs/cgroup/**/{memory,cpu}* r,
   @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r,
   @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r,
 
+        @{PROC}/@{pid}/net/dev r,
         @{PROC}/diskstats r,
         @{PROC}/swaps r,
   owner @{PROC}/@{pid}/mounts r,
-        @{PROC}/@{pid}/net/dev r,
 
   include if exists <local/cockpit-pcp>
 }
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd
@@ -32,9 +32,8 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   network inet6 stream,
   network netlink raw,
 
-  mount fstype=overlayfs -> /var/lib/docker/overlay2/*/merged/,
+  mount /var/lib/docker/overlay2/**/,
   mount options=(rw, bind) -> /run/docker/netns/*,
-  mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/,
   mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
   mount options=(rw, rprivate) -> /.pivot_root[0-9]*/,
   mount options=(rw, rslave) -> /,

diff --git a/apparmor.d/profiles-a-f/amixer b/apparmor.d/profiles-a-f/amixer
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -15,17 +16,18 @@ profile amixer @{exec_path} {
   @{exec_path} mr,
 
   /usr/share/pipewire/client.conf r,
+  /usr/share/pipewire/client-rt.conf r,
 
-  /var/lib/dbus/machine-id r,
   /etc/machine-id r,
+  /etc/pipewire/client-rt.conf.d/{,*} r,
+  /var/lib/dbus/machine-id r,
 
   owner @{HOME}/.Xauthority r,
 
   owner @{user_config_dirs}/pulse/ r,
 
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
-  # file_inherit
   owner /dev/tty@{int} rw,
 
   include if exists <local/amixer>

diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged
@@ -1,32 +1,31 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2009-2012 Steve Kostecke <[email protected]>;
-#               2011-2014 Jérémy Bobbio <[email protected]>;
-#               2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
+# Copyright (C) 2011-2014 Jérémy Bobbio <[email protected]>;
+# Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
+# Copyright (C) 2021-2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-3.0-only
 
-# Version of program profiled: 1.9.14
-
 abi <abi/3.0>,
+
 include <tunables/global>
 
 @{exec_path} = @{bin}/haveged
 profile haveged @{exec_path} {
   include <abstractions/base>
 
-  # Required for ioctl RNDADDENTROPY
   capability sys_admin,
 
-  owner @{PROC}/@{pid}/status r,
-
   @{exec_path} mr,
 
-  @{PROC}/sys/kernel/osrelease r,
-  @{PROC}/sys/kernel/random/poolsize r,
-  @{PROC}/sys/kernel/random/write_wakeup_threshold w,
-  /dev/random w,
-
   @{sys}/devices/system/cpu/cpu@{int}/cache/ r,
   @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r,
 
+        @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/sys/kernel/random/poolsize r,
+        @{PROC}/sys/kernel/random/write_wakeup_threshold w,
+  owner @{PROC}/@{pid}/status r,
+
+  /dev/random w,
+
   include if exists <local/haveged>
 }
diff --git a/apparmor.d/profiles-g-l/id b/apparmor.d/profiles-g-l/id
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,

diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -12,23 +13,20 @@ profile ifconfig @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
-  # To be able to manage network interfaces.
   capability net_admin,
-
-  # Needed?
-  audit deny capability sys_module,
+  capability sys_module,
 
   network inet dgram,
   network inet6 dgram,
 
   @{exec_path} mr,
 
-  @{PROC}/net/dev r,
-  @{PROC}/net/if_inet6 r,
+  /etc/networks r,
+
   @{PROC}/@{pid}/net/dev r,
   @{PROC}/@{pid}/net/if_inet6 r,
-
-  /etc/networks r,
+  @{PROC}/net/dev r,
+  @{PROC}/net/if_inet6 r,
 
   include if exists <local/ifconfig>
 }
diff --git a/apparmor.d/profiles-g-l/initd-kmod b/apparmor.d/profiles-g-l/initd-kmod
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -27,14 +28,14 @@ profile initd-kmod @{exec_path} {
   /etc/modules-load.d/*.conf r,
   /etc/modules r,
 
-
   profile run-parts {
     include <abstractions/base>
 
     @{bin}/run-parts mr,
 
     /etc/modules-load.d/ r,
 
+    include if exists <local/initd-kmod_run-parts>
   }
 
   profile systemctl {
@@ -54,6 +55,7 @@ profile initd-kmod @{exec_path} {
     owner @{run}/systemd/ask-password/ rw,
     owner @{run}/systemd/ask-password-block/* rw,
 
+    include if exists <local/initd-kmod_systemctl>
   }
 
   include if exists <local/initd-kmod>

diff --git a/apparmor.d/profiles-g-l/jitterentropy-rngd b/apparmor.d/profiles-g-l/jitterentropy-rngd
@@ -15,7 +15,10 @@ profile jitterentropy-rngd @{exec_path} {
   @{exec_path} mr,
 
   @{PROC}/sys/kernel/random/entropy_avail r,
+  @{PROC}/sys/kernel/random/poolsize r,
   @{PROC}/sys/kernel/random/write_wakeup_threshold r,
 
+  /dev/random w,
+
   include if exists <local/jitterentropy-rngd>
 }