feat(profiles): general update.

roddhjav · Nov 22, 2023 · 31bc5a6 · 31bc5a6
1 parent a49d839
commit 31bc5a6
Show file tree

Hide file tree

Showing 16 changed files with 53 additions and 100 deletions.
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
@@ -29,6 +29,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   capability sys_tty_config,
 
   signal (receive) set=term peer=gdm,
+  signal (receive) set=hup peer=@{systemd},
   signal (send) set=hup peer=at-spi*,
   signal (send) set=hup peer=dbus-daemon,
   signal (send) set=hup peer=dbus-run-session,

diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
@@ -34,6 +34,7 @@ profile gnome-software @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/baobab              rPUx,
   @{bin}/bwrap               rPUx,
   @{bin}/fusermount{,3}      rCx -> fusermount,
   @{bin}/gpg{,2}             rCx -> gpg,

diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames
@@ -27,7 +27,8 @@ profile mutter-x11-frames @{exec_path} {
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter-dconf-defaults r,
 
-  /var/lib/gdm/.config/dconf/user r,
+  /var/lib/gdm{3,}/.config/dconf/user r,
+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
 
   owner @{PROC}/@{pid}/cmdline r,
 

diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
@@ -104,6 +104,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   @{run}/blkid/blkid.tab r,
   @{run}/mount/utab r,
 
+        @{PROC}/@{pid}/cmdline r,
         @{PROC}/sys/fs/fanotify/max_user_marks r,
         @{PROC}/sys/fs/inotify/max_user_watches r,
   owner @{PROC}/@{pid}/mountinfo r,

diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
@@ -25,6 +25,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
 
   mount -> /,
 
+  ptrace (read),
+
   @{exec_path} mr,
 
   @{lib}/** r,

diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
@@ -27,6 +27,8 @@ profile systemd-journald @{exec_path} {
 
   network netlink raw,
 
+  ptrace (read),
+
   @{exec_path} mr,
 
   /etc/systemd/journald.conf r,

diff --git a/apparmor.d/groups/systemd/systemd-portabled b/apparmor.d/groups/systemd/systemd-portabled
@@ -13,16 +13,9 @@ profile systemd-portabled @{exec_path} {
 
   capability sys_ptrace,
 
-  ptrace (read) peer=unconfined,
-
   @{exec_path} mr,
 
   /var/lib/portables/{,**} rw,
 
-  @{PROC}/1/environ r,
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/osrelease r,
-  @{PROC}/sys/kernel/random/boot_id r,
-
   include if exists <local/systemd-portabled>
 }
diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@@ -14,6 +14,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
 
   audit capability net_admin,
 
+  signal (receive) set=(term cont) peer=default,
   signal (receive) set=(term cont) peer=logrotate,
 
   @{exec_path} mr,

diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism
@@ -1,17 +1,17 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2021-20223 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{lib}/blueman-mechanism
-@{exec_path} += @{lib}/blueman/blueman-mechanism
+@{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism
 profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/python>
   include <abstractions/nameservice-strict>
+  include <abstractions/python>
 
   capability mknod,
   capability net_admin,

diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/borg
 profile borg @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
   include <abstractions/python>
 
   capability dac_read_search,
@@ -20,6 +21,11 @@ profile borg @{exec_path} {
   network inet6 dgram,
   network netlink raw,
 
+  mount fstype=fuse -> @{MOUNTS}/,
+  mount fstype=fuse -> @{MOUNTS}/*/,
+  umount @{MOUNTS}/,
+  umount @{MOUNTS}/*/,
+
   @{exec_path} r,
 
   @{bin}/ r,
@@ -30,23 +36,23 @@ profile borg @{exec_path} {
   @{bin}/ldconfig               rix,
   @{bin}/uname                  rix,
 
-  @{bin}/pass                   rPUx,
-  @{bin}/ssh                    rPx,
   @{bin}/ccache                 rCx -> ccache,
   @{bin}/fusermount{,3}         rCx -> fusermount,
+  @{bin}/pass                   rPx,
+  @{bin}/ssh                    rPx,
 
-  mount fstype=fuse -> @{MOUNTS}/,
-  mount fstype=fuse -> @{MOUNTS}/*/,
-  umount @{MOUNTS}/,
-  umount @{MOUNTS}/*/,
-
-  /dev/fuse rw,
-
-  owner @{PROC}/@{pid}/fd/ r,
-        @{PROC}/sys/kernel/random/boot_id r,
+  # Dirs that can be backed up
+  /            r,
+  /etc/{,**}   r,
+  /home/{,**}  r,
+  @{MOUNTS}/{,**} r,
+  /root/{,**}  r,
+  /srv/{,**}   r,
+  /var/{,**}   r,
 
-  @{run}/systemd/userdb/ r,
-  @{run}/resolvconf/resolv.conf r,
+  # The backup dirs
+  owner @{MOUNTS}/ r,
+  owner @{MOUNTS}/** rwkl -> @{MOUNTS}/**,
 
   owner @{user_cache_dirs}/ rw,
   owner @{user_cache_dirs}/borg/ rw,
@@ -57,36 +63,19 @@ profile borg @{exec_path} {
 
   # If /tmp/ isn't accessible, then /var/tmp/ is used.
   owner /tmp/* rw,
-  owner /tmp/tmp*/ rw,
-  owner /tmp/tmp*/idx rw,
-  owner /tmp/tmp*/file rw,
   owner /tmp/borg-cache-*/ rw,
   owner /tmp/borg-cache-*/* rw,
+  owner /tmp/tmp*/ rw,
+  owner /tmp/tmp*/file rw,
+  owner /tmp/tmp*/idx rw,
   owner /var/tmp/* rw,
   owner /var/tmp/tmp*/ rw,
-  owner /var/tmp/tmp*/idx rw,
   owner /var/tmp/tmp*/file rw,
+  owner /var/tmp/tmp*/idx rw,
 
-  # Dirs that can be backed up
-  /            r,
-  /etc/{,**}   r,
-  /home/{,**}  r,
-  @{MOUNTS}/{,**} r,
-  /root/{,**}  r,
-  /srv/{,**}   r,
-  /var/{,**}   r,
-
-  # The backup dirs
-  owner @{MOUNTS}/ r,
-  owner @{MOUNTS}/** rwkl -> @{MOUNTS}/**,
-
-  # borg serve on server's side
-  owner /home/borg/*/ rw,
-  owner /home/borg/*/{,**} rw,
-
-  # For exporting the key
-  owner /**/key w,
+  owner @{PROC}/@{pid}/fd/ r,
 
+  /dev/fuse rw,
 
   profile ccache {
     include <abstractions/base>
@@ -97,29 +86,31 @@ profile borg @{exec_path} {
     @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
     @{bin}/{,@{multiarch}-}g++-[0-9]* rix,
 
-    /media/ccache/*/** rw,
-
     /etc/debian_version r,
 
+    @{MOUNTS}/** rw,
+
+    include if exists <local/borg_ccache>
   }
 
   profile fusermount {
     include <abstractions/base>
     include <abstractions/nameservice-strict>
 
-    # To mount anything:
     capability sys_admin,
 
+    umount @{MOUNTS}/,
+    umount @{MOUNTS}/*/,
+
     @{bin}/fusermount{,3} mr,
 
     /etc/fuse.conf r,
 
-    umount @{MOUNTS}/,
-    umount @{MOUNTS}/*/,
-
     @{PROC}/@{pids}/mounts r,
 
     /dev/fuse rw,
+
+    include if exists <local/borg_fusermount>
   }
 
   include if exists <usr/borg.d>

diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism
@@ -16,6 +16,9 @@ profile cups-pk-helper-mechanism @{exec_path} {
   capability dac_read_search,
   capability sys_nice,
 
+  network inet stream,
+  network inet6 stream,
+
   dbus receive bus=system path=/
        interface=org.opensuse.CupsPkHelper.Mechanism,
 

diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /usr/share/language-tools/language-{options,validate}
-profile language-validate @{exec_path} {
+profile language-validate @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   capability setgid,

diff --git a/apparmor.d/profiles-m-r/netcap b/apparmor.d/profiles-m-r/netcap
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -13,9 +14,6 @@ profile netcap @{exec_path} {
   include <abstractions/nameservice-strict>
 
   capability sys_ptrace,
-
-  # To get access to all of the @{PROC}/@{pids}/fd/ dirs, which sometimes can be owned by other
-  # users than root, for instance systemd-timesync.
   capability dac_read_search,
 
   ptrace (read),

diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl
@@ -20,7 +20,7 @@ profile pactl @{exec_path} {
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
 
-  /var/lib/gdm/.config/pulse/cookie rk,
+  /var/lib/gdm{3,}/.config/pulse/cookie rk,
 
   owner @{HOME}/.Xauthority r,
 

diff --git a/apparmor.d/profiles-m-r/redshift b/apparmor.d/profiles-m-r/redshift
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
@@ -20,6 +20,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   capability dac_read_search,
   capability fowner,
   capability fsetid,
+  capability net_admin,
   capability setgid,
   capability setuid,
   capability sys_admin,