From f1118cd3b0879ca4b9438a544378b39870e9e034 Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Mon, 18 Nov 2024 23:14:39 +0000 Subject: [PATCH 01/76] Create profile_check.py --- tests/profile_check.py | 463 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 463 insertions(+) create mode 100644 tests/profile_check.py diff --git a/tests/profile_check.py b/tests/profile_check.py new file mode 100644 index 000000000..5cc39d6b9 --- /dev/null +++ b/tests/profile_check.py 
@@ -0,0 +1,463 @@ +#!/usr/bin/env python3 +# SPDX-License-Identifier: GPL-2.0-only + +# KNOWN ISSUES: +# No guards for file type - expects AppArmor +# Diffirent suggestions for single line are mutually exclusive +# Suggestion could point to changed profile name, based on other suggestion + +import sys +import argparse +import pathlib +import shlex +import json +from copy import deepcopy + +def sanitizeProfileName(name): + + if name.startswith('/') or name.startswith('@{'): + name = pathlib.Path(name).stem + + if ' ' in name: + name = re.sub(r'\s+', '-', name) + + return name + +def makeLocalIdentity(nestingStacker_): + + newStacker = [] + for i in nestingStacker_: + i = sanitizeProfileName(i) + newStacker.append(i) + + identity = '_'.join(newStacker) # separate each (sub)profile identity with underscores + + return identity + +def getCurrentProfile(stacker): + + if stacker: + profile = stacker[-1] + else: + profile = None + + return profile + +def handleFileMessages(l, file, profile, lineNum): + + wholeFileAccessProfiles = ( +# '', + ) + suggestOwner = ( # TODO: switch to AARE + r'^@{HOME}', + r'^/home/\w+/', + r'^/run/user/\d+/', + r'^/tmp/', + r'^/var/tmp/', + r'^/dev/shm/', + ) + + lG = l.groupdict() + reason_ = None + if lG.get('path'): + if lG.get('path').startswith('/**') and profile not in wholeFileAccessProfiles: + severity_ = 'ERROR' + reason_ = 'Whole filesystem access is too broad' + suggestion_ = None + + for r in suggestOwner: + if re.match(r, lG.get('path')) and not lG.get('owner'): + indentRe = re.match(r'^\s+', l.group()) + if indentRe: + indent = indentRe.group() + else: + indent = '' + + severity_ = 'NOTICE' + reason_ = "'owner' is likely required" + suggestion_ = indent + 'owner ' + l.group().lstrip() + break + + elif lG.get('bare_file') and profile not in wholeFileAccessProfiles: + severity_ = 'ERROR' + reason_ = 'Whole filesystem access is too broad' + suggestion_ = None + + if reason_: # something matched + msg = ({'filename': file, + 
'profile': profile, + 'severity': severity_, + 'line': lineNum, + 'reason': reason_, + 'suggestion': suggestion_}) + else: + msg = None + + return msg + +def readApparmorFile(fullpath): + '''AA file could contain multiple AA profiles''' + headers = ( + '# AppArmor.d - Full set of apparmor profiles', + '# Copyright (C) ', + '# SPDX-License-Identifier: GPL-2.0-only', + ) + + file_data = {} + fileVars = {} + nestingStacker = [] + duplicateProfilesCounter = [] + localExists = {} + localExists_eol = {} + messages = [] + exceptionMsg = None + line = None + gotAbi = False + gotHeaders = {} + gotAttach = False + isAfterProfileStart = False + try: + with open(fullpath, 'r') as f: + for n,line in enumerate(f, start=1): + if isAfterProfileStart: + isAfterProfileStart = False + expectedIndent = len(nestingStacker) * ' ' + indentRe = re.match(r'^\s+', line) + if indentRe: + indent = indentRe.group() + else: + indent = '' + + if indent != expectedIndent: + spacesCount = len(nestingStacker) * 2 + nesingCount = len(nestingStacker) + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': f"Expected {spacesCount} spaces for {nesingCount} nesting", + 'suggestion': f"{expectedIndent}{line}"}) + + if line.endswith(' \n'): + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "Redundant trailing whitespace", + 'suggestion': line.rstrip()}) + + if '\t' in line: + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "Tabs are not allowed", + 'suggestion': line.replace('\t', '')}) + + if len(gotHeaders) < 3 and not nestingStacker: + for nH,i in enumerate(headers): + if line.startswith(i): + gotHeaders[nH] = True + + if RE_ABI.search(line): + gotAbi = line + + elif RE_PROFILE_START.search(line) or RE_PROFILE_HAT_DEF.search(line): + 
isAfterProfileStart = True + m = parse_profile_start_line(line, fullpath) + if m.get('profile'): + nestingStacker.append(m.get('profile')) # set early + + if m.get('attachment') != '@{exec_path}' and not gotAttach: # can be only singular + gotAttach = True + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "'@{exec_path}' must be defined as main path attachment", + 'suggestion': None}) + + profileMsg = {'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "A short named profile must be defined", + 'suggestion': None} + if m.get('plainprofile'): + messages.append(profileMsg) + elif m.get('namedprofile'): + if m.get('namedprofile').startswith('/'): + messages.append(profileMsg) + + if m.get('flags'): + m['flags'] = set(shlex.split(m.pop('flags').replace(',', ''))) + if 'complain' in m['flags']: + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'WARNING', + 'line': n, + 'reason': "'complain' flag must be defined in 'dists/flags'", + 'suggestion': None}) + else: + m['flags'] = set() + + if m.get('profile'): + duplicateProfilesCounter.append(m.get('profile')) + profileIdentity = '//'.join(nestingStacker) + file_data[profileIdentity] = m + + elif RE_PROFILE_VARIABLE.search(line): + lineV = RE_PROFILE_VARIABLE.search(line).groups() + + name = strip_quotes(lineV[0]) + operation = lineV[1] + val = separate_vars(lineV[2]) + if fileVars.get(name): + fileVars[name].update(set(val)) + if operation == '=': + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'DEGRADED', + 'line': n, + 'reason': "Tunable must be appended with '+='", + 'suggestion': None}) + else: + fileVars[name] = set(val) + if operation == '+=': + messages.append({'filename': fullpath, + 'profile': getCurrentProfile(nestingStacker), + 'severity': 'DEGRADED', 
+ 'line': n, + 'reason': "Tunable must be defined with '='", + 'suggestion': None}) + + elif RE_INCLUDE.search(line): + if nestingStacker: + profileIdentity = '//'.join(nestingStacker) + localIdentity = makeLocalIdentity(nestingStacker) + localValue = f'include if exists ' # commented out will also match + if localValue in line: + localExists[profileIdentity] = localValue + + # Handle file entries + elif RE_PROFILE_FILE_ENTRY.search(line): + lineF = RE_PROFILE_FILE_ENTRY.search(line) + fileMsg = handleFileMessages(lineF, fullpath, getCurrentProfile(nestingStacker), n) + if fileMsg: + messages.append(fileMsg) + + elif RE_PROFILE_END.search(line): + if getCurrentProfile(nestingStacker): + if not nestingStacker: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'DEGRADED', + 'line': n, + 'reason': "Unbalanced parenthesis?", # not fully covered + 'suggestion': None}) + else: + profileIdentity = '//'.join(nestingStacker) + localExists_eol[profileIdentity] = n + del nestingStacker[-1] # remove last + + except PermissionError: + exceptionMsg = 'Unable to read the file (PermissionError)' + + except UnicodeDecodeError: + exceptionMsg = 'Unable to read the file (UnicodeDecodeError)' + + except FileNotFoundError: + exceptionMsg = 'No such file or directory (FileNotFoundError)' + + if exceptionMsg: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'NOTICE', + 'line': None, + 'reason': exceptionMsg, + 'suggestion': None}) + + # Ensure proper header is present + if len(gotHeaders) < 3: + combinedHeader = '\n'.join(headers) + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': 1, + 'reason': 'No proper header', + 'suggestion': combinedHeader}) + + # Ensure ABI is present + changeAbi = False + abi = 'abi ,' + if gotAbi: + if gotAbi.strip() != abi: + changeAbi = True + else: + changeAbi = True + + if changeAbi: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', 
+ 'line': None, + 'reason': 'ABI is required', + 'suggestion': abi}) + + # Ensure trailing vim syntax + if line: + trailingSyntax = '# vim:syntax=apparmor' + if line != trailingSyntax: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': None, + 'reason': 'No trailing syntax hint', + 'suggestion': trailingSyntax}) + + # Assign variables to profile attachments as paths and assign filenames + for p,d in deepcopy(file_data).items(): + file_data[p]['filename'] = fullpath + attachment = d.get('attachment') + if attachment: + if attachment.startswith('@{'): + if fileVars.get(attachment): + file_data[p]['attach_paths'] = fileVars[attachment] # incoming set + else: + messages.append({'filename': fullpath, + 'profile': p, + 'severity': 'ERROR', + 'line': None, + 'reason': f"Unknown global variable as profile attachment: {attachment}", + 'suggestion': None}) + + else: + if isinstance(file_data[p].get('attachment'), set): + raise ValueError("Expecting 'str' or 'None', not 'set'") + file_data[p]['attach_paths'] = {file_data[p]['attachment']} + + # Check if profile block does not have corresponding 'local' include + for p,d in file_data.items(): + if not localExists.get(p): # not found previously + if '//' in p: + identity = p.split('//') + else: + identity = [p] + + localIdentity = makeLocalIdentity(identity) + filename = file_data[p]['filename'] + messages.append({'filename': filename, + 'profile': p, + 'severity': 'WARNING', + 'line': localExists_eol.get(p), # None? Unbalanced parenthesis? 
+ 'reason': "The (sub)profile block does not have expected 'local' include", + 'suggestion': f'include if exists '}) + + # Track multiple definitions inside single file + for profile in duplicateProfilesCounter: + counter = duplicateProfilesCounter.count(profile) + if counter >= 2: + messages.append({'filename': fullpath, + 'profile': profile, + 'severity': 'DEGRADED', + 'line': None, + 'reason': "Profile has been defined {counter} times in the same file", + 'suggestion': None}) + + return (messages, file_data) + +def findAllProfileFilenames(profile_dir): + + profiles = set() + for path in pathlib.Path(profile_dir).iterdir(): + if path.is_file() and not is_skippable_file(path): + profiles.add(path.resolve()) + + # Not default, dig deeper + if not profiles: + nestedDirs = ( + 'groups', + 'profiles-a-f', + 'profiles-g-l', + 'profiles-m-r', + 'profiles-s-z', + ) + for d in nestedDirs: + dirpath = pathlib.Path(pathlib.Path(profile_dir).resolve(), pathlib.Path(d)) + for p in dirpath.rglob("*"): + if p.is_file(): + profiles.add(p) + + return profiles + +def handleArgs(): + """DEGRADED are purposed for fatal errors - when the profile set will fail to load entirely""" + + allSeverities = ['DEBUG', 'NOTICE', 'WARNING', 'ERROR', 'CRITICAL', 'DEGRADED'] + aaRoot = '/etc/apparmor.d' + + parser = argparse.ArgumentParser() + parser.add_argument('-d', '--aa-root-dir', action='store', + default=aaRoot, + help='Target different AppArmor root directory rather than default') + parser.add_argument('-p', '--profile', action='append', + help='Handle only specified profile') +# parser.add_argument('-s', '--severity', action='append', +# choices=allSeverities, +# help='Handle only specified severity event') + + args = parser.parse_args() + +# if not args.severity: +# args.severity = allSeverities + + return args + +def main(argv): + + args = handleArgs() + + messages = [] + + profile_dir = args.aa_root_dir + if not args.profile: + profiles = findAllProfileFilenames(profile_dir) + else: + 
profiles = set() + for p in args.profile: + absolutePath = pathlib.Path(p).resolve() + profiles.add(absolutePath) + + profile_data = {} + for path in sorted(profiles): + readApparmorFile_Out = readApparmorFile(path) + profilesInFile = readApparmorFile_Out[1] + messages.extend(readApparmorFile_Out[0]) + profile_data.update(profilesInFile) + + for m in messages: + m['filename'] = str(m.get('filename')) + print(json.dumps(m, indent=2)) + + if messages: + sys.exit(1) + + return None + +if __name__ == '__main__': + '''Safeguard errors does NOT cover loosening existing profiles after loading!''' + try: + from apparmor.regex import * + from apparmor.aa import is_skippable_file + from apparmor.rule.file import FileRule, FileRuleset + from apparmor.common import convert_regexp + try: + from apparmor.rule.variable import separate_vars + except ModuleNotFoundError: + from apparmor.aa import separate_vars + + except ModuleNotFoundError: + raise ModuleNotFoundError(f"""Can't find 'python3-apparmor' package! Install with: +$ sudo apt install python3-apparmor""") + + main(sys.argv) From 46c5381cd01253d58a74a508292da20d51d92cfa Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Mon, 18 Nov 2024 23:31:22 +0000 Subject: [PATCH 02/76] Update profile_check.py --- tests/profile_check.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/profile_check.py b/tests/profile_check.py index 5cc39d6b9..00f98ec02 100644 --- a/tests/profile_check.py +++ b/tests/profile_check.py @@ -445,7 +445,7 @@ def main(argv): return None if __name__ == '__main__': - '''Safeguard errors does NOT cover loosening existing profiles after loading!''' + try: from apparmor.regex import * from apparmor.aa import is_skippable_file From 59d79804785f65896938ec49643fb9c34a4a3820 Mon Sep 17 00:00:00 2001 
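Review bot: `sanitizeProfileName` and `handleFileMessages` call `re.sub` and `re.match`, but the import block at the top of the new file (`sys`, `argparse`, `pathlib`, `shlex`, `json`, `deepcopy`) never imports `re`; it only resolves because `from apparmor.regex import *` in the `__main__` guard happens to re-export the module, so the functions break as soon as they are imported from anywhere else. Add `import re` to the stdlib imports. The duplicate-definition message `"Profile has been defined {counter} times in the same file"` is not an f-string, so the literal text `{counter}` is printed; it needs the `f` prefix. The `'local'` include check only tests `localValue in line`, so a commented-out `# include if exists` line satisfies it, as the inline comment admits; testing `line.strip().startswith('include')` first would close that gap.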
From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Tue, 19 Nov 2024 18:49:49 +0000 Subject: [PATCH 03/76] polishing --- tests/profile_check.py | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/tests/profile_check.py b/tests/profile_check.py index 00f98ec02..ed4316280 100644 --- a/tests/profile_check.py +++ b/tests/profile_check.py @@ -49,9 +49,11 @@ def handleFileMessages(l, file, profile, lineNum): # '', ) suggestOwner = ( # TODO: switch to AARE - r'^@{HOME}', + r'^@{HOME}/', r'^/home/\w+/', + r'^@{run}/user/@{uid}/', r'^/run/user/\d+/', + r'^@{tmp}/', r'^/tmp/', r'^/var/tmp/', r'^/dev/shm/', @@ -60,7 +62,7 @@ def handleFileMessages(l, file, profile, lineNum): lG = l.groupdict() reason_ = None if lG.get('path'): - if lG.get('path').startswith('/**') and profile not in wholeFileAccessProfiles: + if lG.get('path').startswith('/**') and profile not in wholeFileAccessProfiles: # false positives severity_ = 'ERROR' reason_ = 'Whole filesystem access is too broad' suggestion_ = None @@ -84,12 +86,12 @@ def handleFileMessages(l, file, profile, lineNum): suggestion_ = None if reason_: # something matched - msg = ({'filename': file, - 'profile': profile, - 'severity': severity_, - 'line': lineNum, - 'reason': reason_, - 'suggestion': suggestion_}) + msg = {'filename': file, + 'profile': profile, + 'severity': severity_, + 'line': lineNum, + 'reason': reason_, + 'suggestion': suggestion_} else: msg = None @@ -98,7 +100,7 @@ def handleFileMessages(l, file, profile, lineNum): def readApparmorFile(fullpath): '''AA file could contain multiple AA profiles''' headers = ( - '# AppArmor.d - Full set of apparmor profiles', + '# apparmor.d - Full set of apparmor profiles', '# Copyright (C) ', '# SPDX-License-Identifier: GPL-2.0-only', ) 
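Review bot: `r'^/home/\w+/'` in `suggestOwner` only matches usernames built from `[A-Za-z0-9_]`, so an ownerless rule under `/home/first.last/` or `/home/svc-backup/` is never flagged as needing `owner`; `r'^/home/[^/]+/'` covers those without widening past the home directory itself. The TODO already plans a switch to AARE matching, which would make this moot, but the pattern is misleading until then. `handleFileMessages` continues past the end of this hunk.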
@@ -129,14 +131,14 @@ def readApparmorFile(fullpath): indent = '' if indent != expectedIndent: - spacesCount = len(nestingStacker) * 2 - nesingCount = len(nestingStacker) + spacesCount = len(nestingStacker) * 2 + nestingCount = len(nestingStacker) messages.append({'filename': fullpath, 'profile': getCurrentProfile(nestingStacker), 'severity': 'WARNING', 'line': n, - 'reason': f"Expected {spacesCount} spaces for {nesingCount} nesting", - 'suggestion': f"{expectedIndent}{line}"}) + 'reason': f"Expected {spacesCount} spaces for {nestingCount} nesting", + 'suggestion': f"{expectedIndent}{line.lstrip()}"}) if line.endswith(' \n'): messages.append({'filename': fullpath, @@ -152,7 +154,7 @@ def readApparmorFile(fullpath): 'severity': 'WARNING', 'line': n, 'reason': "Tabs are not allowed", - 'suggestion': line.replace('\t', '')}) + 'suggestion': line.replace('\t', ' ')}) if len(gotHeaders) < 3 and not nestingStacker: for nH,i in enumerate(headers): From c9b1dde54243e9bced493810f82507aa74fa3dd0 Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Fri, 22 Nov 2024 19:57:13 +0000 Subject: [PATCH 04/76] Update profile_check.py --- tests/profile_check.py | 36 ++++++++++++++++++++++-------------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/tests/profile_check.py b/tests/profile_check.py index ed4316280..c793543e3 100644 --- a/tests/profile_check.py +++ b/tests/profile_check.py @@ -13,6 +13,21 @@ import json from copy import deepcopy +try: + from apparmor.regex import * + from apparmor.aa import is_skippable_file + from apparmor.rule.file import FileRule, FileRuleset + from apparmor.common import convert_regexp + try: + from apparmor.rule.variable import separate_vars + except ImportError: + from apparmor.aa import separate_vars + + LIBAPPARMOR = True + +except ImportError: + LIBAPPARMOR = False + def sanitizeProfileName(name): if name.startswith('/') or name.startswith('@{'): 
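Review bot: The tab suggestion `line.replace('\t', ' ')` turns each tab into a single space, while the indentation check just above this hunk derives `spacesCount = len(nestingStacker) * 2`, so a line fixed as suggested will be reported again as mis-indented on the next run; use `line.replace('\t', '  ')` (two spaces) or `line.expandtabs(2)` so the two suggestions agree. The enclosing `readApparmorFile` loop starts before this hunk.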
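Review bot: The module-level `except ImportError: LIBAPPARMOR = False` discards the exception, and the `__main__` guard later reports "Can't find 'python3-apparmor'" for any ImportError, including one raised inside `apparmor.regex` or `apparmor.aa` when the package is installed but too old to provide the names imported here. Keep the original error so the operator sees the real cause: `except ImportError as exc:` / `LIBAPPARMOR = False` / `LIBAPPARMOR_ERROR = exc`, and in the guard `raise ImportError(...) from LIBAPPARMOR_ERROR`. Note that moving `from apparmor.regex import *` to module scope is also what silently supplies `re` to the rest of the file; an explicit `import re` would remove that dependency.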
@@ -118,6 +133,7 @@ def readApparmorFile(fullpath): gotHeaders = {} gotAttach = False isAfterProfileStart = False + lastLineNum = None try: with open(fullpath, 'r') as f: for n,line in enumerate(f, start=1): @@ -262,6 +278,8 @@ def readApparmorFile(fullpath): localExists_eol[profileIdentity] = n del nestingStacker[-1] # remove last + lastLineNum = n + except PermissionError: exceptionMsg = 'Unable to read the file (PermissionError)' @@ -308,12 +326,12 @@ def readApparmorFile(fullpath): # Ensure trailing vim syntax if line: - trailingSyntax = '# vim:syntax=apparmor' + trailingSyntax = '# vim:syntax=apparmor\n' if line != trailingSyntax: messages.append({'filename': fullpath, 'profile': None, 'severity': 'WARNING', - 'line': None, + 'line': lastLineNum, 'reason': 'No trailing syntax hint', 'suggestion': trailingSyntax}) @@ -448,18 +466,8 @@ def main(argv): if __name__ == '__main__': - try: - from apparmor.regex import * - from apparmor.aa import is_skippable_file - from apparmor.rule.file import FileRule, FileRuleset - from apparmor.common import convert_regexp - try: - from apparmor.rule.variable import separate_vars - except ModuleNotFoundError: - from apparmor.aa import separate_vars - - except ModuleNotFoundError: - raise ModuleNotFoundError(f"""Can't find 'python3-apparmor' package! Install with: + if not LIBAPPARMOR: + raise ImportError(f"""Can't find 'python3-apparmor' package! Install with: $ sudo apt install python3-apparmor""") main(sys.argv) From 93085ece96499c43e695f398de2bf3b987422249 Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Sat, 23 Nov 2024 18:35:53 +0000 Subject: [PATCH 05/76] Update profile_check.py --- tests/profile_check.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/profile_check.py b/tests/profile_check.py index c793543e3..90f5b56b2 100644 --- a/tests/profile_check.py +++ b/tests/profile_check.py 
@@ -456,6 +456,9 @@ def main(argv): profile_data.update(profilesInFile) for m in messages: + if m.get('suggestion'): + if m['suggestion'].endswith('\n'): + m['suggestion'] = m.get('suggestion').removesuffix('\n') m['filename'] = str(m.get('filename')) print(json.dumps(m, indent=2)) From f75fa9a3a6707053f90ab53f67367cc0adef6da7 Mon Sep 17 00:00:00 2001 From: nobody43 <15267739+nobody43@users.noreply.github.com> Date: Sat, 23 Nov 2024 19:54:17 +0000 Subject: [PATCH 06/76] fix exec_path bug, ignore skipable files --- tests/profile_check.py | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/tests/profile_check.py b/tests/profile_check.py index 90f5b56b2..9b61e6367 100644 --- a/tests/profile_check.py +++ b/tests/profile_check.py @@ -186,14 +186,8 @@ def readApparmorFile(fullpath): if m.get('profile'): nestingStacker.append(m.get('profile')) # set early - if m.get('attachment') != '@{exec_path}' and not gotAttach: # can be only singular + if m.get('attachment') == '@{exec_path}' and not gotAttach: # can be only singular gotAttach = True - messages.append({'filename': fullpath, - 'profile': getCurrentProfile(nestingStacker), - 'severity': 'WARNING', - 'line': n, - 'reason': "'@{exec_path}' must be defined as main path attachment", - 'suggestion': None}) profileMsg = {'filename': fullpath, 'profile': getCurrentProfile(nestingStacker), @@ -324,6 +318,15 @@ def readApparmorFile(fullpath): 'reason': 'ABI is required', 'suggestion': abi}) + # Ensure singular '@{exec_path}' + if not gotAttach: + messages.append({'filename': fullpath, + 'profile': None, + 'severity': 'WARNING', + 'line': None, + 'reason': "'@{exec_path}' must be defined as main path attachment", + 'suggestion': None}) + # Ensure trailing vim syntax if line: trailingSyntax = '# vim:syntax=apparmor\n' 
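Review bot: The `gotAttach` flag only records that at least one profile used `@{exec_path}` as its attachment; the comment `# can be only singular` is not enforced, because a second profile in the same file attached to `@{exec_path}` leaves `gotAttach` True and produces no message. If the rule is exactly one such attachment per file, count them (`attachCount += 1` in the profile-start branch) and emit the warning when the count is not 1, which would also let the message carry the offending line instead of `'line': None`. The profile-start branch and the message block both continue outside this hunk.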
@@ -450,10 +453,11 @@ def main(argv): profile_data = {} for path in sorted(profiles): - readApparmorFile_Out = readApparmorFile(path) - profilesInFile = readApparmorFile_Out[1] - messages.extend(readApparmorFile_Out[0]) - profile_data.update(profilesInFile) + if not is_skippable_file(path): + readApparmorFile_Out = readApparmorFile(path) + profilesInFile = readApparmorFile_Out[1] + messages.extend(readApparmorFile_Out[0]) + profile_data.update(profilesInFile) for m in messages: if m.get('suggestion'): From 784fe5fdad68f9bcd2c40b111abaa7fca49a6b0c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Nov 2024 22:18:39 +0000 Subject: [PATCH 07/76] feat(profile): small profile update. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/groups/freedesktop/xdg-document-portal | 1 + apparmor.d/groups/gnome/loupe | 6 +++++- apparmor.d/profiles-a-f/cctk | 1 + apparmor.d/profiles-g-l/libreoffice | 1 + apparmor.d/profiles-s-z/scrcpy | 1 - 6 files changed, 9 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 0bae4e0d2..666387d0a 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -186,6 +186,7 @@ @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/statm r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/pressure/{memory,cpu,io} r, @{PROC}/sys/fs/inotify/max_user_watches r, @@ -201,7 +202,6 @@ owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/setgroups w, - owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 75ec9517c..3c60c1cf6 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal 
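Review bot: Replacing `owner @{PROC}/@{pid}/statm r` with the ownerless `@{PROC}/@{pid}/statm r` lets every process confined through this abstraction read the memory statistics of any process on the system, not only its own, and the commit message ("small profile update") gives no reason for the widening. If a non-owner read was actually observed (for example from a child running under a different uid), record that next to the rule, e.g. `@{PROC}/@{pid}/statm r, # read for non-owned child processes`; otherwise keep the `owner` qualifier. Because this lives in the shared chromium abstraction, the change applies to every browser profile that includes it.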
@@ -41,6 +41,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPUx, @{bin}/fusermount{,3} rCx -> fusermount, + / r, owner @{att}/ r, owner @{att}/.flatpak-info r, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index fb7bef34a..10853ea8f 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -30,6 +30,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { / r, + owner @{user_cache_dirs}/glycin/{,**} rw, + @{run}/mount/utab r, @{sys}/fs/cgroup/user.slice/cpu.max r, @@ -51,7 +53,9 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal (receive) set=(kill) peer=loupe, @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-image-rs rix, + @{lib}/glycin-loaders/*/glycin-* rix, + + owner @{PROC}/@{pid}/fd/ r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk index 40c5199b3..af7436f39 100644 --- a/apparmor.d/profiles-a-f/cctk +++ b/apparmor.d/profiles-a-f/cctk @@ -11,6 +11,7 @@ profile cctk @{exec_path} { include include + capability dac_read_search, capability mknod, capability sys_admin, capability sys_rawio, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 6e1a2d07a..63634d788 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -84,6 +84,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/ r, owner @{tmp}/.java_pid@{int}{,.tmp} rw, + owner @{tmp}/@{hex} rw, owner @{tmp}/@{rand6} rwk, owner @{tmp}/@{u64} rw, owner @{tmp}/*.tmp/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy index 3d33e8a3e..83af575dd 100644 --- a/apparmor.d/profiles-s-z/scrcpy +++ b/apparmor.d/profiles-s-z/scrcpy @@ -25,7 +25,6 @@ profile scrcpy @{exec_path} { @{bin}/adb rPx, /usr/share/scrcpy/{,*} r, - /usr/share/icons/{,**} r, /etc/machine-id r, 
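Review bot: `capability dac_read_search` lets cctk bypass file read and directory search permission checks across the whole filesystem; together with the existing `sys_admin`, `sys_rawio` and `mknod` this profile now offers very little confinement for reads, and nothing in the hunk records which denial motivated it. Add a comment naming the path from the audit record that triggered it, e.g. `capability dac_read_search, # TODO: note the path that requires this`, so the rule can be narrowed or justified later. The profile body continues outside the hunk.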
From c6064a774ca2e40074743daab2600447b82b7a8f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Oct 2024 13:16:03 +0100 Subject: [PATCH 08/76] tests(integration): add more tests. --- tests/bats/chsh.bats | 28 +++++++++++++++++++++++ tests/bats/lsusb.bats | 28 +++++++++++++++++++++++ tests/bats/useradd.bats | 49 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 105 insertions(+) create mode 100644 tests/bats/chsh.bats create mode 100644 tests/bats/lsusb.bats create mode 100644 tests/bats/useradd.bats
diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats
new file mode 100644
index 000000000..42cfa1151
--- /dev/null
+++ b/tests/bats/chsh.bats
@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+setup_file() {
+ aa_setup
+}
+
+# bats test_tags=chsh
+@test "chsh: [l]ist available shells" {
+ chsh --list-shells
+ aa_check
+}
+
+# bats test_tags=chsh
+@test "chsh: Set a specific login [s]hell for the current user" {
+ chsh --shell /usr/bin/bash
+ aa_check
+}
+
+# bats test_tags=chsh
+@test "chsh: Set a login [s]hell for a specific user" {
+ sudo chsh --shell /usr/bin/sh root
+ aa_check
+}
diff --git a/tests/bats/lsusb.bats b/tests/bats/lsusb.bats
new file mode 100644
index 000000000..530841a20
--- /dev/null
+++ b/tests/bats/lsusb.bats
@@ -0,0 +1,28 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+setup_file() {
+ aa_setup
+}
+
+# bats test_tags=lsusb
+@test "lsusb: List all the USB devices available" {
+ lsusb
+ aa_check
+}
+
+# bats test_tags=lsusb
+@test "lsusb: List the USB hierarchy as a tree" {
+ lsusb -t
+ aa_check
+}
+
+# bats test_tags=lsusb
+@test "lsusb: List verbose information about USB devices" {
+ lsusb --verbose
+ aa_check
+}
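Review bot: The second and third tests change login shells permanently — `chsh --shell /usr/bin/bash` rewrites the current user's passwd entry and `sudo chsh --shell /usr/bin/sh root` rewrites root's — and nothing restores them, so a run leaves the test host with a different root shell. Record the previous shells in `setup_file` (e.g. `ORIG_ROOT_SHELL=$(getent passwd root | cut -d: -f7)`) and put them back in a `teardown_file`, or run these cases against a throwaway account created for the purpose. `aa_setup` and `aa_check` come from `common`, which is not part of this patch.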
diff --git a/tests/bats/useradd.bats b/tests/bats/useradd.bats
new file mode 100644
index 000000000..833e01606
--- /dev/null
+++ b/tests/bats/useradd.bats
@@ -0,0 +1,49 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+setup_file() {
+ aa_setup
+}
+
+# bats test_tags=useradd
+@test "useradd: Create a new user with the specified shell" {
+ sudo useradd --shell /bin/bash --create-home user2
+ aa_check
+}
+
+# bats test_tags=useradd
+@test "useradd: Create a new user with the specified user ID" {
+ sudo useradd --uid 3000 user3
+ aa_check
+}
+
+# bats test_tags=useradd
+@test "useradd: Create a new user belonging to additional groups (mind the lack of whitespace)" {
+ sudo useradd --groups adm user4
+ aa_check
+}
+
+
+# bats test_tags=useradd
+@test "useradd: Create a new system user without the home directory" {
+ sudo useradd --system sys2
+ aa_check
+}
+
+# bats test_tags=userdel
+@test "userdel: Remove a user" {
+ sudo userdel user3
+ sudo userdel user4
+ sudo userdel sys2
+ aa_check
+}
+
+# bats test_tags=userdel
+@test "userdel: Remove a user along with the home directory and mail spool" {
+ sudo userdel --remove user2
+ aa_check
+}
From d40b11218570cc3723eaafb024d5923b65b37c89 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Oct 2024 13:38:42 +0100 Subject: [PATCH 09/76] fix(test): minor fixes. --- apparmor.d/profiles-a-f/chsh | 11 +++-------- apparmor.d/profiles-s-z/useradd | 4 ++-- tests/bats/chsh.bats | 2 +- tests/bats/lsusb.bats | 6 +++--- 4 files changed, 9 insertions(+), 14 deletions(-)
diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh
index 61885ed4e..f73ae6709 100644
--- a/apparmor.d/profiles-a-f/chsh
+++ b/apparmor.d/profiles-a-f/chsh
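Review bot: The file relies on test order for cleanup and leaves accounts behind on failure: `user3`, `user4`, `sys2` and `user2` are only removed by the two `userdel` tests at the end, so an `aa_check` failure or a crash mid-file leaves them (and `user2`'s home) on the host, and the next run fails at `useradd` with "already exists" before any AppArmor check runs. Add a `teardown_file` that removes all four with `sudo userdel --remove user2 || true` and the same for the others, and since `--uid 3000` is hard-coded, consider checking that uid is free first. `aa_setup`/`aa_check` are defined in `common`, outside this patch.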
@@ -10,26 +10,19 @@ include @{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include - include include include + include - # To write records to the kernel auditing log. capability audit_write, - - # To set the right permission to the files in the /etc/ dir. capability chown, capability fsetid, - - # gpasswd is a SETUID binary capability setuid, network netlink raw, @{exec_path} mr, - owner @{PROC}/@{pid}/loginuid r, - /etc/shells r, /etc/passwd rw, @@ -44,6 +37,8 @@ profile chsh @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, + owner @{PROC}/@{pid}/loginuid r, + include if exists } diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 42ab87607..0fbb9aa6d 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -53,9 +53,9 @@ profile useradd @{exec_path} { # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, - @{HOME}/.* w, + @{HOME}/.** w, /var/lib/*/{,*} rw, - /etc/skel/{,.*} r, + /etc/skel/{,.**} r, profile pam_tally2 { include diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats index 42cfa1151..5365fea60 100644 --- a/tests/bats/chsh.bats +++ b/tests/bats/chsh.bats @@ -11,7 +11,7 @@ setup_file() { # bats test_tags=chsh @test "chsh: [l]ist available shells" { - chsh --list-shells + chsh --list-shells || true aa_check } diff --git a/tests/bats/lsusb.bats b/tests/bats/lsusb.bats index 530841a20..8f646d89e 100644 --- a/tests/bats/lsusb.bats +++ b/tests/bats/lsusb.bats @@ -11,18 +11,18 @@ setup_file() { # bats test_tags=lsusb @test "lsusb: List all the USB devices available" { - lsusb + lsusb || true aa_check } # bats test_tags=lsusb @test "lsusb: List the USB hierarchy as a tree" { - lsusb -t + lsusb -t || true aa_check } # bats test_tags=lsusb @test "lsusb: List verbose information about USB devices" { - lsusb --verbose + lsusb --verbose || true aa_check } From d85416e2e64c841412ae6a57fef85b821cfd43e5 Mon Sep 17 00:00:00 2001 
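Review bot: Changing `@{HOME}/.* w` to `@{HOME}/.** w` (and `/etc/skel/{,.*}` to `{,.**}`) is a widening, not just a fix: `**` crosses directory boundaries, so useradd may now write anywhere beneath any dotted entry of any user's home rather than only top-level dotfiles. That is what a recursive copy of `/etc/skel` needs, but a one-line comment stating the purpose would stop it from being narrowed back by mistake, e.g. `@{HOME}/.** w, # recursive copy of /etc/skel dotdirs`. The `profile pam_tally2` child block that follows continues outside the hunk.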
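Review bot: `chsh --list-shells || true` makes the test pass even when chsh fails outright, so the only remaining signal is `aa_check`, and if chsh is absent or exits non-zero for a reason unrelated to AppArmor the test becomes vacuous. Prefer bats' `run chsh --list-shells` followed by `[ "$status" -eq 0 ]` for the chsh case, and keep `|| true` for the lsusb tests where a missing USB bus in CI is the expected failure. Whether `aa_check` itself fails on denials is not visible in this patch.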
From: Alexandre Pujol Date: Tue, 12 Nov 2024 20:36:18 +0000 Subject: [PATCH 10/76] feat(profile): update systemd profiles. --- apparmor.d/groups/systemd/hostnamectl | 2 ++ apparmor.d/groups/systemd/systemd-cgls | 1 + apparmor.d/groups/systemd/systemd-logind | 3 ++- apparmor.d/groups/systemd/systemd-modules-load | 1 + apparmor.d/groups/systemd/systemd-oomd | 3 ++- apparmor.d/groups/systemd/systemd-timesyncd | 3 ++- apparmor.d/groups/systemd/systemd-udevd | 1 + 7 files changed, 11 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 65e6ed11f..91fc31b51 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -14,6 +14,8 @@ profile hostnamectl @{exec_path} { capability net_admin, + unix bind type=stream addr=@@{hex16}/bus/hostnamectl/system, + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index e74280f67..b25f861b5 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/systemd-cgls profile systemd-cgls @{exec_path} { include + include capability sys_ptrace, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 53dd0acf8..206c09571 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
@@ -94,10 +94,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{att}/@{run}/systemd/notify w, + @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, @{run}/systemd/inhibit/@{int}{,.ref} rw, - @{run}/systemd/notify rw, @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, @{run}/systemd/seats/seat@{int} rw, diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index abb437f83..d3527c22b 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -13,6 +13,7 @@ profile systemd-modules-load @{exec_path} { include capability net_admin, + capability perfmon, capability sys_module, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index e5dce916c..469f72b03 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -24,9 +24,10 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, + @{att}/@{run}/systemd/notify w, + @{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw, - @{run}/systemd/notify rw, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.* r, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index de544c9d7..9f9136bca 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd 
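Review bot: `capability perfmon,` is added to systemd-modules-load (and to systemd-udevd in the next file) with no comment on why a module loader needs CAP_PERFMON, which gates perf_event_open and related tracing/BPF operations rather than module loading. It is plausibly a side effect of a specific module's init path calling `capable(CAP_PERFMON)` on the test machine, but nothing visible here confirms that. This tree already marks such uncertain grants in the form `# Needed? audit capability sys_nice,` (see the upower profile later in this series); using the same form, `# Needed? audit capability perfmon,`, keeps the grant observable in logs until the cause is known.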
@@ -34,9 +34,10 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, + @{att}/@{run}/systemd/notify rw, + @{run}/resolvconf/*.conf r, @{run}/systemd/netif/state r, - @{run}/systemd/notify rw, @{run}/systemd/timesyncd.conf.d/{,**} r, owner @{run}/systemd/timesync/synchronized rw, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index dae5ae67e..b8a0c7e4c 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -21,6 +21,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { capability fsetid, capability mknod, capability net_admin, + capability perfmon, capability sys_admin, capability sys_module, capability sys_ptrace, From 06dd90bae138886476914d2e65f7b36100013a23 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Nov 2024 20:37:28 +0000 Subject: [PATCH 11/76] feat(abs): cover more commonly attached path. --- apparmor.d/abstractions/attached/base | 2 ++ apparmor.d/abstractions/base.d/complete | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 33c422bb0..1f37de00d 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -7,6 +7,8 @@ abi , + @{att}/@{run}/systemd/journal/socket w, + deny @{att}/apparmor/.null rw, include if exists diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 3e10a94f5..3b5ecaf41 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -33,6 +33,4 @@ @{PROC}/sys/kernel/core_pattern r, - deny /apparmor/.null rw, - # vim:syntax=apparmor From 771673c91fa575e8755f808681c89f07b32bca2f Mon Sep 17 00:00:00 2001 
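Review bot: `@{att}/@{run}/systemd/notify rw,` in systemd-timesyncd keeps read access on the notify socket, while the equivalent lines introduced in the same commit for systemd-logind and systemd-oomd are `@{att}/@{run}/systemd/notify w,`. sd_notify only sends datagrams to that socket, so `w` is sufficient and the three profiles should agree; suggest `@{att}/@{run}/systemd/notify w,` here as well. If timesyncd really does read from the socket (I see nothing suggesting it), a comment stating so would prevent the next cleanup from dropping the `r` again.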
From: Alexandre Pujol Date: Tue, 12 Nov 2024 20:42:31 +0000 Subject: [PATCH 12/76] feat(profile): update some core profiles. --- apparmor.d/groups/freedesktop/polkitd | 2 ++ apparmor.d/groups/freedesktop/upower | 2 ++ apparmor.d/groups/freedesktop/xdg-permission-store | 1 + apparmor.d/groups/network/netplan.script | 2 ++ apparmor.d/groups/ubuntu/apport | 8 +++++--- apparmor.d/groups/virt/containerd | 11 +++++++---- apparmor.d/profiles-a-f/chsh | 1 + apparmor.d/profiles-s-z/snap | 5 +++++ apparmor.d/profiles-s-z/snap-update-ns | 6 ++++++ apparmor.d/profiles-s-z/snapd-apparmor | 1 + apparmor.d/profiles-s-z/uuidd | 1 + 11 files changed, 33 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 089e61744..a8df0261c 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -53,6 +53,8 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { /var/lib/polkit{,-1}/localauthority/{,**} r, owner /var/lib/polkit{,-1}/.cache/ rw, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 1cb7c9583..2aeb4ee88 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -10,6 +10,8 @@ include @{exec_path} = @{bin}/upower profile upower @{exec_path} { include + include + include # Needed? audit capability sys_nice, diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 441692ded..08cfc840c 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store 
@@ -43,6 +43,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, + owner @{user_share_dirs}/flatpak/db/desktop-used-apps r, owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script index 53297493e..65d644e7b 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan.script @@ -49,6 +49,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { capability net_admin, + @{att}/@{run}/systemd/private rw, + include if exists } diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index cd0187119..11aad0da3 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -22,9 +22,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_ptrace, - ptrace (read) peer=gnome-shell, - ptrace (read) peer=snap.cups.cupsd, - ptrace (read) peer=tracker-extract, + ptrace read, @{exec_path} mr, @@ -36,6 +34,10 @@ profile apport @{exec_path} flags=(attach_disconnected) { /usr/share/apport/{,**} r, /etc/apport/report-ignore/{,**} r, + /etc/login.defs r, + + /var/lib/dpkg/info/ r, + /var/lib/dpkg/info/*.list r, /var/crash/ rw, /var/crash/*.@{uid}.crash rw, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 627515640..4f73ff985 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
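Review bot: `@{att}/@{run}/systemd/private rw,` in netplan.script opens systemd's private control socket, which gives the same power as an unrestricted `systemctl` (start, stop, mask any unit), yet the rule carries no justification. Netplan has to restart networkd/NetworkManager after applying configuration, so the access is probably needed, but that is the kind of grant a later reviewer will question; suggest `# Restarts network services through PID 1's private socket (systemctl without D-Bus)` above the rule. If the same result is reachable through the D-Bus `org.freedesktop.systemd1` path already mediated elsewhere in this tree, that would be the narrower option.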
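Review bot: replacing the three `ptrace (read) peer=...` rules in apport with a bare `ptrace read,` removes the peer restriction entirely, so apport, which already holds `capability sys_ptrace,` (visible context line), may now read the memory and `/proc` state of every process regardless of its confinement label. Apport's job is to collect whatever process crashed, so an open peer list may be the honest rule, but the profile previously chose to enumerate peers and the commit gives no reason for the change. At minimum document the decision, `# Any crashing process can be the peer, so no label restriction`, and consider `ptrace read peer=unconfined,` plus named labels if the enumerated set was only missing a few entries.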
@@ -83,6 +83,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/docker/containerd/{,**} rwk, @{run}/netns/ w, @{run}/netns/cni-@{uuid} rw, + @{run}/nri/ w, + @{run}/nri/nri.sock rw, @{run}/systemd/notify w, /tmp/cri-containerd.apparmor.d@{int} rwl, @@ -94,12 +96,13 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, + @{PROC}/@{pid}/task/@{tid}/mountinfo r, @{PROC}/@{pid}/task/@{tid}/ns/net rw, @{PROC}/sys/net/core/somaxconn r, - owner @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/cgroup r, - owner @{PROC}/@{pids}/mountinfo r, - owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pid}/attr/current r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/uid_map r, /dev/bsg/ r, /dev/bus/ r, diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh index f73ae6709..f8a2af5c4 100644 --- a/apparmor.d/profiles-a-f/chsh +++ b/apparmor.d/profiles-a-f/chsh @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include + include include include include diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 912ab1a8b..a86304000 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -29,6 +29,7 @@ profile snap @{exec_path} { mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/, #aa:dbus own bus=session name=io.snapcraft.Launcher + #aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.Settings #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" @@ -45,6 +46,7 @@ profile snap @{exec_path} { @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snapd rPx, 
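Review bot: `@{lib_dirs}/** mr,` in the snap profile allows executable mapping of every file below `@{lib_dirs}`, not only shared objects, and the same line is added to snapd-apparmor in the next file. The `m` permission is what makes arbitrary mmap(PROT_EXEC) legal, so if the intent is just the snapd snap's bundled libraries, `@{lib_dirs}/**.so{,.@{int}} mr,` would match what is actually mapped while leaving the explicit `rPx` helper lines below it as the only exec path. I cannot see what `@{lib_dirs}` expands to for this profile, so if it already covers non-`.so` objects that must be mapped, a short comment naming them would justify the wildcard.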
@@ -108,6 +110,9 @@ profile snap @{exec_path} { network unix stream, + owner @{run}/user/@{uid}/systemd/notify rw, + owner @{run}/user/@{uid}/systemd/private rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index 3021a1ad7..345c089e3 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -23,11 +23,17 @@ profile snap-update-ns @{exec_path} { mount -> /tmp/.snap/**, mount -> /usr/**, mount -> /var/lib/dhcp/, + umount /snap/**, umount /var/lib/dhcp/, + umount @{lib}/@{multiarch}/webkit2gtk-@{version}/, + umount /usr/share/xml/iso-codes/, @{exec_path} mr, + @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, + /usr/share/xml/iso-codes/ w, + /var/lib/snapd/mount/{,*} r, / r, diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor index e7a3b4946..6d873982b 100644 --- a/apparmor.d/profiles-s-z/snapd-apparmor +++ b/apparmor.d/profiles-s-z/snapd-apparmor @@ -17,6 +17,7 @@ profile snapd-apparmor @{exec_path} { @{bin}/systemd-detect-virt rPx, @{bin}/apparmor_parser rPx, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser, @{lib_dirs}/snapd/info r, diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-s-z/uuidd index 56b89fa2a..c1e14d013 100644 --- a/apparmor.d/profiles-s-z/uuidd +++ b/apparmor.d/profiles-s-z/uuidd @@ -17,6 +17,7 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { owner /var/lib/libuuid/clock.txt rwk, + @{run}/uuidd/request w, @{att}/@{run}/uuidd/request w, include if exists From 245e26f1107c364a3f8a68ddbf3376be9f9c5bcb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Nov 2024 20:43:52 +0000 Subject: [PATCH 13/76] feat(profile): fractal uses bwrap for loading image. --- apparmor.d/profiles-a-f/fractal | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) 
diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 7f14df0e0..6dfb84452 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -21,10 +21,14 @@ profile fractal @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + signal send set=kill peer=fractal//bwrap, + @{exec_path} mr, @{open_path} rPx -> child-open-help, + @{bin}/bwrap rCx -> bwrap, + /usr/share/glycin-loaders/{,**} r, /usr/share/xml/iso-codes/{,**} r, owner @{tmp}/.@{rand6} rw, @@ -37,6 +41,22 @@ profile fractal @{exec_path} flags=(attach_disconnected) { /dev/ r, + profile bwrap flags=(attach_disconnected) { + include + include + + signal receive set=kill peer=fractal, + + @{bin}/bwrap mr, + @{lib}/glycin-loaders/*/glycin-* rix, + + owner @{PROC}/@{pid}/fd/ r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists + } + include if exists } From 9aca44908cba73b2dfb13c6c99dbc1145fbd33ca Mon Sep 17 00:00:00 2001 
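Review bot: the new `fractal//bwrap` subprofile lists no `userns,` rule and no `mount`, `umount` or `pivot_root` rules, although bwrap builds its sandbox exactly through a user namespace and a series of mounts; whatever the two stripped `include` lines provide cannot be seen here. On kernels that enforce `apparmor_restrict_unprivileged_userns` (Ubuntu 24.04 and later), a confined bwrap without `userns,` fails to create its namespace, and the glycin loaders started via `@{lib}/glycin-loaders/*/glycin-* rix` would never run. If the included abstractions do not cover this, add `userns,` together with the mount/pivot_root set the other bwrap-based profiles in this tree use, with a comment `# bwrap needs a user namespace and its own mount tree for the loader sandbox`. The enclosing `profile fractal` block starts and ends outside this hunk.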
From: Alexandre Pujol Date: Tue, 12 Nov 2024 21:42:31 +0000 Subject: [PATCH 14/76] tests: add more integration tests for core tools. --- tests/bats/chsh.bats | 2 +- tests/bats/common.bash | 5 ++- tests/bats/cpuid.bats | 28 +++++++++++++++ tests/bats/df.bats | 6 ++++ tests/bats/dfc.bats | 34 +++++++++++++++++++ tests/bats/homectl.bats | 58 ++++++++++++++++++++++++++++++++ tests/bats/hostnamectl.bats | 27 +++++++++++++++ tests/bats/ip.bats | 18 ++++++---- tests/bats/sync.bats | 22 ++++++++++++ tests/bats/systemd-ac-power.bats | 23 +++++++++++++ tests/bats/systemd-analyze.bats | 29 ++++++++++++++++ tests/bats/systemd-cat.bats | 22 ++++++++++++ tests/bats/systemd-cgls.bats | 29 ++++++++++++++++ tests/bats/systemd-id128.bats | 41 ++++++++++++++++++++++ tests/bats/systemd-sysusers.bats | 28 +++++++++++++++ tests/bats/upower.bats | 29 ++++++++++++++++ tests/bats/userdbctl.bats | 41 ++++++++++++++++++++++ tests/bats/uuidd.bats | 29 ++++++++++++++++ tests/bats/w.bats | 22 ++++++++++++ 19 files changed, 484 insertions(+), 9 deletions(-) create mode 100644 tests/bats/cpuid.bats create mode 100644 tests/bats/dfc.bats create mode 100644 tests/bats/homectl.bats create mode 100644 tests/bats/hostnamectl.bats create mode 100644 tests/bats/sync.bats create mode 100644 tests/bats/systemd-ac-power.bats create mode 100644 tests/bats/systemd-analyze.bats create mode 100644 tests/bats/systemd-cat.bats create mode 100644 tests/bats/systemd-cgls.bats create mode 100644 tests/bats/systemd-id128.bats create mode 100644 tests/bats/systemd-sysusers.bats create mode 100644 tests/bats/upower.bats create mode 100644 tests/bats/userdbctl.bats create mode 100644 tests/bats/uuidd.bats create mode 100644 tests/bats/w.bats diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats index 5365fea60..f66eb1f97 100644 --- a/tests/bats/chsh.bats +++ b/tests/bats/chsh.bats 
@@ -17,7 +17,7 @@ setup_file() { # bats test_tags=chsh @test "chsh: Set a specific login [s]hell for the current user" { - chsh --shell /usr/bin/bash + echo "$PASSWORD" | chsh --shell /usr/bin/bash aa_check } diff --git a/tests/bats/common.bash b/tests/bats/common.bash index c08d13758..f99c3c197 100644 --- a/tests/bats/common.bash +++ b/tests/bats/common.bash @@ -6,6 +6,9 @@ export BATS_LIB_PATH=${BATS_LIB_PATH:-/usr/lib/bats} load "$BATS_LIB_PATH/bats-support/load" +# User password for sudo commands +export PASSWORD=${PASSWORD:-user} + export XDG_CACHE_DIR=".cache" export XDG_CONFIG_DIR=".config" export XDG_DATA_DIR=".local/share" @@ -100,7 +103,7 @@ aa_check() { local now duration logs now=$(date +%s) - duration=$((now - _START + 2)) + duration=$((now - _START + 1)) logs=$(aa-log --raw --systemd --since "-${duration}s") if [[ -n "$logs" ]]; then fail "profile $PROGRAM raised logs: $logs" diff --git a/tests/bats/cpuid.bats b/tests/bats/cpuid.bats new file mode 100644 index 000000000..1b1226e2b --- /dev/null +++ b/tests/bats/cpuid.bats @@ -0,0 +1,28 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=cpuid +@test "cpuid: Display information for all CPUs" { + cpuid + aa_check +} + +# bats test_tags=cpuid +@test "cpuid: Display information only for the current CPU" { + cpuid -1 + aa_check +} + +# bats test_tags=cpuid +@test "cpuid: Display raw hex information with no decoding" { + cpuid -r + aa_check +} diff --git a/tests/bats/df.bats b/tests/bats/df.bats index be2843213..ea9d3f44f 100644 --- a/tests/bats/df.bats +++ b/tests/bats/df.bats 
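Review bot: the comment `# User password for sudo commands` in common.bash does not match how `PASSWORD` is used: the only visible consumer is `echo "$PASSWORD" | chsh --shell /usr/bin/bash`, which feeds chsh's own password prompt, and the `sudo` calls in the new test files never pass it. Suggest `# Password of the unprivileged test user; piped to programs that prompt for it (chsh, homectl). Override with PASSWORD=... for a VM that does not use the default.` so nobody assumes sudo is configured from it. Note also that chsh may read the password from `/dev/tty` rather than stdin when a controlling terminal exists, so the pipe works only in the non-interactive CI setup; a comment on the chsh.bats line stating that assumption would help.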
@@ -21,6 +21,12 @@ setup_file() { aa_check } +# bats test_tags=df +@test "df: Display the filesystem and its disk usage containing the given file or directory" { + df apparmor.d/ + aa_check +} + # bats test_tags=df @test "df: Include statistics on the number of free inodes" { df --inodes diff --git a/tests/bats/dfc.bats b/tests/bats/dfc.bats new file mode 100644 index 000000000..8a1d18918 --- /dev/null +++ b/tests/bats/dfc.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=dfc +@test "dfc: Display filesystems and their disk usage in human-readable form with colors and graphs" { + dfc + aa_check +} + +# bats test_tags=dfc +@test "dfc: Display all filesystems including pseudo, duplicate and inaccessible filesystems" { + dfc -a + aa_check +} + +# bats test_tags=dfc +@test "dfc: Display filesystems without color" { + dfc -c never + aa_check +} + +# bats test_tags=dfc +@test "dfc: Display filesystems containing "ext" in the filesystem type" { + dfc -t ext + aa_check +} diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats new file mode 100644 index 000000000..2fee79079 --- /dev/null +++ b/tests/bats/homectl.bats 
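Review bot: the test name `"dfc: Display filesystems containing "ext" in the filesystem type"` in dfc.bats closes the double-quoted string at `containing `, leaves `ext` as a bare word and reopens the quote, so it only parses because bash concatenates adjacent words; the recorded name loses the quotes and any later edit that puts a space or special character there will break the test declaration. Use single quotes inside the description, `@test "dfc: Display filesystems containing 'ext' in the filesystem type" {`.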
@@ -0,0 +1,58 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=homectl +@test "homectl: Display help" { + homectl --no-pager --help + aa_check +} + +# bats test_tags=homectl +@test "homectl: Create a user account and their associated home directory" { + sudo homectl create user2 + aa_check +} + +# bats test_tags=homectl +@test "homectl: List user accounts and their associated home directories" { + homectl list + aa_check +} + +# bats test_tags=homectl +@test "homectl: Change the password for a specific user" { + sudo homectl passwd user2 + aa_check +} + +# bats test_tags=homectl +@test "homectl: Run a shell or a command with access to a specific home directory" { + sudo homectl with user2 -- ls -al /home/user2 + aa_check +} + +# bats test_tags=homectl +@test "homectl: Lock or unlock a specific home directory" { + sudo homectl lock user2 + aa_check +} + +# bats test_tags=homectl +@test "homectl: Change the disk space assigned to a specific home directory to 100 GiB" { + sudo homectl resize user2 1G + aa_check +} + +# bats test_tags=homectl +@test "homectl: Remove a specific user and the associated home directory" { + sudo homectl remove user2 + aa_check +} diff --git a/tests/bats/hostnamectl.bats b/tests/bats/hostnamectl.bats new file mode 100644 index 000000000..dd4102575 --- /dev/null +++ b/tests/bats/hostnamectl.bats 
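Review bot: `sudo homectl create user2` and `sudo homectl passwd user2` in homectl.bats will prompt for a password and have no way to receive one: `PASSWORD` is exported by common.bash, but sudo resets the environment by default, and nothing here uses it anyway. homectl honours `PASSWORD`/`NEWPASSWORD` in its environment for non-interactive use, so `sudo env PASSWORD="$PASSWORD" NEWPASSWORD="$PASSWORD" homectl create user2` (and likewise for `passwd`) should make these runnable in CI, assuming the VM's sudo is passwordless. Separately, the description "Change the disk space ... to 100 GiB" does not match `homectl resize user2 1G`, and `resize` runs after `lock`, so a locked home may reject the resize; either unlock first or reorder the tests.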
@@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup() { + aa_setup +} + +# bats test_tags=hostnamectl +@test "hostnamectl: Get the hostname of the computer" { + hostnamectl +} + +# bats test_tags=hostnamectl +@test "hostnamectl: Get the location of the computer" { + hostnamectl location +} + +# bats test_tags=hostnamectl +@test "hostnamectl: Set the hostname of the computer" { + name=$(hostnamectl hostname) + sudo hostnamectl set-hostname "new" + sudo hostnamectl set-hostname "$name" +} diff --git a/tests/bats/ip.bats b/tests/bats/ip.bats index 980495d2d..47f16ccde 100644 --- a/tests/bats/ip.bats +++ b/tests/bats/ip.bats @@ -15,15 +15,9 @@ setup_file() { aa_check } -# bats test_tags=ip -@test "ip: List interfaces with brief network layer info" { - ip -brief address - aa_check -} - # bats test_tags=ip @test "ip: List interfaces with brief link layer info" { - ip -brief link + ip link aa_check } @@ -39,3 +33,13 @@ setup_file() { aa_check } +# bats test_tags=ip +@test "ip: Manage network namespace" { + sudo ip netns add foo + sudo ip netns list + sudo ip netns exec foo bash -c "pwd" + sudo ip netns delete foo + aa_check +} + + diff --git a/tests/bats/sync.bats b/tests/bats/sync.bats new file mode 100644 index 000000000..fba657ff7 --- /dev/null +++ b/tests/bats/sync.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=sync +@test "sync: Flush all pending write operations on all disks" { + sync + aa_check +} + +# bats test_tags=sync +@test "sync: Flush all pending write operations on a single file to disk" { + sudo sync / + aa_check +} 
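Review bot: hostnamectl.bats never calls `aa_check`, so none of its three tests verify that the hostnamectl profile stayed silent, which is the whole purpose of these integration tests; every other file in this commit ends each test with `aa_check`. It also defines `setup()` instead of the `setup_file()` used everywhere else, so `aa_setup` runs before every test rather than once per file. Add `aa_check` after each command and rename the hook to `setup_file()`. In the set-hostname test, if the second `set-hostname "$name"` fails the machine keeps the name `new`; restoring it from a `teardown()` hook, or after the assertions, would make the cleanup unconditional.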
diff --git a/tests/bats/systemd-ac-power.bats b/tests/bats/systemd-ac-power.bats new file mode 100644 index 000000000..78f68d13a --- /dev/null +++ b/tests/bats/systemd-ac-power.bats @@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-ac-power +@test "systemd-ac-power: Report whether we are connected to an external power source." { + systemd-ac-power || true + aa_check +} + +# bats test_tags=systemd-ac-power +@test "systemd-ac-power: Check if battery is discharging and low" { + systemd-ac-power --low || true + aa_check +} + diff --git a/tests/bats/systemd-analyze.bats b/tests/bats/systemd-analyze.bats new file mode 100644 index 000000000..3f6144a78 --- /dev/null +++ b/tests/bats/systemd-analyze.bats @@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-analyze +@test "systemd-analyze: List all running units, ordered by the time they took to initialize" { + systemd-analyze --no-pager blame + aa_check +} + +# bats test_tags=systemd-analyze +@test "systemd-analyze: Print a tree of the time-critical chain of units" { + systemd-analyze --no-pager critical-chain + aa_check +} + +# bats test_tags=systemd-analyze +@test "systemd-analyze: Show security scores of running units" { + systemd-analyze --no-pager security + aa_check +} + diff --git a/tests/bats/systemd-cat.bats b/tests/bats/systemd-cat.bats new file mode 100644 index 000000000..595a6002d --- /dev/null +++ b/tests/bats/systemd-cat.bats 
@@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-cat +@test "systemd-cat: Write the output of the specified command to the journal (both output streams are captured)" { + systemd-cat pwd + aa_check +} + +# bats test_tags=systemd-cat +@test "systemd-cat: Write the output of a pipeline to the journal (`stderr` stays connected to the terminal)" { + echo apparmor.d-test-suite | systemd-cat + aa_check +} diff --git a/tests/bats/systemd-cgls.bats b/tests/bats/systemd-cgls.bats new file mode 100644 index 000000000..b5bb89de6 --- /dev/null +++ b/tests/bats/systemd-cgls.bats @@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-cgls +@test "systemd-cgls: Display the whole control group hierarchy on your system" { + systemd-cgls --no-pager + aa_check +} + +# bats test_tags=systemd-cgls +@test "systemd-cgls: Display a control group tree of a specific resource controller" { + systemd-cgls --no-pager io + aa_check +} + +# bats test_tags=systemd-cgls +@test "systemd-cgls: Display the control group hierarchy of one or more systemd units" { + systemd-cgls --no-pager --unit systemd-logind + aa_check +} + diff --git a/tests/bats/systemd-id128.bats b/tests/bats/systemd-id128.bats new file mode 100644 index 000000000..3b18bd032 --- /dev/null +++ b/tests/bats/systemd-id128.bats 
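Review bot: the description of the second systemd-cat test contains `` `stderr` `` inside a double-quoted string; bats emits test descriptions as bash strings, so the backticks are a command substitution that runs a non-existent `stderr` command, prints `stderr: command not found` and drops the word from the recorded name. Escape them or use plain quotes, e.g. `@test "systemd-cat: Write the output of a pipeline to the journal ('stderr' stays connected to the terminal)" {`.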
@@ -0,0 +1,41 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Generate a new random identifier" { + systemd-id128 new + aa_check +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Print the identifier of the current machine" { + systemd-id128 machine-id + aa_check +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Print the identifier of the current boot" { + systemd-id128 boot-id + aa_check +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Print the identifier of the current service invocation (this is available in systemd services)" { + systemd-id128 invocation-id + aa_check +} + +# bats test_tags=systemd-id128 +@test "systemd-id128: Generate a new random identifier and print it as a UUID (five groups of digits separated by hyphens)" { + systemd-id128 new --uuid + aa_check +} + diff --git a/tests/bats/systemd-sysusers.bats b/tests/bats/systemd-sysusers.bats new file mode 100644 index 000000000..f4230d6b6 --- /dev/null +++ b/tests/bats/systemd-sysusers.bats @@ -0,0 +1,28 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=systemd-sysusers +@test "systemd-sysusers: Print the contents of all configuration files (before each file, its name is printed as a comment)" { + systemd-sysusers --cat-config + aa_check +} + +# bats test_tags=systemd-sysusers +@test "systemd-sysusers: Process configuration files and print what would be done without actually doing anything" { + systemd-sysusers --dry-run + aa_check +} + +# bats test_tags=systemd-sysusers +@test "systemd-sysusers: Create users and groups from all configuration file" { + sudo systemd-sysusers + aa_check +} 
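Review bot: `systemd-id128 invocation-id` in systemd-id128.bats exits non-zero when `$INVOCATION_ID` is unset, which is the case for a bats run outside a systemd service, so this test fails before `aa_check` is reached; the description even notes the command is only available in services. Either accept the failure the way systemd-ac-power.bats does, `systemd-id128 invocation-id || true`, or guard it with `[[ -n ${INVOCATION_ID:-} ]] || skip "not running in a systemd service"`; the second keeps the exit status meaningful when the test does run.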
diff --git a/tests/bats/upower.bats b/tests/bats/upower.bats new file mode 100644 index 000000000..73afc18e6 --- /dev/null +++ b/tests/bats/upower.bats @@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=upower +@test "upower: Display power and battery information" { + upower --dump + aa_check +} + +# bats test_tags=upower +@test "upower: List all power devices" { + upower --enumerate + aa_check +} + +# bats test_tags=upower +@test "upower: Display version" { + upower --version + aa_check +} + diff --git a/tests/bats/userdbctl.bats b/tests/bats/userdbctl.bats new file mode 100644 index 000000000..6169de44b --- /dev/null +++ b/tests/bats/userdbctl.bats @@ -0,0 +1,41 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=userdbctl +@test "userdbctl: List all known user records" { + userdbctl --no-pager user + aa_check +} + +# bats test_tags=userdbctl +@test "userdbctl: Show details of a specific user" { + userdbctl --no-pager user "$USER" + aa_check +} + +# bats test_tags=userdbctl +@test "userdbctl: List all known groups" { + userdbctl --no-pager group + aa_check +} + +# bats test_tags=userdbctl +@test "userdbctl: Show details of a specific group" { + sudo userdbctl --no-pager group "$USER" + aa_check +} + +# bats test_tags=userdbctl +@test "userdbctl: List all services currently providing user/group definitions to the system" { + userdbctl --no-pager services + aa_check +} + diff --git a/tests/bats/uuidd.bats b/tests/bats/uuidd.bats new file mode 100644 index 000000000..e13653e3e --- /dev/null +++ b/tests/bats/uuidd.bats 
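Review bot: `sudo userdbctl --no-pager group "$USER"` in userdbctl.bats is the only userdbctl call run through sudo, and it looks a user's group up by the user name, which only works when the test user has a same-named primary group. If root is not actually needed, drop `sudo` to keep the test under the caller's confinement like its siblings; if it is, a comment saying why group lookups need it would avoid the question next time.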
@@ -0,0 +1,29 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=uuidd +@test "uuidd: Generate a random UUID" { + uuidd --random + aa_check +} + +# bats test_tags=uuidd +@test "uuidd: Generate a bulk number of random UUIDs" { + uuidd --random --uuids 10 + aa_check +} + +# bats test_tags=uuidd +@test "uuidd: Generate a time-based UUID, based on the current time and MAC address of the system" { + uuidd --time + aa_check +} + diff --git a/tests/bats/w.bats b/tests/bats/w.bats new file mode 100644 index 000000000..7f358aac7 --- /dev/null +++ b/tests/bats/w.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +setup_file() { + aa_setup +} + +# bats test_tags=w +@test "w: Display information about all users who are currently logged in" { + w + aa_check +} + +# bats test_tags=w +@test "w: Display information about a specific user" { + w root + aa_check +} From 562fcc88a93de54605de8989b8cf8f284b437905 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Nov 2024 21:43:42 +0000 Subject: [PATCH 15/76] tests(ci): install integration tests requirements. --- .github/workflows/main.yml | 1 + tests/requirements.sh | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 tests/requirements.sh diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b07fc8990..c4f143f05 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -83,6 +83,7 @@ jobs: sudo apt-get install -y \ apparmor-profiles apparmor-utils \ bats bats-support + bash tests/requirements.sh - name: Install apparmor.d run: | diff --git a/tests/requirements.sh b/tests/requirements.sh new file mode 100644 index 000000000..91adc0031 --- /dev/null 
+++ b/tests/requirements.sh @@ -0,0 +1,27 @@ +#!/usr/bin/env bash +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Dependencies for the bats integration tests + +set -eu + +# shellcheck source=/dev/null +_lsb_release() { + . /etc/os-release || exit 1 + echo "$ID" +} +DISTRIBUTION="$(_lsb_release)" + +case "$DISTRIBUTION" in +arch) + ;; +debian | ubuntu | whonix) + sudo apt-get install -y \ + cpuid dfc systemd-userdbd + ;; +opensuse*) + ;; +*) ;; +esac From b30d0779928acd8c3496ade5e8bc26853bc4df0f Mon Sep 17 00:00:00 2001 
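Review bot: `_lsb_release` in requirements.sh sources `/etc/os-release` and prints `$ID`, so its name is misleading and it ignores `ID_LIKE`, which is why `whonix` has to be listed by hand next to `debian | ubuntu` and why any other Debian derivative falls through to the empty `*)` case. Suggest renaming it and matching the family as well, e.g. `echo "$ID ${ID_LIKE:-}"` with the case patterns written as `*debian*|*ubuntu*)`, so derivatives pick up the apt branch automatically. Because the script runs under `set -eu`, the `|| exit 1` after the dot-source is redundant but harmless; a one-line comment above the function, `# Distribution id(s) from os-release, used to pick the package manager`, would document the intent.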
From: Alexandre Pujol Date: Tue, 12 Nov 2024 22:18:11 +0000 Subject: [PATCH 16/76] feat(profile): improve support for some profiles. Most of the rules have come from the integration tests. --- apparmor.d/abstractions/bus/org.freedesktop.hostname1 | 5 +++++ apparmor.d/groups/bus/ibus-engine-simple | 3 +-- apparmor.d/groups/bus/ibus-x11 | 3 +-- apparmor.d/groups/cron/cron-apport | 2 +- apparmor.d/groups/freedesktop/polkitd | 1 + apparmor.d/groups/freedesktop/upower | 3 +-- apparmor.d/groups/freedesktop/xdg-desktop-portal | 5 +++-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 1 + apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gpg/dirmngr | 1 + apparmor.d/groups/gpg/keyboxd | 1 + apparmor.d/groups/network/netplan.script | 5 ++++- apparmor.d/groups/systemd/systemd-analyze | 2 ++ apparmor.d/groups/systemd/systemd-cgls | 4 ++++ apparmor.d/groups/systemd/systemd-hostnamed | 3 ++- apparmor.d/groups/systemd/systemd-localed | 2 +- apparmor.d/groups/systemd/systemd-logind | 1 + apparmor.d/groups/systemd/systemd-oomd | 1 + apparmor.d/groups/systemd/systemd-resolved | 3 ++- apparmor.d/groups/systemd/systemd-timedated | 2 +- apparmor.d/groups/systemd/systemd-userdbd | 3 +++ apparmor.d/profiles-a-f/cpuid | 1 + apparmor.d/profiles-a-f/fprintd | 1 - apparmor.d/profiles-g-l/ip | 5 ++++- apparmor.d/profiles-g-l/lspci | 1 + apparmor.d/profiles-m-r/pinentry-gnome3 | 1 + apparmor.d/profiles-s-z/snap | 1 + apparmor.d/profiles-s-z/sync | 5 ++--- apparmor.d/profiles-s-z/uuidd | 4 ++-- 29 files changed, 50 insertions(+), 22 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 8957c4cdd..7dcb187f1 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 
@@ -14,6 +14,11 @@ member={Get,GetAll} peer=(name=org.freedesktop.hostname1), + dbus receive bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index ab3b2b2fd..f9f9870f8 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-engine-simple profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -28,8 +29,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 1096594aa..39d5ecccb 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-x11 profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -42,8 +43,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport index 61aeaf881..1579115a7 100644 --- a/apparmor.d/groups/cron/cron-apport +++ b/apparmor.d/groups/cron/cron-apport @@ -18,7 +18,7 @@ profile cron-apport @{exec_path} { / r, /var/crash/ r, - /var/crash/*.crash w, + /var/crash/* w, include if exists } 
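Review bot: Widening `/var/crash/*.crash w,` to `/var/crash/* w,` in the cron-apport hunk grants write access to every file directly under `/var/crash/`, not just crash reports, and nothing in the hunk records which additional files needed it. If the denial was for apport's companion files (presumably the `.upload`/`.uploaded` markers or a lock file), naming the observed suffixes, e.g. `/var/crash/*.{crash,upload,uploaded} w,`, keeps the rule as tight as before; otherwise a one-line comment above the rule citing the observed denial would let the next reviewer judge the broadening.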
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index a8df0261c..14edf32cc 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -54,6 +54,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { owner /var/lib/polkit{,-1}/.cache/ rw, @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 2aeb4ee88..931b47509 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,8 +13,7 @@ profile upower @{exec_path} { include include - # Needed? - audit capability sys_nice, + #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 8d8ae6662..489a04260 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -63,8 +63,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{lib}/xdg-desktop-portal-validate-icon rPx, @{open_path} rPx -> child-open, - / r, - @{att}/.flatpak-info r, + / r, + @{att}/.flatpak-info r, + owner @{att}/ r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index d4fa3dc1d..ff398f25e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk 
@@ -30,6 +30,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include signal receive set=term peer=gdm, + signal receive set=hup peer=gdm-session-worker, unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a2dd6d908..d8ae32fd9 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -17,7 +17,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -83,6 +82,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Talk with gnome-shell + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr index 167e8757c..2fbdfb086 100644 --- a/apparmor.d/groups/gpg/dirmngr +++ b/apparmor.d/groups/gpg/dirmngr @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/dirmngr profile dirmngr @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gpg/keyboxd b/apparmor.d/groups/gpg/keyboxd index a6eadd904..51ec8b134 100644 --- a/apparmor.d/groups/gpg/keyboxd +++ b/apparmor.d/groups/gpg/keyboxd @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gnupg/keyboxd profile keyboxd @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script index 65d644e7b..7f558a1c4 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan.script 
@@ -36,7 +36,10 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { include include - @{run}/udev/control rw, + capability net_admin, + + @{att}/@{run}/udev/control rw, + @{run}/udev/rules.d/90-netplan.rules rw, @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 09d432b2f..65feae3f2 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -22,6 +22,8 @@ profile systemd-analyze @{exec_path} { signal (send) peer=child-pager, + unix bind type=stream addr=@@{hex16}/bus/systemd-analyze/system, + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index b25f861b5..9bfde3e6e 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -10,6 +10,8 @@ include profile systemd-cgls @{exec_path} { include include + include + include capability sys_ptrace, @@ -17,6 +19,8 @@ profile systemd-cgls @{exec_path} { signal send set=cont peer=child-pager, + unix bind type=stream addr=@@{hex16}/bus/systemd-cgls/system, + @{exec_path} mr, @{pager_path} rPx -> child-pager, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index a169a59d6..878884ad1 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -37,8 +37,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { /etc/machine-info rw, /etc/os-release r, + @{att}/@{run}/systemd/notify rw, + @{run}/systemd/default-hostname rw, - @{run}/systemd/notify rw, @{run}/udev/data/+dmi:* r, # for motherboard info @{sys}/devices/virtual/dmi/id/ r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 32f02f0d0..058c59db4 100644 
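Review bot: `capability net_admin,` is added to netplan.script without a comment naming the operation that needed it, while the rest of the hunk only adjusts udev control and rules paths. A capability is the broadest grant in a profile, so a short justification above it, hedged to what the logs actually showed (presumably netlink interface configuration, but that should be confirmed against the denial), e.g. `# Needed to reconfigure network interfaces (seen in integration tests)`, lets a later reviewer re-evaluate whether it is still required. The body of netplan.script continues outside the hunk.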
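Review bot: The systemd-hostnamed hunk rewrites the notify rule as `@{att}/@{run}/systemd/notify rw,`, while systemd-logind, systemd-oomd, systemd-resolved and systemd-userdbd in this same commit grant only `w` on the same socket; AppArmor mediates connect() on a socket path as a write, so `w` is what sd_notify needs. The same `rw` is carried into the systemd-localed and systemd-timedated hunks that follow. `@{att}/@{run}/systemd/notify w,` in all three would make the grant minimal and consistent across the systemd group.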
--- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -35,7 +35,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /etc/X11/xorg.conf.d/.#*.confd* rw, /etc/X11/xorg.conf.d/*.conf rw, - @{run}/systemd/notify rw, + @{att}/@{run}/systemd/notify rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 206c09571..012a89789 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -95,6 +95,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 469f72b03..912888664 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -25,6 +25,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { /etc/systemd/oomd.conf.d/{,**} r, @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, @{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 4f9f965f5..f6867f437 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -41,8 +41,9 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { /etc/systemd/resolved.conf r, /etc/systemd/resolved.conf.d/{,*} r, + @{att}/@{run}/systemd/notify w, + @{run}/systemd/netif/links/* r, - @{run}/systemd/notify rw, @{run}/systemd/resolve/{,**} rw, @{PROC}/@{pid}/cgroup r, 
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index e2b6caaa7..dd964f3b1 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -35,7 +35,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { /etc/.#timezone* rw, /etc/timezone rw, - @{run}/systemd/notify rw, + @{att}/@{run}/systemd/notify rw, /dev/rtc@{int} r, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index ce698dc96..c57327bcb 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -30,6 +30,9 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) /etc/machine-id r, + @{att}/@{run}/systemd/notify w, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{run}/systemd/userdb/{,**} rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid index c374d4685..332c1735c 100644 --- a/apparmor.d/profiles-a-f/cpuid +++ b/apparmor.d/profiles-a-f/cpuid @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/cpuid profile cpuid @{exec_path} { include + include capability mknod, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index b3034dfef..182d9013d 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -29,7 +29,6 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/systemd/journal/socket rw, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 2797ae2ba..56c6f5f5e 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip 
@@ -30,8 +30,10 @@ profile ip @{exec_path} flags=(attach_disconnected) { umount /sys/, @{exec_path} mrix, + + # To run command with 'ip netns exec' @{shells_path} rUx, - @{bin}/sudo rPx, + @{bin}/sudo rPx, @{att}/ r, @@ -40,6 +42,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { /usr/share/iproute2/{,**} r, + @{run}/netns/ r, @{run}/netns/* rw, owner @{run}/netns/ rwk, diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index 3f0fe5d95..b390346bb 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci @@ -35,6 +35,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}-@{int}/address r, + @{sys}/bus/pci/slots/@{int}/address r, @{sys}/devices/@{pci}/** r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index f332ef21f..a955a9c6d 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/pinentry-gnome3 profile pinentry-gnome3 @{exec_path} { include + include include signal (receive) set=(int) peer=gpg-agent, diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index a86304000..aa1f6b2b8 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -42,6 +42,7 @@ profile snap @{exec_path} { @{exec_path} mrix, @{bin}/mount rix, + @{bin}/getent rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync index 907def2b1..85a408df8 100644 --- a/apparmor.d/profiles-s-z/sync +++ b/apparmor.d/profiles-s-z/sync 
@@ -13,9 +13,8 @@ profile sync @{exec_path} { @{exec_path} mr, - # Common paths where sync is used to flush all write operations on a single file to disk - # TODO: /** rw, ? - /boot/initrd-*-default rw, + # All paths where sync can be used to flush all write operations on a single file to disk + /** rw, include if exists } diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-s-z/uuidd index c1e14d013..4d75a70ed 100644 --- a/apparmor.d/profiles-s-z/uuidd +++ b/apparmor.d/profiles-s-z/uuidd @@ -17,8 +17,8 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { owner /var/lib/libuuid/clock.txt rwk, - @{run}/uuidd/request w, - @{att}/@{run}/uuidd/request w, + @{run}/uuidd/request rw, + @{att}/@{run}/uuidd/request rw, include if exists } From 469677e096412be976ca7cf624e76d5c2829ac2e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Nov 2024 22:18:41 +0000 Subject: [PATCH 17/76] feat(profile): add homectl. --- apparmor.d/groups/systemd/homectl | 39 +++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 apparmor.d/groups/systemd/homectl diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl new file mode 100644 index 000000000..aaae97d64 --- /dev/null +++ b/apparmor.d/groups/systemd/homectl @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/homectl +profile homectl @{exec_path} { + include + include + include + include + include + + capability net_admin, + capability sys_resource, + + signal send peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + + @{exec_path} mr, + + @{bin}/pkttyagent rpx, + + @{pager_path} rPx -> child-pager, + + /etc/machine-id r, + + owner @{PROC}/@{pids}/cgroup r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor 
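Review bot: `/** rw,` in the sync hunk gives the profile read and write access to every path on the filesystem, so for file access the profile is confined in name only; the removed `# TODO: /** rw, ?` shows this was the open question, and the new comment answers it without saying why `r` is not enough. As far as I recall coreutils `sync FILE` opens the file read-only first and only falls back to a write-only open when that is refused, so `/** r,` may cover the common case; please confirm against the denials seen in the integration tests before settling on `rw`. If `rw` really is required, a comment such as `# w needed for files the caller may write but not read; sync only fsync()s the descriptor` would record the decision for the next reviewer.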
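Review bot: `@{bin}/pkttyagent rpx,` in the new homectl profile uses the lowercase `p` transition, which does not scrub the environment on exec, while the pager rule two lines below and the other profiles touched in this series use `rPx`. Unless pkttyagent depends on inherited environment variables, `@{bin}/pkttyagent rPx,` is the tighter and consistent choice; if the lowercase form is intentional, a comment stating why would stop it being "fixed" later.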
From 93ade2237d791816513bd9b9b8ef66c6448fc985 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Nov 2024 22:25:08 +0000 Subject: [PATCH 18/76] fix(profile): linting issue. --- apparmor.d/profiles-s-z/snap-update-ns | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index 345c089e3..3ce5bfdd4 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -27,7 +27,7 @@ profile snap-update-ns @{exec_path} { umount /snap/**, umount /var/lib/dhcp/, umount @{lib}/@{multiarch}/webkit2gtk-@{version}/, - umount /usr/share/xml/iso-codes/, + umount /usr/share/xml/iso-codes/, @{exec_path} mr, From 9ddfc9e32c0e1591b857045943889882b9206ff7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Nov 2024 22:31:16 +0000 Subject: [PATCH 19/76] build(debian): disable make check by default on pkg build. Enable it manually in github action. --- .github/workflows/main.yml | 10 ++++++++++ debian/rules | 3 +++ 2 files changed, 13 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c4f143f05..27c8e3d85 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -3,6 +3,16 @@ name: Ubuntu on: [push, pull_request, workflow_dispatch] jobs: + check: + runs-on: ubuntu-24.04 + steps: + - name: Check out repository code + uses: actions/checkout@v4 + + - name: Run basic profile linter check + run: | + make check + build: runs-on: ${{ matrix.os }} strategy: diff --git a/debian/rules b/debian/rules index 6e7d2d6e4..a30a693df 100755 --- a/debian/rules +++ b/debian/rules @@ -8,3 +8,6 @@ # golang/1.19 compresses debug symbols itself. override_dh_dwz: + +# do not run 'make check' by default as it can be long for dev package +override_dh_auto_test: From 72f75b96d3e7c9307a0d138996e9c505ce587285 Mon Sep 17 00:00:00 2001 
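Review bot: The new `check` job references `actions/checkout@v4`, a mutable tag that the action's maintainers (or anyone who gains control of the repository) can retarget. Pinning to a full commit SHA with the version in a trailing comment, `uses: actions/checkout@<commit-sha>  # v4`, makes the step reproducible and resistant to tag retargeting. The existing `build` job presumably uses the same reference, so both could be aligned in one pass; the remaining job bodies are outside the hunk.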
From: Alexandre Pujol Date: Wed, 13 Nov 2024 11:25:04 +0000 Subject: [PATCH 20/76] feat(profile): small profile improvments. --- apparmor.d/abstractions/bus/org.freedesktop.systemd1 | 2 +- apparmor.d/profiles-a-f/blkid | 1 + apparmor.d/profiles-g-l/issue-generator | 2 +- apparmor.d/profiles-s-z/useradd | 1 + apparmor.d/profiles-s-z/w | 2 +- 5 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 115aefd78..41b08a80b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -4,7 +4,7 @@ abi , - dbus send bus=system path=/org/freedesktop/systemd1 + dbus send bus=system path=/org/freedesktop/systemd1{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid index 903e2cb62..27207bdb7 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -41,6 +41,7 @@ profile blkid @{exec_path} flags=(attach_disconnected) { @{PROC}/swaps r, # Other possible location of the cache file + /dev/.blkid.tab.old rwl -> /dev/.blkid.tab, /dev/.blkid.tab{,-@{rand6}} rw, /dev/blkid.tab.old rwl -> /dev/blkid.tab, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 3602a1a1e..8f2d53f76 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -28,7 +28,7 @@ profile issue-generator @{exec_path} { /etc/sysconfig/issue-generator r, @{run}/agetty.reload w, - @{run}/issue r, + @{run}/issue rw, @{run}/issue.@{rand10} rw, @{run}/issue.d/{,**} r, diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 0fbb9aa6d..5768f1343 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd 
@@ -54,6 +54,7 @@ profile useradd @{exec_path} { # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, @{HOME}/.** w, + @{HOME}/**/ r, /var/lib/*/{,*} rw, /etc/skel/{,.**} r, diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/profiles-s-z/w index 3745015c1..b23a7bc23 100644 --- a/apparmor.d/profiles-s-z/w +++ b/apparmor.d/profiles-s-z/w @@ -24,7 +24,7 @@ profile w @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{run}/systemd/sessions/ r, - @{run}/systemd/sessions/@{int} r, + @{run}/systemd/sessions/* r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, From 349ca7648145f7ea998e0040169b9a798d73fc84 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 13 Nov 2024 12:23:36 +0000 Subject: [PATCH 21/76] feat(tunable): add p_dbus_* variables. This allow for better integration for system when dbus is not confined. --- apparmor.d/abstractions/bus-accessibility | 4 ++-- apparmor.d/abstractions/bus-session | 4 ++-- apparmor.d/abstractions/bus-system | 4 ++-- apparmor.d/abstractions/bus/org.a11y | 2 +- apparmor.d/groups/_full/systemd | 2 +- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/bus/at-spi2-registryd | 2 +- apparmor.d/groups/freedesktop/accounts-daemon | 2 +- apparmor.d/groups/freedesktop/colord | 2 +- apparmor.d/groups/freedesktop/geoclue | 2 +- apparmor.d/groups/freedesktop/pipewire | 2 +- apparmor.d/groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/freedesktop/polkitd | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/gnome/gdm | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 6 +++--- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-shell | 10 +++++----- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/nautilus | 4 ++-- apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/groups/ssh/ssh-agent-launch | 2 +- apparmor.d/groups/systemd/busctl | 2 +- apparmor.d/groups/systemd/systemd-hostnamed | 2 +- apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/systemd/systemd-resolved | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/rtkit-daemon | 2 +- apparmor.d/profiles-s-z/udisksd | 2 +- apparmor.d/tunables/multiarch.d/profiles | 5 +++++ docs/development/guidelines.md | 2 +- 33 files changed, 47 insertions(+), 42 deletions(-) diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index ee0a16b99..eba12457f 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility 
@@ -7,12 +7,12 @@ dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-accessibility), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-accessibility), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), owner @{run}/user/@{uid}/at-spi/ rw, owner @{run}/user/@{uid}/at-spi/bus rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 811787bad..95325d7d3 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -11,12 +11,12 @@ dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 0bfe96818..870443002 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system 
@@ -7,12 +7,12 @@ dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{run}/dbus/system_bus_socket rw, diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 357c06473..bb31a079c 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -36,7 +36,7 @@ dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=GetAddress - peer=(name=org.a11y.Bus, label=dbus-accessibility), + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 9e1737a2a..9f611cf3d 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -138,7 +138,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixUser - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{bin}/** Px, @{lib}/** Px, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 19f187cc3..9d7ba9b7b 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt 
@@ -43,7 +43,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus/Bus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=system interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index fd9707093..9838ba40b 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -20,7 +20,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { signal receive set=hup peer=gdm-session-worker, #aa:dbus own bus=accessibility name=org.a11y.atspi - #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility + #aa:dbus talk bus=session name=org.a11y.{B,b}us label="@{p_dbus_accessibility}" dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 539a2a57d..42758585f 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -28,7 +28,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index ffdfe08a0..26a07d8aa 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord 
@@ -25,7 +25,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index ec1633a9e..383360ad4 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -29,7 +29,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index f6f4c12aa..e2b1b22d9 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -28,7 +28,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index 212898a84..fa1e44d00 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session 
@@ -26,7 +26,7 @@ profile pipewire-media-session @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixProcessID - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 14edf32cc..5e3d3ee78 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -26,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 489a04260..57b17b655 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -47,7 +47,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index b0f5e81a5..6bafb132b 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm 
@@ -40,7 +40,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index f74afdeac..068469606 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -38,14 +38,14 @@ profile gnome-extension-ding @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus* - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 42c1265ae..babd12c3d 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
@@ -37,7 +37,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} - peer=(name=org.freedesktop.DBus label=dbus-session), + peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d8ae32fd9..7cc739491 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -112,22 +112,22 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), # Session bus dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/ interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetNameOwner,ListNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket 
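Review bot: In the gnome-session-binary hunk the rewritten peer clause `peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"),` has no comma between `name=` and `label=`, unlike every other peer clause this commit touches, which read `peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),`. The removed line had the same omission, so the rewrite is the natural moment to align it; even if the parser accepts both forms it is an inconsistency the repository's `make check` linter may flag.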
@@ -161,7 +161,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/gnome/*/SearchProvider interface=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 3c2ef3dac..d9b0e5e27 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -43,7 +43,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/ interface=org.freedesktop.DBus member=ListNames - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 51bcf2e10..c7478292c 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -41,7 +41,7 @@ profile gsd-xsettings @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetId - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index e4990a3e3..890e5b34e 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus 
@@ -43,12 +43,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=ListActivatableNames - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/dbus interface=org.freedesktop.DBus member=NameHasOwner - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), @{exec_path} mr, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index e20ea48b3..de4644bdd 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -70,7 +70,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 7e0422c5a..c9f0c6373 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -27,7 +27,7 @@ profile ssh-agent-launch @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=UpdateActivationEnvironment - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index dcb60493e..3cea03c9c 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl 
@@ -33,7 +33,7 @@ profile busctl @{exec_path} { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Monitoring member=BecomeMonitor - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 878884ad1..46786c659 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -25,7 +25,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=GetConnectionUnixUser - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 012a89789..6b01f5147 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -43,7 +43,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index f6867f437..f693cbee4 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved 
@@ -34,7 +34,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 6cee42be9..45b2ccfb4 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -42,7 +42,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), dbus send bus=system path=/org/freedesktop/UDisks2/Manager interface=org.freedesktop.UDisks2.Manager diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index b97c5e9a8..6847476e3 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -43,7 +43,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index ddb62cb5f..d3a88d78a 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon 
@@ -26,7 +26,7 @@ profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index b89d9c72f..530373efd 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -67,7 +67,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID} - peer=(name=org.freedesktop.DBus, label=dbus-system), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), @{exec_path} mr, diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index a24cefc01..2d1fccb32 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -11,4 +11,9 @@ @{p_systemd}=unconfined @{p_systemd_user}=unconfined +# Name of the dbus daemon profiles +@{p_dbus_system}=dbus-system +@{p_dbus_session}=dbus-session +@{p_dbus_accessibility}=dbus-accessibility + # vim:syntax=apparmor diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index f207e58a2..fad901581 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md @@ -85,7 +85,7 @@ For DBus, try to determine peer's label when possible. E.g.: dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-session), + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), ``` If there is no predictable label it can be omitted. From b36a980461b64898be980d8d0a9ba8dbb328bb54 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 13 Nov 2024 12:31:17 +0000 Subject: [PATCH 22/76] ci(github): set local tunable for github actions. --- .github/workflows/main.yml | 1 + tests/github.local | 9 +++++++++ 2 files changed, 10 insertions(+) create mode 100644 tests/github.local diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 27c8e3d85..59449cb4c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -97,6 +97,7 @@ jobs: - name: Install apparmor.d run: | + sudo install -Dm0644 tests/github.local /etc/apparmor.d/tunables/global.d/github.local sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true sudo systemctl restart apparmor.service diff --git a/tests/github.local b/tests/github.local new file mode 100644 index 000000000..b4119bc56 --- /dev/null +++ b/tests/github.local @@ -0,0 +1,9 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Local tunables addition for bats integration tests on Github Action + +@{p_dbus_system}+=unconfined +@{p_dbus_session}+=unconfined +@{p_dbus_accessibility}+=unconfined From c5367943cbe71ad82d8c405f5ddc60fb2510645e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 13 Nov 2024 12:37:02 +0000 Subject: [PATCH 23/76] fix(profile): ensure useradd can fully populate the skelleton. --- apparmor.d/profiles-s-z/useradd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index 5768f1343..d27a34207 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -53,7 +53,7 @@ profile useradd @{exec_path} { # To create user dirs and copy files from /etc/skel/ to them @{HOME}/ rw, - @{HOME}/.** w, + @{HOME}/** wl, @{HOME}/**/ r, /var/lib/*/{,*} rw, /etc/skel/{,.**} r, From 1467c2c1aa434ae82c2ba3b916d26a3965249e40 Mon Sep 17 00:00:00 2001 
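Review bot: The three `+=` assignments assume `@{p_dbus_system}`, `@{p_dbus_session}` and `@{p_dbus_accessibility}` are already defined when `tunables/global.d/github.local` is parsed, and as far as I know apparmor_parser rejects `+=` on a variable that has not been declared; whether `global.d` is included after `multiarch.d/profiles`, where these are first assigned, is not visible in this chunk, so it is worth confirming once against the tunable include order. Since the file widens every `label="@{p_dbus_*}"` peer constraint to also accept unconfined peers, a line such as `# CI only: the runner's dbus daemons are unconfined; must not ship in a package` under the existing description would make the scope of the relaxation explicit.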
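Review bot: `@{HOME}/** wl,` now grants link permission on every path under every home directory, and neither the hunk nor the commit message says what needs `l`; if it is for skeleton entries that are hard links, a comment such as `# 'l' recreates hard links found in /etc/skel` on that line would justify it. The unchanged context line `/etc/skel/{,.**} r,` still matches only the directory itself and dotfiles, so if the point of this change is non-dot entries in the skeleton, the read side would presumably also need `/etc/skel/{,**} r,`, unless a rule outside the hunk already covers it. The `useradd` profile body continues outside the hunk.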
From: Alexandre Pujol Date: Wed, 13 Nov 2024 13:31:06 +0000 Subject: [PATCH 24/76] fix(profile): minor fixes. --- apparmor.d/profiles-g-l/ip | 8 +++++--- apparmor.d/profiles-s-z/sync | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 56c6f5f5e..bcb521c01 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -20,11 +20,13 @@ profile ip @{exec_path} flags=(attach_disconnected) { network netlink raw, - mount options=(rw, rshared) -> @{run}/netns/, - mount options=(rw, rslave) -> /, + mount fstype=sysfs -> /sys/, + mount options=(rw bind) / -> @{run}/netns/*, + mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/, mount options=(rw, bind) @{att}/ -> @{run}/netns/*, mount options=(rw, bind) /etc/netns/*/resolv.conf -> /etc/resolv.conf, - mount fstype=sysfs -> /sys/, + mount options=(rw, rshared) -> @{run}/netns/, + mount options=(rw, rslave) -> /, umount @{run}/netns/*, umount /sys/, diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync index 85a408df8..9b47b4df2 100644 --- a/apparmor.d/profiles-s-z/sync +++ b/apparmor.d/profiles-s-z/sync @@ -14,7 +14,7 @@ profile sync @{exec_path} { @{exec_path} mr, # All paths where sync can be used to flush all write operations on a single file to disk - /** rw, + /{,**} rw, include if exists } From 87f6c116f1ea016f19b41842c774ea73ce37ec2f Mon Sep 17 00:00:00 2001 
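Review bot: `mount options=(rw bind) / -> @{run}/netns/*,` permits bind-mounting the root directory onto the netns entries, a broader source than the neighbouring `@{att}/ -> @{run}/netns/*` rule; if `/` is simply how the nsfs source shows up in the denial, a comment saying so (e.g. `# nsfs source is reported as /`) would stop a later cleanup from tightening it into a rule that no longer matches. As a point of style, the new lines use `options=(rw bind)` while the lines kept around them use `options=(rw, bind)`; one separator for the whole block reads better. The `ip` profile body continues outside the hunk.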
From: Alexandre Pujol Date: Tue, 19 Nov 2024 19:04:27 +0000 Subject: [PATCH 25/76] feat: profiles and integration tests improvments. Add the udbus variable to be used in `unix bind` rule for dbus. --- apparmor.d/abstractions/app/sudo | 8 ++++---- apparmor.d/abstractions/app/systemctl | 2 +- apparmor.d/abstractions/attached/base | 2 ++ apparmor.d/groups/_full/systemd-user | 4 ++-- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/bus/dbus-system | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/network/ModemManager | 8 ++++++-- apparmor.d/groups/network/NetworkManager | 9 +++++++-- apparmor.d/groups/network/netplan.script | 16 ++++++++++++++-- apparmor.d/groups/network/nm-online | 1 + apparmor.d/groups/network/nmcli | 4 ++++ apparmor.d/groups/ssh/ssh-keygen | 1 + apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/systemd/busctl | 2 +- apparmor.d/groups/systemd/hostnamectl | 1 + apparmor.d/groups/systemd/networkctl | 2 +- apparmor.d/groups/systemd/systemd-analyze | 2 +- apparmor.d/groups/systemd/systemd-cgls | 2 +- apparmor.d/groups/systemd/systemd-homed | 3 +++ apparmor.d/groups/systemd/systemd-hostnamed | 2 +- apparmor.d/groups/systemd/systemd-localed | 2 +- apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-oomd | 2 +- apparmor.d/groups/systemd/systemd-timedated | 2 +- apparmor.d/groups/systemd/systemd-timesyncd | 2 +- apparmor.d/groups/systemd/systemd-update-utmp | 2 +- .../groups/systemd/systemd-user-runtime-dir | 2 +- apparmor.d/groups/ubuntu/update-notifier | 4 ++-- apparmor.d/profiles-g-l/login | 2 +- apparmor.d/profiles-m-r/needrestart-apt-pinvoke | 2 ++ apparmor.d/profiles-m-r/qemu-ga | 2 +- apparmor.d/profiles-s-z/snapd | 2 +- apparmor.d/profiles-s-z/sudo | 2 -- apparmor.d/profiles-s-z/udisksd | 4 ++++ apparmor.d/tunables/multiarch.d/system | 3 +++ docs/development/directives.md | 2 +- 
tests/bats/homectl.bats | 1 + tests/bats/snap.bats | 1 - tests/bats/systemd-id128.bats | 6 ------ tests/requirements.sh | 2 +- 43 files changed, 81 insertions(+), 47 deletions(-) diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 385ded540..4c7de6ba5 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -24,10 +24,10 @@ network netlink raw, # PAM - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.logi1.Manager - member=CreateSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + unix bind type=stream addr=@@{udbus}/bus/sudo/system, + + #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index 7857f9921..8489bb275 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -10,7 +10,7 @@ ptrace read peer=@{p_systemd}, - unix bind type=stream addr=@@{hex16}/bus/systemctl/, + unix bind type=stream addr=@@{udbus}/bus/systemctl/, @{bin}/systemctl mr, diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 1f37de00d..9a53d1548 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -7,8 +7,10 @@ abi , + @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, + deny /apparmor/.null rw, deny @{att}/apparmor/.null rw, include if exists diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 32228f21b..919c53457 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user 
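Review bot: Replacing the single `member=CreateSession` send rule with `#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind` widens sudo's reach on login1 from one method to, as I understand the directive, generated send and receive rules over the whole name, and the new `home1` talk line grants the same breadth towards systemd-homed; if PAM needs only `CreateSession` and the equivalent homed calls, explicit `dbus send` rules with `member=` would keep the abstraction at least privilege. Note in passing that the removed rule used `org.freedesktop.logi1.Manager`, so it can never have matched; the commit message could say that the directive also fixes that. `@{udbus}` on the new `unix bind` line is introduced in `tunables/multiarch.d/system` per the diffstat, in a hunk outside this chunk, so its value cannot be checked here.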
@@ -32,8 +32,8 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { ptrace read peer=@{p_systemd}, - unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system, - unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user, + unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system, + unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 9d7ba9b7b..eb94791d7 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -34,7 +34,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-*, - unix (bind) type=stream addr=@@{hex16}/bus/apt/system, + unix (bind) type=stream addr=@@{udbus}/bus/apt/system, unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index e4f6b61ea..d0fdad4b7 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -33,7 +33,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { signal (send) peer=apt-methods-http, - unix type=stream addr=@@{hex16}/bus/unattended-upgr/system, + unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, @{exec_path} mr, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 6ef4e44ea..e4eef2753 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -33,7 +33,7 @@ profile dbus-system flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, - #aa:dbus own bus=system name=org.freedesktop.DBus + #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} @{exec_path} mrix, 
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 4ca2b21b6..59e6df788 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -47,7 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal (send) set=hup peer=xorg, signal (send) set=hup peer=xwayland, - unix (bind) type=stream addr=@@{hex16}/bus/gdm-session-wor/system, + unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system, #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 8ac535f16..b92ad8e68 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -25,9 +25,13 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, + @{run}/udev/data/+pnp:* r, + @{run}/udev/data/+serial*:* r, @{run}/udev/data/+usb:* r, + @{run}/udev/data/+vmbus:* r, @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @@ -43,9 +47,9 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/tty/ r, @{sys}/class/wwan/ r, - @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/revision r, - @{sys}/devices/virtual/net/*/ r, + @{sys}/devices/**/net/*/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/tty/*/ r, include if exists diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index de4644bdd..de3a180bb 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager 
@@ -47,6 +47,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + dbus send bus=system path=/org/freedesktop/nm_dispatcher + interface=org.freedesktop.nm_dispatcher + peer=(name=org.freedesktop.nm_dispatcher), + dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects @@ -128,10 +132,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+rfkill:* r, @{run}/udev/data/n@{int} r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, + @{sys}/devices/**/@{uuid}/net/*/{,**} r, + @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/net/{,**} r, @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script index 7f558a1c4..989f2ee09 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan.script @@ -12,6 +12,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { include include + network netlink raw, + @{exec_path} mr, @{lib}/netplan/generate rix, 
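Review bot: The added `dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher peer=(name=org.freedesktop.nm_dispatcher),` has neither `member=` nor a peer `label=`, so any process holding that bus name is an acceptable peer for every method on the interface, while the directive two lines above already pins the same name to `label=nm-dispatcher`. If the extra rule is needed because the rules generated from the directive do not cover some call (for instance one made while the dispatcher is still being activated), a comment such as `# unlabelled: <reason observed in the audit log>` would explain the widening; otherwise it duplicates the directive and should go. The `NetworkManager` profile body continues outside the hunk.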
@@ -22,15 +24,25 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { /etc/netplan/{,*} r, - @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw, + @{run}/netplan/ r, + + @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf{,.@{rand6}} rw, @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw, + + @{run}/systemd/network/ r, + @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw, @{run}/systemd/system/ r, @{run}/systemd/system/netplan-* rw, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/ r, + @{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw, @{run}/systemd/system/systemd-networkd.service.wants/ rw, @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw, + @{run}/udev/rules.d/ r, - @{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw, + @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, + + @{sys}/devices/**/net/*/address r, profile udevadm { include diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 27a511dc4..189afd74d 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -11,6 +11,7 @@ profile nm-online @{exec_path} { include include include + include dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.NetworkManager.Connection.Active diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index a964ab958..43a9d0dca 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli 
@@ -9,10 +9,14 @@ include @{exec_path} = @{bin}/nmcli profile nmcli @{exec_path} { include + include + include capability dac_read_search, capability sys_nice, + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + @{exec_path} mr, @{pager_path} rPx -> child-pager, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 05a21d41f..14cbd3c87 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -22,6 +22,7 @@ profile ssh-keygen @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, /tmp/snapd@{int}/*_*{,.pub} w, + /tmp/snapd@{int}/*.key{,.pub} w, /dev/tty@{int} rw, /dev/ttyS@{int} rw, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 2f704fb37..b4ecc068e 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -53,7 +53,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { ptrace (read,trace) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/sshd/system, + unix (bind) type=stream addr=@@{udbus}/bus/sshd/system, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 3cea03c9c..6516a500c 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -22,7 +22,7 @@ profile busctl @{exec_path} { ptrace (read), - unix (bind) type=stream addr=@@{hex16}/bus/busctl/busctl, + unix (bind) type=stream addr=@@{udbus}/bus/busctl/busctl, signal (send) set=(cont) peer=child-pager, diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 91fc31b51..2429d235e 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -10,6 +10,7 @@ include profile hostnamectl @{exec_path} { include include + include include capability net_admin, 
diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index dee55195d..a4bab2be3 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -24,7 +24,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/networkctl/system, + unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd # No label available diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 65feae3f2..039f8dc64 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -22,7 +22,7 @@ profile systemd-analyze @{exec_path} { signal (send) peer=child-pager, - unix bind type=stream addr=@@{hex16}/bus/systemd-analyze/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-analyze/system, #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index 9bfde3e6e..33191171e 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -19,7 +19,7 @@ profile systemd-cgls @{exec_path} { signal send set=cont peer=child-pager, - unix bind type=stream addr=@@{hex16}/bus/systemd-cgls/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-cgls/system, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index 5fe748abd..205012cd2 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed 
@@ -35,6 +35,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { mount options=(rw, rslave) -> @{run}/, mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/, + unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, + #aa:dbus own bus=system name=org.freedesktop.home1 @{exec_path} mr, @@ -61,6 +63,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{run}/systemd/home/{,**} rw, @{run}/systemd/userdb/io.systemd.home r, @{run}/systemd/user-home-mount/{,**} rw, + @{run}/systemd/notify w, @{sys}/bus/ r, @{sys}/fs/ r, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 46786c659..cd77b9826 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -18,7 +18,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { network unix stream, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-hostnam/system, #aa:dbus own bus=system name=org.freedesktop.hostname1 diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 058c59db4..205d8a55f 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -14,7 +14,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include include - unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 6b01f5147..f7e0af838 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind 
@@ -29,7 +29,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system, #aa:dbus own bus=system name=org.freedesktop.login1 diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index f38564ae1..3eaedfaac 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -27,7 +27,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { network packet dgram, network packet raw, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-network/bus-api-network, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, #aa:dbus own bus=system name=org.freedesktop.network1 diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 912888664..d16c67f7d 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability kill, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom, #aa:dbus own bus=system name=org.freedesktop.oom1 diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index dd964f3b1..e070afe4e 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-timedat/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-timedat/system, #aa:dbus own bus=system name=org.freedesktop.timedate1 
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 9f9136bca..b603b2411 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -21,7 +21,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-timesyn/bus-api-timesync, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync, unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none), #aa:dbus own bus=system name=org.freedesktop.timesync1 diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 8703709c4..9d512b495 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -17,7 +17,7 @@ profile systemd-update-utmp @{exec_path} { network netlink raw, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-update-/, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-update-/, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 84dfb27ee..9c7fe975b 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -25,7 +25,7 @@ profile systemd-user-runtime-dir @{exec_path} { mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, - unix (bind) type=stream addr=@@{hex16}/bus/systemd-user-ru/system, + unix (bind) type=stream addr=@@{udbus}/bus/systemd-user-ru/system, @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 36fae9ce3..4ffaf60e0 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
@@ -22,7 +22,7 @@ profile update-notifier @{exec_path} {
include
include
- unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user,
+ unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user,
#aa:dbus talk bus=system name=org.debian.apt label=apt
#aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell
@@ -87,7 +87,7 @@ profile update-notifier @{exec_path} {
include
include
- unix (bind) type=stream addr=@@{hex16}/bus/systemctl/system,
+ unix (bind) type=stream addr=@@{udbus}/bus/systemctl/system,
dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
index cbaac35b7..9b32614a9 100644
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@@ -32,7 +32,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
signal (send) set=(hup term),
- unix type=stream addr=@@{hex16}/bus/login/system,
+ unix type=stream addr=@@{udbus}/bus/login/system,
ptrace read,
diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
index 0a9e1dc33..5f3912105 100644
--- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
+++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
@@ -13,6 +13,8 @@ profile needrestart-apt-pinvoke @{exec_path} {
include
include
+ capability dac_read_search,
+
@{exec_path} mr,
@{sh_path} rix,
diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga
index 5bf8fceb8..7e63560ec 100644
--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@@ -21,7 +21,7 @@ profile qemu-ga @{exec_path} {
ptrace (read) peer=@{p_systemd},
- unix type=stream addr=@@{hex16}/bus/shutdown/system,
+ unix type=stream addr=@@{udbus}/bus/shutdown/system,
#aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index d51c65d4d..63a1568b5 100644
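Review bot: `capability dac_read_search,` is added to needrestart-apt-pinvoke with no comment recording which access needed it, and this capability lets the process bypass read and search permission checks on every file, which is far broader than the handful of file rules the profile otherwise carries. The convention visible elsewhere in this series is a trailing reason on a broad or surprising rule (compare `deny network netlink raw, # file_inherit` in apparmor_parser), so something like `capability dac_read_search, # needed for: <path from the denial> — TODO confirm` would let the grant be re-examined later. If the denial came from one root-owned path, check whether an explicit file rule covers it before keeping the capability. The profile body continues outside the hunk.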
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -50,7 +50,7 @@ profile snapd @{exec_path} {
ptrace (read) peer=snap,
ptrace (read) peer=@{p_systemd},
- unix (bind) type=stream addr=@@{hex16}/bus/systemctl/,
+ unix (bind) type=stream addr=@@{udbus}/bus/systemctl/,
dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index ca9f66d27..1e6748235 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -31,8 +31,6 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
signal (send) set=(winch) peer=pacman,
signal (send) set=(winch, hup, term) peer=rpm,
- unix bind type=stream addr=@@{hex16}/bus/sudo/system/,
-
@{bin}/@{shells} rUx,
@{lib}/** PUx,
/opt/*/** PUx,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 530373efd..9155adf84 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -113,9 +113,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{run}/cryptsetup/ r,
@{run}/cryptsetup/L* rwk,
+ @{run}/udev/data/+acpi:* r, # for acpi
@{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
@{run}/udev/data/+platform:* r,
@{run}/udev/data/+scsi:* r,
+ @{run}/udev/data/+vmbus:* r,
@{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
@{sys}/bus/ r,
@@ -128,6 +130,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
@{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
@{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw,
@{sys}/devices/@{pci}/uevent r,
+ @{sys}/devices/**/net/*/ r,
+ @{sys}/devices/**/uevent r,
@{sys}/devices/virtual/bdi/**/read_ahead_kb r,
@{sys}/devices/virtual/block/*/{,**} rw,
@{sys}/devices/virtual/block/loop@{int}/uevent rw,
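Review bot: The new `@{sys}/devices/**/uevent r,` in the second udisksd hunk subsumes the existing `@{sys}/devices/@{pci}/uevent r,` two lines above it, which is now dead, and `@{sys}/devices/**/net/*/ r,` lets a storage daemon list every network device directory under sysfs without a word on why. Both are read-only sysfs so the exposure is small, but the file already annotates its udev rules with reasons (`# Identifies all PCI devices ...` in the first hunk), so the net rule deserves the same treatment, e.g. `@{sys}/devices/**/net/*/ r, # TODO: record which udisks operation enumerates network devices`, and the redundant PCI-only uevent rule should either go or be kept deliberately with a comment. The profile body continues outside the hunk.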
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 0dc816899..78bb73b03 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -122,6 +122,9 @@
# Dbus unique name
@{busname}=:1.@{u16} :not.active.yet
+# Unix dbus address prefix
+@{udbus}=@{hex15} @{hex16}
+
# Universally unique identifier
@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}
diff --git a/docs/development/directives.md b/docs/development/directives.md
index 53c7e7dcd..841bc6608 100644
--- a/docs/development/directives.md
+++ b/docs/development/directives.md
@@ -140,7 +140,7 @@ The `exec` directive is useful to allow executing transitions to a profile witho
include
capability dac_override,
capability kill,
- unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom,
+ unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom,
#aa:dbus own bus=system name=org.freedesktop.oom1
/etc/systemd/oomd.conf r,
/etc/systemd/oomd.conf.d/{,**} r,
diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats
index 2fee79079..2ce622147 100644
--- a/tests/bats/homectl.bats
+++ b/tests/bats/homectl.bats
@@ -7,6 +7,7 @@ load common
setup_file() {
aa_setup
+ skip
}
# bats test_tags=homectl
diff --git a/tests/bats/snap.bats b/tests/bats/snap.bats
index a54dda828..ef6a292da 100644
--- a/tests/bats/snap.bats
+++ b/tests/bats/snap.bats
@@ -7,7 +7,6 @@ load common
setup_file() {
aa_setup
- skip
}
# bats test_tags=snap
diff --git a/tests/bats/systemd-id128.bats b/tests/bats/systemd-id128.bats
index 3b18bd032..9a9def4da 100644
--- a/tests/bats/systemd-id128.bats
+++ b/tests/bats/systemd-id128.bats
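Review bot: `@{udbus}=@{hex15} @{hex16}` accepts two widths without saying why, and since every `unix ... addr=@@{udbus}/bus/...` rule in this series now also matches a 15-digit abstract socket name, a reader cannot tell whether this is a loosening or a fix for a real denial. Presumably the random bus id is printed without zero padding so a leading zero yields 15 hex digits; if that is confirmed, put it in the comment, e.g. `# Unix dbus address prefix: random id printed without zero padding, so 15 or 16 hex digits`. The `:not.active.yet` alternative on `@{busname}` just above is the same kind of special case with no note either, so a one-line justification here would set the pattern for both.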
@@ -27,12 +27,6 @@ setup_file() { aa_check } -# bats test_tags=systemd-id128 -@test "systemd-id128: Print the identifier of the current service invocation (this is available in systemd services)" { - systemd-id128 invocation-id - aa_check -} - # bats test_tags=systemd-id128 @test "systemd-id128: Generate a new random identifier and print it as a UUID (five groups of digits separated by hyphens)" { systemd-id128 new --uuid diff --git a/tests/requirements.sh b/tests/requirements.sh index 91adc0031..c12f9249c 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -19,7 +19,7 @@ arch) ;; debian | ubuntu | whonix) sudo apt-get install -y \ - cpuid dfc systemd-userdbd + cpuid dfc systemd-userdbd systemd-homed tlp ;; opensuse*) ;; From a6225df9c9aabbdde7966738dd3d0d03d4130170 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 19:34:04 +0000 Subject: [PATCH 26/76] ci(github): restart some services to ensure they are confined. --- .github/workflows/main.yml | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 59449cb4c..89b0039ac 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -15,6 +15,7 @@ jobs: build: runs-on: ${{ matrix.os }} + needs: check strategy: matrix: os: 
@@ -93,19 +94,42 @@ jobs:
sudo apt-get install -y \
apparmor-profiles apparmor-utils \
bats bats-support
- bash tests/requirements.sh
- name: Install apparmor.d
run: |
- sudo install -Dm0644 tests/github.local /etc/apparmor.d/tunables/global.d/github.local
sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
sudo systemctl restart apparmor.service
+ - name: Restart some services to ensure they are confined
+ run: |
+ services=(
+ containerd cron
+ dbus docker
+ ModemManager multipathd
+ networkd-dispatcher
+ packagekit polkit
+ snapd
+ systemd-journald systemd-hostnamed systemd-logind systemd-networkd
+ systemd-resolved systemd-udevd
+ udisks2
+ )
+ sudo systemctl daemon-reload
+ for service in "${services[@]}"; do
+ sudo systemctl restart "$service" || systemctl status "$service.service" || true
+ done
+ sudo ps auxZ | grep -v '\[.*\]'
+ sudo aa-log -s --raw
+
+ - name: Install integration dependencies
+ run: |
+ bash tests/requirements.sh
+
- name: Run the bats integration tests
run: |
make bats
- - name: Show final AppArmor logs
+ - name: Show final AppArmor logs and processes security context
if: always()
run: |
sudo aa-log -s --raw
+ sudo ps auxZ | grep -v '\[.*\]'
From 57aa1b7459928a0cb6f64a4ddd55008595214167 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 19:49:22 +0000 Subject: [PATCH 27/76] fix(profile): minor improvment to ensure tests passes. --- apparmor.d/groups/apt/apt | 4 +++- apparmor.d/groups/apt/apt-methods-file | 3 ++- apparmor.d/groups/apt/apt-methods-mirror | 1 + apparmor.d/groups/bus/dbus-system | 3 +++ apparmor.d/profiles-a-f/apparmor_parser | 1 + 5 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index eb94791d7..369dd3bbd 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
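Review bot: The restart loop `sudo systemctl restart "$service" || systemctl status "$service.service" || true` swallows every failure, so a service that does not come back, or a unit that does not exist on one matrix image, can never fail a step that is named "ensure they are confined", and the `sudo ps auxZ` listing that follows is only printed, never checked. If the `|| true` is there because some listed units are absent on some images, skip absent units explicitly, let a real restart error fail the job, and verify the AppArmor label of each service's main PID rather than leaving it to whoever reads the log. The same hunk also drops the `sudo install -Dm0644 tests/github.local ...` line without a mention in the commit message; if that tunable override is no longer needed, saying so would help. The enclosing job definition starts outside the hunk.
```yaml
          for service in "${services[@]}"; do
            # skip units this image does not ship instead of hiding every failure
            systemctl cat "$service" >/dev/null 2>&1 || { echo "skip $service (no unit)"; continue; }
            sudo systemctl restart "$service"
            pid=$(systemctl show -p MainPID --value "$service")
            [[ "$pid" == 0 ]] && continue   # no long-running main process to inspect
            label=$(sudo cat "/proc/$pid/attr/current")
            echo "$service: $label"
            [[ "$label" != unconfined* ]] || { echo "::error::$service is unconfined"; exit 1; }
          done
          # … unchanged: ps auxZ and aa-log output …
```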
@@ -34,7 +34,9 @@ profile apt @{exec_path} flags=(attach_disconnected) {
signal (send) peer=apt-methods-*,
- unix (bind) type=stream addr=@@{udbus}/bus/apt/system,
+ unix bind type=stream addr=@@{udbus}/bus/apt-get/system,
+ unix bind type=stream addr=@@{udbus}/bus/apt/system,
+ unix (send, receive) type=stream peer=(label=apt-esm-json-hook),
unix (send, receive) type=stream peer=(label=snapd),
diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file
index 6d3e9d408..3c2489a32 100644
--- a/apparmor.d/groups/apt/apt-methods-file
+++ b/apparmor.d/groups/apt/apt-methods-file
@@ -30,8 +30,9 @@ profile apt-methods-file @{exec_path} {
@{lib}/apt/apt-helper rix,
- /etc/apt/apt.conf.d/{,*} r,
+ /etc/apt/apt-mirrors.txt r,
/etc/apt/apt.conf r,
+ /etc/apt/apt.conf.d/{,*} r,
/etc/apt/mirrors/* r,
/usr/share/dpkg/cputable r,
diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror
index 5acecd67a..d8e3adce3 100644
--- a/apparmor.d/groups/apt/apt-methods-mirror
+++ b/apparmor.d/groups/apt/apt-methods-mirror
@@ -28,6 +28,7 @@ profile apt-methods-mirror @{exec_path} {
@{exec_path} mr,
+ /etc/apt/apt-mirrors.txt r,
/etc/apt/mirrors/* r,
# For shell pwd
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index e4eef2753..a569a7342 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -34,6 +34,9 @@ profile dbus-system flags=(attach_disconnected) {
ptrace (read) peer=@{p_systemd},
#aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus}
+ dbus receive bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ peer=(name=@{busname}),
@{exec_path} mrix,
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index b2c181042..19c0f6902 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
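Review bot: The hand-written `dbus receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus peer=(name=@{busname})` in dbus-system constrains the peer but carries no `member=`, so any connection may call any method of that interface; that is the bus daemon's own API, so accepting everything is probably intended, but the `#aa:dbus own` directive on the line above is what normally generates the receive side for the owned name. If the directive's output does not cover peers addressed by unique name, say so next to the rule, e.g. `# peer is the caller's unique name, not covered by #aa:dbus own`, otherwise the next cleanup will fold the rule back into the directive and reintroduce the denial. The profile body continues outside the hunk.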
@@ -45,6 +45,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
owner @{PROC}/@{pid}/mounts r,
deny network netlink raw, # file_inherit
+ deny /apparmor/.null rw,
include if exists
}
From d48ef023bcdb2ec282b4ee047de7fb338531fd60 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 20:00:04 +0000 Subject: [PATCH 28/76] ci(github): split the final step in two. --- .github/workflows/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 89b0039ac..c7a76f871 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -128,8 +128,12 @@ jobs:
run: |
make bats
- - name: Show final AppArmor logs and processes security context
+ - name: Show final AppArmor logs
if: always()
run: |
sudo aa-log -s --raw
+
+ - name: Show final processes security context
+ if: always()
+ run: |
sudo ps auxZ | grep -v '\[.*\]'
From 7c96657860d4566ea2293e5fc81e0d931b2c282e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 20:44:34 +0000 Subject: [PATCH 29/76] fix: missing @{udbus} in unix bind. --- apparmor.d/groups/systemd/hostnamectl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl
index 2429d235e..3107d2d8e 100644
--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@@ -15,7 +15,7 @@ profile hostnamectl @{exec_path} {
capability net_admin,
- unix bind type=stream addr=@@{hex16}/bus/hostnamectl/system,
+ unix bind type=stream addr=@@{udbus}/bus/hostnamectl/system,
#aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
From 971d9daaf22d5185d6d6bdd2d0f66a34b640813b Mon Sep 17 00:00:00 2001
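Review bot: `deny /apparmor/.null rw,` silences an access without recording where it comes from, while the line directly above it, `deny network netlink raw, # file_inherit`, shows this file's convention of tagging every deny with its cause. The profile carries `attach_disconnected`, so this is presumably the apparmorfs null device showing up as a disconnected path; if that is confirmed, write it down: `deny /apparmor/.null rw, # apparmorfs null device, seen as a disconnected path`. Without the comment a bare deny under `/apparmor/` reads as if a real filesystem were involved, and the next maintainer has nothing to check the rule against.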
From: Alexandre Pujol Date: Tue, 19 Nov 2024 21:27:04 +0000 Subject: [PATCH 30/76] tests: cleanup the basic structure of integration tests. --- tests/bats/aa-enforce.bats | 8 ------ tests/bats/aa-status.bats | 14 ---------- tests/bats/blkid.bats | 8 ------ tests/bats/chsh.bats | 9 ------ tests/bats/common.bash | 12 +++++++- tests/bats/cpuid.bats | 10 ------- tests/bats/df.bats | 14 ---------- tests/bats/dfc.bats | 12 -------- tests/bats/fc-cache.bats | 11 -------- tests/bats/fc-list.bats | 6 ---- tests/bats/flatpak.bats | 18 ------------ tests/bats/gpgconf.bats | 14 ---------- tests/bats/groupadd.bats | 12 -------- tests/bats/groups.bats | 8 ------ tests/bats/homectl.bats | 16 ----------- tests/bats/hostnamectl.bats | 7 ----- tests/bats/id.bats | 15 ---------- tests/bats/ip.bats | 43 +++++++++++++++-------------- tests/bats/lsblk.bats | 20 -------------- tests/bats/lscpu.bats | 10 ------- tests/bats/lspci.bats | 14 ---------- tests/bats/lsusb.bats | 10 ------- tests/bats/ps.bats | 16 ----------- tests/bats/pstree.bats | 10 ------- tests/bats/snap.bats | 18 ------------ tests/bats/sync.bats | 8 ------ tests/bats/systemd-ac-power.bats | 8 ------ tests/bats/systemd-analyze.bats | 11 +------- tests/bats/systemd-cat.bats | 8 ------ tests/bats/systemd-cgls.bats | 10 ------- tests/bats/systemd-detect-virt.bats | 9 +++--- tests/bats/systemd-id128.bats | 12 -------- tests/bats/systemd-sysusers.bats | 10 ------- tests/bats/uname.bats | 20 -------------- tests/bats/upower.bats | 10 ------- tests/bats/uptime.bats | 12 -------- tests/bats/useradd.bats | 17 ------------ tests/bats/userdbctl.bats | 14 ---------- tests/bats/users.bats | 8 ------ tests/bats/uuidd.bats | 11 -------- tests/bats/uuidgen.bats | 9 ------ tests/bats/w.bats | 8 ------ tests/bats/who.bats | 10 ------- tests/cmd/main.go | 7 ++++- tests/cmd/tests.go | 13 +++------ 45 files changed, 49 insertions(+), 501 deletions(-) 
diff --git a/tests/bats/aa-enforce.bats b/tests/bats/aa-enforce.bats index 05f311ca1..d6b549b1e 100644 --- a/tests/bats/aa-enforce.bats +++ b/tests/bats/aa-enforce.bats @@ -10,26 +10,18 @@ setup_file() { skip } -# bats test_tags=aa-enforce @test "aa-enforce: Disable profile" { sudo aa-disable pass - aa_check } -# bats test_tags=aa-enforce @test "aa-enforce: Enforce a profile" { sudo aa-enforce pass - aa_check } -# bats test_tags=aa-enforce @test "aa-enforce: Complain a profile" { sudo aa-complain pass - aa_check } -# bats test_tags=aa-enforce @test "aa-enforce: Audit a profile" { sudo aa-audit pass - aa_check } diff --git a/tests/bats/aa-status.bats b/tests/bats/aa-status.bats index 8adcd1580..fbfb6667d 100644 --- a/tests/bats/aa-status.bats +++ b/tests/bats/aa-status.bats @@ -5,36 +5,22 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=aa-status @test "aa-status: Check status" { sudo aa-status - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded policies" { sudo aa-status --profiled - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded enforicing policies" { sudo aa-status --enforced - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded non-enforcing policies" { sudo aa-status --complaining - aa_check } -# bats test_tags=aa-status @test "aa-status: Display the number of loaded enforcing policies that kill tasks" { sudo aa-status --kill - aa_check } diff --git a/tests/bats/blkid.bats b/tests/bats/blkid.bats index 65160f188..6dcf4b4d7 100644 --- a/tests/bats/blkid.bats +++ b/tests/bats/blkid.bats @@ -5,18 +5,10 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=blkid @test "blkid: List all partitions" { sudo blkid - aa_check } -# bats test_tags=blkid @test "blkid: List all partitions in a table, including current mountpoints" { sudo blkid -o list - aa_check } 
diff --git a/tests/bats/chsh.bats b/tests/bats/chsh.bats
index f66eb1f97..a9f5a6978 100644
--- a/tests/bats/chsh.bats
+++ b/tests/bats/chsh.bats
@@ -5,24 +5,15 @@
load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=chsh
@test "chsh: [l]ist available shells" {
chsh --list-shells || true
- aa_check
}
-# bats test_tags=chsh
@test "chsh: Set a specific login [s]hell for the current user" {
echo "$PASSWORD" | chsh --shell /usr/bin/bash
- aa_check
}
# bats test_tags=chsh
@test "chsh: Set a login [s]hell for a specific user" {
sudo chsh --shell /usr/bin/sh root
- aa_check
}
diff --git a/tests/bats/common.bash b/tests/bats/common.bash
index f99c3c197..556ef871b 100644
--- a/tests/bats/common.bash
+++ b/tests/bats/common.bash
@@ -105,8 +105,18 @@ aa_check() {
now=$(date +%s)
duration=$((now - _START + 1))
logs=$(aa-log --raw --systemd --since "-${duration}s")
+ aa_start
if [[ -n "$logs" ]]; then
fail "profile $PROGRAM raised logs: $logs"
fi
- aa_start
}
+
+# Bats setup and teardown hooks
+
+setup_file() {
+ aa_setup
+}
+
+teardown() {
+ aa_check
+}
diff --git a/tests/bats/cpuid.bats b/tests/bats/cpuid.bats
index 1b1226e2b..0fe2da6ac 100644
--- a/tests/bats/cpuid.bats
+++ b/tests/bats/cpuid.bats
@@ -5,24 +5,14 @@
load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=cpuid
@test "cpuid: Display information for all CPUs" {
cpuid
- aa_check
}
-# bats test_tags=cpuid
@test "cpuid: Display information only for the current CPU" {
cpuid -1
- aa_check
}
-# bats test_tags=cpuid
@test "cpuid: Display raw hex information with no decoding" {
cpuid -r
- aa_check
}
diff --git a/tests/bats/df.bats b/tests/bats/df.bats
index ea9d3f44f..a97ad53cb 100644
--- a/tests/bats/df.bats
+++ b/tests/bats/df.bats
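Review bot: The `setup_file`/`teardown` hooks added to common.bash are silently overridden by any `.bats` file that still defines its own (homectl.bats in this same series keeps a `setup_file` that calls `aa_setup` and then `skip`), and a file that later adds a hook without calling `aa_setup` would run with `_START` unset, at which point `duration=$((now - _START + 1))` in `aa_check` becomes `now + 1` and the `aa-log --since` window covers the whole journal. A comment above the hooks should state the contract, e.g. `# Default hooks. A .bats file that defines its own setup_file must call aa_setup itself.` Moving `aa_start` ahead of `fail` is the right fix, since `fail` does not return; note that `teardown` also runs after a skipped test, so `aa_check` must tolerate being called when no test body ran, which I cannot confirm from here because `aa_setup`/`aa_start` are outside the hunk.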
@@ -5,36 +5,22 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=df @test "df: Display all filesystems and their disk usage" { df - aa_check } -# bats test_tags=df @test "df: Display all filesystems and their disk usage in human-readable form" { df -h - aa_check } -# bats test_tags=df @test "df: Display the filesystem and its disk usage containing the given file or directory" { df apparmor.d/ - aa_check } -# bats test_tags=df @test "df: Include statistics on the number of free inodes" { df --inodes - aa_check } -# bats test_tags=df @test "df: Display filesystem types" { df --print-type - aa_check } diff --git a/tests/bats/dfc.bats b/tests/bats/dfc.bats index 8a1d18918..56871f16c 100644 --- a/tests/bats/dfc.bats +++ b/tests/bats/dfc.bats @@ -5,30 +5,18 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=dfc @test "dfc: Display filesystems and their disk usage in human-readable form with colors and graphs" { dfc - aa_check } -# bats test_tags=dfc @test "dfc: Display all filesystems including pseudo, duplicate and inaccessible filesystems" { dfc -a - aa_check } -# bats test_tags=dfc @test "dfc: Display filesystems without color" { dfc -c never - aa_check } -# bats test_tags=dfc @test "dfc: Display filesystems containing "ext" in the filesystem type" { dfc -t ext - aa_check } diff --git a/tests/bats/fc-cache.bats b/tests/bats/fc-cache.bats index 7ad92d94c..05b8f1930 100644 --- a/tests/bats/fc-cache.bats +++ b/tests/bats/fc-cache.bats @@ -5,25 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=fc-cache @test "fc-cache: Generate font cache files" { fc-cache - aa_check } -# bats test_tags=fc-cache @test "fc-cache: Force a rebuild of all font cache files, without checking if cache is up-to-date" { fc-cache -f - aa_check } -# bats test_tags=fc-cache @test "fc-cache: Erase font cache files, then generate new font cache files" { fc-cache -r - aa_check } - 
diff --git a/tests/bats/fc-list.bats b/tests/bats/fc-list.bats index b85b1037e..52ed43885 100644 --- a/tests/bats/fc-list.bats +++ b/tests/bats/fc-list.bats @@ -5,12 +5,6 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=fc-list @test "fc-list: Return a list of installed fonts in your system" { fc-list - aa_check } diff --git a/tests/bats/flatpak.bats b/tests/bats/flatpak.bats index 23647c932..e549e01ad 100644 --- a/tests/bats/flatpak.bats +++ b/tests/bats/flatpak.bats @@ -5,48 +5,30 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=flatpak @test "flatpak: List installed applications, ignoring runtimes" { flatpak list --app - aa_check } -# bats test_tags=flatpak @test "flatpak: Install an application from a remote source" { flatpak install --noninteractive org.vim.Vim - aa_check } -# bats test_tags=flatpak @test "flatpak: Show information about an installed application" { flatpak info org.vim.Vim - aa_check } -# bats test_tags=flatpak @test "flatpak: Run an installed application" { flatpak run org.vim.Vim - aa_check } -# bats test_tags=flatpak @test "flatpak: Update all installed applications and runtimes" { flatpak update --noninteractive - aa_check } -# bats test_tags=flatpak @test "flatpak: Remove an installed application" { flatpak remove --noninteractive org.vim.Vim - aa_check } -# bats test_tags=flatpak @test "flatpak: Remove all unused applications" { flatpak remove --unused - aa_check } diff --git a/tests/bats/gpgconf.bats b/tests/bats/gpgconf.bats index 7d522d859..7155c5aa9 100644 --- a/tests/bats/gpgconf.bats +++ b/tests/bats/gpgconf.bats 
@@ -5,44 +5,30 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=gpgconf @test "gpgconf: List all components" { gpgconf --list-components - aa_check } -# bats test_tags=gpgconf @test "gpgconf: List the directories used by gpgconf" { gpgconf --list-dirs - aa_check } -# bats test_tags=gpgconf @test "gpgconf: List all options of a component" { gpgconf --list-options gpg gpgconf --list-options gpgsm gpgconf --list-options gpg-agent gpgconf --list-options scdaemon || true gpgconf --list-options dirmngr - aa_check } -# bats test_tags=gpgconf @test "gpgconf: List programs and test whether they are runnable" { gpgconf --check-programs || true - aa_check } -# bats test_tags=gpgconf @test "gpgconf: Reload a component" { gpgconf --reload gpg gpgconf --reload gpgsm gpgconf --reload gpg-agent gpgconf --reload scdaemon || true gpgconf --reload dirmngr - aa_check } diff --git a/tests/bats/groupadd.bats b/tests/bats/groupadd.bats index f55579591..cbc0aa57e 100644 --- a/tests/bats/groupadd.bats +++ b/tests/bats/groupadd.bats @@ -5,32 +5,20 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=groupadd @test "groupadd: Create a new group" { sudo groupadd user2 - aa_check } -# bats test_tags=groupadd @test "groupadd: Create a new system group" { sudo groupadd --system system2 - aa_check } -# bats test_tags=groupadd @test "groupadd: Create a new group with the specific groupid" { sudo groupadd --gid 3000 user3 - aa_check } -# bats test_tags=groupadd @test "groupdel: Delete newly created group" { sudo groupdel user2 sudo groupdel system2 sudo groupdel user3 - aa_check } diff --git a/tests/bats/groups.bats b/tests/bats/groups.bats index 829e2393f..60bf6ea45 100644 --- a/tests/bats/groups.bats +++ b/tests/bats/groups.bats 
@@ -5,19 +5,11 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=groups @test "groups: Print group memberships for the current user" { groups - aa_check } -# bats test_tags=groups @test "groups: Print group memberships for a list of users" { groups root - aa_check } diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats index 2ce622147..32ff3e575 100644 --- a/tests/bats/homectl.bats +++ b/tests/bats/homectl.bats @@ -10,50 +10,34 @@ setup_file() { skip } -# bats test_tags=homectl @test "homectl: Display help" { homectl --no-pager --help - aa_check } -# bats test_tags=homectl @test "homectl: Create a user account and their associated home directory" { sudo homectl create user2 - aa_check } -# bats test_tags=homectl @test "homectl: List user accounts and their associated home directories" { homectl list - aa_check } -# bats test_tags=homectl @test "homectl: Change the password for a specific user" { sudo homectl passwd user2 - aa_check } -# bats test_tags=homectl @test "homectl: Run a shell or a command with access to a specific home directory" { sudo homectl with user2 -- ls -al /home/user2 - aa_check } -# bats test_tags=homectl @test "homectl: Lock or unlock a specific home directory" { sudo homectl lock user2 - aa_check } -# bats test_tags=homectl @test "homectl: Change the disk space assigned to a specific home directory to 100 GiB" { sudo homectl resize user2 1G - aa_check } -# bats test_tags=homectl @test "homectl: Remove a specific user and the associated home directory" { sudo homectl remove user2 - aa_check } diff --git a/tests/bats/hostnamectl.bats b/tests/bats/hostnamectl.bats index dd4102575..2c15658ad 100644 --- a/tests/bats/hostnamectl.bats +++ b/tests/bats/hostnamectl.bats 
@@ -5,21 +5,14 @@ load common -setup() { - aa_setup -} - -# bats test_tags=hostnamectl @test "hostnamectl: Get the hostname of the computer" { hostnamectl } -# bats test_tags=hostnamectl @test "hostnamectl: Get the location of the computer" { hostnamectl location } -# bats test_tags=hostnamectl @test "hostnamectl: Set the hostname of the computer" { name=$(hostnamectl hostname) sudo hostnamectl set-hostname "new" diff --git a/tests/bats/id.bats b/tests/bats/id.bats index 5a7b58c50..a09def4a9 100644 --- a/tests/bats/id.bats +++ b/tests/bats/id.bats @@ -5,41 +5,26 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=id @test "id: Display current user's ID (UID), group ID (GID) and groups to which they belong" { id - aa_check } -# bats test_tags=id @test "id: Display the current user identity" { id -un - aa_check } -# bats test_tags=id @test "id: Display the current user identity as a number" { id -u - aa_check } -# bats test_tags=id @test "id: Display the current primary group identity" { id -gn - aa_check } -# bats test_tags=id @test "id: Display the current primary group identity as a number" { id -g - aa_check } -# bats test_tags=id @test "id: Display an arbitrary user ID (UID), group ID (GID) and groups to which they belong" { id root } diff --git a/tests/bats/ip.bats b/tests/bats/ip.bats index 47f16ccde..6d5508c84 100644 --- a/tests/bats/ip.bats +++ b/tests/bats/ip.bats 
@@ -5,41 +5,42 @@
load common
-setup_file() {
- aa_setup
-}
-
-# bats test_tags=ip
-@test "ip: List interfaces with detailed info" {
+@test "ip-address: List network interfaces and their associated IP addresses" {
ip address
- aa_check
}
-# bats test_tags=ip
-@test "ip: List interfaces with brief link layer info" {
- ip link
- aa_check
+@test "ip-address: Filter to show only active network interfaces" {
+ ip address show up
}
-# bats test_tags=ip
-@test "ip: Display the routing table" {
+@test "ip-route: Display the routing table" {
ip route
- aa_check
}
-# bats test_tags=ip
-@test "ip: Show neighbors (ARP table)" {
+@test "ip-route-get: Print route to a destination" {
+ ip route get 1.1.1.1
+}
+
+@test "ip link: Show information about all network interfaces" {
+ ip link
+}
+
+@test "ip neighbour: Display the neighbour/ARP table entries" {
ip neighbour
- aa_check
}
-# bats test_tags=ip
+@test "ip rule: Display the routing policy" {
+ ip rule show
+ ip rule list
+}
+
+@test "ip rule: Flush all deleted rules" {
+ ip rule flush
+}
+
@test "ip: Manage network namespace" {
sudo ip netns add foo
sudo ip netns list
sudo ip netns exec foo bash -c "pwd"
sudo ip netns delete foo
- aa_check
}
-
-
diff --git a/tests/bats/lsblk.bats b/tests/bats/lsblk.bats
index 4fecf42a5..4dc3e20b7 100644
--- a/tests/bats/lsblk.bats
+++ b/tests/bats/lsblk.bats
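Review bot: The new `ip rule flush` test is destructive on the host it runs on: unprivileged it fails with EPERM and so fails the test, and with privilege it deletes the host's routing-policy rules (as far as I recall iproute2 keeps only the priority-0 local rule), leaving no lookup of the main table for every later CI step. Run it inside the namespace the last test already creates, `sudo ip netns exec foo ip rule flush`, or drop it; either way the title "Flush all deleted rules" does not describe what the command does and should read "Flush all routing policy rules". Note that `ip route get 1.1.1.1` needs a default route on the runner, which is fine on GitHub but worth a comment for local runs.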
@@ -5,54 +5,34 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=lsblk @test "lsblk: List all storage devices in a tree-like format" { lsblk - aa_check } -# bats test_tags=lsblk @test "lsblk: Also list empty devices" { lsblk -a - aa_check } -# bats test_tags=lsblk @test "lsblk: Print the SIZE column in bytes rather than in a human-readable format" { lsblk -b - aa_check } -# bats test_tags=lsblk @test "lsblk: Output info about filesystems" { lsblk -f - aa_check } -# bats test_tags=lsblk @test "lsblk: Use ASCII characters for tree formatting" { lsblk -i - aa_check } -# bats test_tags=lsblk @test "lsblk: Output info about block-device topology" { lsblk -t - aa_check } -# bats test_tags=lsblk @test "lsblk: Exclude the devices specified by the comma-separated list of major device numbers" { lsblk -e 1 - aa_check } -# bats test_tags=lsblk @test "lsblk: Display a customized summary using a comma-separated list of columns" { lsblk --output NAME,SERIAL,MODEL,TRAN,TYPE,SIZE,FSTYPE,MOUNTPOINT - aa_check } diff --git a/tests/bats/lscpu.bats b/tests/bats/lscpu.bats index ef09cfbb7..d09599065 100644 --- a/tests/bats/lscpu.bats +++ b/tests/bats/lscpu.bats @@ -5,24 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=lscpu @test "lscpu: Display information about all CPUs" { lscpu - aa_check } -# bats test_tags=lscpu @test "lscpu: Display information in a table" { lscpu --extended - aa_check } -# bats test_tags=lscpu @test "lscpu: Display only information about offline CPUs in a table" { lscpu --extended --offline - aa_check } diff --git a/tests/bats/lspci.bats b/tests/bats/lspci.bats index bc6ea2013..021906602 100644 --- a/tests/bats/lspci.bats +++ b/tests/bats/lspci.bats 
@@ -5,36 +5,22 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=lspci @test "lspci: Show a brief list of devices" { lspci - aa_check } -# bats test_tags=lspci @test "lspci: Display additional info" { lspci -v - aa_check } -# bats test_tags=lspci @test "lspci: Display drivers and modules handling each device" { lspci -k - aa_check } -# bats test_tags=lspci @test "lspci: Show a specific device" { lspci -s 00:00.0 - aa_check } -# bats test_tags=lspci @test "lspci: Dump info in a readable form" { lspci -vm - aa_check } diff --git a/tests/bats/lsusb.bats b/tests/bats/lsusb.bats index 8f646d89e..f5444fced 100644 --- a/tests/bats/lsusb.bats +++ b/tests/bats/lsusb.bats @@ -5,24 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=lsusb @test "lsusb: List all the USB devices available" { lsusb || true - aa_check } -# bats test_tags=lsusb @test "lsusb: List the USB hierarchy as a tree" { lsusb -t || true - aa_check } -# bats test_tags=lsusb @test "lsusb: List verbose information about USB devices" { lsusb --verbose || true - aa_check } diff --git a/tests/bats/ps.bats b/tests/bats/ps.bats index 4be301f7b..bcdfbe1b8 100644 --- a/tests/bats/ps.bats +++ b/tests/bats/ps.bats @@ -5,42 +5,26 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=ps @test "ps: List all running processes" { ps aux - aa_check } -# bats test_tags=ps @test "ps: List all running processes including the full command string" { ps auxww - aa_check } -# bats test_tags=ps @test "ps: List all processes of the current user in extra full format" { ps --user "$(id -u)" -F - aa_check } -# bats test_tags=ps @test "ps: List all processes of the current user as a tree" { ps --user "$(id -u)" -f - aa_check } -# bats test_tags=ps @test "ps: Get the parent PID of a process" { ps -o ppid= -p 1 - aa_check } -# bats test_tags=ps @test "ps: Sort processes by memory consumption" { ps auxww --sort size - aa_check } 
diff --git a/tests/bats/pstree.bats b/tests/bats/pstree.bats index e3ed5fa80..23094478c 100644 --- a/tests/bats/pstree.bats +++ b/tests/bats/pstree.bats @@ -5,25 +5,15 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=pstree @test "pstree: Display a tree of processes" { pstree - aa_check } -# bats test_tags=pstree @test "pstree: Display a tree of processes with PIDs" { pstree -p - aa_check } -# bats test_tags=pstree @test "pstree: Display all process trees rooted at processes owned by specified user" { pstree root - aa_check } diff --git a/tests/bats/snap.bats b/tests/bats/snap.bats index ef6a292da..1eff200a8 100644 --- a/tests/bats/snap.bats +++ b/tests/bats/snap.bats @@ -5,48 +5,30 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=snap @test "snap: Search for a package" { snap find vim - aa_check } -# bats test_tags=snap @test "snap: Install a package" { sudo snap install nano-strict - aa_check } -# bats test_tags=snap @test "snap: Update a package to another channel (track, risk, or branch)" { sudo snap refresh nano-strict --channel=edge - aa_check } -# bats test_tags=snap @test "snap: Update all packages" { sudo snap refresh - aa_check } -# bats test_tags=snap @test "snap: Display basic information about installed snap software" { sudo snap list - aa_check } -# bats test_tags=snap @test "snap: Check for recent snap changes in the system" { sudo snap changes - aa_check } -# bats test_tags=snap @test "snap: Uninstall a package" { sudo snap remove nano-strict - aa_check } diff --git a/tests/bats/sync.bats b/tests/bats/sync.bats index fba657ff7..9f2e26885 100644 --- a/tests/bats/sync.bats +++ b/tests/bats/sync.bats @@ -5,18 +5,10 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=sync @test "sync: Flush all pending write operations on all disks" { sync - aa_check } -# bats test_tags=sync @test "sync: Flush all pending write operations on a single file to disk" { sudo sync / - aa_check } 
diff --git a/tests/bats/systemd-ac-power.bats b/tests/bats/systemd-ac-power.bats index 78f68d13a..30019825a 100644 --- a/tests/bats/systemd-ac-power.bats +++ b/tests/bats/systemd-ac-power.bats @@ -5,19 +5,11 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-ac-power @test "systemd-ac-power: Report whether we are connected to an external power source." { systemd-ac-power || true - aa_check } -# bats test_tags=systemd-ac-power @test "systemd-ac-power: Check if battery is discharging and low" { systemd-ac-power --low || true - aa_check } diff --git a/tests/bats/systemd-analyze.bats b/tests/bats/systemd-analyze.bats index 3f6144a78..6bb275bb6 100644 --- a/tests/bats/systemd-analyze.bats +++ b/tests/bats/systemd-analyze.bats @@ -5,25 +5,16 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-analyze @test "systemd-analyze: List all running units, ordered by the time they took to initialize" { systemd-analyze --no-pager blame - aa_check } -# bats test_tags=systemd-analyze @test "systemd-analyze: Print a tree of the time-critical chain of units" { systemd-analyze --no-pager critical-chain - aa_check } -# bats test_tags=systemd-analyze @test "systemd-analyze: Show security scores of running units" { systemd-analyze --no-pager security - aa_check } + diff --git a/tests/bats/systemd-cat.bats b/tests/bats/systemd-cat.bats index 595a6002d..da634982a 100644 --- a/tests/bats/systemd-cat.bats +++ b/tests/bats/systemd-cat.bats @@ -5,18 +5,10 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-cat @test "systemd-cat: Write the output of the specified command to the journal (both output streams are captured)" { systemd-cat pwd - aa_check } -# bats test_tags=systemd-cat @test "systemd-cat: Write the output of a pipeline to the journal (`stderr` stays connected to the terminal)" { echo apparmor.d-test-suite | systemd-cat - aa_check } 
diff --git a/tests/bats/systemd-cgls.bats b/tests/bats/systemd-cgls.bats index b5bb89de6..dca00b62a 100644 --- a/tests/bats/systemd-cgls.bats +++ b/tests/bats/systemd-cgls.bats @@ -5,25 +5,15 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-cgls @test "systemd-cgls: Display the whole control group hierarchy on your system" { systemd-cgls --no-pager - aa_check } -# bats test_tags=systemd-cgls @test "systemd-cgls: Display a control group tree of a specific resource controller" { systemd-cgls --no-pager io - aa_check } -# bats test_tags=systemd-cgls @test "systemd-cgls: Display the control group hierarchy of one or more systemd units" { systemd-cgls --no-pager --unit systemd-logind - aa_check } diff --git a/tests/bats/systemd-detect-virt.bats b/tests/bats/systemd-detect-virt.bats index 0ea5fae35..41150ef7f 100644 --- a/tests/bats/systemd-detect-virt.bats +++ b/tests/bats/systemd-detect-virt.bats @@ -3,23 +3,24 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# bats test_tags=systemd-detect-virt +load common + @test "systemd-detect-virt: List detectable virtualization technologies" { systemd-detect-virt --list } # bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Detect virtualization, print the result and return a zero status code when running in a VM or a container, and a non-zero code otherwise" { - systemd-detect-virt + systemd-detect-virt || true } # bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Silently check without printing anything" { - systemd-detect-virt --quiet + systemd-detect-virt --quiet || true } # bats test_tags=systemd-detect-virt @test "systemd-detect-virt: Only detect hardware virtualization" { - systemd-detect-virt --vm + systemd-detect-virt --vm || true } diff --git a/tests/bats/systemd-id128.bats b/tests/bats/systemd-id128.bats index 9a9def4da..67bf5907d 100644 --- a/tests/bats/systemd-id128.bats +++ b/tests/bats/systemd-id128.bats 
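Review bot: `|| true` on the three changed systemd-detect-virt tests accepts every exit status, so an exec denied by AppArmor, a missing binary or a crash passes exactly like the legitimate "no virtualization detected" result, which is the one outcome these profile tests exist to distinguish. systemd-detect-virt documents a non-zero status for "not virtualized" (1 in practice), so pin the accepted codes instead, e.g. `run systemd-detect-virt` followed by `[ "$status" -eq 0 ] || [ "$status" -eq 1 ]`, and the same for the `--quiet` and `--vm` variants. The `# bats test_tags=systemd-detect-virt` lines above those tests are kept here while every sibling file in this commit removes them, which looks like an oversight.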
@@ -5,31 +5,19 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-id128 @test "systemd-id128: Generate a new random identifier" { systemd-id128 new - aa_check } -# bats test_tags=systemd-id128 @test "systemd-id128: Print the identifier of the current machine" { systemd-id128 machine-id - aa_check } -# bats test_tags=systemd-id128 @test "systemd-id128: Print the identifier of the current boot" { systemd-id128 boot-id - aa_check } -# bats test_tags=systemd-id128 @test "systemd-id128: Generate a new random identifier and print it as a UUID (five groups of digits separated by hyphens)" { systemd-id128 new --uuid - aa_check } diff --git a/tests/bats/systemd-sysusers.bats b/tests/bats/systemd-sysusers.bats index f4230d6b6..0816fd45e 100644 --- a/tests/bats/systemd-sysusers.bats +++ b/tests/bats/systemd-sysusers.bats @@ -5,24 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=systemd-sysusers @test "systemd-sysusers: Print the contents of all configuration files (before each file, its name is printed as a comment)" { systemd-sysusers --cat-config - aa_check } -# bats test_tags=systemd-sysusers @test "systemd-sysusers: Process configuration files and print what would be done without actually doing anything" { systemd-sysusers --dry-run - aa_check } -# bats test_tags=systemd-sysusers @test "systemd-sysusers: Create users and groups from all configuration file" { sudo systemd-sysusers - aa_check } diff --git a/tests/bats/uname.bats b/tests/bats/uname.bats index 683cef111..8723b9fe8 100644 --- a/tests/bats/uname.bats +++ b/tests/bats/uname.bats 
@@ -5,55 +5,35 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=uname @test "uname: Print all information" { uname --all - aa_check } -# bats test_tags=uname @test "uname: Print the current kernel name" { uname --kernel-name - aa_check } -# bats test_tags=uname @test "uname: Print the current network node host name" { uname --nodename - aa_check } -# bats test_tags=uname @test "uname: Print the current kernel release" { uname --kernel-release - aa_check } -# bats test_tags=uname @test "uname: Print the current kernel version" { uname --kernel-version - aa_check } -# bats test_tags=uname @test "uname: Print the current machine hardware name" { uname --machine - aa_check } -# bats test_tags=uname @test "uname: Print the current processor type" { uname --processor - aa_check } -# bats test_tags=uname @test "uname: Print the current operating system name" { uname --operating-system - aa_check } diff --git a/tests/bats/upower.bats b/tests/bats/upower.bats index 73afc18e6..3917621b8 100644 --- a/tests/bats/upower.bats +++ b/tests/bats/upower.bats @@ -5,25 +5,15 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=upower @test "upower: Display power and battery information" { upower --dump - aa_check } -# bats test_tags=upower @test "upower: List all power devices" { upower --enumerate - aa_check } -# bats test_tags=upower @test "upower: Display version" { upower --version - aa_check } diff --git a/tests/bats/uptime.bats b/tests/bats/uptime.bats index 846342f47..7b64e8d2c 100644 --- a/tests/bats/uptime.bats +++ b/tests/bats/uptime.bats 
@@ -5,31 +5,19 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=uptime @test "uptime: Print current time, uptime, number of logged-in users and other information" { uptime - aa_check } -# bats test_tags=uptime @test "uptime: Show only the amount of time the system has been booted for" { uptime --pretty - aa_check } -# bats test_tags=uptime @test "uptime: Print the date and time the system booted up at" { uptime --since - aa_check } -# bats test_tags=uptime @test "uptime: Display version" { uptime --version - aa_check } diff --git a/tests/bats/useradd.bats b/tests/bats/useradd.bats index 833e01606..5ac024f15 100644 --- a/tests/bats/useradd.bats +++ b/tests/bats/useradd.bats @@ -5,45 +5,28 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=useradd @test "useradd: Create a new user with the specified shell" { sudo useradd --shell /bin/bash --create-home user2 - aa_check } -# bats test_tags=useradd @test "useradd: Create a new user with the specified user ID" { sudo useradd --uid 3000 user3 - aa_check } -# bats test_tags=useradd @test "useradd: Create a new user belonging to additional groups (mind the lack of whitespace)" { sudo useradd --groups adm user4 - aa_check } - -# bats test_tags=useradd @test "useradd: Create a new system user without the home directory" { sudo useradd --system sys2 - aa_check } -# bats test_tags=userdel @test "userdel: Remove a user" { sudo userdel user3 sudo userdel user4 sudo userdel sys2 - aa_check } -# bats test_tags=userdel @test "userdel: Remove a user along with the home directory and mail spool" { sudo userdel --remove user2 - aa_check } diff --git a/tests/bats/userdbctl.bats b/tests/bats/userdbctl.bats index 6169de44b..065dba5f5 100644 --- a/tests/bats/userdbctl.bats +++ b/tests/bats/userdbctl.bats 
@@ -5,37 +5,23 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=userdbctl @test "userdbctl: List all known user records" { userdbctl --no-pager user - aa_check } -# bats test_tags=userdbctl @test "userdbctl: Show details of a specific user" { userdbctl --no-pager user "$USER" - aa_check } -# bats test_tags=userdbctl @test "userdbctl: List all known groups" { userdbctl --no-pager group - aa_check } -# bats test_tags=userdbctl @test "userdbctl: Show details of a specific group" { sudo userdbctl --no-pager group "$USER" - aa_check } -# bats test_tags=userdbctl @test "userdbctl: List all services currently providing user/group definitions to the system" { userdbctl --no-pager services - aa_check } diff --git a/tests/bats/users.bats b/tests/bats/users.bats index 097870abf..8f8ad383d 100644 --- a/tests/bats/users.bats +++ b/tests/bats/users.bats @@ -5,19 +5,11 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=users @test "users: Print logged in usernames" { users - aa_check } -# bats test_tags=users @test "users: Print logged in usernames according to a given file" { users /var/log/wmtp - aa_check } diff --git a/tests/bats/uuidd.bats b/tests/bats/uuidd.bats index e13653e3e..9e3ac5ef0 100644 --- a/tests/bats/uuidd.bats +++ b/tests/bats/uuidd.bats @@ -5,25 +5,14 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=uuidd @test "uuidd: Generate a random UUID" { uuidd --random - aa_check } -# bats test_tags=uuidd @test "uuidd: Generate a bulk number of random UUIDs" { uuidd --random --uuids 10 - aa_check } -# bats test_tags=uuidd @test "uuidd: Generate a time-based UUID, based on the current time and MAC address of the system" { uuidd --time - aa_check } - diff --git a/tests/bats/uuidgen.bats b/tests/bats/uuidgen.bats index 8caa41862..eb6465c04 100644 --- a/tests/bats/uuidgen.bats +++ b/tests/bats/uuidgen.bats 
@@ -5,19 +5,10 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=uuidgen @test "uuidgen: Create a random UUIDv4" { uuidgen --random - aa_check } -# bats test_tags=uuidgen @test "uuidgen: Create a UUIDv1 based on the current time" { uuidgen --time - aa_check } - diff --git a/tests/bats/w.bats b/tests/bats/w.bats index 7f358aac7..1b97ba445 100644 --- a/tests/bats/w.bats +++ b/tests/bats/w.bats @@ -5,18 +5,10 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=w @test "w: Display information about all users who are currently logged in" { w - aa_check } -# bats test_tags=w @test "w: Display information about a specific user" { w root - aa_check } diff --git a/tests/bats/who.bats b/tests/bats/who.bats index f8aaf5a17..c05995d0e 100644 --- a/tests/bats/who.bats +++ b/tests/bats/who.bats @@ -5,25 +5,15 @@ load common -setup_file() { - aa_setup -} - -# bats test_tags=who @test "who: Display the username, line, and time of all currently logged-in sessions" { who - aa_check } -# bats test_tags=who @test "who: Display all available information" { who -a - aa_check } -# bats test_tags=who @test "who: Display all available information with table headers" { who -a -H - aa_check } diff --git a/tests/cmd/main.go b/tests/cmd/main.go index 5ca948196..eb88de1ec 100644 --- a/tests/cmd/main.go +++ b/tests/cmd/main.go @@ -68,7 +68,6 @@ func run() error { if err != nil { return err } - tests = tests.Filter() if err := cfg.BatsDir.RemoveAll(); err != nil { return err @@ -76,6 +75,12 @@ func run() error { if err := cfg.BatsDir.MkdirAll(); err != nil { return err } + if err := cfg.BatsDir.Join("profiled").MkdirAll(); err != nil { + return err + } + if err := cfg.BatsDir.Join("unprofiled").MkdirAll(); err != nil { + return err + } for _, test := range tests { if err := test.Write(cfg.BatsDir); err != nil { return err diff --git a/tests/cmd/tests.go b/tests/cmd/tests.go index 2d37324ea..1c5f55aee 100644 --- a/tests/cmd/tests.go +++ b/tests/cmd/tests.go 
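Review bot: Dropping `tests = tests.Filter()` presumably stops the generator from skipping commands that are not installed on the host (tests.go still defines `IsInstalled`), so a run on a host missing one of the binaries will now fail with "command not found" inside bats instead of being skipped. If that is intended as part of the profiled/unprofiled split, the skip belongs in the generated test (a `command -v` check in `setup()` that calls `skip`) and the commit message should say so. The two new `MkdirAll` calls are fine, but a one-line comment such as `// tests are split by HasProfile(); see Test.Write` would tie them to the matching change in tests.go. `run` starts and ends outside the hunk.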
@@ -20,16 +20,10 @@ const tmplTest = `#!/usr/bin/env bats # SPDX-License-Identifier: GPL-2.0-only load common - -setup_file() { - aa_setup -} {{ $name := .Name -}} {{ range .Commands }} -# bats test_tags={{ $name }} @test "{{ $name }}: {{ .Description }}" { {{ .Cmd }} - aa_check } {{ end }} ` @@ -77,13 +71,14 @@ func (t Test) IsInstalled() bool { } func (t Test) Write(dir *paths.Path) error { + dstDir := dir.Join("profiled") if !t.HasProfile() { - return nil + dstDir = dir.Join("unprofiled") } + path := dstDir.Join(t.Name + ".bats") - path := dir.Join(t.Name + ".bats") if paths.New("tests/bats").Join(t.Name + ".bats").Exist() { - path = dir.Join("00." + t.Name + ".bats") + path = dstDir.Join("00." + t.Name + ".bats") } content := renderBatsFile(t) if err := path.WriteFile([]byte(content)); err != nil { From 0720a67f2784eb0da9c8ccc2f8a1631674c31775 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 21:13:25 +0000 Subject: [PATCH 31/76] tests: cleanup the basic structure of integration tests. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 685649112..b56d69c63 100644 --- a/Makefile +++ b/Makefile @@ -113,7 +113,7 @@ check: .PHONY: bats bats: - @bats --print-output-on-failure tests/bats/ + @bats --pretty --print-output-on-failure tests/bats/ .PHONY: manual manual: From 6dfa033444c93e241dbf3a9ea1a21bdbfc71ba39 Mon Sep 17 00:00:00 2001 From: odomingao Date: Mon, 18 Nov 2024 12:27:33 -0300 Subject: [PATCH 32/76] Update sysctl --- apparmor.d/profiles-s-z/sysctl | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl index 6dd12a023..849aeb687 100644 --- a/apparmor.d/profiles-s-z/sysctl +++ b/apparmor.d/profiles-s-z/sysctl @@ -15,6 +15,7 @@ profile sysctl @{exec_path} { capability net_admin, capability sys_admin, + capability sys_ptrace, capability sys_resource, @{exec_path} mr, 
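Review bot: The template in this hunk drops `aa_setup` and `aa_check` from every generated test, so unless `load common` now performs the denial check from a `setup`/`teardown` hook, a generated test passes even when the command produced AppArmor denials, which is what these tests exist to catch; the commit message does not say where that check moved, and it should. In `Write`, the new `unprofiled` destination means tests are now emitted for commands without a profile, which deserves a comment on `dstDir` stating that these run unconfined and why they are kept, e.g. `// unprofiled tests are still generated so a command gains coverage as soon as its profile lands`. `paths.New("tests/bats")` is resolved against the working directory, so the `00.` override silently does nothing when the generator is run from anywhere but the repository root; derive it from `cfg` or document the requirement. `Write` continues past the end of the hunk.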
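Review bot: `capability sys_ptrace` is a broad grant for the sysctl profile — it allows tracing and reading the /proc state of other processes — and neither the hunk nor the one-line commit message "Update sysctl" says what triggered it. In AppArmor a `capability sys_ptrace` denial is often a by-product of reading another process's /proc/@{pid}/ entries as root, where a `ptrace read,` rule is usually what is actually needed; please quote the audit line in the commit and prefer the narrower rule if that is the case. If the capability really is required, a comment above the line naming the operation that needs it will stop the next reader from removing it. The `profile sysctl` block starts and ends outside the hunk.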
From e00c15146c664f031f05b74485069510c7edaa17 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 21:35:39 +0000 Subject: [PATCH 33/76] fix(ci): remove forced color from github action. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index b56d69c63..911bd4027 100644 --- a/Makefile +++ b/Makefile @@ -113,7 +113,7 @@ check: .PHONY: bats bats: - @bats --pretty --print-output-on-failure tests/bats/ + @bats --timing --print-output-on-failure tests/bats/ .PHONY: manual manual: From 0c6d888f9e04ab9f8c2946af3c1cfd461608025e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 21:49:03 +0000 Subject: [PATCH 34/76] fix(tests): missing sudo in ip integration test. --- tests/bats/ip.bats | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/bats/ip.bats b/tests/bats/ip.bats index 6d5508c84..163213fa3 100644 --- a/tests/bats/ip.bats +++ b/tests/bats/ip.bats @@ -35,7 +35,7 @@ load common } @test "ip rule: Flush all deleted rules" { - ip rule flush + sudo ip rule flush } @test "ip: Manage network namespace" { From e266638166882df6eda675c0915a04fd8d5bdf18 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 21:52:12 +0000 Subject: [PATCH 35/76] fix(profile): dhcpcd executes resolvconf fix #608 --- apparmor.d/groups/network/dhcpcd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index ebb861971..c1b5d04c5 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -35,6 +35,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cmp rix, @{bin}/mkdir rix, + @{bin}/resolvconf rPx, @{bin}/rm rix, @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, From 1dad5ab09c17cccc7ed047989a131f7034cb9929 Mon Sep 17 00:00:00 2001 
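Review bot: Adding `sudo` makes `ip rule flush` take effect on the machine running the suite: it deletes the host's routing-policy rules, which can break network access on a developer box or a self-hosted runner, and the test name "Flush all deleted rules" does not warn about that. The file's last test already creates a disposable namespace, so the same profile path can be exercised with no host side effects via `sudo ip netns exec foo ip rule flush` inside that test. If the test stays as is, a comment stating that it mutates host networking is the minimum.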
From: Alexandre Pujol Date: Tue, 19 Nov 2024 21:57:54 +0000 Subject: [PATCH 36/76] feat(abs): vulkan allow write access to builtin_shaders. See #577 --- apparmor.d/abstractions/vulkan-strict | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index edb258288..d4dd2fae6 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -19,6 +19,7 @@ owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/.goutputstream-@{rand6} rw, owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw, owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache + owner @{user_cache_dirs}/radv_builtin_shaders{32,64}@{rand6} w, owner @{user_share_dirs}/vulkan/ rw, owner @{user_share_dirs}/vulkan/implicit_layer.d/ rw, From 3c75243f1577d5c7b3b34380d616e51c312f46a0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 22:16:18 +0000 Subject: [PATCH 37/76] feat(abs): add the wine abstraction. --- apparmor.d/abstractions/wine | 20 ++++++++++++++++++++ apparmor.d/profiles-s-z/steam-game-proton | 9 +-------- 2 files changed, 21 insertions(+), 8 deletions(-) create mode 100644 apparmor.d/abstractions/wine diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine new file mode 100644 index 000000000..139b03450 --- /dev/null +++ b/apparmor.d/abstractions/wine 
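Review bot: The new `w` rule covers only the temporary name `radv_builtin_shaders{32,64}@{rand6}`, while the file it is presumably renamed onto, `radv_builtin_shaders{32,64}` on the line above, still has only `r`; AppArmor checks a rename against the destination as a write, so if Mesa follows the usual mkstemp-then-rename flow (the six random characters appended with no separator are consistent with mkstemp(3)) the rename will still be denied. If that is the flow, the existing line needs to become `owner @{user_cache_dirs}/radv_builtin_shaders{32,64} rw,` — confirm from the audit log. Either way a short comment on the new line, e.g. `# mkstemp temporary for the radv shader cache`, would explain why the suffix has no separator and stop a later "cleanup" from inserting one.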
@@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Basic set of resources for wine regardless of the installation method (system or through a game launcher). + + abi , + + owner @{user_share_dirs}/applications/wine/ rw, + owner @{user_share_dirs}/applications/wine/**/ rw, + + owner @{tmp}/.wine-@{uid}/ rw, + owner @{tmp}/.wine-@{uid}/** rwk, + + owner /dev/shm/wine-@{hex6}-fsync rw, + owner /dev/shm/wine-@{hex6}@{h}-fsync rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton index dfa8b84da..46f296c44 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -18,6 +18,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { include include include + include capability dac_override, capability dac_read_search, @@ -79,19 +80,11 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { owner @{share_dirs}/legacycompat/** mr, owner @{share_dirs}/steamapps/compatdata/{,**} rwk, - owner @{user_share_dirs}/applications/wine/ rw, - owner @{user_share_dirs}/applications/wine/**/ rw, - - owner @{tmp}/.wine-@{uid}/ rw, - owner @{tmp}/.wine-@{uid}/** rwk, owner @{tmp}/glx-icds-@{rand6}/{,**} w, owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} w, - owner /dev/shm/wine-@{hex6}-fsync rw, - owner /dev/shm/wine-@{hex6}@{h}-fsync rw, - @{run}/host/fonts/{,**} r, @{run}/host/share/{,**} r, @{run}/host/usr/{,**} r, From 354f6ee2508b3e959bce1b7215d05b6956a02d62 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 22:58:42 +0000 Subject: [PATCH 38/76] tests: remove hanged test --- tests/bats/ip.bats | 4 ---- 1 file changed, 4 deletions(-) 
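Review bot: As rendered here the `abi` and `include if exists` lines have lost their angle-bracketed targets (they read `abi ,` and `include if exists`), and the `include` lines in the steam-game-proton hunk below show the same stripping, so this is probably the page rather than the commit — still, please confirm the committed file carries the targets (e.g. `abi <abi/4.0>,` and `include if exists <abstractions/wine.d>`), since the parser rejects both lines as shown. The header comment promises a set valid "regardless of the installation method" but does not say what is deliberately left to the including profile — the wine prefix under the home directory and the wine executables are not here — and a note such as `# Wine prefixes and executables stay in the consuming profile.` would make that boundary explicit. `owner @{tmp}/.wine-@{uid}/** rwk` is broad, but it is exactly what steam-game-proton already had, so the move itself widens nothing.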
diff --git a/tests/bats/ip.bats b/tests/bats/ip.bats index 163213fa3..585d11b2d 100644 --- a/tests/bats/ip.bats +++ b/tests/bats/ip.bats @@ -34,10 +34,6 @@ load common ip rule list } -@test "ip rule: Flush all deleted rules" { - sudo ip rule flush -} - @test "ip: Manage network namespace" { sudo ip netns add foo sudo ip netns list From 1d41890a750de2a98166baed4b56ed56da633f72 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 23:07:41 +0000 Subject: [PATCH 39/76] feat(profile): general update. --- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/abstractions/common/bwrap | 7 +++++-- apparmor.d/groups/bus/dbus-accessibility | 4 ++++ apparmor.d/groups/bus/dbus-session | 4 ++++ apparmor.d/groups/bus/dbus-system | 1 + apparmor.d/groups/gnome/gnome-session | 3 +++ apparmor.d/groups/gnome/gnome-shell | 5 ++--- apparmor.d/groups/gnome/loupe | 2 +- .../groups/gnome/org.gnome.NautilusPreviewer | 2 +- apparmor.d/groups/network/networkd-dispatcher | 1 + apparmor.d/groups/pacman/yay | 1 + apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-m-r/mkinitramfs | 3 ++- apparmor.d/profiles-s-z/snap-seccomp | 2 ++ apparmor.d/profiles-s-z/spotify | 2 ++ apparmor.d/profiles-s-z/steam-game-proton | 1 + apparmor.d/profiles-s-z/tlp | 17 ++++++++++------- 17 files changed, 42 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index c749bf253..87865197e 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -101,7 +101,7 @@ owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/tmp-*.xpi rw, - owner @{tmp}/tmpaddon r, + owner @{tmp}/tmpaddon rw, owner @{tmp}/tmpaddon-@{int} r, owner /dev/shm/org.chromium.@{rand6} rw, diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index b5b119d0f..65bc2837f 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap 
@@ -44,8 +44,11 @@ owner /tmp/newroot/ w, owner /tmp/oldroot/ w, - @{PROC}/sys/kernel/overflowgid r, - @{PROC}/sys/kernel/overflowuid r, + @{PROC}/sys/kernel/overflowgid r, + @{PROC}/sys/kernel/overflowuid r, + @{PROC}/sys/user/max_user_namespaces r, + owner @{PROC}/@{pid}/fd/ r, + @{att}/@{PROC}/sys/user/max_user_namespaces rw, owner @{att}/@{PROC}/@{pid}/cgroup r, owner @{att}/@{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 1a4b83e2e..e8f0328a2 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -28,6 +28,10 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=accessibility name=org.freedesktop.DBus #aa:dbus own bus=session name=org.a11y.{B,b}us + dbus receive bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=Hello + peer=(name=@{busname}), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index ecec3cb49..014f7afd4 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -31,6 +31,10 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=xdg-*, #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus} + dbus receive bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=Hello + peer=(name=@{busname}), @{exec_path} mrix, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index a569a7342..0296a262f 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system 
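Review bot: `@{att}/@{PROC}/sys/user/max_user_namespaces rw` grants write access to a system-wide sysctl from an abstraction that every bwrap-using profile includes; bwrap only needs to read the limit to decide whether user namespaces are available, and the non-`@{att}` line added two lines earlier correctly says `r`. Unless an audit line shows an actual write, make the two agree: `@{att}/@{PROC}/sys/user/max_user_namespaces r,`. DAC on the root-owned file blocks the write for an unprivileged bwrap today, but a setuid bwrap or a future privileged includer would inherit the ability to change the namespace limit, and a profile should not lean on DAC to stay least-privilege.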
@@ -36,6 +36,7 @@ profile dbus-system flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} dbus receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus + member=Hello peer=(name=@{busname}), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index cf17391bc..798868271 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -17,6 +17,7 @@ profile gnome-session @{exec_path} { @{shells_path} rix, @{bin}/cat rix, + @{bin}/find rix, @{bin}/gettext rix, @{bin}/gettext.sh r, @{bin}/grep rix, @@ -32,6 +33,7 @@ profile gnome-session @{exec_path} { @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rPx, + @{bin}/xargs rix, @{bin}/dpkg-query rpx, @{bin}/flatpak rCx -> flatpak, @@ -57,6 +59,7 @@ profile gnome-session @{exec_path} { /etc/X11/Xsession.d/*im-config_launch r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 7cc739491..f52340d41 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -198,10 +198,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/libgweather/Locations.xml r, - /usr/share/libinput*/ r, - /usr/share/libinput*/{,**/}@{int2}-*.quirks r, - /usr/share/libinput*/libinput/ r, + /usr/share/libinput*/{,**} r, /usr/share/libwacom/{,*.stylus,*.tablet} r, + /usr/share/poppler/{,**} r, /usr/share/wallpapers/** r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xml/iso-codes/{,**} r, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 10853ea8f..75835395a 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe 
@@ -17,7 +17,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - signal (send) set=(kill) peer=loupe//bwrap, + signal send set=kill peer=loupe//bwrap, #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 2d06a9ab3..cdc563e07 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/org.gnome.NautilusPreviewer -profile org.gnome.NautilusPreviewer @{exec_path} { +profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index de8f9ccb0..632910933 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -26,6 +26,7 @@ profile networkd-dispatcher @{exec_path} { @{bin}/sed rix, @{lib}/networkd-dispatcher/routable.d/postfix rix, + @{lib}/NetworkManager/dispatcher.d/@{int}-chrony-onoffline rix, /etc/networkd-dispatcher/{,**} r, diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay index e101fc06f..52c2de345 100644 --- a/apparmor.d/groups/pacman/yay +++ b/apparmor.d/groups/pacman/yay @@ -84,6 +84,7 @@ profile yay @{exec_path} { @{bin}/gpg{,2} mr, @{bin}/gpg-agent rPx, + @{bin}/dirmngr rPx, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 2638ad0e3..5ae754138 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince 
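Review bot: Adding `flags=(attach_disconnected)` to org.gnome.NautilusPreviewer is not explained anywhere in this commit, and the flag weakens policy: paths disconnected from the namespace (typically inside a mount namespace set up by the program or a sandbox helper) are re-attached at `/` and then matched against every rule in the profile, so broad rules can end up covering files they were never meant to. Please record the denial that motivated it in the commit message and add a comment next to the flag, e.g. `# attach_disconnected: needed for <actual trigger>`, filled in with the real cause. If one specific disconnected path is involved, an `@{att}`-prefixed rule as used in the bwrap abstraction in this same commit may let you grant just that path instead. The profile body starts after the hunk ends.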
@@ -49,7 +49,7 @@ profile evince @{exec_path} { owner @{user_config_dirs}/evince/{,*} rw, owner @{tmp}/*.pdf r, - owner @{tmp}/evince-*/{,**} rw, + owner @{tmp}/evince-@{int}/{,**} rw, owner @{tmp}/gtkprint* rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 774dfa9f8..6585f6382 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -87,10 +87,11 @@ profile mkinitramfs @{exec_path} { /var/tmp/ r, /var/tmp/modules_@{rand6} rw, - /var/tmp/mkinitramfs_@{rand6}/@{lib}/modules/*/modules.{order,builtin} rw, owner /var/tmp/mkinitramfs_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/ rw, owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**, owner /var/tmp/mkinitramfs-@{rand6} rw, + owner /var/tmp/mkinitramfs-*_@{rand6} rw, @{sys}/devices/platform/ r, @{sys}/devices/platform/**/ r, diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp index 235ef2080..6b0917f8a 100644 --- a/apparmor.d/profiles-s-z/snap-seccomp +++ b/apparmor.d/profiles-s-z/snap-seccomp @@ -20,6 +20,8 @@ profile snap-seccomp @{exec_path} { @{lib_dirs}/**.so* mr, + @{bin}/getent rix, + /var/lib/snapd/seccomp/bpf/{,**} rw, owner @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 8ccbbf0f1..41219a4f8 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -26,6 +26,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sh_path} mr, @{bin}/grep rix, @{open_path} rPx -> child-open-strict, @@ -44,6 +45,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, @{PROC}/pressure/* r, + @{PROC}/@{pid}/net/unix r, owner @{PROC}/@{pid}/clear_refs w, /dev/tty rw, 
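Review bot: `@{PROC}/@{pid}/net/unix r,` in the spotify hunk carries no `owner` qualifier, while the neighbouring `owner @{PROC}/@{pid}/clear_refs w,` and the other `@{pid}` rules in this series (gnome-session, virt-manager) do; the project convention appears to be `owner @{PROC}/@{pid}/…` for the process's own entries and `@{PROC}/@{pids}/…` when any process is meant. As written the rule reads the unix-socket table under any pid. Suggest `owner @{PROC}/@{pid}/net/unix r,`, or `@{pids}` if cross-process access is really intended. The spotify profile continues outside the hunk.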
diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton index 46f296c44..ab82925a5 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -76,6 +76,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { owner @{share_dirs}/*.dll r, owner @{share_dirs}/bin/ r, + owner @{share_dirs}/installscriptevalutor_log.txt rw, owner @{share_dirs}/legacycompat/ r, owner @{share_dirs}/legacycompat/** mr, owner @{share_dirs}/steamapps/compatdata/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 0378e62fc..153ded880 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -45,7 +45,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/readlink rix, @{bin}/rm rix, @{bin}/sort rix, - @{bin}/systemctl rCx -> systemctl, + @{bin}/systemctl rCx -> systemctl, @{bin}/touch rix, @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, 
@@ -63,30 +63,33 @@ profile tlp @{exec_path} flags=(attach_disconnected) { /var/lib/tlp/{,**} rw, /var/lib/power-profiles-daemon/state.ini rw, + owner /tmp/tlp-run.conf_tmp@{rand6} rw, + owner @{run}/tlp/{,**} rw, owner @{run}/tlp/lock_tlp rwk, @{run}/udev/data/+platform:* r, + @{sys}/bus/pci/devices/ r, + @{sys}/devices/@{pci}/{,**/}power/control w, @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, - @{sys}/module/pcie_aspm/parameters/policy rw, - @{sys}/module/snd_hda_intel/parameters/power_save rw, - @{sys}/module/snd_hda_intel/parameters/power_save_controller rw, @{sys}/firmware/acpi/platform_profile* rw, @{sys}/firmware/acpi/pm_profile* rw, + @{sys}/module/*/parameters/power_save rw, + @{sys}/module/*/parameters/power_save_controller rw, + @{sys}/module/pcie_aspm/parameters/policy rw, owner @{PROC}/sys/fs/xfs/xfssyncd_centisecs rw, owner @{PROC}/sys/kernel/nmi_watchdog rw, owner @{PROC}/sys/vm/dirty_*_centisecs rw, owner @{PROC}/sys/vm/laptop_mode rw, - /dev/disk/by-id/ r, - /dev/tty rw, - profile systemctl { include include + capability net_admin, + include if exists } From 5840e590306158c346a94fbcfe4a16d786bed70d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Nov 2024 23:43:17 +0000 Subject: [PATCH 40/76] tests: enable the homectl tests. --- tests/bats/homectl.bats | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats index 32ff3e575..3d506f67c 100644 --- a/tests/bats/homectl.bats +++ b/tests/bats/homectl.bats @@ -5,11 +5,6 @@ load common -setup_file() { - aa_setup - skip -} - @test "homectl: Display help" { homectl --no-pager --help } From 97f4c51df30566926d6cea51e61c999eea78bd6e Mon Sep 17 00:00:00 2001 
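Review bot: `owner /tmp/tlp-run.conf_tmp@{rand6} rw,` hard-codes `/tmp/` where the other rules in this series (evince, spotify, needrestart-vmlinuz-get-version) use the `@{tmp}` tunable; suggest `owner @{tmp}/tlp-run.conf_tmp@{rand6} rw,`. The new `owner @{run}/tlp/{,**} rw,` already covers `owner @{run}/tlp/lock_tlp rwk,` apart from the `k` permission, so the older rule could shrink to `k` or gain a comment saying why both stay. `@{sys}/module/*/parameters/power_save rw,` widens the two previous snd_hda_intel rules to every module's parameter, which is fine if that is what tlp actually touches but deserves a comment. `capability net_admin,` inside the `systemctl` child profile is unexpected for systemctl — a comment naming the denial that motivated it would help the next reader. The enclosing tlp profile ends outside the hunk.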
From: Alexandre Pujol Date: Wed, 20 Nov 2024 00:08:26 +0000 Subject: [PATCH 41/76] tests: add dmesg.bats --- apparmor.d/profiles-a-f/dmesg | 2 +- tests/bats/dmesg.bats | 30 ++++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 tests/bats/dmesg.bats diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg index 68fa13298..6abc40c37 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/profiles-a-f/dmesg @@ -17,7 +17,7 @@ profile dmesg @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{pager_path} rPx -> child-pager, /usr/share/terminfo/** r, diff --git a/tests/bats/dmesg.bats b/tests/bats/dmesg.bats new file mode 100644 index 000000000..722b3204b --- /dev/null +++ b/tests/bats/dmesg.bats @@ -0,0 +1,30 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "dmesg: Show kernel messages" { + sudo dmesg +} + +@test "dmesg: Show kernel error messages" { + sudo dmesg --level err +} + +@test "dmesg: Show how much physical memory is available on this system" { + sudo dmesg | grep -i memory +} + +@test "dmesg: Show kernel messages with a timestamp (available in kernels 3.5.0 and newer)" { + sudo dmesg -T +} + +@test "dmesg: Show kernel messages in human-readable form (available in kernels 3.5.0 and newer)" { + sudo dmesg -H +} + +@test "dmesg: Colorize output (available in kernels 3.5.0 and newer)" { + sudo dmesg -L +} From 9711d43537fb856a1a4f883beb74bbeca9352202 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 20 Nov 2024 00:11:57 +0000 Subject: [PATCH 42/76] tests: ensure systemd-homed is started before the homectl test. --- tests/bats/homectl.bats | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/bats/homectl.bats b/tests/bats/homectl.bats index 3d506f67c..656a3407b 100644 --- a/tests/bats/homectl.bats +++ b/tests/bats/homectl.bats 
@@ -5,6 +5,12 @@ load common +setup_file() { + sudo systemctl start systemd-homed + skip + aa_setup +} + @test "homectl: Display help" { homectl --no-pager --help } From c4b42f1ecebacd5a3e1de6ab99a0818878960882 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 20 Nov 2024 00:12:31 +0000 Subject: [PATCH 43/76] tests: add fwupdmgr.bats --- tests/bats/fwupdmgr.bats | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 tests/bats/fwupdmgr.bats diff --git a/tests/bats/fwupdmgr.bats b/tests/bats/fwupdmgr.bats new file mode 100644 index 000000000..2eb8282c9 --- /dev/null +++ b/tests/bats/fwupdmgr.bats @@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "fwupdmgr: Display all devices detected by fwupd" { + fwupdmgr get-devices +} + +@test "fwupdmgr: Download the latest firmware metadata from LVFS" { + fwupdmgr refresh +} + +@test "fwupdmgr: List the updates available for devices on your system" { + fwupdmgr get-updates +} + +@test "fwupdmgr: Install firmware updates" { + fwupdmgr update +} + From 30860ad401184ebeb9f963887465a8e1a47a3cba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 20 Nov 2024 00:14:22 +0000 Subject: [PATCH 44/76] tests: add groupmod. --- tests/bats/groupadd.bats | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/tests/bats/groupadd.bats b/tests/bats/groupadd.bats index cbc0aa57e..d93b1a690 100644 --- a/tests/bats/groupadd.bats +++ b/tests/bats/groupadd.bats @@ -17,8 +17,16 @@ load common sudo groupadd --gid 3000 user3 } +@test "groupmod: Change the group name" { + sudo groupmod --new-name user22 user2 +} + +@test "groupmod: Change the group ID" { + sudo groupmod --gid 2222 user22 +} + @test "groupdel: Delete newly created group" { - sudo groupdel user2 + sudo groupdel user22 sudo groupdel system2 sudo groupdel user3 } 
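Review bot: In the new `setup_file()` the `skip` on the line before `aa_setup` makes `aa_setup` unreachable, and because `skip` runs inside `setup_file` every test in the file is skipped — so `sudo systemctl start systemd-homed` is executed only to be followed by a skip. If skipping is deliberate (PATCH 40 removed a skip here and this commit adds one back), give it a reason string as the later needrestart commit does, e.g. `skip "<reason>"`, and drop the dead `aa_setup` line; otherwise remove `skip` so the order becomes start the service, then `aa_setup`, then the tests.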
From 70497e77a31272b9b6f3f097baaf057cbdc44040 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:15:56 +0000 Subject: [PATCH 45/76] fix(tests): ensure fwupdmgr don't fail even if the target does not support firmware update. --- tests/bats/fwupdmgr.bats | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/bats/fwupdmgr.bats b/tests/bats/fwupdmgr.bats index 2eb8282c9..332a63743 100644 --- a/tests/bats/fwupdmgr.bats +++ b/tests/bats/fwupdmgr.bats @@ -10,14 +10,14 @@ load common } @test "fwupdmgr: Download the latest firmware metadata from LVFS" { - fwupdmgr refresh + fwupdmgr refresh || true } @test "fwupdmgr: List the updates available for devices on your system" { - fwupdmgr get-updates + fwupdmgr get-updates || true } @test "fwupdmgr: Install firmware updates" { - fwupdmgr update + fwupdmgr update || true } From 4fe13bcb1c11af3334e5bc1070ad9b5f0e38f3ed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:26:57 +0000 Subject: [PATCH 46/76] feat(profile): add fc-match & fc-pattern. --- apparmor.d/groups/freedesktop/fc-list | 2 +- tests/bats/fc-list.bats | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list index ffe996c52..6254b2456 100644 --- a/apparmor.d/groups/freedesktop/fc-list +++ b/apparmor.d/groups/freedesktop/fc-list @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fc-list +@{exec_path} = @{bin}/fc-list @{bin}/fc-match @{bin}/fc-pattern profile fc-list @{exec_path} { include include diff --git a/tests/bats/fc-list.bats b/tests/bats/fc-list.bats index 52ed43885..12b1df2ca 100644 --- a/tests/bats/fc-list.bats +++ b/tests/bats/fc-list.bats 
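Review bot: `fwupdmgr refresh || true` and the two following `|| true` lines mask every non-zero exit, including a failure caused by an AppArmor denial, which is the signal these integration tests exist to catch. If the aim is only to tolerate a host with no updatable devices, accept that specific status instead — as far as I recall fwupdmgr uses a distinct "nothing to do" exit code — e.g. `run fwupdmgr get-updates` followed by `[ "$status" -eq 0 ] || [ "$status" -eq 2 ]`, with the code confirmed against the installed version. Note that `fwupdmgr update` still performs a real firmware install on the test host whenever an update is available.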
@@ -8,3 +8,15 @@ load common @test "fc-list: Return a list of installed fonts in your system" { fc-list } + +@test "fc-match: Return a sorted list of best matching fonts" { + fc-match -s 'DejaVu Serif' +} + +@test "fc-pattern: Display default information about a font" { + fc-pattern --default 'DejaVu Serif' +} + +@test "fc-pattern: Display configuration information about a font" { + fc-pattern --config 'DejaVu Serif' +} From ae13890fc553a99dffc003a290f2415ecc2af4fc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:33:07 +0000 Subject: [PATCH 47/76] test(integration): add sysctl. --- tests/bats/sysctl.bats | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 tests/bats/sysctl.bats diff --git a/tests/bats/sysctl.bats b/tests/bats/sysctl.bats new file mode 100644 index 000000000..171ee98a9 --- /dev/null +++ b/tests/bats/sysctl.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "sysctl: Show all available variables and their values" { + sysctl -a +} + +@test "sysctl: Set a changeable kernel state variable" { + sudo sysctl -w vm.panic_on_oom=0 +} + +@test "sysctl: Get currently open file handlers" { + sysctl fs.file-nr +} + +@test "sysctl: Get limit for simultaneous open files" { + sysctl fs.file-max +} + +@test "sysctl: Apply changes from `/etc/sysctl.conf`" { + sysctl -p +} + From 25bd3550fb90f2f84f98f23ec0fcdadefdf1aeab Mon Sep 17 00:00:00 2001 
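Review bot: The test name `"sysctl: Apply changes from `/etc/sysctl.conf`"` is a double-quoted bash string, so the backticks are a command substitution: bash will try to execute `/etc/sysctl.conf` when the file is loaded (an error on stderr and an empty substitution in the name). Drop the backticks: `@test "sysctl: Apply changes from /etc/sysctl.conf" {`. Separately, `sysctl -p` runs without sudo here and will fail on any host whose sysctl.conf sets a value, and `sudo sysctl -w vm.panic_on_oom=0` changes kernel state on the test machine — presumably acceptable on a throwaway VM, but worth a comment.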
From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:39:55 +0000 Subject: [PATCH 48/76] feat(profile): add needrestart-vmlinuz-get-version & tests for needrestart. --- apparmor.d/profiles-m-r/needrestart | 11 ++++-- .../needrestart-vmlinuz-get-version | 30 ++++++++++++++++ tests/bats/needrestart.bats | 34 +++++++++++++++++++ 3 files changed, 73 insertions(+), 2 deletions(-) create mode 100644 apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version create mode 100644 tests/bats/needrestart.bats diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 37a1c90a3..f5722ed3d 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -35,11 +35,11 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, - @{bin}/udevadm rPx, + @{bin}/udevadm rCx -> udevadm, @{bin}/unix_chkpwd rPx, @{bin}/whiptail rPx, @{bin}/who rix, - @{lib}/needrestart/iucode-scan-versions rPx, + @{lib}/needrestart/* rPx, /usr/share/debconf/frontend rix, @{bin}/networkd-dispatcher r, @@ -88,6 +88,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include if exists } + profile udevadm { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version new file mode 100644 index 000000000..f7e9d76a1 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version 
@@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/needrestart/vmlinuz-get-version +profile needrestart-vmlinuz-get-version @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/grep rix, + @{bin}/mktemp rix, + @{bin}/rm rix, + @{bin}/tr rix, + @{bin}/which{,.debianutils} rix, + + /boot/vmlinuz* r, + + owner @{tmp}/tmp.@{rand10} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/bats/needrestart.bats b/tests/bats/needrestart.bats new file mode 100644 index 000000000..4676b36af --- /dev/null +++ b/tests/bats/needrestart.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "needrestart: List outdated processes" { + needrestart +} + +@test "needrestart: Interactively restart services" { + sudo needrestart +} + +@test "needrestart: List outdated processes in verbose mode" { + needrestart -v +} + +@test "needrestart: Check if the kernel is outdated" { + needrestart -k +} + +@test "needrestart: Check if the CPU microcode is outdated" { + needrestart -w +} + +@test "needrestart: List outdated processes in batch mode" { + needrestart -b +} + +@test "needrestart: Display help" { + needrestart --help +} From 17fe134d701ba6443b7fe6713918fa773b34833d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 20:02:16 +0000 Subject: [PATCH 49/76] fix(tunable): udbus can be any hex up to 16. --- apparmor.d/tunables/multiarch.d/system | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 78bb73b03..cc4192d28 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
@@ -123,7 +123,7 @@ @{busname}=:1.@{u16} :not.active.yet # Unix dbus address prefix -@{udbus}=@{hex15} @{hex16} +@{udbus}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} # Universally unique identifier @{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} From 64b8cf41c7ed75a12f9922bc24f4ce1e3ed91687 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 20:22:52 +0000 Subject: [PATCH 50/76] fix(integration): disable needrestart test due to upstream issue. --- tests/bats/needrestart.bats | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/bats/needrestart.bats b/tests/bats/needrestart.bats index 4676b36af..567f8c773 100644 --- a/tests/bats/needrestart.bats +++ b/tests/bats/needrestart.bats @@ -5,6 +5,10 @@ load common +setup_file() { + skip "mqueue raised despite the rule being present. See https://gitlab.com/apparmor/apparmor/-/issues/362" +} + @test "needrestart: List outdated processes" { needrestart } From 1ad60915e63d4d409feb96582d03406f33eb82b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:53:24 +0000 Subject: [PATCH 51/76] feat(abs): add abstraction/webkit. --- apparmor.d/abstractions/webkit | 31 +++++++++++++++++++++++++++++ apparmor.d/groups/browsers/epiphany | 16 +-------------- apparmor.d/profiles-a-f/foliate | 15 +------------- 3 files changed, 33 insertions(+), 29 deletions(-) create mode 100644 apparmor.d/abstractions/webkit diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit new file mode 100644 index 000000000..c4410d026 --- /dev/null +++ b/apparmor.d/abstractions/webkit 
@@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for webkit UI. + + abi , + + mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, + + @{bin}/xdg-dbus-proxy rix, + + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, + @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, + + owner /bindfile@{rand6} rw, + owner @{att}/.flatpak-info r, + + owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, + + owner @{run}/user/@{uid}/.flatpak/ w, + owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, + + owner @{run}/user/@{uid}/webkitgtk/ w, + owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, + owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 98f21f472..b08a6b00f 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -19,6 +19,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, @@ -28,21 +29,14 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, - @{exec_path} mr, @{open_path} rPx -> child-open, @{bin}/bwrap rix, - @{bin}/xdg-dbus-proxy rix, - @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, /usr/share/enchant*/{,**} r, - owner /bindfile@{rand6} rw, - owner @{att}/.flatpak-info r, - owner @{user_config_dirs}/glib-2.0/ w, owner @{user_config_dirs}/glib-2.0/settings/ w, 
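Review bot: The header comment `# Minimal set of rules for webkit UI.` should state the precondition the rules carry: `owner @{att}/.flatpak-info r,` and the bind mount of `/bindfile@{rand6}` onto `/newroot/.flatpak-info` only resolve for a profile that has `flags=(attach_disconnected)` (both including profiles in this commit, epiphany and foliate, do per their hunk headers). Suggest adding `# Requires flags=(attach_disconnected) in the including profile (paths use @{att}).` below it. The `rix` rules for WebKitNetworkProcess and WebKitWebProcess also mean those helper processes inherit the whole including profile rather than a dedicated one; a one-line comment saying this is intended would save a future reader the check.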
@@ -51,14 +45,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { owner @{tmp}/Serialized@{rand9} rw, owner @{tmp}/WebKit-Media-@{rand6} rw, - owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/.flatpak/ w, - owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, - owner @{run}/user/@{uid}/webkitgtk/ w, - owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r, diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index b1c485408..f6380d125 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -15,6 +15,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_override, 
@@ -30,31 +31,17 @@ profile foliate @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap rix, @{bin}/gjs-console rix, - @{bin}/xdg-dbus-proxy rix, @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open-help, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, - /usr/share/com.github.johnfactotum.Foliate/{,**} r, - owner /bindfile@{rand6} rw, - owner /.flatpak-info r, - owner @{user_books_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r, owner @{user_cache_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, owner @{user_share_dirs}/com.github.johnfactotum.Foliate/{,**} rwlk, - owner @{run}/user/@{uid}/.flatpak/ w, - owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw, - owner @{run}/user/@{uid}/webkitgtk/ w, - owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, - owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, - @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Nautilus.slice/dbus*org.gnome.Nautilus@*.service/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-com.github.johnfactotum.Foliate-@{int}.scope/memory.* r, From 2f70940c867de0ea1a2a73492e1475487eb28fb2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 19:53:59 +0000 Subject: [PATCH 52/76] feat(profile): add profile for tecla. --- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/tecla | 19 +++++++++++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/gnome/tecla diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 00bc15f19..91f49c219 100644 --- a/apparmor.d/groups/gnome/gnome-control-center 
+++ b/apparmor.d/groups/gnome/gnome-control-center @@ -55,7 +55,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/grep rix, @{bin}/locale rix, @{bin}/sed rix, - @{bin}/tecla rix, + @{bin}/tecla rPx, @{bin}/bwrap rCx -> bwrap, @{bin}/gkbd-keyboard-display rPx, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f52340d41..462733874 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -175,6 +175,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, @{bin}/Xwayland rPx, + @{bin}/tecla rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper diff --git a/apparmor.d/groups/gnome/tecla b/apparmor.d/groups/gnome/tecla new file mode 100644 index 000000000..082c6c925 --- /dev/null +++ b/apparmor.d/groups/gnome/tecla @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/tecla +profile tecla @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From 9e791deee55668f4fd4515cde70f14f5bf7f89b9 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 21 Nov 2024 20:08:48 +0000 Subject: [PATCH 53/76] feat(profile): general update. --- apparmor.d/groups/freedesktop/geoclue | 1 + .../groups/freedesktop/polkit-agent-helper | 2 +- .../groups/systemd/systemd-sleep-nvidia | 1 + .../groups/virt/containerd-shim-runc-v2 | 1 + apparmor.d/profiles-a-f/aa-notify | 2 +- apparmor.d/profiles-a-f/font-manager | 4 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/gsettings | 5 +- apparmor.d/profiles-g-l/jami-gnome | 61 ------------------- apparmor.d/profiles-m-r/passimd | 4 +- apparmor.d/profiles-m-r/pidof | 2 +- apparmor.d/profiles-s-z/sudo | 12 +--- apparmor.d/profiles-s-z/udisksd | 3 + apparmor.d/profiles-s-z/virt-manager | 1 + 14 files changed, 18 insertions(+), 83 deletions(-) delete mode 100644 apparmor.d/profiles-g-l/jami-gnome diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 383360ad4..4492c7598 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent profile geoclue @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index bb6e457ff..7f5ecd107 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] @{exec_path} += @{lib}/polkit-agent-helper-[0-9] -profile polkit-agent-helper @{exec_path} { +profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-sleep-nvidia b/apparmor.d/groups/systemd/systemd-sleep-nvidia index 4ebb4851f..2ca5d7474 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-nvidia 
+++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia @@ -11,6 +11,7 @@ profile systemd-sleep-nvidia @{exec_path} { include include + capability perfmon, capability sys_admin, capability sys_tty_config, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index bff45ca39..4c3707493 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -50,6 +50,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/kubepods/{,**} rw, @{sys}/kernel/mm/hugepages/ r, + @{PROC}/@{pid}/task/@{tid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/oom_score_adj rw, diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 7e901509f..53c64daf9 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -36,7 +36,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.inputrc r, owner @{HOME}/.terminfo/@{int}/dumb r, - owner @{tmp}/@{rand8} rw, + owner @{tmp}/@{word8} rw, owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, @{PROC}/ r, diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 81c53aafd..56941f60b 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -11,11 +11,9 @@ include profile font-manager @{exec_path} { include include + include include - include - include include - include include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 45b2ccfb4..aa95a00d5 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -58,7 +58,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/gpgsm rCx -> gpg, /usr/share/fwupd/{,**} r, - /usr/share/hwdata/*.ids r, + /usr/share/hwdata/* r, /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, 
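Review bot: `@{PROC}/@{pid}/task/@{tid}/mountinfo r,` in the containerd-shim-runc-v2 hunk uses `@{pid}` without `owner`, while the three context lines around it use `@{PROC}/@{pids}/…` for cross-process access; under the project convention this reads as inconsistent even though the two tunables probably cover the same numeric range. Suggest `@{PROC}/@{pids}/task/@{tid}/mountinfo r,` to match the surrounding rules.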
diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 4ac891769..e2a9ae515 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -7,8 +7,9 @@ abi , include @{exec_path} = @{bin}/gsettings -profile gsettings @{exec_path} { +profile gsettings @{exec_path} flags=(attach_disconnected) { include + include include include @@ -22,8 +23,6 @@ profile gsettings @{exec_path} { owner @{desktop_config_dirs}/dconf/user rw, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome deleted file mode 100644 index 3a1e504a8..000000000 --- a/apparmor.d/profiles-g-l/jami-gnome +++ /dev/null 
@@ -1,61 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/jami-gnome -profile jami-gnome @{exec_path} { - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - @{exec_path} mr, - - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, - @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, - - /usr/share/ring/{,**} r, - /usr/share/sounds/jami-gnome/{,**} r, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/jami-gnome/ rw, - owner @{user_cache_dirs}/jami-gnome/** rw, - - owner @{user_share_dirs}/jami/ rw, - owner @{user_share_dirs}/jami/** rwkl -> @{user_share_dirs}/jami/, - - owner @{user_config_dirs}/autostart/jami-gnome.desktop w, - - owner @{user_share_dirs}/ r, - owner @{user_share_dirs}/webkitgtk/deviceidhashsalts/1/ r, - owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v0 w, - owner @{user_share_dirs}/webkitgtk/databases/indexeddb/v1/ w, - - @{sys}/firmware/acpi/pm_profile r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/fs/cgroup/** r, - - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/smaps r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/zoneinfo r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index 4e64e5fb9..c0aafeaf9 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd @@ -26,9 +26,7 @@ profile passimd @{exec_path} flags=(attach_disconnected) { /etc/passim.conf r, - /var/lib/passim/{,**} r, - /var/lib/passim/data/{,**} rw, - + owner /var/lib/passim/{,**} rw, owner /var/log/passim/* rw, @{PROC}/@{pid}/cmdline r, 
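Review bot: `owner /var/lib/passim/{,**} rw,` in the passimd hunk replaces a non-owner `/var/lib/passim/{,**} r,`, so reading now requires the files to be owned by the uid passimd runs as; if the daemon runs as a dedicated or dynamic user while files under that tree are root-owned (shipped by the package or created by an earlier run as root), reads that used to be allowed will now be denied — please confirm which uid the service uses. If the owner requirement is meant for writes only, keep both: `/var/lib/passim/{,**} r,` and `owner /var/lib/passim/{,**} rw,`.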
diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index 2a7b63038..5da955cba 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -28,7 +28,7 @@ profile pidof @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, - owner /dev/tty@{int} rw, + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 1e6748235..b2074ba04 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -21,15 +21,9 @@ profile sudo @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - ptrace (read), - - signal (send,receive) peer=cockpit-bridge, - signal (send) peer=@{p_systemd}, - signal (send) set=(cont,hup,winch) peer=su, - signal (send) set=(winch) peer=child-pager, - signal (send) set=(winch) peer=journalctl, - signal (send) set=(winch) peer=pacman, - signal (send) set=(winch, hup, term) peer=rpm, + ptrace read, + + signal send set=(winch, hup, term), @{bin}/@{shells} rUx, @{lib}/** PUx, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 9155adf84..909112a70 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -48,6 +48,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/*/, + mount fstype=vfat -> /boot/efi/, + # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, mount / -> @{MOUNTS}/*/, @@ -56,6 +58,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount @{run}/udisks2/temp-mount-*/, + umount /boot/efi/, umount /media/cdrom@{int}/, signal receive set=int peer=@{p_systemd}, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index bce236989..0a67b365b 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager 
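Review bot: `signal send set=(winch, hup, term),` in the sudo hunk has no `peer=`, whereas every rule it replaces was bound to a named peer (su, child-pager, journalctl, pacman, rpm, @{p_systemd}, cockpit-bridge), so sudo may now deliver hup/term to any confined process. The removed `signal (send,receive) peer=cockpit-bridge,` also dropped the receive direction and nothing in the hunk restores it — unless a receive rule exists elsewhere in the profile, cockpit-bridge signalling sudo will now be denied. If the peer list was simply too long, one rule keeps the restriction: `signal send set=(winch, hup, term) peer={su,child-pager,journalctl,pacman,rpm,@{p_systemd},cockpit-bridge},`. Given the `rUx`/`PUx` transitions visible in context sudo's own confinement is light, but the signal rule still bounds what a confined sudo may do.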
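Review bot: `mount fstype=vfat -> /boot/efi/,` in the first udisksd hunk puts no constraint on the mount source; the neighbouring rules also omit one, so this follows the file's pattern, but /boot/efi/ is a more sensitive target than `@{MOUNTS}/*/`. If udisksd's call shape allows it, restricting the source to block devices narrows it, e.g. `mount fstype=vfat /dev/** -> /boot/efi/,`; the matching `umount /boot/efi/,` in the second hunk is fine as is. Either way a short comment on why udisksd needs to (re)mount the ESP would help the next reader.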
@@ -89,6 +89,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/net/route r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, From c7955cacd8e9d1d2859ef32c59480056757ceedf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 21 Nov 2024 20:59:06 +0000 Subject: [PATCH 54/76] feat(tunable): unify some XDG and user dirs varibale name. --- apparmor.d/abstractions/deny-sensitive-home | 2 +- apparmor.d/groups/virt/virtiofsd | 6 +- apparmor.d/profiles-a-f/browserpass | 4 +- apparmor.d/profiles-g-l/keepassxc | 8 +-- apparmor.d/profiles-m-r/pass | 12 ++-- apparmor.d/profiles-m-r/pass-import | 2 +- .../profiles-m-r/protonmail-bridge-core | 16 ++--- apparmor.d/tunables/home.d/apparmor.d | 62 +++++++++++-------- .../tunables/xdg-user-dirs.d/apparmor.d | 8 +-- docs/configuration.md | 4 +- docs/variables.md | 6 +- 11 files changed, 69 insertions(+), 61 deletions(-) diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index 4291762a4..68c013a51 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home @@ -34,7 +34,7 @@ deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl, deny @{run}/user/@{uid}/keyring** mrwkl, deny @{user_config_dirs}/*-store/{,**} mrwkl, - deny @{user_password_store_dirs}/{,**} mrwkl, + deny @{user_passwordstore_dirs}/{,**} mrwkl, deny @{user_share_dirs}/kwalletd/{,**} mrwkl, # Privacy violations diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 905e2c170..899ecae04 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd 
@@ -31,13 +31,13 @@ profile virtiofsd @{exec_path} { mount options=(rw, rbind) -> @{user_publicshare_dirs}/, mount options=(rw, rbind) -> @{user_vm_dirs}/, - mount options=(rw, rbind) -> @{user_vm_shares}/, + mount options=(rw, rbind) -> @{user_vmshare_dirs}/, umount /, pivot_root @{user_publicshare_dirs}/, # TODO: -> pivoted, pivot_root @{user_vm_dirs}/, - pivot_root @{user_vm_shares}/, + pivot_root @{user_vmshare_dirs}/, signal (receive) set=term peer=libvirtd, @@ -50,7 +50,7 @@ profile virtiofsd @{exec_path} { @{user_publicshare_dirs}/{,**} r, @{user_vm_dirs}/{,**} r, - @{user_vm_shares}/{,**} r, + @{user_vmshare_dirs}/{,**} r, owner @{run}/libvirt/qemu/*.pid rw, diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index 86da0e6a7..272000f3f 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -48,8 +48,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{user_password_store_dirs}/ rw, - owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_passwordstore_dirs}/ rw, + owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{user_projects_dirs}/**/*-store/ rw, owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**, owner @{user_config_dirs}/*-store/ rw, diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index d2dee61aa..de95d3c9f 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc 
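Review bot: The link target on `owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**,` still hard-codes `@{HOME}/.password-store` while the source side now uses the variable, which expands to both `@{HOME}/` and `@{MOUNTS}/` alternates, so a store under `@{MOUNTS}` gets `rwk` but no link permission; `-> @{user_passwordstore_dirs}/**` keeps the two halves in step, which is what the keepassxc hunk already does with `-> @{user_passwordstore_dirs}/#@{int}`. The same left-over appears in the pass profile's `@@ -120` and `@@ -142` hunks and is worth fixing in the same rename.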
@@ -48,10 +48,10 @@ profile keepassxc @{exec_path} { owner @{HOME}/@{XDG_SSH_DIR}/ r, owner @{HOME}/@{XDG_SSH_DIR}/* r, - owner @{user_password_store_dirs}/ r, - owner @{user_password_store_dirs}/*.csv rw, - owner @{user_password_store_dirs}/*.kdbx* rwl -> @{KP_DB}/#@{int}, - owner @{user_password_store_dirs}/#@{int} rw, + owner @{user_passwordstore_dirs}/ r, + owner @{user_passwordstore_dirs}/*.csv rw, + owner @{user_passwordstore_dirs}/*.kdbx* rwl -> @{user_passwordstore_dirs}/#@{int}, + owner @{user_passwordstore_dirs}/#@{int} rw, owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 0736f98c4..fe06a346d 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -59,7 +59,7 @@ profile pass @{exec_path} { /usr/share/terminfo/** r, - owner @{user_password_store_dirs}/{,**} rw, + owner @{user_passwordstore_dirs}/{,**} rw, owner /dev/shm/pass.@{rand}/{,*} rw, @{sys}/devices/system/node/ r, @@ -88,7 +88,7 @@ profile pass @{exec_path} { /tmp/ r, - owner @{user_password_store_dirs}/{,**/} r, + owner @{user_passwordstore_dirs}/{,**/} r, owner /dev/shm/pass.@{rand}/{,*} rw, @@ -120,8 +120,8 @@ profile pass @{exec_path} { owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, - owner @{user_password_store_dirs}/ rw, - owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_passwordstore_dirs}/ rw, + owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner /dev/shm/pass.@{rand}/.git_vtag_tmp@{rand6} rw, 
@@ -142,8 +142,8 @@ profile pass @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner @{user_password_store_dirs}/ rw, - owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, + owner @{user_passwordstore_dirs}/ rw, + owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index bb2bc9107..4977bb51a 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -33,7 +33,7 @@ profile pass-import @{exec_path} { /usr/share/file/misc/magic.mgc r, - owner @{user_password_store_dirs}/{,**} rw, + owner @{user_passwordstore_dirs}/{,**} rw, owner @{tmp}/[a-zA-Z0-9]* rw, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 4de73d718..da0c5f785 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -5,7 +5,7 @@ # To force the use of the Gnome Keyring or Kwallet secret-service, add the # following lines in your local/protonmail-bridge-core file: # deny @{bin}/pass x, -# deny owner @{user_password_store_dirs}/** r, +# deny owner @{user_passwordstore_dirs}/** r, abi , @@ -30,8 +30,8 @@ profile protonmail-bridge-core @{exec_path} { /etc/lsb-release r, /etc/machine-id r, - owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r, - owner @{user_password_store_dirs}/protonmail-credentials/{,**} r, + owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r, + owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r, owner @{user_cache_dirs}/protonmail/{,**} rwk, owner @{user_config_dirs}/protonmail/{,**} rwk, 
@@ -48,7 +48,7 @@ profile protonmail-bridge-core @{exec_path} { @{PROC}/sys/net/core/somaxconn r, deny @{bin}/pass x, - deny owner @{user_password_store_dirs}/** r, + deny owner @{user_passwordstore_dirs}/** r, profile pass { include @@ -72,10 +72,10 @@ profile protonmail-bridge-core @{exec_path} { @{bin}/tty rix, @{bin}/which rix, - owner @{user_password_store_dirs}/ r, - owner @{user_password_store_dirs}/.gpg-id r, - owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw, - deny owner @{user_password_store_dirs}/**/ r, + owner @{user_passwordstore_dirs}/ r, + owner @{user_passwordstore_dirs}/.gpg-id r, + owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} rw, + deny owner @{user_passwordstore_dirs}/**/ r, /dev/tty rw, diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index f1be9acbe..c791f5376 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d 
@@ -11,59 +11,67 @@ # First part, second part in /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d -# Extra user personal directories +# Define the XDG Base Directory +@{XDG_CACHE_DIR}=".cache" +@{XDG_CONFIG_DIR}=".config" +@{XDG_DATA_DIR}=".local/share" +@{XDG_STATE_DIR}=".local/state" +@{XDG_BIN_DIR}=".local/bin" +@{XDG_LIB_DIR}=".local/lib" + +# Define extended user directories not defined in the XDG standard but commonly +# used in profiles @{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots" @{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers" @{XDG_BOOKS_DIR}="Books" -@{XDG_GAMES_DIR}=".games" +@{XDG_GAMES_DIR}="Games" @{XDG_PROJECTS_DIR}="Projects" @{XDG_WORK_DIR}="Work" @{XDG_MAIL_DIR}="Mail" ".{m,M}ail" @{XDG_SYNC_DIR}="Sync" @{XDG_TORRENTS_DIR}="Torrents" -@{XDG_VM_DIR}=".vm" -@{XDG_VM_SHARES_DIR}="VM_Shares" -@{XDG_IMG_DIR}="images" @{XDG_GAMESSTUDIO_DIR}="unity3d" -# User personal keyrings +# Define user directories for virtual machines, shared folders and disk images +@{XDG_VM_DIR}=".vm" +@{XDG_VMSHARE_DIR}=".vmshare" +@{XDG_IMG_DIR}=".img" + +# Define user build directories and artifacts output +@{XDG_BUILD_DIR}=".build" +@{XDG_PKG_DIR}=".pkg" + +# Define user personal keyrings @{XDG_GPG_DIR}=".gnupg" @{XDG_SSH_DIR}=".ssh" -@{XDG_PASSWORD_STORE_DIR}=".password-store" +@{XDG_PASSWORDSTORE_DIR}=".password-store" -# User personal private directories +# Define user personal private directories @{XDG_PRIVATE_DIR}=".{p,P}rivate" "{p,P}rivate" -# Definition of local user configuration directories -@{XDG_CACHE_DIR}=".cache" -@{XDG_CONFIG_DIR}=".config" -@{XDG_DATA_DIR}=".local/share" -@{XDG_STATE_DIR}=".local/state" -@{XDG_BIN_DIR}=".local/bin" -@{XDG_LIB_DIR}=".local/lib" - -# Full path of the user configuration directories +# Full path of the XDG Base Directory @{user_cache_dirs}=@{HOME}/@{XDG_CACHE_DIR} @{user_config_dirs}=@{HOME}/@{XDG_CONFIG_DIR} +@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR} @{user_bin_dirs}=@{HOME}/@{XDG_BIN_DIR} 
@{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR} -@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR} - -# User build directories and output -@{user_build_dirs}="/tmp/build/" -@{user_pkg_dirs}="/tmp/pkg/" -@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR} # Other user directories @{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR} @{user_games_dirs}=@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR} -@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} -@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR} +@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR} @{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR} @{user_mail_dirs}=@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR} -@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR} -@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR} +@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/@{XDG_SYNC_DIR} @{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR} @{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR} +@{user_vmshare_dirs}=@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR} +@{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR} +@{user_build_dirs}=@{HOME}/@{XDG_BUILD_DIR} @{MOUNTS}/@{XDG_BUILD_DIR} +@{user_pkg_dirs}=@{HOME}/@{XDG_PKG_DIR} @{MOUNTS}/@{XDG_PKG_DIR} +@{user_gpg_dirs}=@{HOME}/@{XDG_GPG_DIR} @{MOUNTS}/@{XDG_GPG_DIR} +@{user_ssh_dirs}=@{HOME}/@{XDG_SSH_DIR} @{MOUNTS}/@{XDG_SSH_DIR} +@{user_passwordstore_dirs}=@{HOME}/@{XDG_PASSWORDSTORE_DIR} @{MOUNTS}/@{XDG_PASSWORDSTORE_DIR} +@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR} # vim:syntax=apparmor diff --git a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d index 00231cbce..52be8b920 100644 --- a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d 
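Review bot: Several defaults change under a commit described as a variable rename: `@{XDG_GAMES_DIR}` goes from `.games` to `Games`, the VM share directory from `VM_Shares` to `.vmshare`, `@{XDG_IMG_DIR}` from `images` to `.img`, `@{user_build_dirs}`/`@{user_pkg_dirs}` move from `/tmp/` into `@{HOME}`, and `@{user_sync_dirs}` loses the `@{MOUNTS}/*/` level; users relying on the old values will see new denials, so the commit message should list them and `docs/variables.md` and `docs/configuration.md` (which still show `VM_Shares`, `images` and the removed `@{XDG_PASSWORD_STORE_DIR}`) need the same update. The new `@{user_gpg_dirs}` and `@{user_ssh_dirs}` also include `@{MOUNTS}/` alternates while `deny-sensitive-home` still denies only `@{HOME}/@{XDG_SSH_DIR}`, so a profile switched to the new variable could reach key material on mounts that the deny abstraction does not cover; `deny @{user_ssh_dirs}/{,**} mrwkl,` and the GPG equivalent would keep it aligned the way `@{user_passwordstore_dirs}` already is.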
+++ b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d @@ -14,14 +14,14 @@ @{XDG_DOWNLOAD_DIR}+=".tb/tor-browser/Browser/Downloads" # Other user directories -@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR} +@{user_desktop_dirs}=@{HOME}/@{XDG_DESKTOP_DIR} @{MOUNTS}/@{XDG_DESKTOP_DIR} @{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR} +@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} +@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} +@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR} @{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR} @{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR} @{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR} -@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR} -@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR} -@{user_vm_shares}=@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR} include if exists diff --git a/docs/configuration.md b/docs/configuration.md index e3fbba5ea..c3017c28d 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
@@ -143,7 +143,7 @@ Please ensure that all personal directories you are using are well-defined XDG d | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | - | Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | + | Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | @@ -152,7 +152,7 @@ Please ensure that all personal directories you are using are well-defined XDG d | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | - | Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | + | Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | diff --git a/docs/variables.md b/docs/variables.md index ef2533c0f..7dc8e5ff6 100644 --- a/docs/variables.md +++ b/docs/variables.md 
@@ -29,7 +29,7 @@ title: Variables References | Sync | `@{XDG_SYNC_DIR}` | `Sync` | | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | | Vm | `@{XDG_VM_DIR}` | `.vm` | -| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` | +| Vm Shares | `@{XDG_VMSHARE_DIR}` | `VM_Shares` | | Disk images | `@{XDG_IMG_DIR}` | `images` | | Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` | @@ -85,7 +85,7 @@ title: Variables References | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | -| Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | +| Passwords | `@{user_passwordstore_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | @@ -94,7 +94,7 @@ title: Variables References | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | -| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | +| Vm Shares | `@{user_vmshare_dirs}` | `@{HOME}/@{XDG_VMSHARE_DIR} @{MOUNTS}/@{XDG_VMSHARE_DIR}` | | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | From 0b1c265e23e4d3312433a82d3ea84ca2ec7c7d9f Mon Sep 17 00:00:00 2001 
From: doublez13 Date: Thu, 21 Nov 2024 14:12:02 -0700 Subject: [PATCH 55/76] Add profile for iftop (#604) * Add profile for iftop * iftop: clean up formatting --- apparmor.d/profiles-g-l/iftop | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 apparmor.d/profiles-g-l/iftop diff --git a/apparmor.d/profiles-g-l/iftop b/apparmor.d/profiles-g-l/iftop new file mode 100644 index 000000000..232aff538 --- /dev/null +++ b/apparmor.d/profiles-g-l/iftop @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/iftop +profile iftop @{exec_path} { + include + include + include + + capability net_raw, + + network inet dgram, + network inet6 dgram, + network netlink raw, + network packet raw, + + @{exec_path} mr, + + /usr/share/terminfo/** r, + + owner @{HOME}/.iftoprc r, + + # When running in promiscuous mode + @{sys}/devices/**/net/*/statistics/* r, + + include if exists +} + +# vim:syntax=apparmor From 5a0574435263688447955a21bc95866e89707f09 Mon Sep 17 00:00:00 2001 
From: Besanon Date: Sat, 23 Nov 2024 18:44:18 +0100 Subject: [PATCH 56/76] add more lxqt files (#600) * Create abstraction for lxqt desktop group first file for the LXQT 2.0 desktop group * Update lxqt * xdg-desktop abstraction added * removing tabs * Create startlxqt starter file for LXQT Desktop * Create startlxqt * fixing startlxqt I use sddm as display manager I cant remove the other file - only use graphical env., sorry After startlxqt i would add 2 lines to sddm to enable the start of LXQT desktop * Delete apparmor.d/profiles-s-z/startlxqt * indented by 2 spaces (like other entries) * Update sddm Enable sddm to start an lxqt desktop session * Create lxqt-session lxqt-session to be started by startlxqt. Display manager: sddm * Update lxqt-session * Update lxqt-session * removed trailing whitespace * Update kscreen_backend_launcher to support lxqt desktop is needed for several complaints: DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open /usr/share/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open /usr/share/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r * Update lxqt-session * Create lxqt-panel * Update lxqt-panel * Update lxqt-panel * Update lxqt-panel * fix conflicting x * Update lxqt-panel add child-open * remove include you think its too permissive to have app-launcher-user here, right? * Update lxqt-panel add needed programs * Update lxqt-panel turning back to layout of corresponding xfce file. * Create lxqt-globalkeysd * Create lxqt-about * Create lxqt-leave * Create lxqt-runner * Update lxqt-leave * Update lxqt-runner * Update lxqt-globalkeysd * remove video in lxqt-about * Update lxqt-about * Update lxqt-runner * remove abstr. 
in lxqt-globalkeysd * remove abstr. in lxqt-runner * remove abstr. in lxqt-leave --- apparmor.d/groups/lxqt/lxqt-about | 28 +++++++++++++++++ apparmor.d/groups/lxqt/lxqt-globalkeysd | 40 +++++++++++++++++++++++++ apparmor.d/groups/lxqt/lxqt-leave | 24 +++++++++++++++ apparmor.d/groups/lxqt/lxqt-runner | 34 +++++++++++++++++++++ 4 files changed, 126 insertions(+) create mode 100644 apparmor.d/groups/lxqt/lxqt-about create mode 100644 apparmor.d/groups/lxqt/lxqt-globalkeysd create mode 100644 apparmor.d/groups/lxqt/lxqt-leave create mode 100644 apparmor.d/groups/lxqt/lxqt-runner diff --git a/apparmor.d/groups/lxqt/lxqt-about b/apparmor.d/groups/lxqt/lxqt-about new file mode 100644 index 000000000..8f5830453 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-about @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-about +profile lxqt-about @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/desktop-directories/{,**} r, + + /etc/xdg/menus/lxqt-applications.menu r, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd new file mode 100644 index 000000000..8729b1abb --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd 
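Review bot: `owner /tmp/@{int} r,` hard-codes `/tmp` where other profiles in this series use the `@{tmp}` tunable (for example `owner @{tmp}/.git_vtag_tmp@{rand6} rw,` in pass), so the rule would not follow a relocated temp directory; `owner @{tmp}/@{int} r,` matches that convention. The identical line appears in lxqt-globalkeysd, lxqt-leave and lxqt-runner in this commit. A comment on what LXQt stores under a bare integer name there would also help, as the pattern is otherwise hard to audit.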
@@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-globalkeysd +profile lxqt-globalkeysd @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + @{bin}/screengrab rPx, + @{bin}/lxqt-config-brightness rPx, + + /usr/share/lxqt/globalkeyshortcuts.conf rw, + + /var/lib/dbus/machine-id r, + + owner @{user_config_dirs}/lxqt/ r, + owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.lock wrk, + owner @{user_config_dirs}/lxqt/#@{int} wr, + owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-leave b/apparmor.d/groups/lxqt/lxqt-leave new file mode 100644 index 000000000..e76d81f54 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-leave @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-leave +profile lxqt-leave @{exec_path} { + include + include + + @{exec_path} mr, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner new file mode 100644 index 000000000..9477c1bda --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-runner 
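Review bot: `/usr/share/lxqt/globalkeyshortcuts.conf rw,` grants write on a vendor-shipped file under /usr/share to a per-user daemon; the user's copy is already handled through the `@{user_config_dirs}/lxqt/globalkeyshortcuts.conf.@{rand6}` rules, so the system file should be `r` (an unprivileged process cannot write there anyway, and a `deny ... w` rule would keep the log quiet if the daemon does attempt it). Style: the permission strings `wrk` and `wr` on the `.lock` and `#@{int}` lines are ordered differently from the `rwk`/`rw` used by lxqt-runner in the same commit; `rwk` and `rw` would keep the new files consistent.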
@@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-runner +profile lxqt-runner @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/icons/ r, + /usr/share/desktop-directories/ r, + /usr/share/desktop-directories/{,**} r, + + /etc/xdg/menus/lxqt-applications.menu r, + + owner @{user_config_dirs}/lxqt/lxqt-runner.conf.lock rwk, + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/lxqt-runner.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From 4ba97067429c01cc3793031289d0501166eb61d4 Mon Sep 17 00:00:00 2001 From: valoq Date: Sat, 23 Nov 2024 22:03:42 +0100 Subject: [PATCH 57/76] add profile for swayimg (#612) * add profile for swayimg * fix exec --- apparmor.d/profiles-s-z/swayimg | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 apparmor.d/profiles-s-z/swayimg diff --git a/apparmor.d/profiles-s-z/swayimg b/apparmor.d/profiles-s-z/swayimg new file mode 100644 index 000000000..a3ed158b1 --- /dev/null +++ b/apparmor.d/profiles-s-z/swayimg @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/swayimg +profile swayimg @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + owner @{user_config_dirs}/swayimg/** r, + + include if exists +} + +# vim:syntax=apparmor From c936bd59d5c9352beb82e94d4ff80cf5b0ea289c Mon Sep 17 00:00:00 2001 From: odomingao Date: Sun, 24 Nov 2024 15:23:06 -0300 Subject: [PATCH 58/76] Fix typo --- apparmor.d/tunables/multiarch.d/extensions | 36 +++++++++++----------- 1 file changed, 18 insertions(+), 18 deletions(-) 
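Review bot: `/usr/share/desktop-directories/ r,` is redundant with `/usr/share/desktop-directories/{,**} r,` on the next line, which already matches the directory itself; the first line can be dropped. `/usr/share/icons/ r,` grants only a directory listing, presumably with the icon files themselves coming from an included abstraction (the include targets are not visible in this rendering), so a comment saying where icon reads come from would make the intent clear.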
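Review bot: `owner @{user_config_dirs}/swayimg/** r,` does not match the `swayimg/` directory itself, so opening or listing the directory during config lookup would be denied if swayimg does that; the repository idiom is `{,**}`, as in `/usr/share/desktop-directories/{,**} r,` elsewhere in this series, giving `owner @{user_config_dirs}/swayimg/{,**} r,`.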
diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions
index 956e8c253..d3d56934e 100644
--- a/apparmor.d/tunables/multiarch.d/extensions
+++ b/apparmor.d/tunables/multiarch.d/extensions
@@ -311,24 +311,24 @@
 @{video_ext} += 3[gG]2 # 3g2
 # Subtitles
-@{suntitles_ext} = [aA][qQ][tT] # aqt
-@{suntitles_ext} += [aA][sS][sS] # ass
-@{suntitles_ext} += [gG][sS][uU][bB] # gsub
-@{suntitles_ext} += [uU][sS][fF] # usf
-@{suntitles_ext} += [pP][aA][cC] # pac
-@{suntitles_ext} += [pP][jJ][sS] # pjs
-@{suntitles_ext} += [pP][sS][bB] # psb
-@{suntitles_ext} += [rR][tT] # rt
-@{suntitles_ext} += [sS][bB][vV] # sbv
-@{suntitles_ext} += [sS][mM][iI] # smi
-@{suntitles_ext} += [sS][rR][tT] # srt
-@{suntitles_ext} += [sS][sS][aA] # ssa
-@{suntitles_ext} += [sS][sS][fF] # ssf
-@{suntitles_ext} += [sS][tT][lL] # stl
-@{suntitles_ext} += [sS][uU][bB] # sub
-@{suntitles_ext} += [tT][t][mM][lL] # ttml
-@{suntitles_ext} += [tT][t][xX][tT] # ttxt
-@{suntitles_ext} += [vV][tT][t] # vtt
+@{subtitles_ext} = [aA][qQ][tT] # aqt
+@{subtitles_ext} += [aA][sS][sS] # ass
+@{subtitles_ext} += [gG][sS][uU][bB] # gsub
+@{subtitles_ext} += [uU][sS][fF] # usf
+@{subtitles_ext} += [pP][aA][cC] # pac
+@{subtitles_ext} += [pP][jJ][sS] # pjs
+@{subtitles_ext} += [pP][sS][bB] # psb
+@{subtitles_ext} += [rR][tT] # rt
+@{subtitles_ext} += [sS][bB][vV] # sbv
+@{subtitles_ext} += [sS][mM][iI] # smi
+@{subtitles_ext} += [sS][rR][tT] # srt
+@{subtitles_ext} += [sS][sS][aA] # ssa
+@{subtitles_ext} += [sS][sS][fF] # ssf
+@{subtitles_ext} += [sS][tT][lL] # stl
+@{subtitles_ext} += [sS][uU][bB] # sub
+@{subtitles_ext} += [tT][t][mM][lL] # ttml
+@{subtitles_ext} += [tT][t][xX][tT] # ttxt
+@{subtitles_ext} += [vV][tT][t] # vtt
 # Images
 @{image_ext} = [aA][pP][nN][gG] # apng
From 415efb4ef1d5538cd628323c8fa1b010f33a2a4e Mon Sep 17 00:00:00 2001
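Review bot: In the renamed lines `[tT][t][mM][lL]`, `[tT][t][xX][tT]` and `[vV][tT][t]` the bare `[t]` matches lower case only, unlike every other character class in the list, so upper-case `.TTML`, `.TTXT` and `.VTT` are not covered; `[tT]` in those three positions makes the set case-insensitive like the rest. Since the diffstat shows only this file changing, any profile still referencing `@{suntitles_ext}` would fail to parse after the rename and is worth a grep before merging.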
From: Alexandre Pujol Date: Fri, 29 Nov 2024 15:34:10 +0000 Subject: [PATCH 59/76] feat(profile): improve some core profiles. --- apparmor.d/groups/systemd/networkctl | 5 ++--- apparmor.d/profiles-a-f/cgrulesengd | 32 ++++++++++------------------ apparmor.d/profiles-a-f/chsh | 4 +++- 3 files changed, 16 insertions(+), 25 deletions(-) diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index a4bab2be3..ce81686ae 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -27,11 +27,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd - # No label available - dbus send bus=system path=/org/freedesktop/network@{int} + dbus send bus=system path=/org/freedesktop/network1{,/**} interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.network@{int}), + peer=(name=org.freedesktop.network1), @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/cgrulesengd b/apparmor.d/profiles-a-f/cgrulesengd index 08b1d83b5..6f31a43d5 100644 --- a/apparmor.d/profiles-a-f/cgrulesengd +++ b/apparmor.d/profiles-a-f/cgrulesengd 
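Review bot: The rewritten dbus rule still has no `label=` in `peer=(name=org.freedesktop.network1)` although the `#aa:dbus talk ... label=systemd-networkd` directive directly above binds the generated rules to that label, and the `# No label available` comment that explained the asymmetry is deleted in the same hunk. Either keep a comment giving the reason the explicit rule stays unlabelled, or tighten it to `peer=(name=org.freedesktop.network1, label=systemd-networkd)` so it is as specific as the generated ones. The profile body continues outside the hunk.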
@@ -12,42 +12,32 @@ profile cgrulesengd @{exec_path} { include include - # For creating Unix domain sockets/IPC sockets: - # socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3 - # ... - # bind(3, {sa_family=AF_NETLINK, nl_pid=13284, nl_groups=0x000001}, 12) = -1 EPERM (Operation - # not permitted) + capability dac_read_search, capability net_admin, - - # To remove the following errors: - # readlink("/proc/12/exe", 0x7ffc9fa85cd0, 4096) = -1 EACCES (Permission denied) capability sys_ptrace, - # To be able to read the /proc/ files of all processes in the system. - capability dac_read_search, - network netlink dgram, ptrace (read), @{exec_path} mr, - @{sys}/fs/cgroup/**/tasks w, - @{PROC}/ r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/task/ r, - owner @{PROC}/@{pid}/mounts r, - @{PROC}/cgroups r, + /etc/cgconfig.conf r, + /etc/cgconfig.d/{,*} r, - @{sys}/fs/cgroup/unified/cgroup.controllers r, + /etc/cgrules.conf r, + /etc/cgrules.d/{,*} r, owner @{run}/cgred.socket w, - /etc/cgconfig.conf r, - /etc/cgrules.conf r, - /etc/cgconfig.d/ r, + @{sys}/fs/cgroup/** rw, + @{PROC}/ r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/task/ r, + @{PROC}/cgroups r, + owner @{PROC}/@{pid}/mounts r, include if exists } diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh index f8a2af5c4..e124e4d19 100644 --- a/apparmor.d/profiles-a-f/chsh +++ b/apparmor.d/profiles-a-f/chsh @@ -26,11 +26,13 @@ profile chsh @{exec_path} { /etc/shells r, + /etc/.chsh.@{rand6} rw, /etc/passwd rw, /etc/passwd- w, - /etc/passwd+ rw, /etc/passwd.@{pid} w, /etc/passwd.lock wl -> /etc/passwd.@{pid}, + /etc/passwd.OLD wl -> /etc/passwd, + /etc/passwd+ rw, /etc/shadow r, From 5fffc959b46ee03134be442f8c796ff24a154691 Mon Sep 17 00:00:00 2001 
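Review bot: `@{sys}/fs/cgroup/** rw,` grants write on every cgroup control file (limits, controller enablement and the like) where the old rules wrote only `**/tasks`; cgrulesengd only needs to move processes between groups, so read on the tree plus write on the membership files keeps the grant narrow, e.g. `@{sys}/fs/cgroup/** r,` and `@{sys}/fs/cgroup/**/{tasks,cgroup.procs} w,` (`cgroup.procs` presumably being the v2 counterpart libcgroup writes to). The hunk also deletes the comments that explained why `net_admin`, `sys_ptrace` and `dac_read_search` are required; a one-line rationale per capability is worth keeping since these are the profile's strongest grants.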
From: Alexandre Pujol Date: Fri, 29 Nov 2024 15:41:54 +0000 Subject: [PATCH 60/76] feat(profile): needrestart improve mqueue rule. --- apparmor.d/profiles-m-r/needrestart | 2 +- tests/bats/needrestart.bats | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index f5722ed3d..cc411ef83 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -22,7 +22,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { ptrace (read), - mqueue r type=posix /, + mqueue (r,getattr) type=posix /, @{exec_path} mrix, diff --git a/tests/bats/needrestart.bats b/tests/bats/needrestart.bats index 567f8c773..4676b36af 100644 --- a/tests/bats/needrestart.bats +++ b/tests/bats/needrestart.bats @@ -5,10 +5,6 @@ load common -setup_file() { - skip "mqueue raised despite the rule being present. See https://gitlab.com/apparmor/apparmor/-/issues/362" -} - @test "needrestart: List outdated processes" { needrestart } From 85236a5818b143ef355c483c8bc39347c8f01f4c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Dec 2024 22:54:28 +0100 Subject: [PATCH 61/76] fix: apparmor parser inside snap. --- apparmor.d/profiles-a-f/apparmor_parser | 1 + apparmor.d/profiles-s-z/snap-seccomp | 2 ++ 2 files changed, 3 insertions(+) diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser index 19c0f6902..dc15d48b9 100644 --- a/apparmor.d/profiles-a-f/apparmor_parser +++ b/apparmor.d/profiles-a-f/apparmor_parser @@ -17,6 +17,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{lib_dirs}/@{multiarch}/** mr, @{lib_dirs}/snapd/apparmor.d/{,**} r, @{lib_dirs}/snapd/apparmor/{,**} r, diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp index 6b0917f8a..e7660f7b8 100644 --- a/apparmor.d/profiles-s-z/snap-seccomp +++ b/apparmor.d/profiles-s-z/snap-seccomp 
@@ -14,6 +14,8 @@ profile snap-seccomp @{exec_path} { include include + capability dac_read_search, + network netlink raw, @{exec_path} mr, From 929bcaace366f1f66b07569ab57befeeee2fd682 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Dec 2024 23:17:27 +0100 Subject: [PATCH 62/76] feat: improve dbus integration for chsh, better handling of generic needrestart. --- .github/local/needrestart | 2 ++ .github/workflows/main.yml | 1 + apparmor.d/profiles-a-f/chsh | 8 +++++++- apparmor.d/profiles-m-r/needrestart | 3 +-- apparmor.d/profiles-s-z/snapd | 1 + 5 files changed, 12 insertions(+), 3 deletions(-) create mode 100644 .github/local/needrestart diff --git a/.github/local/needrestart b/.github/local/needrestart new file mode 100644 index 000000000..33b23e014 --- /dev/null +++ b/.github/local/needrestart @@ -0,0 +1,2 @@ + + /var/lib/waagent/** r, diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index c7a76f871..75fa5c051 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -94,6 +94,7 @@ jobs: sudo apt-get install -y \ apparmor-profiles apparmor-utils \ bats bats-support + sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart - name: Install apparmor.d run: | diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh index e124e4d19..bf2b92a98 100644 --- a/apparmor.d/profiles-a-f/chsh +++ b/apparmor.d/profiles-a-f/chsh @@ -10,18 +10,24 @@ include @{exec_path} = @{bin}/chsh profile chsh @{exec_path} { include - include include + include + include include include capability audit_write, capability chown, capability fsetid, + capability net_admin, capability setuid, network netlink raw, + unix type=stream addr=@@{udbus}/bus/chsh/system, + + #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + @{exec_path} mr, /etc/shells r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index cc411ef83..56f95b589 100644 
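Review bot: `capability dac_read_search,` in snap-seccomp is added without any indication of which access needs it; this capability bypasses read and search permission checks on every file, so it deserves a why-comment naming the denied path from the audit log, e.g. `capability dac_read_search, # for <path from audit log>`, so a later reviewer can judge whether a narrower file rule would do instead. The same applies to `network netlink raw,`, which has no comment either.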
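Review bot: `capability net_admin,` on a setuid-root tool like chsh is a broad grant that the hunk does not explain. If the denial comes only from the `SO_SNDBUFFORCE` setsockopt that systemd's sd-bus/journal client code issues, a frequent source of spurious net_admin requests, it can be silenced without loss of function with `deny capability net_admin,` instead; please confirm against the audit entry that prompted it. Separately, `unix type=stream addr=@@{udbus}/bus/chsh/system,` carries no access qualifier and therefore allows every unix-socket operation on that address; the cron rule later in this series restricts the same pattern to `bind`, which is presumably sufficient here too.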
--- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -26,6 +26,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{bin}/* r, @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, @@ -42,8 +43,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{lib}/needrestart/* rPx, /usr/share/debconf/frontend rix, - @{bin}/networkd-dispatcher r, - @{bin}/gettext.sh r, /usr/share/needrestart/{,**} r, /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 63a1568b5..fe24ed061 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -93,6 +93,7 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, + /usr/share/dbus-1/{system,session}.d.d/snapd.{system,session}-services.conf* rw, /usr/share/dbus-1/{system,session}.d/{,snapd*} r, /usr/share/dbus-1/services/*snap* r, /usr/share/polkit-1/actions/{,**/} r, From 89449547514afa6ab6c41afdba538a1d439c6175 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Dec 2024 23:24:14 +0100 Subject: [PATCH 63/76] feat(profile): minor update. --- apparmor.d/groups/network/networkd-dispatcher | 3 ++- apparmor.d/profiles-a-f/flatpak | 7 +++++- apparmor.d/profiles-g-l/iotop | 22 ++++++++----------- 3 files changed, 17 insertions(+), 15 deletions(-) diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index 632910933..45fbf76aa 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -21,8 +21,9 @@ profile networkd-dispatcher @{exec_path} { @{exec_path} mr, @{bin}/ r, - @{bin}/networkctl rPx, + @{bin}/chronyc rPx, @{bin}/ls rix, + @{bin}/networkctl rPx, @{bin}/sed rix, @{lib}/networkd-dispatcher/routable.d/postfix rix, 
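Review bot: `@{bin}/* r,` in needrestart quietly subsumes the two removed rules (`networkd-dispatcher`, `gettext.sh`) and grants read on every executable in `@{bin}`; since it is `r` without `x` there is no exec-path widening, but a why-comment would stop the next reader from narrowing it back, e.g. `@{bin}/* r, # needrestart inspects the executables/interpreters of running services` — if that is indeed the reason, which the hunk does not say.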
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 7368d7c3b..bc21a583f 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -62,7 +62,12 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, - owner @{user_documents_dirs}/ rw, + # Can create dotfile directories for any app + owner @{user_cache_dirs}/*/ w, + owner @{user_config_dirs}/*/ w, + owner @{user_share_dirs}/*/ w, + owner @{user_games_dirs}/{,**/} w, + owner @{user_documents_dirs}/ w, owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_config_dirs}/pulse/client.conf r, diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop index c53b4656d..d85b0244f 100644 --- a/apparmor.d/profiles-g-l/iotop +++ b/apparmor.d/profiles-g-l/iotop @@ -10,32 +10,28 @@ include @{exec_path} = @{bin}/iotop profile iotop @{exec_path} { include - include include + include - # Needed? - audit deny capability net_admin, - - # To set processes' priorities capability sys_nice, + network netlink raw, + @{exec_path} r, - @{bin}/python3.@{int} r, + @{bin}/ r, @{bin}/file rix, + @{bin}/python3.@{int} r, - @{bin}/ r, + /etc/magic r, @{PROC}/ r, - @{PROC}/vmstat r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/task/ r, @{PROC}/sys/kernel/pid_max r, - - # For file - /etc/magic r, + @{PROC}/vmstat r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, include if exists } From 72733d3877b6337ed7c7b2f3152299e543e7454e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Dec 2024 23:29:44 +0100 Subject: [PATCH 64/76] fix(profile): snap integration with dbus. --- apparmor.d/profiles-s-z/snapd | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index fe24ed061..0a9b332d1 100644 --- a/apparmor.d/profiles-s-z/snapd 
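Review bot: `owner @{user_games_dirs}/{,**/} w,` in the flatpak hunk is recursive while the neighbouring cache/config/share rules stop at one level (`*/ w`), and the comment above says the intent is only to let flatpak create per-app directories. If deeper creation under the games directory is not actually required, `owner @{user_games_dirs}/*/ w,` matches the siblings and avoids write access to every subdirectory of the user's games tree.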
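Review bot: `network netlink raw,` in iotop is added with no comment while the old `# Needed?` question on net_admin is simply dropped. iotop reads per-task I/O counters over the taskstats generic-netlink family, which is presumably what this socket is for, so `network netlink raw, # taskstats (generic netlink) for per-process I/O counters` would document it. With the `audit deny` rule gone, any remaining net_admin request is logged as an ordinary DENIED entry rather than an audited one, which is fine but worth a word in the commit message if intentional.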
+++ b/apparmor.d/profiles-s-z/snapd @@ -93,8 +93,7 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, - /usr/share/dbus-1/{system,session}.d.d/snapd.{system,session}-services.conf* rw, - /usr/share/dbus-1/{system,session}.d/{,snapd*} r, + /usr/share/dbus-1/{system,session}.d/{,snapd*} rw, /usr/share/dbus-1/services/*snap* r, /usr/share/polkit-1/actions/{,**/} r, From 13cf860bf1603976ef7022c751b180a968f2b96c Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 12 Dec 2024 18:26:16 +0100 Subject: [PATCH 65/76] fix(profile): cron communication with dbus. --- apparmor.d/groups/cron/cron | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 4ce618ef7..25549a39c 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -27,6 +27,8 @@ profile cron @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=unconfined, + unix bind type=stream addr=@@{udbus}/bus/cron/system, + @{exec_path} mr, @{sh_path} rix, From d243a4a37ba2ae95c5c81b8565f37c7b5c3c1ba9 Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 12 Dec 2024 21:34:18 +0000 Subject: [PATCH 66/76] fix(profile): snapd --- apparmor.d/profiles-s-z/snapd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 0a9b332d1..250005f55 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -68,6 +68,7 @@ profile snapd @{exec_path} { @{sh_path} rix, @{bin}/apparmor_parser rPx, @{bin}/cp rix, + @{bin}/getent rix, @{bin}/gzip rix, @{bin}/journalctl rPx, @{bin}/kmod rPx, From 0f5f63164debd08c0a78cf02af63b7452dc4dfcf Mon Sep 17 00:00:00 2001 From: odomingao Date: Fri, 6 Dec 2024 09:41:35 -0300 Subject: [PATCH 67/76] Add wttrbar --- apparmor.d/profiles-s-z/wttrbar | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 apparmor.d/profiles-s-z/wttrbar 
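Review bot: `/usr/share/dbus-1/{system,session}.d/{,snapd*} rw,` grants `w` on the D-Bus policy directories themselves as well as on the `snapd*` files. The system-bus policy directory is security-sensitive (its files decide who may own names and call methods), so keep the write scoped to the files snapd installs and list the directory read-only: `/usr/share/dbus-1/{system,session}.d/ r,` and `/usr/share/dbus-1/{system,session}.d/snapd* rw,`.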
diff --git a/apparmor.d/profiles-s-z/wttrbar b/apparmor.d/profiles-s-z/wttrbar new file mode 100644 index 000000000..37933679d --- /dev/null +++ b/apparmor.d/profiles-s-z/wttrbar @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/wttrbar +profile wttrbar @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + @{exec_path} mr, + + owner /tmp/wttrbar--wttr.in.json rw, + + include if exists +} + +# vim:syntax=apparmor From f08bfc23ac1b4e094f38009a1d6d191f04a8fd4f Mon Sep 17 00:00:00 2001 
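Review bot: `owner /tmp/wttrbar--wttr.in.json rw,` hard-codes `/tmp` where the rest of the tree uses the `@{tmp}` variable (the firefox rules later in this series are written as `owner @{tmp}/...`); `owner @{tmp}/wttrbar--wttr.in.json rw,` keeps the profile correct on systems that relocate the temp directory. The fixed, predictable file name in a world-writable directory is the application's choice rather than the profile's, and `owner` limits what a squatted name can do, so no further rule change is needed. The include targets were stripped from this view, so confirm DNS and certificate access for the four `network` rules are covered by the abstractions the profile includes.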
From: Besanon Date: Fri, 13 Dec 2024 18:06:59 +0100 Subject: [PATCH 68/76] more lxqt-files (#613) * Create abstraction for lxqt desktop group first file for the LXQT 2.0 desktop group * Update lxqt * xdg-desktop abstraction added * removing tabs * Create startlxqt starter file for LXQT Desktop * Create startlxqt * fixing startlxqt I use sddm as display manager I cant remove the other file - only use graphical env., sorry After startlxqt i would add 2 lines to sddm to enable the start of LXQT desktop * Delete apparmor.d/profiles-s-z/startlxqt * indented by 2 spaces (like other entries) * Update sddm Enable sddm to start an lxqt desktop session * Create lxqt-session lxqt-session to be started by startlxqt. Display manager: sddm * Update lxqt-session * Update lxqt-session * removed trailing whitespace * Update kscreen_backend_launcher to support lxqt desktop is needed for several complaints: DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open /usr/share/lxqt/lxqt.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open owner @{user_config_dirs}/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r DENIED kscreen_backend_launcher open /usr/share/lxqt/session.conf comm=kscreen_backend requested_mask=r denied_mask=r * Update lxqt-session * Create lxqt-panel * Update lxqt-panel * Update lxqt-panel * Update lxqt-panel * fix conflicting x * Update lxqt-panel add child-open * remove include you think its too permissive to have app-launcher-user here, right? * Update lxqt-panel add needed programs * Update lxqt-panel turning back to layout of corresponding xfce file. * Create lxqt-globalkeysd * Create lxqt-about * Create lxqt-leave * Create lxqt-runner * Update lxqt-leave * Update lxqt-runner * Update lxqt-globalkeysd * remove video in lxqt-about * Update lxqt-about * Update lxqt-runner * remove abstr. 
in lxqt-globalkeysd * remove abstr. in lxqt-runner * remove abstr. in lxqt-leave * Create lxqt-config-notificationd * Create lxqt-config-locale * Create lxqt-config-printer * Create lxqt-config-file-associations * Create lxqt-config-powermanagement * enable wayland-session for lxqt 2.1 startlxqtwayland for starting the session, support for labwc and kwin_wayland * Update lxqt-config-printer * Update lxqt-config-powermanagement * Update sddm * Update sddm * adapt pci-rules ok, havent seen this profile yet. I will change that in lxqt-powermanagement as well and check the other profiles * Update lxqt-config-powermanagement * Update lxqt-config-powermanagement * Update lxqt-config-powermanagement * Update lxqt-config-powermanagement --- apparmor.d/groups/kde/sddm | 4 ++ .../groups/lxqt/lxqt-config-file-associations | 36 ++++++++++++++++ apparmor.d/groups/lxqt/lxqt-config-locale | 40 +++++++++++++++++ .../groups/lxqt/lxqt-config-notificationd | 34 +++++++++++++++ .../groups/lxqt/lxqt-config-powermanagement | 43 +++++++++++++++++++ apparmor.d/groups/lxqt/lxqt-config-printer | 24 +++++++++++ 6 files changed, 181 insertions(+) create mode 100644 apparmor.d/groups/lxqt/lxqt-config-file-associations create mode 100644 apparmor.d/groups/lxqt/lxqt-config-locale create mode 100644 apparmor.d/groups/lxqt/lxqt-config-notificationd create mode 100644 apparmor.d/groups/lxqt/lxqt-config-powermanagement create mode 100644 apparmor.d/groups/lxqt/lxqt-config-printer diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index d8adff564..8e491bb2b 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -40,6 +40,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (trace) peer=@{profile_name}, signal (receive) set=(hup) peer=@{p_systemd}, + signal (send) set=(kill, term) peer=labwc, signal (send) set=(kill, term) peer=lxqt-session, signal (send) set=(kill, term) peer=startplasma, signal (send) set=(kill, term) peer=xorg, 
@@ -47,6 +48,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(term) peer=kwin_wayland, signal (send) set=(term) peer=sddm-greeter, signal (send) set=(term) peer=startplasma-wayland, + signal (send) set=(term) peer=startlxqtwayland, dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable @@ -95,7 +97,9 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, @{bin}/sddm-greeter{,-qt6} rPx, + @{bin}/labwc rPx, @{bin}/startlxqt rPx, + @{bin}/startlxqtwayland rPx, @{bin}/startplasma-wayland rPx, @{bin}/startplasma-x11 rPx, @{bin}/sway rPUx, diff --git a/apparmor.d/groups/lxqt/lxqt-config-file-associations b/apparmor.d/groups/lxqt/lxqt-config-file-associations new file mode 100644 index 000000000..4232f1c70 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-file-associations @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-file-associations +profile lxqt-config-file-associations @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_config_dirs}/ r, + owner @{user_config_dirs}/mimeapps* rwk, + owner @{user_config_dirs}/lxqt-* rwk, + owner @{user_config_dirs}/lxqt/ r, + owner @{user_config_dirs}/lxqt/#@{int} rwk, + owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf kl -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config-file-associations.conf.@{rand6} rwkl -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/#@{int} rwk, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor 
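Review bot: `@{bin}/labwc rPx,` and `@{bin}/startlxqtwayland rPx,` require profiles named `labwc` and `startlxqtwayland` to exist, yet this patch's diffstat adds neither; if they are not already in the tree, the exec is denied and the LXQt Wayland session fails to start. Either add the two profiles in the same change or use the fallback form the adjacent `sway` line uses, `@{bin}/labwc rPUx,`, until they exist. The signal rules for the same peers in the earlier sddm hunks carry the same dependency.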
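Review bot: `owner /tmp/#@{int} rwk,` in lxqt-config-file-associations hard-codes `/tmp`; the tree's convention is the `@{tmp}` variable (the firefox profile in this series uses `owner @{tmp}/...`), so write it as `owner @{tmp}/#@{int} rwk,`. `owner @{user_config_dirs}/lxqt-* rwk,` also looks broader than this tool's own `lxqt/lxqt-config-file-associations.conf*` files; if only one specific entry at the config root is needed, name it rather than matching every `lxqt-*` file the user has there.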
diff --git a/apparmor.d/groups/lxqt/lxqt-config-locale b/apparmor.d/groups/lxqt/lxqt-config-locale new file mode 100644 index 000000000..c7c868c18 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-locale @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-locale +profile lxqt-config-locale @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_config_dirs}/lxqt/* r, + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/lxqt-config.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/lxqt-config.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf l -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.lock rwk, + owner @{user_config_dirs}/lxqt/session.conf.lock rwk, + owner @{user_config_dirs}/lxqt/session.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/session.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-notificationd b/apparmor.d/groups/lxqt/lxqt-config-notificationd new file mode 100644 index 000000000..63b2eb673 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-notificationd 
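Review bot: each of `lxqt-config.conf.@{rand6}`, `lxqt-config-locale.conf.@{rand6}` and `session.conf.@{rand6}` gets two rules (`rw` and `l -> ...`) for the same path; they can be one rule each, as lxqt-config-file-associations in the previous hunk does, e.g. `owner @{user_config_dirs}/lxqt/lxqt-config-locale.conf.@{rand6} rwl -> @{user_config_dirs}/lxqt/#@{int},`. That halves the rule count and keeps each file's save pattern on a single line. `owner /tmp/@{int} r,` should also use the tree's `@{tmp}` variable: `owner @{tmp}/@{int} r,`.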
@@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-notificationd +profile lxqt-config-notificationd @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + /var/lib/dbus/machine-id r, + + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/notifications.conf.lock rwk, + owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/notifications.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + owner /tmp/#@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-powermanagement b/apparmor.d/groups/lxqt/lxqt-config-powermanagement new file mode 100644 index 000000000..4b96ccb36 --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-powermanagement 
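Review bot: `owner /tmp/#@{int} r,` in lxqt-config-notificationd hard-codes `/tmp` instead of the `@{tmp}` variable the tree uses elsewhere; `owner @{tmp}/#@{int} r,` is the consistent form. `/etc/machine-id r,` and `/var/lib/dbus/machine-id r,` are usually supplied by the D-Bus abstractions; since the include targets were stripped from this view, confirm they are not simply duplicating an included rule.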
@@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-powermanagement +profile lxqt-config-powermanagement @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /etc/machine-id r, + + owner @{user_config_dirs}/lxqt/#@{int} rw, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.lock rwk, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} rw, + owner @{user_config_dirs}/lxqt/lxqt-powermanagement.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, + + @{sys}/class/leds/ r, + @{sys}/devices/@{pci}/backlight/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/backlight/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/backlight/**/brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/drm/card@{int}/**/{uevent,type,enabled} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/brightness rw, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness rw, + @{sys}/devices/@{pci}/*_backlight/{uevent,type,enabled} r, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/lxqt/lxqt-config-printer b/apparmor.d/groups/lxqt/lxqt-config-printer new file mode 100644 index 000000000..f4c38e94d --- /dev/null +++ b/apparmor.d/groups/lxqt/lxqt-config-printer @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 Besanon +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lxqt-config-printer +profile lxqt-config-printer @{exec_path} { + include + include + + @{exec_path} mr, + + owner /tmp/@{int} r, + + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From ea507d6ab729fa9a4b6968ab9daf263c2c515676 Mon Sep 17 00:00:00 2001 
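Review bot: the backlight rules in lxqt-config-powermanagement overlap and grant write where sysfs only permits read: `{,max_,actual_}brightness rw` already covers `brightness`, so the separate `.../backlight/**/brightness rw,` and `.../drm/card@{int}/**/brightness rw,` lines are redundant, and `max_brightness`/`actual_brightness` are read-only attributes per the kernel's sysfs-class-backlight ABI. Suggest `@{sys}/devices/@{pci}/backlight/**/{max_,actual_}brightness r,` and `@{sys}/devices/@{pci}/backlight/**/brightness rw,` (with the same split for the `drm/card@{int}` and `*_backlight` forms), dropping the duplicate lines.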
From: Alexandre Pujol Date: Mon, 23 Dec 2024 22:17:35 +0100 Subject: [PATCH 69/76] feat(profile): firefox: restric access to /tmp --- apparmor.d/groups/browsers/firefox | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 27eb0d54d..dfaff6064 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -59,9 +59,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw, owner @{tmp}/.xfsm-ICE-@{rand6} rw, - owner @{tmp}/@{rand6}.tmp r, - owner @{tmp}/@{rand8}.txt w, - owner @{tmp}/* w, # file downloads (to anywhere) + owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere) + owner @{tmp}/@{uuid}.zip{,.tmp} rw, owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/mozilla* rw, owner @{tmp}/mozilla*/ rw, From ef133807d63f008389aa080a124c1202c43d1085 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 23 Dec 2024 22:19:29 +0100 Subject: [PATCH 70/76] feat(profile): firefox: better naming of possible attachment. --- apparmor.d/groups/browsers/firefox | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index dfaff6064..f7b0e1964 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -7,8 +7,8 @@ abi , include -@{name} = firefox{,.sh,-esr,-bin} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{name} = firefox{,-esr,-bin} +@{lib_dirs} = @{lib}/firefox{,-esr,-beta,-devedition,-nightly} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ @{cache_dirs} = @{user_cache_dirs}/mozilla/ From dda98be4d7d8b1e2f55c7830e49504566a6fbc3a Mon Sep 17 00:00:00 2001 
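Review bot: the `# file downloads (to anywhere)` comment now sits on `owner @{tmp}/@{rand8}.* rw,`, which only matches eight-character random names, so it no longer describes what the rule allows; downloads saved under `@{tmp}` with a user-chosen name are now denied, which is the intended restriction but should be stated so the next denial report is not treated as a bug. Suggest `owner @{tmp}/@{rand8}.* rw, # random-named temp files; downloads to @{tmp} under arbitrary names are intentionally not allowed`.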
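Review bot: `@{lib_dirs}` now lists `firefox{,-esr,-beta,-devedition,-nightly}` under `@{lib}`, but the `/opt/@{name}` alternative still derives from `@{name} = firefox{,-esr,-bin}`, so a beta/devedition/nightly tarball unpacked under `/opt` (a common way to install those channels) is not covered. If that is unintended, spell the `/opt` side out as well: `@{lib_dirs} = @{lib}/firefox{,-esr,-beta,-devedition,-nightly} /opt/firefox{,-esr,-bin,-beta,-devedition,-nightly}`. The `.sh` variant is also dropped from `@{name}`; whether `firefox.sh` still attaches depends on `@{exec_path}`, which is outside the hunk.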
From: Roman Beslik Date: Tue, 17 Dec 2024 20:28:17 +0200 Subject: [PATCH 71/76] non-owner accesses authorized_keys --- apparmor.d/groups/ssh/sshd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index b4ecc068e..825612af0 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -94,7 +94,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{user_cache_dirs}/{,motd*} rw, @{att}/@{run}/systemd/sessions/@{int}.ref rw, From a7e570ac0c9c54438af598f54071c877fa957d46 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 23 Dec 2024 22:48:24 +0100 Subject: [PATCH 72/76] fix(profile): sensors: simplify hwmon access. fix #628 --- apparmor.d/profiles-s-z/sensors | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index fd839099e..e6ae103ae 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors 
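Review bot: dropping `owner` is needed if sshd must read an `authorized_keys` owned by root rather than the user (OpenSSH accepts either owner under StrictModes), but the `{,.*}` suffix then lets sshd read any `authorized_keys.<anything>` file in any home directory. OpenSSH's default `AuthorizedKeysFile` is `.ssh/authorized_keys .ssh/authorized_keys2`, so `@{HOME}/@{XDG_SSH_DIR}/authorized_keys{,2} r,` is the tight form unless the tree deliberately honours custom AuthorizedKeysFile names; a short comment stating which is intended would settle it.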
@@ -18,19 +18,12 @@ profile sensors @{exec_path} { /etc/sensors.d/{,*} r, /etc/sensors3.conf r, + @{sys}/bus/i2c/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/**/hwmon*/{,**/} r, - @{sys}/devices/**/hwmon*/{in[0-9]_label,in[0-9]_min,in[0-9]_max} r, - @{sys}/devices/**/hwmon*/{name,temp*,*_input} r, - @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r, - @{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r, - @{sys}/devices/**/hwmon/hwmon@{int}/fan@{int}_{label,max,min} r, @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r, - @{sys}/devices/virtual/hwmon/hwmon@{int}/ r, - @{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r, + @{sys}/devices/**/hwmon*/** r, # file_inherit deny @{PROC}/@{pid}/net/dev r, From 24938f65b44280dea766c0aed53c9b4a766e8553 Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Sun, 15 Dec 2024 19:40:06 +0200 Subject: [PATCH 73/76] systemd user ask-password --- apparmor.d/groups/systemd/systemd-tty-ask-password-agent | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 3e2129d39..b16577de8 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -24,6 +24,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { @{run}/systemd/ask-password-block/{,*} rw, @{run}/systemd/ask-password/{,*} rw, + @{run}/user/@{uid}/systemd/ask-password/ rw, @{run}/utmp rk, @{PROC}/@{pids}/stat r, From 915d7e81c31a3aab26335ff47e0925cd22897bc1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 24 Dec 2024 23:56:12 +0100 Subject: [PATCH 74/76] fix(profile): pacman-hook-systemd: add systemd-tty-ask-password-agent. fix #632 --- apparmor.d/groups/pacman/pacman-hook-systemd | 4 ++++ 1 file changed, 4 insertions(+) 
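Review bot: the collapsed `@{sys}/devices/**/hwmon*/** r,` no longer matches the `hwmon*/` directories themselves, which the removed `@{sys}/devices/**/hwmon*/{,**/} r,` did, so as far as I can tell listing a sensor's directory will be denied while reading its attributes is allowed. Use the directory-inclusive idiom the rest of this series relies on: `@{sys}/devices/**/hwmon*/{,**} r,`.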
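Review bot: `@{run}/user/@{uid}/systemd/ask-password/ rw,` grants the directory only, while the system-wide counterparts two lines above use `{,*}`; if the agent also reads and answers the `ask.*` files in the per-user directory, as it does for the system one, denials will continue. Suggest `owner @{run}/user/@{uid}/systemd/ask-password/{,*} rw,`, with `owner` assuming the agent runs as the user whose runtime directory it touches — confirm from the audit log.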
diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 2c32024a2..59acc34d9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -45,6 +45,10 @@ profile pacman-hook-systemd @{exec_path} { capability net_admin, + signal send set=term peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent Px, + include if exists } From ab5eaaa8bce4979796c286533e0a819344fb7eb4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Dec 2024 00:05:36 +0100 Subject: [PATCH 75/76] feat(profile): various improvements and update. --- apparmor.d/groups/gnome/gnome-session | 2 ++ apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/network/mullvad-daemon | 1 + apparmor.d/groups/pacman/pacman-hook-systemd | 1 + apparmor.d/groups/systemd/bootctl | 2 +- apparmor.d/groups/systemd/busctl | 2 +- apparmor.d/groups/systemd/systemd-backlight | 2 +- apparmor.d/groups/systemd/systemd-cryptsetup | 2 +- apparmor.d/groups/systemd/systemd-generator-user-autostart | 2 +- apparmor.d/groups/systemd/systemd-generator-user-environment | 2 +- apparmor.d/groups/systemd/systemd-journald | 2 +- apparmor.d/groups/systemd/systemd-machined | 2 +- apparmor.d/groups/systemd/systemd-random-seed | 2 +- apparmor.d/groups/systemd/systemd-update-done | 2 +- apparmor.d/groups/systemd/systemd-update-utmp | 2 +- apparmor.d/groups/systemd/systemd-user-runtime-dir | 2 +- apparmor.d/groups/systemd/systemd-user-sessions | 2 +- apparmor.d/groups/virt/libvirtd | 1 + apparmor.d/profiles-a-f/flatpak-system-helper | 3 ++- apparmor.d/profiles-a-f/fwupd | 3 +-- 20 files changed, 22 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 798868271..bec97e7de 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session 
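Review bot: `@{bin}/systemd-tty-ask-password-agent Px,` omits the `r` that every other exec rule in this series carries (`rPx`); `Px` alone is valid, but the tree's convention is `@{bin}/systemd-tty-ask-password-agent rPx,`. `signal send set=term peer=systemd-tty-ask-password-agent,` likewise differs cosmetically from the parenthesised `set=(term)` form the other profiles use.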
@@ -58,6 +58,8 @@ profile gnome-session @{exec_path} { /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, + owner @{HOME}/ r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index a75cfee63..601e6b6df 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -39,6 +39,7 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, + /usr/share/flatpak/remotes.d/ r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/{,**} r, /usr/share/xml/iso-codes/{,**} r, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index ee98720b6..6c4c41e6c 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -59,6 +59,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner @{tmp}/@{uuid} rw, owner @{tmp}/talpid-openvpn-@{uuid} rw, + @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 59acc34d9..6f154269d 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -44,6 +44,7 @@ profile pacman-hook-systemd @{exec_path} { include capability net_admin, + capability sys_resource, signal send set=term peer=systemd-tty-ask-password-agent, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 05655d308..c7bb7b19f 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl 
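Review bot: `@{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw,` in mullvad-daemon copies the shape of the sibling `src_valid_mark` line, but `arp_ignore` is an IPv4-only sysctl and there is no `/proc/sys/net/ipv6/conf/*/arp_ignore`, so half of the alternation grants a path that cannot exist. `@{PROC}/sys/net/ipv4/conf/all/arp_ignore rw,` is the precise rule.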
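Review bot: `capability sys_resource,` in pacman-hook-systemd is added without a reason; the capability covers raising rlimits, overriding disk quotas and several other things, so a one-line comment naming the denied operation from the audit log (e.g. `capability sys_resource, # setrlimit/prlimit by <child>` if that is what was logged) lets later reviewers judge whether it is still needed or could be a `deny`.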
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/bootctl -profile bootctl @{exec_path} { +profile bootctl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 6516a500c..826405d2d 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/busctl -profile busctl @{exec_path} { +profile busctl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index f67cb301c..374e9c4ae 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-backlight -profile systemd-backlight @{exec_path} { +profile systemd-backlight @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index f8950c1fe..090412ff5 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup -profile systemd-cryptsetup @{exec_path} { +profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd/systemd-generator-user-autostart index c42548ef5..8e3ebb6b3 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd/systemd-generator-user-autostart 
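Review bot: `flags=(attach_disconnected)` is added to bootctl (and to a dozen other systemd profiles in this commit) with no rule using the `@{att}/` prefix and no note of which disconnected path triggered it. The flag makes files that have no path in the current namespace appear under `/`, so existing path rules can start matching unrelated objects; the tree's pattern, e.g. `@{att}/@{run}/systemd/sessions/@{int}.ref rw,` in sshd, is to pair the flag with explicit `@{att}/...` rules for the paths that need it. A short comment or the matching `@{att}` rule per profile would document why each one now needs the flag.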
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator -profile systemd-generator-user-autostart @{exec_path} { +profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd/systemd-generator-user-environment index db128405f..27db22078 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-environment +++ b/apparmor.d/groups/systemd/systemd-generator-user-environment @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/user-environment-generators/* -profile systemd-generator-user-environment @{exec_path} { +profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index cc1f541dd..d63a4211d 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-journald -profile systemd-journald @{exec_path} { +profile systemd-journald @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 3a111f7f3..b37f2300b 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-machined -profile systemd-machined @{exec_path} { +profile systemd-machined @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed index be33d39cd..86ea02a0d 100644 --- a/apparmor.d/groups/systemd/systemd-random-seed +++ b/apparmor.d/groups/systemd/systemd-random-seed 
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-random-seed -profile systemd-random-seed @{exec_path} { +profile systemd-random-seed @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index c17be7ab2..e7a44d01d 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-update-done -profile systemd-update-done @{exec_path} { +profile systemd-update-done @{exec_path} flags=(attach_disconnected) { include capability net_admin, diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 9d512b495..1a2ff9a31 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-update-utmp -profile systemd-update-utmp @{exec_path} { +profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 9c7fe975b..363b9a32d 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-user-runtime-dir -profile systemd-user-runtime-dir @{exec_path} { +profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions index 6f16b2f19..8de32dfe2 100644 --- a/apparmor.d/groups/systemd/systemd-user-sessions +++ b/apparmor.d/groups/systemd/systemd-user-sessions 
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-user-sessions
-profile systemd-user-sessions @{exec_path} {
+profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index db6d5d377..061866717 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -171,6 +171,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+leds:* r,
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
 @{run}/udev/data/+platform:* r,
+ @{run}/udev/data/+power_supply:* r,
 @{run}/udev/data/+rfkill:* r,
 @{run}/udev/data/+sound:card@{int} r, # For sound card
 @{run}/udev/data/+thunderbolt:* r,
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index 2268de064..60c41a6a9 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
@@ -37,8 +37,9 @@ profile flatpak-system-helper @{exec_path} {
 /etc/flatpak/{,**} r,
 /etc/machine-id r,
- /usr/share/mime/mime.cache r,
+ /usr/share/flatpak/remotes.d/ r,
 /usr/share/flatpak/triggers/ r,
+ /usr/share/mime/mime.cache r,
 /var/lib/flatpak/{,**} rwkl,
 /var/tmp/flatpak-cache-*/{,**} rw,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index aa95a00d5..643bbe96a 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -17,7 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 include
 include
 include
- include
+ include
 include
 include
@@ -129,7 +129,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 /dev/mei@{int} rw,
 /dev/mem r,
 /dev/mtd@{int} rw,
- /dev/sd[a-z]* r,
 /dev/tpm@{int} rw,
 /dev/tpmrm@{int} rw,
 /dev/wmi/* r,
From d0b5e2e82f47b30030752df19481af48c27380f5 Mon Sep 17 00:00:00 2001
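Review bot: `+profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) {` is the only change in this hunk and nothing in it says which disconnected path the flag is for, so the widening it causes (every path rule now also matching unlinked or namespace-detached files) cannot be re-evaluated later. A short comment above the profile line naming the denied path, e.g. `# attach_disconnected: <denied path>`, would allow the flag to be dropped once the cause is fixed. Where supported, `attach_disconnected.path=/disconnected/` is preferable because it confines disconnected paths to an explicit prefix rather than aliasing them onto the real tree.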
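Review bot: `+ /usr/share/flatpak/remotes.d/ r,` in the flatpak-system-helper hunk grants read on the directory only, so listing it succeeds but opening any remote definition file inside it would still be denied; if the helper parses those files, the rule should be `/usr/share/flatpak/remotes.d/{,*} r,`. This is inferred from the trailing slash alone, so please confirm against the denial log before widening it. The relocated `/usr/share/mime/mime.cache r,` line is pure reordering and needs no change.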
From: nobody43
Date: Mon, 30 Dec 2024 23:37:16 +0000
Subject: [PATCH 76/76] regression: session names
---
 apparmor.d/abstractions/app/firefox | 2 +-
 apparmor.d/groups/gnome/gdm | 2 +-
 apparmor.d/groups/ssh/sshd | 2 +-
 apparmor.d/groups/virt/k3s | 2 +-
 apparmor.d/profiles-a-f/briar-desktop | 2 +-
 apparmor.d/profiles-g-l/libreoffice | 2 +-
 apparmor.d/profiles-m-r/mullvad-setup | 2 +-
 apparmor.d/profiles-m-r/ouch | 2 +-
 apparmor.d/profiles-s-z/signal-desktop | 4 ++--
 apparmor.d/profiles-s-z/virt-manager | 2 +-
 10 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index 87865197e..602651587 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -125,7 +125,7 @@
 @{sys}/devices/power/events/energy-* r,
 @{sys}/devices/power/type r,
 @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r,
 @{PROC}/@{pid}/net/arp r,
diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm
index 6bafb132b..4d251cbb7 100644
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@@ -92,7 +92,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/**/uevent r,
 @{sys}/devices/@{pci}/boot_vga r,
 @{sys}/devices/virtual/tty/tty@{int}/active r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cgroup.events r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cgroup.events r,
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/1/environ r,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 825612af0..21892cc47 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
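Review bot: Swapping `session-@{int}.scope` for `session-@{word}.scope` in `+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,` widens the match to any single path component, which is more than logind ever produces: a session ID is either the decimal audit session id or, when no audit id is available, `c` followed by a counter (`c1`, `c2`, ...). `session-{@{int},c@{int}}.scope` would cure the regression named in the commit title while staying tight; this assumes `@{word}` in the tunables is broader than that, which is not visible here. The same substitution appears in the gdm hunk on this line and in the other eight files listed in the diffstat, so whichever form is chosen should be applied uniformly across the patch.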
@@ -107,7 +107,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 owner @{run}/sshd{,.init}.pid wl,
 @{sys}/fs/cgroup/*/user/*/@{int}/ rw,
- @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw,
+ @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-@{word}.scope/ rw,
 @{PROC}/@{pids}/fd/ r,
 @{PROC}/1/environ r,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 96e50ba35..0949e72ee 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -159,7 +159,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/ r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user-runtime-dir@@{uid}.service/ r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**/} r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{,**/} r,
 @{sys}/kernel/mm/hugepages/ r,
 @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop
index a0b57a38b..24088be3f 100644
--- a/apparmor.d/profiles-a-f/briar-desktop
+++ b/apparmor.d/profiles-a-f/briar-desktop
@@ -57,7 +57,7 @@ profile briar-desktop @{exec_path} {
 owner @{tmp}/jna@{u64}.tmp mrw,
 @{sys}/devices/system/cpu/cpu@{int}/microcode/version r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r,
 @{sys}/kernel/mm/{hugepages/,transparent_hugepage/enabled} r,
 @{PROC}/cgroups r,
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice
index 63634d788..03dfe9749 100644
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@@ -99,7 +99,7 @@ profile libreoffice @{exec_path} {
 @{sys}/kernel/mm/hugepages/ r,
 @{sys}/kernel/mm/transparent_hugepage/enabled r,
 @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r,
diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup
index b30da1c13..d2bb2eb44 100644
--- a/apparmor.d/profiles-m-r/mullvad-setup
+++ b/apparmor.d/profiles-m-r/mullvad-setup
@@ -13,7 +13,7 @@ profile mullvad-setup @{exec_path} {
 @{exec_path} mr,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
 @{sys}/fs/cgroup/user.slice/cpu.max r,
diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch
index ef3ea4bee..a5b62ca93 100644
--- a/apparmor.d/profiles-m-r/ouch
+++ b/apparmor.d/profiles-m-r/ouch
@@ -19,7 +19,7 @@ profile ouch @{exec_path} {
 @{sys}/fs/cgroup/user.slice/cpu.max r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
 owner @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop
index b905e8f3a..ca9da155c 100644
--- a/apparmor.d/profiles-s-z/signal-desktop
+++ b/apparmor.d/profiles-s-z/signal-desktop
@@ -44,8 +44,8 @@ profile signal-desktop @{exec_path} {
 @{sys}/fs/cgroup/user.slice/cpu.max r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.high r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.max r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index 0a67b365b..052192d8f 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@@ -85,7 +85,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/virtual/drm/ttm/uevent r,
 @{sys}/fs/cgroup/user.slice/cpu.max r,
 @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
- @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
 @{PROC}/@{pids}/net/route r,
 owner @{PROC}/@{pid}/cgroup r,
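Review bot: The two rewritten signal-desktop lines `+ ...session-@{word}.scope/memory.high r,` and `+ ...session-@{word}.scope/memory.max r,` differ only in the final component and can be one rule, `@{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.{high,max} r,`, matching the `{cpu,memory}.max` form already used in the briar-desktop and libreoffice hunks of this patch. Collapsing them keeps the profile shorter and turns the next session-name adjustment into a one-line change. Separately, `@{word}` is broader than the numeric or `c`-prefixed session IDs logind generates, so `session-{@{int},c@{int}}.scope` would be the tighter match unless `@{word}` is already defined that restrictively in the tunables, which is not visible here.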