From 5775721e55f6a2604a4a958a503925e91022d2e3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 12:12:45 +0200 Subject: [PATCH 001/798] build: default target to apparmor 4.1 --- cmd/prebuild/main.go | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index fab6b8f35..62685202f 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -17,7 +17,7 @@ func init() { prebuild.ABI = 4 // Define the default version - prebuild.Version = 4.0 + prebuild.Version = 4.1 // Define the tasks applied by default prepare.Register( @@ -36,7 +36,7 @@ func init() { "hotfix", // Temporary fix for #74, #80 & #235 ) - // Compatibility with AppArmor 3 + // Matrix of ABI/Apparmor version to integrate with switch prebuild.Distribution { case "arch": @@ -45,12 +45,9 @@ func init() { case "jammy": prebuild.ABI = 3 prebuild.Version = 3.0 - case "noble", "oracular": + case "noble": prebuild.ABI = 4 prebuild.Version = 4.0 - case "plucky": - prebuild.ABI = 4 - prebuild.Version = 4.1 } case "debian": @@ -58,16 +55,13 @@ func init() { case "bullseye", "bookworm": prebuild.ABI = 3 prebuild.Version = 3.0 - case "trixie", "sid": - prebuild.ABI = 4 - prebuild.Version = 4.1 } case "whonix": prebuild.ABI = 3 prebuild.Version = 3.0 - // Hide rewrittem Whonix profiles + // Hide rewritten Whonix profiles prebuild.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure /etc/apparmor.d/home.tor-browser.firefox /etc/apparmor.d/tunables/homsanitycheck From 6d2147582e4cc4eb7fe804b53b219df3432b4ffb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 22:44:56 +0200 Subject: [PATCH 002/798] build: add mappings to the list of directories without profile files. --- pkg/prebuild/builder/userspace.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index 20498bb4f..618b67c17 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go @@ -33,7 +33,7 @@ func init() { } func (b Userspace) Apply(opt *Option, profile string) (string, error) { - for _, dir := range []string{"abstractions", "tunables", "local"} { + for _, dir := range []string{"abstractions", "tunables", "local", "mappings"} { if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join(dir)); ok { return profile, nil } From c32884ddebe17ce8d052572a04a2cf0246ee41cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 22:47:33 +0200 Subject: [PATCH 003/798] feat(profile): add base mappings definition. Used by profiles before to confine pre login script bfore transitionning to user hat. It should only be enabled when mapping is enabled as otherwise the shell is not confined. --- apparmor.d/mappings/login/base | 30 ++++++++++++++++++++++++++++++ apparmor.d/mappings/sshd/base | 30 ++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 apparmor.d/mappings/login/base create mode 100644 apparmor.d/mappings/sshd/base diff --git a/apparmor.d/mappings/login/base b/apparmor.d/mappings/login/base new file mode 100644 index 000000000..f74b90418 --- /dev/null +++ b/apparmor.d/mappings/login/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by login to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor diff --git a/apparmor.d/mappings/sshd/base b/apparmor.d/mappings/sshd/base new file mode 100644 index 000000000..dd9218d9c --- /dev/null +++ b/apparmor.d/mappings/sshd/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by login to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor From 35d42038fd76f64a73b6f35fe58b6aff56ab3c7a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 22:48:01 +0200 Subject: [PATCH 004/798] feat(abs): add abstraction for ansible. --- apparmor.d/abstractions/ansible | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 apparmor.d/abstractions/ansible diff --git a/apparmor.d/abstractions/ansible b/apparmor.d/abstractions/ansible new file mode 100644 index 000000000..579783096 --- /dev/null +++ b/apparmor.d/abstractions/ansible @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + owner @{HOME}/.ansible/tmp/ansible-tmp-*/* rw, + + include if exists + +# vim:syntax=apparmor From 0860667d2876d5edb736760d9d0944e2bef07614 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 22:49:00 +0200 Subject: [PATCH 005/798] fix(profile): spotify needs to read usb. --- apparmor.d/profiles-s-z/spotify | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index ef516a7d6..a6d349b9c 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -17,6 +17,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, @@ -51,10 +52,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { /dev/tty rw, - deny @{sys}/bus/ r, - deny @{sys}/bus/*/devices/ r, - deny @{sys}/class/*/ r, - deny @{sys}/devices/@{pci}/usb@{int}/** r, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists From 5760ba4e48d25114a8eeebd0e55fff6692b6fd47 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 22:50:49 +0200 Subject: [PATCH 006/798] feat(abs): fusermount: add mount, umount to fusermount. --- apparmor.d/abstractions/app/fusermount | 7 +++++++ apparmor.d/groups/freedesktop/xdg-document-portal | 6 ------ apparmor.d/groups/gvfs/gvfsd-fuse | 3 --- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/app/fusermount b/apparmor.d/abstractions/app/fusermount index 659eee99d..a394e2528 100644 --- a/apparmor.d/abstractions/app/fusermount +++ b/apparmor.d/abstractions/app/fusermount @@ -17,8 +17,15 @@ @{bin}/fusermount{,3} mr, + @{bin}/mount rix, + @{bin}/umount rix, + @{etc_ro}/fuse{,3}.conf r, + @{run}/mount/utab r, + @{run}/mount/utab.* rwk, + + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, /dev/fuse rw, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index de362990a..c56729248 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -77,14 +77,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal), - @{bin}/mount rix, - @{bin}/umount rix, - owner @{run}/user/@{uid}/doc/ rw, - @{run}/mount/utab r, - @{run}/mount/utab.* rwk, - include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index bb19d5454..2695a1bf7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -49,9 +49,6 @@ profile gvfsd-fuse @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse), - @{bin}/mount rix, - @{bin}/umount rix, - include if exists } From e61529bd049eb964857c9afdc35b99910d8e5870 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 22:54:34 +0200 Subject: [PATCH 007/798] feat(profile): add integration with role profiles. --- apparmor.d/groups/apt/apt-methods-gpgv | 1 + apparmor.d/groups/apt/apt-methods-http | 1 + apparmor.d/groups/apt/apt-methods-store | 1 + 3 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index f4e77fa4d..db5d50f43 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -24,6 +24,7 @@ profile apt-methods-gpgv @{exec_path} { signal (receive) peer=apt, signal (receive) peer=aptitude, signal (receive) peer=packagekitd, + signal (receive) peer=role_*, signal (receive) peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 0638120ba..b6976e9af 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -27,6 +27,7 @@ profile apt-methods-http @{exec_path} { signal (receive) peer=apt, signal (receive) peer=aptitude, signal (receive) peer=packagekitd, + signal (receive) peer=role_*, signal (receive) peer=synaptic, signal (receive) peer=ubuntu-advantage, signal (receive) peer=unattended-upgrade, diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index 4c414f07c..5492fdd5e 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -24,6 +24,7 @@ profile apt-methods-store @{exec_path} { signal (receive) peer=apt, signal (receive) peer=aptitude, signal (receive) peer=packagekitd, + signal (receive) peer=role_*, signal (receive) peer=synaptic, @{exec_path} mr, From cd890bb81b9139e221a42bd18036b6f9654b886a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 23:00:52 +0200 Subject: [PATCH 008/798] feat(profile): minor improvement & update. --- apparmor.d/abstractions/X-strict | 1 - apparmor.d/abstractions/nvidia-strict | 2 +- apparmor.d/groups/apparmor/aa-notify | 2 ++ apparmor.d/groups/apt/unattended-upgrade | 2 ++ apparmor.d/groups/cups/cups-pk-helper-mechanism | 2 +- apparmor.d/groups/freedesktop/upowerd | 1 + apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 + .../groups/systemd/systemd-tty-ask-password-agent | 14 +++++++------- apparmor.d/profiles-a-f/ffplay | 2 +- apparmor.d/profiles-a-f/freetube | 1 + apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-m-r/rsyslogd | 2 ++ apparmor.d/profiles-s-z/swtpm | 6 +++--- 14 files changed, 24 insertions(+), 16 deletions(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 4c506da69..d3e2cef4f 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -4,7 +4,6 @@ abi , - # The unix socket to use to connect to the display unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index a3948e144..ebaced47f 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -26,7 +26,7 @@ @{PROC}/modules r, @{PROC}/sys/vm/max_map_count r, @{PROC}/sys/vm/mmap_min_addr r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 5b41f7b7c..31622c1bd 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -102,6 +102,8 @@ profile aa-notify @{exec_path} { /etc/apparmor.d/** rw, /etc/apparmor/* r, + @{PROC}/@{pid}/mounts r, + include if exists } diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 8a7c9755f..bee1c0fe8 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -50,6 +50,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/apt-listchanges rPx, @{bin}/dpkg rPx, + @{bin}/dpkg-divert rPx, @{bin}/dpkg-preconfigure rPx, @{bin}/etckeeper rPx, @{bin}/lsb_release rPx -> lsb_release, @@ -64,6 +65,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{etc_ro}/login.defs r, @{etc_ro}/security/capability.conf r, + /etc/apport/report-ignore/ r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, diff --git a/apparmor.d/groups/cups/cups-pk-helper-mechanism b/apparmor.d/groups/cups/cups-pk-helper-mechanism index 89d55c2f1..89d517631 100644 --- a/apparmor.d/groups/cups/cups-pk-helper-mechanism +++ b/apparmor.d/groups/cups/cups-pk-helper-mechanism @@ -26,7 +26,7 @@ profile cups-pk-helper-mechanism @{exec_path} { /etc/cups/ppd/*.ppd r, - owner @{tmp}/[a-z0-9]* rw, + owner @{tmp}/@{int} rw, @{run}/cups/cups.sock rw, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index f832d285e..a8244bce9 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -56,6 +56,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/power_supply/**/* r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/misc/uhid/*/input/input@{int}/name r, /dev/input/event* r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index d54ed16fc..4440b80e3 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -47,7 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal send set=hup peer=xorg, signal send set=hup peer=xwayland, - unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system, + unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon #aa:dbus talk bus=system name=org.freedesktop.home1.Manager label=systemd-homed diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index c0f131dd1..ee9c147b6 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,6 +21,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index a9575dd89..bbd4b7438 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -17,13 +17,13 @@ profile systemd-tty-ask-password-agent @{exec_path} { capability net_admin, capability sys_resource, - signal receive set=(term cont) peer=*//systemctl, - signal receive set=(term cont) peer=deb-systemd-invoke, - signal receive set=(term cont) peer=default, - signal receive set=(term cont) peer=logrotate, - signal receive set=(term cont) peer=makepkg//sudo, - signal receive set=(term cont) peer=role_*, - signal receive set=(term cont) peer=rpm, + signal receive set=(term cont winch) peer=*//systemctl, + signal receive set=(term cont winch) peer=deb-systemd-invoke, + signal receive set=(term cont winch) peer=default, + signal receive set=(term cont winch) peer=logrotate, + signal receive set=(term cont winch) peer=makepkg//sudo, + signal receive set=(term cont winch) peer=role_*, + signal receive set=(term cont winch) peer=rpm, @{exec_path} mrix, diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index 6d3e1972d..a4dec5d34 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -30,7 +30,7 @@ profile ffplay @{exec_path} { owner @{user_videos_dirs}/** rw, @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node[0-9]/meminfo r, + @{sys}/devices/system/node/node@{int}/meminfo r, include if exists } diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 63bb82f11..8250cf8aa 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -40,6 +40,7 @@ profile freetube @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-settings rPx -> freetube//&xdg-settings, deny @{sys}/devices/@{pci}/usb@{int}/** r, + deny /dev/ r, include if exists } diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index b1b4ccb70..191ac5782 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -100,7 +100,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/*.tmp/{,**} rwk, owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, - owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex32} rw, + owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index b4ae4b211..1dc744ff3 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -24,6 +24,8 @@ profile rsyslogd @{exec_path} { capability sys_nice, capability syslog, + signal receive set=hup peer=@{p_systemd}, + @{exec_path} mr, @{lib}/@{multiarch}/rsyslog/*.so mr, diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm index 783e58237..369046b6b 100644 --- a/apparmor.d/profiles-s-z/swtpm +++ b/apparmor.d/profiles-s-z/swtpm @@ -14,11 +14,11 @@ profile swtpm @{exec_path} { @{exec_path} mr, - /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, - /var/lib/libvirt/swtpm/@{uuid}/tpm2/*.permall rw, - /var/log/swtpm/libvirt/qemu/*-swtpm.log w, + owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/.lock wk, + owner /var/lib/libvirt/swtpm/@{uuid}/tpm2/* rw, + /tmp/.swtpm_setup.pidfile.* rw, /tmp/@{int}/.lock rwk, /tmp/@{int}/TMP* rw, From 5e38394986e6e2d0d14638261a214cf4cf91faa6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Apr 2025 23:38:11 +0200 Subject: [PATCH 009/798] fix(profile): snap: simplify cgroup access. --- apparmor.d/groups/snap/snapd | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index f1cd46537..4efe83957 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -157,12 +157,11 @@ profile snapd @{exec_path} { @{run}/systemd/private rw, @{sys}/fs/cgroup/{,*/} r, - @{sys}/fs/cgroup/cgroup.controllers r, - @{sys}/fs/cgroup/system.slice/{,**/} r, - @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r, @{sys}/fs/cgroup/*.slice/ r, @{sys}/fs/cgroup/*.slice/*.service/{,**/} r, - @{sys}/fs/cgroup/*.slice/*-@{uid}.slice/*@@{uid}.service/app.slice/snap*.service/cgroup.procs r, + @{sys}/fs/cgroup/*.slice/*.slice/{,**/} r, + @{sys}/fs/cgroup/*.slice/**/cgroup.procs r, + @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/kexec_loaded r, @{sys}/kernel/security/apparmor/.notify r, @{sys}/kernel/security/apparmor/features/{,**} r, From 69aa16625b5ba2045f3d74877d433e68cefbd574 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 18:14:51 +0200 Subject: [PATCH 010/798] feat(profile): add support for gimp 3.0 fix #656 --- apparmor.d/profiles-g-l/gimp | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 158885375..7f8eb716a 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -26,16 +26,19 @@ profile gimp @{exec_path} { @{exec_path} mr, - @{bin}/env rix, - @{bin}/gjs-console rix, - @{bin}/lua rix, - @{lib}/gimp/@{version}/extensions/*/* rix, - @{lib}/gimp/*/plug-ins/** rix, - @{python_path} rix, + @{python_path} rix, + @{bin}/env rix, + @{bin}/gimp-script-fu-interpreter-* rix, + @{bin}/gjs-console rix, + @{bin}/lua rix, + @{lib}/gimp/@{version}/extensions/*/* rix, + @{lib}/gimp/*/plug-ins/** rix, @{bin}/xsane-gimp rPx, @{open_path} rPx -> child-open-help, + @{lib}/gimp/@{version}/plug-ins/python-console/__pycache__/{,*} w, + /usr/share/gimp/{,**} r, /usr/share/mypaint-data/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -62,7 +65,16 @@ profile gimp @{exec_path} { owner @{tmp}/gimp/{,**} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists } From 63e2b9372bd7b7f75331fc68311daecab9c63d83 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 18:33:20 +0200 Subject: [PATCH 011/798] fix: snap access to cgroup. --- apparmor.d/groups/snap/snapd | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 4efe83957..cbaa8bce9 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -158,8 +158,7 @@ profile snapd @{exec_path} { @{sys}/fs/cgroup/{,*/} r, @{sys}/fs/cgroup/*.slice/ r, - @{sys}/fs/cgroup/*.slice/*.service/{,**/} r, - @{sys}/fs/cgroup/*.slice/*.slice/{,**/} r, + @{sys}/fs/cgroup/*.slice/{,**/} r, @{sys}/fs/cgroup/*.slice/**/cgroup.procs r, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/kexec_loaded r, From 379a093b10f93e69a03e5524b89278cb17334aff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 18:34:59 +0200 Subject: [PATCH 012/798] feat(fsp): small improvment to systemd profiles. --- apparmor.d/groups/_full/systemd | 8 +++----- apparmor.d/groups/_full/systemd-user | 1 + 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index d055135bd..d3a193244 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -79,8 +79,8 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, - mount fstype=vfat -> /boot/efi/, + mount /dev/** -> /boot/{,efi/}, mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/, @@ -108,7 +108,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { remount @{run}/systemd/unit-root/{,**}, remount /, remount /snap/{,**}, - remount options=(ro bind) /boot/efi/, + remount options=(ro bind) /boot/{,efi/}, remount options=(ro noexec noatime bind) /var/snap/{,**}, remount options=(ro nosuid bind) /dev/, remount options=(ro nosuid nodev bind) /dev/hugepages/, @@ -221,12 +221,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{att}/@{run}/systemd/journal/dev-log r, @{run}/ rw, - @{run}/*.socket w, + @{run}/* rw, @{run}/*/ rw, @{run}/*/* rw, - @{run}/auditd.pid r, @{run}/credentials/{,**} rw, - @{run}/initctl rw, @{run}/systemd/{,**} rw, @{run}/udev/data/+bluetooth:* r, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index e3ae3acb4..b0b3272a1 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -146,6 +146,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { deny capability net_admin, deny capability perfmon, deny capability sys_admin, + deny capability sys_boot, deny capability sys_resource, profile systemctl { From c008cbda671320879d18f26afb2f44bf6ae72c4a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 18:43:57 +0200 Subject: [PATCH 013/798] feat(profile): add profile for most of udev internat scripts Required by FSP. --- apparmor.d/groups/systemd/systemd-udevd | 2 +- apparmor.d/profiles-s-z/udev-ata_id | 23 +++++++++++++++ .../profiles-s-z/udev-bcache-export-cached | 23 +++++++++++++++ apparmor.d/profiles-s-z/udev-cdrom_id | 24 ++++++++++++++++ apparmor.d/profiles-s-z/udev-fido_id | 24 ++++++++++++++++ apparmor.d/profiles-s-z/udev-hdparm | 28 +++++++++++++++++++ apparmor.d/profiles-s-z/udev-probe-bcache | 21 ++++++++++++++ dists/flags/main.flags | 6 ++++ 8 files changed, 150 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-s-z/udev-ata_id create mode 100644 apparmor.d/profiles-s-z/udev-bcache-export-cached create mode 100644 apparmor.d/profiles-s-z/udev-cdrom_id create mode 100644 apparmor.d/profiles-s-z/udev-fido_id create mode 100644 apparmor.d/profiles-s-z/udev-hdparm create mode 100644 apparmor.d/profiles-s-z/udev-probe-bcache diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 29b40cb48..9e81cec83 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/udevadm @{lib}/systemd/systemd-udevd -profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { +profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-s-z/udev-ata_id b/apparmor.d/profiles-s-z/udev-ata_id new file mode 100644 index 000000000..f12ed105f --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-ata_id @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/ata_id +profile udev-ata_id @{exec_path} { + include + include + + capability sys_rawio, + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bcache-export-cached b/apparmor.d/profiles-s-z/udev-bcache-export-cached new file mode 100644 index 000000000..51746625e --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-bcache-export-cached @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/bcache-export-cached +profile udev-bcache-export-cached @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/bcache-super-show rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-cdrom_id b/apparmor.d/profiles-s-z/udev-cdrom_id new file mode 100644 index 000000000..552159867 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-cdrom_id @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/cdrom_id +profile udev-cdrom_id @{exec_path} { + include + + capability sys_rawio, + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + /dev/sr@{int} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id new file mode 100644 index 000000000..76ec27b68 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/fido_id +profile udev-fido_id @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/udev/udev.conf r, + + @{sys}/devices/@{pci}/report_descriptor r, + @{sys}/devices/virtual/**/report_descriptor r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-hdparm b/apparmor.d/profiles-s-z/udev-hdparm new file mode 100644 index 000000000..bca98163b --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-hdparm @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/hdparm +profile udev-hdparm @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/sed rix, + @{bin}/udevadm rPx, + + /etc/hdparm.conf r, + + @{PROC}/cmdline r, + @{PROC}/mdstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-probe-bcache b/apparmor.d/profiles-s-z/udev-probe-bcache new file mode 100644 index 000000000..e02e070a8 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-probe-bcache @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/probe-bcache +profile udev-probe-bcache @{exec_path} { + include + include + + capability sys_rawio, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 06c3e3e27..5f99d7552 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -352,7 +352,13 @@ telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain ucf complain +udev-ata_id complain +udev-bcache-export-cached complain +udev-cdrom_id complain udev-dmi-memory-id complain +udev-fido_id complain +udev-hdparm complain +udev-probe-bcache complain udisksctl complain udisksd attach_disconnected,complain ufw complain From 80f5c50f139431b67cd81f25ebf42f177393d623 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 19:04:44 +0200 Subject: [PATCH 014/798] feat(profile): ensure flatpak can handle chromium based software. fix #715 --- apparmor.d/groups/flatpak/flatpak-app | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index e332f50ca..397475a43 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -41,12 +41,12 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix stream, - ptrace (read), + ptrace read, ptrace trace peer=flatpak-app, signal receive peer=flatpak, signal receive set=(int term) peer=flatpak-portal, - signal receive set=(int) peer=flatpak-session-helper, + signal receive set=(int term) peer=flatpak-session-helper, @{bin}/** rmix, @{lib}/** rmix, @@ -57,6 +57,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/*/**/@{bin}/** rmix, /var/lib/flatpak/app/*/**/@{lib}/** rmix, + @{run}/flatpak/app/*/.org.chromium.Chromium.@{rand6} rm, @{run}/flatpak/app/*/**so* rm, @{run}/parent/@{bin}/** rmix, @{run}/parent/@{lib}/** rmix, From e75d1729c1a9e3209fd67081740a82850714abde Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 19:06:53 +0200 Subject: [PATCH 015/798] fix(tunable): remove vimtutor to the list of editors. #678 --- apparmor.d/tunables/multiarch.d/programs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 3611178a2..d6b8e424f 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -33,7 +33,7 @@ @{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop # Editors -@{editor_names} = sensible-editor vim{,.*} vimtutor vim-nox11 nvim nano +@{editor_names} = sensible-editor vim{,.*} vim-nox11 nvim nano @{editor_ui_names} = gnome-text-editor gedit mousepad # Pager From 8c591c90ab32bc598878f3005567ad65d00f75cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 19:28:59 +0200 Subject: [PATCH 016/798] feat(profile): journalctl minor improvments. --- apparmor.d/groups/systemd/journalctl | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 36fbd9e75..bc061cfe5 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -20,8 +20,10 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal (receive) set=(term) peer=cockpit-bridge, - signal (send) peer=child-pager, + network netlink raw, + + signal receive set=term peer=cockpit-bridge, + signal send peer=child-pager, @{exec_path} mr, @@ -49,6 +51,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/systemd/journal/io.systemd.journal rw, + @{run}/systemd/notify rw, @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, From 1ca12d173f58f1583a964758af031e87f8049be2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 20:31:18 +0200 Subject: [PATCH 017/798] ci: only run integration tests on dev branch. --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 166840b44..15807cfe2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -81,6 +81,7 @@ jobs: tests: runs-on: ubuntu-24.04 needs: build + if: github.ref == 'refs/heads/dev' steps: - name: Check out repository code uses: actions/checkout@v4 From e774ad65788b7888e64368cb73d776a882563e4d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 20:33:36 +0200 Subject: [PATCH 018/798] fix(ci): minor fixes. --- apparmor.d/groups/systemd/journalctl | 1 + tests/integration/common.bash | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index bc061cfe5..ef62e37cd 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -22,6 +22,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { network netlink raw, + signal receive set=kill peer=snapd, signal receive set=term peer=cockpit-bridge, signal send peer=child-pager, diff --git a/tests/integration/common.bash b/tests/integration/common.bash index ed167d4f9..7a012191b 100644 --- a/tests/integration/common.bash +++ b/tests/integration/common.bash @@ -9,7 +9,7 @@ load "$BATS_LIB_PATH/bats-support/load" export SYSTEMD_PAGER= # Ignore the profile not managed by apparmor.d -IGNORE=(php-fpm snapd/snap-confine) +IGNORE=(php-fpm snapd/snap-confine snap.vault.vaultd) # User password for sudo commands export PASSWORD=${PASSWORD:-user} From e5b1c0ca7de318b50998fa823137846c235b0ffa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 20:38:14 +0200 Subject: [PATCH 019/798] feat(profile): minor update. --- .../gnome/gnome-calculator-search-provider | 2 ++ apparmor.d/groups/pacman/pacman | 5 ----- apparmor.d/profiles-g-l/ghc-pkg | 4 +++- apparmor.d/profiles-g-l/gimp | 3 +++ apparmor.d/profiles-g-l/gpartedbin | 2 +- apparmor.d/profiles-m-r/nvtop | 19 ++++++++++--------- 6 files changed, 19 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index da03ed665..8400f03c1 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -23,6 +23,8 @@ profile gnome-calculator-search-provider @{exec_path} { @{bin}/* rPUx, + owner @{user_cache_dirs}/gnome-calculator/* r, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 0043cd061..271540f52 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -149,11 +149,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, owner /dev/pts/@{int} rw, - # Silencer, - deny @{HOME}/ r, - deny @{HOME}/**/ r, - deny /tmp/ r, - profile gpg { include include diff --git a/apparmor.d/profiles-g-l/ghc-pkg b/apparmor.d/profiles-g-l/ghc-pkg index df6613042..3ccfdec4a 100644 --- a/apparmor.d/profiles-g-l/ghc-pkg +++ b/apparmor.d/profiles-g-l/ghc-pkg @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ghc-pkg{,-*} +@{exec_path} = @{bin}/ghc-pkg{,-*} @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} profile ghc-pkg @{exec_path} { include include @@ -26,6 +26,8 @@ profile ghc-pkg @{exec_path} { @{sys}/devices/system/node/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 7f8eb716a..b335650d8 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -46,6 +46,9 @@ profile gimp @{exec_path} { /etc/fstab r, /etc/gimp/{,**} r, + owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, + owner @{user_documents_dirs}/{,**} rw, owner @{user_pictures_dirs}/{,**} rw, owner @{user_work_dirs}/{,**} rw, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index a82bf8b47..0b2fea4c3 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin -profile gpartedbin @{exec_path} { +profile gpartedbin @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index e4846d58e..d0553d186 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -43,15 +43,16 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/pcie_bw r, @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/ r, - @{PROC}/@{pids}/ r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/@{pids}/fdinfo/ r, - @{PROC}/@{pids}/fdinfo/@{int} r, - @{PROC}/@{pids}/stat r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/stat r, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/dri/ r, /dev/nvidia-caps/ rw, From f90208bb7fb80897590ab7a3796b7da2be214f5b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 20:40:19 +0200 Subject: [PATCH 020/798] feat(profile): add deb-systemd-* profiles. --- apparmor.d/groups/apt/deb-systemd-helper | 39 ++++++++++++++++++++++++ apparmor.d/groups/apt/deb-systemd-invoke | 29 ++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 70 insertions(+) create mode 100644 apparmor.d/groups/apt/deb-systemd-helper create mode 100644 apparmor.d/groups/apt/deb-systemd-invoke diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper new file mode 100644 index 000000000..28de2a8a0 --- /dev/null +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/deb-systemd-helper +profile deb-systemd-helper @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{bin}/systemctl rCx -> systemctl, + + /var/lib/systemd/deb-systemd-helper-enabled/** rw, + /var/lib/systemd/deb-systemd-helper-masked/ rw, + + profile systemctl { + include + include + + /etc/ r, + /etc/systemd/ r, + /etc/systemd/system/ r, + /etc/systemd/system/* rw, + /etc/systemd/system/*.wants/ r, + /etc/systemd/system/*.wants/* rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke new file mode 100644 index 000000000..63dfdaf52 --- /dev/null +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/deb-systemd-invoke +profile deb-systemd-invoke @{exec_path} { + include + include + include + + capability net_admin, + capability sys_resource, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/systemctl rix, + @{bin}/systemd-tty-ask-password-agent rPx, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 5f99d7552..8b1f3030c 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -75,6 +75,8 @@ cups-notifier-rss complain cups-pk-helper-mechanism complain cupsd attach_disconnected,complain ddcutil complain +deb-systemd-helper complain +deb-systemd-invoke complain dino attach_disconnected,complain discord complain discord-chrome-sandbox complain From b765d8174b85850150007bc888d208e1272fab8a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 21:08:04 +0200 Subject: [PATCH 021/798] feat(profile): add initial dpkg-script-* profiles. --- apparmor.d/groups/apt/dpkg-script-apparmor | 60 ++++++++++++++++++++++ apparmor.d/groups/apt/dpkg-script-man | 27 ++++++++++ apparmor.d/groups/apt/dpkg-script-udev | 21 ++++++++ dists/flags/main.flags | 3 ++ 4 files changed, 111 insertions(+) create mode 100644 apparmor.d/groups/apt/dpkg-script-apparmor create mode 100644 apparmor.d/groups/apt/dpkg-script-man create mode 100644 apparmor.d/groups/apt/dpkg-script-udev diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor new file mode 100644 index 000000000..088fff84a --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -0,0 +1,60 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/apparmor* +profile dpkg-script-apparmor @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/grep rix, + + @{bin}/deb-systemd-helper rPx, + @{bin}/deb-systemd-invoke rPx, + @{bin}/dpkg-divert rix, + @{bin}/systemctl rCx -> systemctl, + + /usr/share/apparmor.d/** rw, + + /etc/apparmor.d/** rw, + + /var/lib/dpkg/diversions rw, + /var/lib/dpkg/diversions-new rw, + /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, + + /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/status r, + /var/lib/dpkg/triggers/File r, + /var/lib/dpkg/triggers/Unincorp r, + /var/lib/dpkg/updates/ r, + /var/lib/dpkg/updates/@{int} r, + + profile systemctl { + include + include + + capability net_admin, + capability sys_resource, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent rix, + + owner @{run}/systemd/ask-password/ rw, + owner @{run}/systemd/ask-password-block/{,*} rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-man b/apparmor.d/groups/apt/dpkg-script-man new file mode 100644 index 000000000..63f5c5c78 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-man @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/man-db.* +profile dpkg-script-man @{exec_path} { + include + include + include + + capability setgid, + capability setuid, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/setpriv rix, + @{bin}/mandb rPx, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-udev b/apparmor.d/groups/apt/dpkg-script-udev new file mode 100644 index 000000000..58840ef39 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-udev @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/udev* +profile dpkg-script-udev @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/systemd-hwdb rPx, + @{bin}/deb-systemd-invoke rPx, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 8b1f3030c..894945f2e 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -86,6 +86,9 @@ dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain +dpkg-script-apparmor complain +dpkg-script-man complain +dpkg-script-udev complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain From 1aa8b429823d50e235a5503ae2c08e48ffd2d939 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Apr 2025 21:09:10 +0200 Subject: [PATCH 022/798] feat(profile): add initial version of dpkg-maintscript-helper --- apparmor.d/groups/apt/dpkg-maintscript-helper | 41 +++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 42 insertions(+) create mode 100644 apparmor.d/groups/apt/dpkg-maintscript-helper diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper new file mode 100644 index 000000000..b7d8675e8 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dpkg-maintscript-helper +profile dpkg-maintscript-helper @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/dpkg rCx -> dpkg, + + /usr/share/dpkg/sh/* r, + + profile dpkg { + include + include + include + + capability dac_read_search, + + @{bin}/dpkg mr, + @{bin}/dpkg-query rpx, + + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,*} r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 894945f2e..453d5f73a 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -86,6 +86,7 @@ dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain +dpkg-maintscript-helper complain dpkg-script-apparmor complain dpkg-script-man complain dpkg-script-udev complain From 9f0947a0fc0408da9350b95eb95a6860f8018471 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 16 Apr 2025 00:11:15 +0200 Subject: [PATCH 023/798] doc: add link to the play machine. --- README.md | 8 +++++++- docs/index.md | 4 ++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a2ae8d6fb..ddb1e79b3 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # apparmor.d -[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] +[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] [![][play]][play-link] **Full set of AppArmor profiles** @@ -37,6 +37,10 @@ * XFCE (Lightdm) *(work in progress)* - [Fully tested](https://apparmor.pujol.io/development/tests/) +**Demo** + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ + > This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments. ## Concepts @@ -92,6 +96,8 @@ and thus has the same license (GPL2). [goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d [matrix]: https://img.shields.io/badge/Matrix-%23apparmor.d-blue?style=flat-square&logo=matrix [matrix-link]: https://matrix.to/#/#apparmor.d:matrix.org +[play]: https://img.shields.io/badge/Live_Demo-play.pujol.io-blue?style=flat-square +[play-link]: https://play.pujol.io [android_model]: https://arxiv.org/pdf/1904.05572 [clipos]: https://clip-os.org/en/ diff --git a/docs/index.md b/docs/index.md index 6f09983cb..39679d01a 100644 --- a/docs/index.md +++ b/docs/index.md @@ -36,6 +36,10 @@ See the [Concepts](concepts.md)' page for more detail on the architecture. - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* - [Fully tested](development/tests.md) +### Demo + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ + ### Presentations Building the largest set of AppArmor profiles: From 7394b9ff9cfb75241591ccd557bcc92f8ab87f3b Mon Sep 17 00:00:00 2001 From: zinootje <16385833+zinootje@users.noreply.github.com> Date: Thu, 24 Apr 2025 17:19:20 +0200 Subject: [PATCH 024/798] Update PKGBUILD arch to any (#717) * Update PKGBUILD arch to any updated PKGBUILD arch to any to support all archs * Update PKGBUILD set archs as arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') --- PKGBUILD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/PKGBUILD b/PKGBUILD index ca1aaa840..58a693d34 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -7,7 +7,7 @@ pkgname=apparmor.d pkgver=0.001 pkgrel=1 pkgdesc="Full set of apparmor profiles" -arch=("x86_64") +arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') url="https://github.com/roddhjav/$pkgname" license=('GPL-2.0-only') depends=('apparmor') From 7c46ed2dd1f2b41ceadbb5a08a1d4030af0051b3 Mon Sep 17 00:00:00 2001 From: moisesmsf Date: Thu, 24 Apr 2025 15:20:00 +0000 Subject: [PATCH 025/798] Fix the links to issues (#723) --- docs/development/roadmap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index e8a047a03..52d7201ea 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -21,7 +21,7 @@ This is the current list of features that must be implemented to get to a stable - [ ] General documentation improvements - [ ] **General improvements** - - [ ] Provide a proper fix for #74, #80 & #235 + - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - [ ] The apt/dpkg profiles needs to be reworked ## Next features From ce8e54c15fb11d3b9da1296e3890321daa01f6cc Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 25 Apr 2025 09:09:37 -0600 Subject: [PATCH 026/798] Allow vim to read spell files https://vimhelp.org/spell.txt.html --- apparmor.d/abstractions/app/editor | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 3992fb7b0..d21930d81 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -25,6 +25,7 @@ owner @{HOME}/.selected_editor r, owner @{HOME}/.viminf@{c}{,.tmp} rw, + owner @{HOME}/.vim/{after/,}spell/{,**} rw, owner @{HOME}/.vimrc r, owner @{HOME}/ r, From 3295a1334a7bbbe66b1f857a43d414ed96534455 Mon Sep 17 00:00:00 2001 From: beroal Date: Fri, 25 Apr 2025 20:14:49 +0300 Subject: [PATCH 027/798] webcam (#729) * webcam * webcam comment --- apparmor.d/groups/kde/baloo | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 75532a773..5ceb04725 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -53,6 +53,7 @@ profile baloo @{exec_path} { @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* @{run}/udev/data/c116:@{int} r, # For ALSA From b3da8d4be7ebca1021d418013a84b52a60492dbb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Apr 2025 17:23:30 +0200 Subject: [PATCH 028/798] feat(profile): update steam profiles. --- apparmor.d/groups/steam/steam | 9 ++++++++- apparmor.d/groups/steam/steam-fossilize | 6 ++++-- apparmor.d/groups/steam/steam-game-native | 2 +- apparmor.d/groups/steam/steam-game-proton | 20 +++++++++++++++++-- apparmor.d/groups/steam/steam-gameoverlayui | 4 +++- apparmor.d/groups/steam/steam-launch | 7 ++++++- apparmor.d/groups/steam/steam-launcher | 2 +- apparmor.d/groups/steam/steam-runtime | 9 ++++++--- .../groups/steam/steam-runtime-steam-remote | 2 +- apparmor.d/groups/steam/steamerrorreporter | 2 +- 10 files changed, 49 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 9cb5ac86b..a29a39687 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -21,7 +21,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -174,6 +174,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/steam/** rwk, owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + owner @{tmp}/steam@{rand6} rwk, owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw, @@ -292,6 +293,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/host/@{lib}/** rix, @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr, + @{share_dirs}/config/htmlcache/WidevineCdm/**/linux_*/libwidevinecdm.so mr, + @{share_dirs}/linux{32,64}/steamclient.so mr, @{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w, @@ -302,12 +305,15 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/ r, /usr/local/lib/ r, /var/tmp/ r, + /home/ r, owner /bindfile@{rand6} rw, owner /var/cache/ldconfig/aux-cache* rw, owner /var/pressure-vessel/ldso/* rw, + owner @{HOME}/ r, + owner @{lib_dirs}/.cef-* wk, owner @{share_dirs}/{,**} r, @@ -348,6 +354,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, + @{PROC}/version r, @{PROC}/@{pid}/stat r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, diff --git a/apparmor.d/groups/steam/steam-fossilize b/apparmor.d/groups/steam/steam-fossilize index e3e7f87e2..a5dd65b7c 100644 --- a/apparmor.d/groups/steam/steam-fossilize +++ b/apparmor.d/groups/steam/steam-fossilize @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -39,11 +39,13 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/node/node@{int}/cpumap r, - @{PROC}/@{pids}/statm r, + @{PROC}/@{pid}/statm r, @{PROC}/pressure/io r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny network inet stream, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists diff --git a/apparmor.d/groups/steam/steam-game-native b/apparmor.d/groups/steam/steam-game-native index ca80801d7..ba06d56a4 100644 --- a/apparmor.d/groups/steam/steam-game-native +++ b/apparmor.d/groups/steam/steam-game-native @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} diff --git a/apparmor.d/groups/steam/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton index 3c4695e4f..de0b0a295 100644 --- a/apparmor.d/groups/steam/steam-game-proton +++ b/apparmor.d/groups/steam/steam-game-proton @@ -6,7 +6,8 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -35,18 +36,24 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{exec_path} mr, @{bin}/bwrap mrix, + @{sh_path} rix, + @{bin}/cat rix, + @{bin}/env rix, @{bin}/chmod rix, @{bin}/fc-match rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/ldconfig rix, + @{bin}/ln rix, @{bin}/localedef rix, - @{python_path} rix, + @{bin}/mkdir rix, @{bin}/readlink rix, + @{bin}/rm rix, @{bin}/steam-runtime-launcher-interface-@{int} rix, @{bin}/steam-runtime-system-info rix, @{bin}/steam-runtime-urlopen rix, @{bin}/true rix, + @{python_path} rix, @{open_path} rix, @{lib_dirs}/** mr, @@ -54,6 +61,14 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{lib}/pressure-vessel/from-host/@{lib}/** rix, @{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + # TODO stack with steam ? rpx -> steam-game-proton&//steam, + @{runtime_dirs}/run.sh rix, + @{runtime_dirs}/@{arch}@{bin}/steam-runtime-identify-library-abi rix, + @{runtime_dirs}/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/run.sh rix, + @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-identify-library-abi rix, + @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/@{arch}@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{app_dirs}/** mrix, @{run}/host/@{bin}/ldconfig rix, @@ -72,6 +87,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw, owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk, + owner @{app_dirs}/SteamLinuxRuntime/var/steam-runtime/* rw, owner @{app_dirs}/Proton*/** rwkl, owner @{share_dirs}/*.dll r, diff --git a/apparmor.d/groups/steam/steam-gameoverlayui b/apparmor.d/groups/steam/steam-gameoverlayui index 0cd837135..278b47e98 100644 --- a/apparmor.d/groups/steam/steam-gameoverlayui +++ b/apparmor.d/groups/steam/steam-gameoverlayui @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -49,6 +49,8 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { owner @{share_dirs}/resource/{,**} rk, owner @{share_dirs}/userdata/@{int}/{,**} rk, + owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, + owner /dev/shm/u@{uid}-Shm_@{hex} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, diff --git a/apparmor.d/groups/steam/steam-launch b/apparmor.d/groups/steam/steam-launch index 4929c1d56..321c9c9c5 100644 --- a/apparmor.d/groups/steam/steam-launch +++ b/apparmor.d/groups/steam/steam-launch @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -36,6 +36,8 @@ profile steam-launch @{exec_path} { @{lib}/steam/bin_steam.sh rix, @{share_dirs}/steam.sh rPx, + @{lib_dirs}/** mr, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/* r, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, @@ -44,7 +46,10 @@ profile steam-launch @{exec_path} { /usr/local/ r, owner @{share_dirs}/bootstrap.tar.xz rw, + owner @{share_dirs}/logs/ r, + owner @{share_dirs}/logs/* rwk, + owner @{run}/user/@{uid}/srt-fifo.@{rand6}/ rw, owner @{run}/user/@{uid}/srt-fifo.@{rand6}/fifo rw, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/groups/steam/steam-launcher b/apparmor.d/groups/steam/steam-launcher index 0bd8c67d3..e73b30d1a 100644 --- a/apparmor.d/groups/steam/steam-launcher +++ b/apparmor.d/groups/steam/steam-launcher @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} diff --git a/apparmor.d/groups/steam/steam-runtime b/apparmor.d/groups/steam/steam-runtime index 2a3e839ff..543324c0f 100644 --- a/apparmor.d/groups/steam/steam-runtime +++ b/apparmor.d/groups/steam/steam-runtime @@ -6,7 +6,8 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @@ -50,16 +51,17 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { @{lib}/ r, @{lib_dirs}/ r, + owner @{HOME}/ r, owner @{HOME}/.steam/steam.pipe r, owner @{app_dirs}/*/ r, owner @{app_dirs}/config/config.vdf{,.*} rw, owner @{app_dirs}/@{runtime}/** r, owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk, - owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk, + owner @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/** rwk, owner @{app_dirs}/@{runtime}/var/** rwk, owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**, - owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**, + owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/@{runtime_name}_platform_*/**, owner @{share_dirs}/config/config.vdf{,.*} rw, owner @{share_dirs}/steamapps/appmanifest_* rw, @@ -78,6 +80,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/steam/steam-runtime-steam-remote b/apparmor.d/groups/steam/steam-runtime-steam-remote index 93a93e892..b7d5f2b15 100644 --- a/apparmor.d/groups/steam/steam-runtime-steam-remote +++ b/apparmor.d/groups/steam/steam-runtime-steam-remote @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} diff --git a/apparmor.d/groups/steam/steamerrorreporter b/apparmor.d/groups/steam/steamerrorreporter index 27fe69be9..b4d5f3e68 100644 --- a/apparmor.d/groups/steam/steamerrorreporter +++ b/apparmor.d/groups/steam/steamerrorreporter @@ -6,7 +6,7 @@ abi , include -@{runtime} = SteamLinuxRuntime_sniper +@{runtime} = SteamLinuxRuntime_{sniper,soldier} @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} @{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} From e15dfdc33eb6597f321d1f21561b68fc581493aa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Apr 2025 17:27:27 +0200 Subject: [PATCH 029/798] feat(profiles): smallupdate to gnome profiles. --- apparmor.d/groups/gnome/gnome-control-center | 2 -- apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/gnome/localsearch | 2 ++ apparmor.d/groups/gnome/loupe | 3 ++- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 195a72d39..07f6a0599 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -35,8 +35,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { signal send set=kill peer=unconfined, signal send set=kill peer=passwd, - unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon), - #aa:dbus own bus=session name=org.gnome.Settings #aa:dbus own bus=session name=org.bluez.obex.Agent1 diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 15d8f7268..05156bac1 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -65,7 +65,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), unix (send,receive) type=stream addr=none peer=(label=xwayland), - unix (send,receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), # Owned by gnome-shell diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 448e517a5..74a4e0f36 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -33,6 +33,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { @{lib}/localsearch-extractor-3 ix, # nnp /usr/share/localsearch3/{,**} r, + /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, # Allow to search user files @@ -47,6 +48,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner /var/tmp/etilqs_@{hex15} rw, owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{hex12}@{h} rw, owner @{tmp}/etilqs_@{hex12}@{hex2} rw, owner @{tmp}/etilqs_@{hex15} rw, owner @{tmp}/etilqs_@{hex16} rw, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 75835395a..4ee0d9268 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -42,6 +42,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, @@ -50,7 +51,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(kill) peer=loupe, + signal receive set=kill peer=loupe, @{bin}/bwrap mr, @{lib}/glycin-loaders/*/glycin-* rix, From dca81f4a1e3dcfb67ab716cbb964ab5c6464dae1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Apr 2025 17:28:10 +0200 Subject: [PATCH 030/798] chore(abs): comment the use of keyfile in dconf. --- apparmor.d/abstractions/dconf-write | 2 +- apparmor.d/abstractions/dconf.d/complete | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index 3f25c66af..72a943527 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -10,7 +10,7 @@ include include - owner @{user_config_dirs}/glib-2.0/settings/keyfile w, + owner @{user_config_dirs}/glib-2.0/settings/keyfile w, # When GSETTINGS_BACKEND=keyfile owner @{run}/user/@{uid}/dconf/ w, owner @{run}/user/@{uid}/dconf/user w, diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete index b207e4539..1796c7ca0 100644 --- a/apparmor.d/abstractions/dconf.d/complete +++ b/apparmor.d/abstractions/dconf.d/complete @@ -4,7 +4,7 @@ /usr/share/dconf/profile/gdm r, - owner @{user_config_dirs}/glib-2.0/settings/keyfile r, + owner @{user_config_dirs}/glib-2.0/settings/keyfile r, # When GSETTINGS_BACKEND=keyfile owner @{run}/user/@{uid}/dconf/ r, From 5bfebf6ea525945042a14d98d5358dd005d5ef76 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Apr 2025 17:34:30 +0200 Subject: [PATCH 031/798] feat(profile): small general improvments. --- apparmor.d/groups/flatpak/flatpak | 6 +++++- apparmor.d/groups/freedesktop/xdg-desktop-portal-kde | 8 ++++++++ apparmor.d/profiles-a-f/finalrd | 3 +-- apparmor.d/profiles-s-z/spotify | 2 ++ apparmor.d/profiles-s-z/syncthing | 4 ++++ 5 files changed, 20 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 42d9fd9c3..c958bd2cd 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -98,7 +98,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw, owner /dev/shm/flatpak*/{,**} rw, - @{run}/.userns r, + @{run}/.userns r, + @{att}/@{run}/.userns r, + @{run}/user/@{uid}/.dbus-proxy/ w, @{run}/user/@{uid}/dconf/user rw, owner @{run}/user/@{uid}/.dbus-proxy/* rw, @@ -146,6 +148,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include + capability setuid, + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 3b02d2b16..8c1c1686f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -10,10 +10,12 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde profile xdg-desktop-portal-kde @{exec_path} { include + include include include include include + include network inet dgram, network inet6 dgram, @@ -27,8 +29,14 @@ profile xdg-desktop-portal-kde @{exec_path} { #aa:exec kioworker + /usr/share/plasma/look-and-feel/** r, + + owner @{HOME}/ r, + owner @{desktop_config_dirs}/user-dirs.dirs r, + owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rw, + owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index 7578b505d..bb68e873e 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -65,9 +65,8 @@ profile finalrd @{exec_path} { include include - @{bin}/ldd mr, + @{bin}/* mr, @{lib}/@{multiarch}/ld-linux-*so* mrix, - @{lib}/ld-linux.so* mr, include if exists } diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index a6d349b9c..1a0bd0ea9 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -36,6 +36,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, + owner @{HOME}/.tmp rw, + owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/spotify-adblock/* r, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index d03ece9e4..6ff0fe7e9 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -36,10 +36,14 @@ profile syncthing @{exec_path} { @{user_sync_dirs}/{,**} rw, @{PROC}/@{pids}/net/route r, + @{PROC}/bus/pci/devices r, + @{PROC}/modules r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/statm r, include if exists } From 2bc87f68a80fe12e6d725b18ef20c17dbe122ea6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Apr 2025 14:20:22 +0200 Subject: [PATCH 032/798] tests(packer): define more common cloud init resources. --- Justfile | 2 +- .../cloud-init/archlinux-cosmic.user-data.yml | 28 ++----- .../cloud-init/archlinux-gnome.user-data.yml | 31 ++------ tests/cloud-init/archlinux-kde.user-data.yml | 31 ++------ .../cloud-init/archlinux-server.user-data.yml | 53 ++----------- tests/cloud-init/archlinux-xfce.user-data.yml | 31 ++------ tests/cloud-init/archlinux.yml | 47 ++++++++++++ tests/cloud-init/common.yml | 22 ++++++ tests/cloud-init/debian.yml | 64 ++++++++++++++++ tests/cloud-init/debian12-gnome.user-data.yml | 45 ++--------- .../cloud-init/debian12-server.user-data.yml | 43 ++--------- .../cloud-init/debian13-server.user-data.yml | 37 ++------- tests/cloud-init/opensuse-gnome.user-data.yml | 19 +---- tests/cloud-init/opensuse-kde.user-data.yml | 19 +---- .../cloud-init/opensuse-server.user-data.yml | 35 +-------- tests/cloud-init/opensuse.yml | 16 ++++ tests/cloud-init/ubuntu.yml | 76 +++++++++++++++++++ .../cloud-init/ubuntu24-desktop.user-data.yml | 45 +---------- .../cloud-init/ubuntu24-kubuntu.user-data.yml | 8 ++ .../cloud-init/ubuntu24-server.user-data.yml | 34 +-------- .../cloud-init/ubuntu25-desktop.user-data.yml | 45 +---------- .../cloud-init/ubuntu25-server.user-data.yml | 7 ++ tests/packer/builds.pkr.hcl | 7 +- 23 files changed, 311 insertions(+), 434 deletions(-) create mode 100644 tests/cloud-init/archlinux.yml create mode 100644 tests/cloud-init/debian.yml create mode 100644 tests/cloud-init/opensuse.yml create mode 100644 tests/cloud-init/ubuntu.yml create mode 100644 tests/cloud-init/ubuntu24-kubuntu.user-data.yml create mode 100644 tests/cloud-init/ubuntu25-server.user-data.yml diff --git a/Justfile b/Justfile index 740b29cc1..1558ebef8 100644 --- a/Justfile +++ b/Justfile @@ -201,7 +201,7 @@ create dist flavor: --vcpus {{vcpus}} \ --ram {{ram}} \ --machine q35 \ - --boot uefi \ + {{ if dist == "archlinux" { "" } else { "--boot uefi" } }} \ --memorybacking source.type=memfd,access.mode=shared \ --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml index 70d446076..be623e625 100644 --- a/tests/cloud-init/archlinux-cosmic.user-data.yml +++ b/tests/cloud-init/archlinux-cosmic.user-data.yml @@ -3,9 +3,7 @@ packages: # Install core packages - apparmor - - audit - base-devel - - firewalld - qemu-guest-agent - rng-tools - spice-vdagent @@ -26,14 +24,14 @@ packages: - cups-pdf - system-config-printer - # Install Graphical Interface - - cosmic - # Install Applications - firefox - chromium - terminator + # Install Graphical Interface + - cosmic + runcmd: # Regenerate grub.cfg - grub-mkconfig -o /boot/grub/grub.cfg @@ -53,20 +51,6 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml index 1fa1c9c1d..c292993c1 100644 --- a/tests/cloud-init/archlinux-gnome.user-data.yml +++ b/tests/cloud-init/archlinux-gnome.user-data.yml @@ -4,7 +4,6 @@ packages: # Install core packages - apparmor - base-devel - - firewalld - qemu-guest-agent - rng-tools - spice-vdagent @@ -25,17 +24,17 @@ packages: - cups-pdf - system-config-printer + # Install Applications + - firefox + - chromium + - terminator + # Install Graphical Interface - gnome - gnome-extra - seahorse - alacarte - # Install Applications - - firefox - - chromium - - terminator - runcmd: # Regenerate grub.cfg - grub-mkconfig -o /boot/grub/grub.cfg @@ -55,20 +54,6 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml index 5953eab2e..c89b3a25c 100644 --- a/tests/cloud-init/archlinux-kde.user-data.yml +++ b/tests/cloud-init/archlinux-kde.user-data.yml @@ -4,7 +4,6 @@ packages: # Install core packages - apparmor - base-devel - - firewalld - qemu-guest-agent - rng-tools - spice-vdagent @@ -25,6 +24,11 @@ packages: - cups-pdf - system-config-printer + # Install Applications + - firefox + - chromium + - terminator + # Install Graphical Interface - plasma-meta - sddm @@ -33,11 +37,6 @@ packages: - konsole - okular - # Install Applications - - firefox - - chromium - - terminator - runcmd: # Regenerate grub.cfg - grub-mkconfig -o /boot/grub/grub.cfg @@ -57,20 +56,6 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-server.user-data.yml b/tests/cloud-init/archlinux-server.user-data.yml index e0edaca16..2b3567171 100644 --- a/tests/cloud-init/archlinux-server.user-data.yml +++ b/tests/cloud-init/archlinux-server.user-data.yml @@ -1,22 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget +packages: *core-packages runcmd: # Regenerate grub.cfg @@ -34,34 +18,7 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index e9f4a78a6..54329bfb8 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -4,7 +4,6 @@ packages: # Install core packages - apparmor - base-devel - - firewalld - qemu-guest-agent - rng-tools - spice-vdagent @@ -25,17 +24,17 @@ packages: - cups-pdf - system-config-printer + # Install Applications + - firefox + - chromium + - terminator + # Install Graphical Interface - xfce4 - xfce4-goodies - lightdm - lightdm-gtk-greeter - # Install Applications - - firefox - - chromium - - terminator - runcmd: # Regenerate grub.cfg - grub-mkconfig -o /boot/grub/grub.cfg @@ -55,20 +54,6 @@ runcmd: - systemctl enable systemd-timesyncd.service write_files: - # Enable AppArmor in kernel parameters - - path: /etc/default/grub - append: true - content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" - - # Set some bash aliases - - path: /etc/skel/.bashrc - append: true - content: | - [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml new file mode 100644 index 000000000..d860f1a1e --- /dev/null +++ b/tests/cloud-init/archlinux.yml @@ -0,0 +1,47 @@ +#cloud-config + +# Core packages for Archlinux +core-packages: &core-packages + # Install core packages + - apparmor + - base-devel + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + +# Core desktop packages for Archlinux +desktop-packages: &desktop-packages + # Install basic services + - networkmanager + - cups + - cups-pdf + - system-config-printer + + # Install Applications + - firefox + - chromium + - terminator + +# Enable AppArmor in kernel parameters +grub-enable-apparmor: &grub-enable-apparmor + path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" + +# Set some bash aliases +setup-bash-aliases: &setup-bash-aliases + path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases diff --git a/tests/cloud-init/common.yml b/tests/cloud-init/common.yml index ac619c879..2048e5368 100644 --- a/tests/cloud-init/common.yml +++ b/tests/cloud-init/common.yml @@ -15,3 +15,25 @@ users: package_update: true package_upgrade: true package_reboot_if_required: false + +# Mount shared directory +shared-directory: &shared-directory + path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + +# Network configuration for server +systemd-netword: &systemd-netword + path: /etc/systemd/network/20-wired.network + owner: "root:root" + permissions: "0644" + content: | + [Match] + Name=en* + + [Network] + DHCP=yes + + [DHCPv4] + RouteMetric=10 diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml new file mode 100644 index 000000000..cead162a4 --- /dev/null +++ b/tests/cloud-init/debian.yml @@ -0,0 +1,64 @@ +#cloud-config + +# Core packages for Debian +core-packages: &core-packages + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - htop + - qemu-guest-agent + - rsync + - vim + +gnome-packages: &desktop-packages + # Core packages for Debian + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - htop + - qemu-guest-agent + - rsync + - vim + + # Gnome packages for Debian + - spice-vdagent + - task-gnome-desktop + - terminator + +kde-packages: &kubuntu-packages + # Core packages for Debian + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - htop + - qemu-guest-agent + - rsync + - vim + + # KDE packages for Debian + - spice-vdagent + - task-kde-desktop + - terminator + +debian12-runcmd: &debian12-runcmd + - apt-get update -y + - apt-get install -y -t bookworm-backports golang-go + +debian13-runcmd: &debian13-runcmd + - apt-get update -y + - apt-get install -y golang-go + +# Add backports repository +debian12-backports: &debian12-backports + path: /etc/apt/sources.list + append: true + content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free diff --git a/tests/cloud-init/debian12-gnome.user-data.yml b/tests/cloud-init/debian12-gnome.user-data.yml index 5ce6cedf5..fbb3d1232 100644 --- a/tests/cloud-init/debian12-gnome.user-data.yml +++ b/tests/cloud-init/debian12-gnome.user-data.yml @@ -1,45 +1,10 @@ #cloud-config -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - htop - - qemu-guest-agent - - rsync - - spice-vdagent - - task-gnome-desktop - - vim +packages: *gnome-packages -runcmd: - - apt-get update -y - - apt-get install -y -t bookworm-backports golang-go +runcmd: *debian12-runcmd write_files: - # Add backports repository - - path: /etc/apt/sources.list - append: true - content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 + - *debian12-backports # Add backports repository + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/debian12-server.user-data.yml b/tests/cloud-init/debian12-server.user-data.yml index aef29f579..cec721285 100644 --- a/tests/cloud-init/debian12-server.user-data.yml +++ b/tests/cloud-init/debian12-server.user-data.yml @@ -1,43 +1,10 @@ #cloud-config -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - htop - - qemu-guest-agent - - rsync - - vim +packages: *core-packages -runcmd: - - apt-get update -y - - apt-get install -y -t bookworm-backports golang-go +runcmd: *debian12-runcmd write_files: - # Add backports repository - - path: /etc/apt/sources.list - append: true - content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 + - *debian12-backports # Add backports repository + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/debian13-server.user-data.yml b/tests/cloud-init/debian13-server.user-data.yml index 1400584ba..692548770 100644 --- a/tests/cloud-init/debian13-server.user-data.yml +++ b/tests/cloud-init/debian13-server.user-data.yml @@ -1,36 +1,9 @@ #cloud-config -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - htop - - qemu-guest-agent - - rsync - - vim +packages: *core-packages -write_files: - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* +runcmd: *debian13-runcmd - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml index 406b4445d..3ab5a6c08 100644 --- a/tests/cloud-init/opensuse-gnome.user-data.yml +++ b/tests/cloud-init/opensuse-gnome.user-data.yml @@ -1,21 +1,6 @@ #cloud-config -packages: - - apparmor-profiles - - bash-completion - - distribution-release - - git - - go - - golang-packaging - - htop - - make - - rpmbuild - - rsync - - vim +packages: *core-packages write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml index 406b4445d..3ab5a6c08 100644 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ b/tests/cloud-init/opensuse-kde.user-data.yml @@ -1,21 +1,6 @@ #cloud-config -packages: - - apparmor-profiles - - bash-completion - - distribution-release - - git - - go - - golang-packaging - - htop - - make - - rpmbuild - - rsync - - vim +packages: *core-packages write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml index 7699fb074..98b78ec80 100644 --- a/tests/cloud-init/opensuse-server.user-data.yml +++ b/tests/cloud-init/opensuse-server.user-data.yml @@ -1,36 +1,7 @@ #cloud-config -packages: - - apparmor-profiles - - bash-completion - - distribution-release - - git - - go - - golang-packaging - - htop - - make - - rpmbuild - - rsync - - vim +packages: *core-packages write_files: - - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml new file mode 100644 index 000000000..1adf2b6eb --- /dev/null +++ b/tests/cloud-init/opensuse.yml @@ -0,0 +1,16 @@ +#cloud-config + +# Core packages for OpenSUSE +core-packages: &core-packages + - apparmor-profiles + - bash-completion + - distribution-release + - git + - go + - golang-packaging + - htop + - make + - rpmbuild + - rsync + - vim + diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml new file mode 100644 index 000000000..ba640e3af --- /dev/null +++ b/tests/cloud-init/ubuntu.yml @@ -0,0 +1,76 @@ +#cloud-config + +# Core packages for Ubuntu +core-packages: &core-packages + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - golang-go + - htop + - qemu-guest-agent + - rsync + - vim + +desktop-packages: &desktop-packages + # Core packages for Ubuntu + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - golang-go + - htop + - qemu-guest-agent + - rsync + - vim + + # Desktop packages for Ubuntu + - spice-vdagent + - terminator + - ubuntu-desktop + +kubuntu-packages: &kubuntu-packages + # Core packages for Ubuntu + - apparmor-profiles + - auditd + - build-essential + - config-package-dev + - debhelper + - devscripts + - golang-go + - htop + - qemu-guest-agent + - rsync + - vim + + # Desktop packages for Ubuntu + - spice-vdagent + - terminator + - kubuntu-desktop + +desktop-runcmd: &desktop-runcmd + # Add missing snap packages + - snap install snap-store + - snap install snapd-desktop-integration + - snap install --edge desktop-security-center + + # Remove default filesystem and related tools not used with the suggested + # storage layout. These may yet be required if different partitioning schemes + # are used. + - apt-get -y purge btrfs-progs xfsprogs + + # Remove other packages present by default in Ubuntu Server but not + # normally present in Ubuntu Desktop. + - >- + apt-get -y purge + byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader + mdadm motd-news-config ncurses-term open-iscsi open-vm-tools + screen sg3-utils sosreport ssh-import-id sssd tmux + + # Finally, remove things only installed as dependencies of other things + # we have already removed. + - apt-get -y autoremove diff --git a/tests/cloud-init/ubuntu24-desktop.user-data.yml b/tests/cloud-init/ubuntu24-desktop.user-data.yml index d1b1f169c..7f4183d49 100644 --- a/tests/cloud-init/ubuntu24-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu24-desktop.user-data.yml @@ -1,47 +1,8 @@ #cloud-config -# Based on https://github.com/canonical/autoinstall-desktop +packages: *desktop-packages -packages: - - apparmor-profiles - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - linux-generic-hwe-24.04 - - qemu-guest-agent - - rsync - - spice-vdagent - - terminator - - ubuntu-desktop - - vim - -runcmd: - # Add missing snap packages - - snap install snap-store - - snap install snapd-desktop-integration - - # Remove default filesystem and related tools not used with the suggested - # storage layout. These may yet be required if different partitioning schemes - # are used. - - apt-get -y purge btrfs-progs xfsprogs - - # Remove other packages present by default in Ubuntu Server but not - # normally present in Ubuntu Desktop. - - >- - apt-get -y purge - byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader - mdadm motd-news-config ncurses-term open-iscsi open-vm-tools - screen sg3-utils sosreport ssh-import-id sssd tmux - - # Finally, remove things only installed as dependencies of other things - # we have already removed. - - apt-get -y autoremove +runcmd: *desktop-runcmd write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml new file mode 100644 index 000000000..d4139c2f7 --- /dev/null +++ b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml @@ -0,0 +1,8 @@ +#cloud-config + +packages: *kubuntu-packages + +runcmd: *desktop-runcmd + +write_files: + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/ubuntu24-server.user-data.yml b/tests/cloud-init/ubuntu24-server.user-data.yml index 8e9c7bd38..98b78ec80 100644 --- a/tests/cloud-init/ubuntu24-server.user-data.yml +++ b/tests/cloud-init/ubuntu24-server.user-data.yml @@ -1,35 +1,7 @@ #cloud-config -packages: - - apparmor-profiles - - auditd - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - htop - - qemu-guest-agent - - rsync - - vim +packages: *core-packages write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 - - # Network configuration - - path: /etc/systemd/network/20-wired.network - owner: "root:root" - permissions: "0644" - content: | - [Match] - Name=en* - - [Network] - DHCP=yes - - [DHCPv4] - RouteMetric=10 + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu25-desktop.user-data.yml b/tests/cloud-init/ubuntu25-desktop.user-data.yml index 881e9b4e9..7f4183d49 100644 --- a/tests/cloud-init/ubuntu25-desktop.user-data.yml +++ b/tests/cloud-init/ubuntu25-desktop.user-data.yml @@ -1,47 +1,8 @@ #cloud-config -# Based on https://github.com/canonical/autoinstall-desktop +packages: *desktop-packages -packages: - - apparmor-profiles - - build-essential - - config-package-dev - - debhelper - - devscripts - - golang-go - - linux-generic-hwe-24.04 - - qemu-guest-agent - - rsync - - spice-vdagent - - terminator - - ubuntu-desktop - - vim - -runcmd: - - snap install snap-store - - snap install snapd-desktop-integration - - snap install --edge desktop-security-center - - # Remove default filesystem and related tools not used with the suggested - # storage layout. These may yet be required if different partitioning schemes - # are used. - - apt-get -y purge btrfs-progs xfsprogs - - # Remove other packages present by default in Ubuntu Server but not - # normally present in Ubuntu Desktop. - - >- - apt-get -y purge - byobu dmeventd finalrd gawk kpartx landscape-common lxd-agent-loader - mdadm motd-news-config ncurses-term open-iscsi open-vm-tools - screen sg3-utils sosreport ssh-import-id sssd tmux - - # Finally, remove things only installed as dependencies of other things - # we have already removed. - - apt-get -y autoremove +runcmd: *desktop-runcmd write_files: - # Setup shared directory - - path: /etc/fstab - append: true - content: | - 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/ubuntu25-server.user-data.yml b/tests/cloud-init/ubuntu25-server.user-data.yml new file mode 100644 index 000000000..98b78ec80 --- /dev/null +++ b/tests/cloud-init/ubuntu25-server.user-data.yml @@ -0,0 +1,7 @@ +#cloud-config + +packages: *core-packages + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 674a295b1..48a5fafb6 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -32,7 +32,7 @@ source "qemu" "default" { cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = format("%s\n%s", + "user-data" = format("%s\n%s\n%s", templatefile("${path.cwd}/tests/cloud-init/common.yml", { username = "${var.username}" @@ -41,6 +41,7 @@ source "qemu" "default" { hostname = "${local.name}" } ), + file("${path.cwd}/tests/cloud-init/${regex_replace(var.dist, "[0-9]*$", "")}.yml"), file("${path.cwd}/tests/cloud-init/${var.dist}-${var.flavor}.user-data.yml") ) } @@ -70,10 +71,10 @@ build { "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", # Ensure cloud-init is successful - "cloud-init status", + # "cloud-init status", # Remove logs and artifacts so cloud-init can re-run - "cloud-init clean", + # "cloud-init clean", # Install local files and config "bash /tmp/init.sh", From 475d8dc082cdc6bc6048ce3d0838249071d1f8d3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Apr 2025 14:28:18 +0200 Subject: [PATCH 033/798] doc: small update & improvements. --- docs/configuration.md | 4 ++-- docs/development/dbus.md | 2 ++ docs/development/roadmap.md | 9 ++++++++- docs/development/vm.md | 40 ++++++++++++++++++++++++++----------- docs/full-system-policy.md | 2 ++ 5 files changed, 42 insertions(+), 15 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index dda450a85..fd8a5d38c 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -32,7 +32,7 @@ The profiles heavily use the **largely extended** [XDG directory variables](#xdg ``` 3. Then restart the AppArmor service to reload the profiles in the kernel: ```sh - sudo systemctl restart apparmor.service + sudo systemctl reload apparmor.service ``` ### Profile Additions @@ -55,7 +55,7 @@ By default, `nautilus` (and any file browser) only allows access to user files. ``` 2. Then restart the AppArmor service to reload the profiles in the kernel: ```sh - sudo systemctl restart apparmor.service + sudo systemctl reload apparmor.service ``` ### XDG variables diff --git a/docs/development/dbus.md b/docs/development/dbus.md index e4133e5d1..165626f24 100644 --- a/docs/development/dbus.md +++ b/docs/development/dbus.md @@ -20,6 +20,8 @@ Default **system**, **session**, and **accessibility** bus access are provided w - `abstractions/bus-session` - `abstractions/bus-accessibility` +Do not use the dbus abstractions from apparmor in this project, they won't work as expected as the dbus daemon is confined. Furthermore, in `apparmor.d` there is no such thing as a strict dbus abstraction (`abstractions/dbus-strict`) as they are strict by default: bus access needs to be explicitly allowed using an interface abstraction or a directive. + ### Interfaces Access to common dbus interfaces is done using the abstractions under **[`abstractions/bus/`](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions/bus)**. They are kept minimal on purpose. The goal is not to give full talk access an interface but to provide a *read-only* like view of it. It may be required to have a look at the dbus interface documentation to check what method can be safely allowed. diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 52d7201ea..75cbcdd10 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -6,7 +6,7 @@ title: Roadmap This is the current list of features that must be implemented to get to a stable release -- [ ] **Play machine** +- [x] **Play machine** - [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** - [x] Move most profiles into groups such that @@ -24,6 +24,13 @@ This is the current list of features that must be implemented to get to a stable - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - [ ] The apt/dpkg profiles needs to be reworked +- [ ] Build system + - [ ] Continuous release on the main branch, ~2 releases per week + - [ ] Provide packages repo for ubuntu/debian + - [ ] Provide complain/enforced packages version + - [ ] Add a `just` target to install the profiles in the right place + - [ ] Fully drop the Makefile in favor of `just` + ## Next features - [ ] **Conditions** diff --git a/docs/development/vm.md b/docs/development/vm.md index ead82ed0f..66630022e 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md @@ -5,32 +5,48 @@ title: Development VM To ensure compatibility across distribution, this project ships a wide range of development and tests VM images. The test VMs can be built locally using [cloud-init](https://cloud-init.io/), [packer](https://www.packer.io/) on Qemu/KVM using Libvirt. No other hypervisor will be targeted for these tests. The files that generate these images can be found in the **[tests/packer](https://github.com/roddhjav/apparmor.d/tree/main/tests/packer)** directory. -The VMs are fully managed using a [justfile](https://github.com/casey/just) that provide an integration environment helper for `apparmor.d`. +The VMs are fully managed using a [justfile](https://github.com/casey/just) that provides an integration environment helper for `apparmor.d`. ```sh $ just ``` ``` -Integration environment helper for apparmor.d - Available recipes: - default # Show this help message - package dist # Build the apparmor.d package - img dist flavor # Build the image - vm dist flavor # Create the machine + help # Show this help message + build # Build the go programs + enforce # Prebuild the profiles in enforced mode + complain # Prebuild the profiles in complain mode + fsp # Prebuild the profiles in FSP mode + install # Install the profiles + pkg # Build & install apparmor.d on Arch based systems + dpkg # Build & install apparmor.d on Debian based systems + rpm # Build & install apparmor.d on OpenSUSE based systems + tests # Run the unit tests + lint # Run the linters + check # Run style checks on the profiles + man # Generate the man pages + docs # Build the documentation + serve # Serve the documentation + clean # Remove all build artifacts + package dist # Build the package in a clean OCI container + img dist flavor # Build the VM image + create dist flavor # Create the machine up dist flavor # Start a machine halt dist flavor # Stops the machine + reboot dist flavor # Reboot the machine destroy dist flavor # Destroy the machine ssh dist flavor # Connect to the machine list # List the machines - images # List the machine images - available # List the machine that can be created + images # List the VM images + available # List the VM images that can be created + init dist flavor # Install dependencies for the bats integration tests integration dist flavor # Run the integration tests on the machine - lint # Run the linters - clean # Remove the machine images get_ip dist flavor get_osinfo dist + +See https://apparmor.pujol.io/development/ for more information. + ``` ## Requirements @@ -88,7 +104,7 @@ archlinux gnome 3.3G Mar 1 14:49 The VM can then be created with: ```sh -$ just vm archlinux gnome +$ just create archlinux gnome ``` And connected to with: diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index 80da55c2a..c747cb739 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -29,6 +29,8 @@ Particularly: - Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**. - FSP mode will run unknown user application into the `default` profile. It might be enough for your application. If not you have to make a profile for it. - In FSP mode, all sandbox managers **must** have a profile. Then user sandboxed applications (flatpak, snap, etc) will work as expected. +- PID 1 is the last program that should be confined. It does not make sense to confine only PID. All other programs must be confined first. + ## Installation From 4d706f35987492e0f95256df47fc3af2f8cdf070 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Apr 2025 14:30:10 +0200 Subject: [PATCH 034/798] build: be more verbose when file sync fail. --- pkg/paths/paths.go | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go index 912611850..357b9c2f7 100644 --- a/pkg/paths/paths.go +++ b/pkg/paths/paths.go @@ -391,7 +391,11 @@ func CopyTo(src *Path, dst *Path) error { // CopyFS copies the file system fsys into the directory dir, // creating dir if necessary. It is the exivalent of os.CopyFS with Path. func (p *Path) CopyFS(dst *Path) error { - return os.CopyFS(dst.String(), os.DirFS(p.String())) + err := os.CopyFS(dst.String(), os.DirFS(p.String())) + if err != nil { + return fmt.Errorf("copying %s to %s: %s", p, dst, err) + } + return nil } // CopyDirTo recursively copies the directory denoted by the current path to From 532676b4214e833450748c4c134869f9bcaf6b3b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Apr 2025 14:33:44 +0200 Subject: [PATCH 035/798] build: improve documentation about overwriten profiles. Make it clear why a given profile is overwriten from upstream. --- dists/overwrite | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index 1464f03ff..5bc00f9fe 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -1,8 +1,8 @@ -# Apparmor 4.0 ships several profiles that allow userns and are otherwise -# unconfined. This file keeps track of them and allow apparmor.d to replace -# them by our own. +# Apparmor 4.0 and over ships a few profiles that can conflict with apparmor.d +# This file keeps track of them and allow apparmor.d to replace them by our own. # File format: one profile name by line. +# Overwrite unconfined upstream profiles that only allow userns brave chrome chromium @@ -12,22 +12,30 @@ firefox flatpak foliate loupe -lsblk -lsusb msedge mullvad nautilus -openvpn opera os-prober plasmashell -remmina signal-desktop slirp4netns steam systemd-coredump thunderbird -transmission -unix-chkpwd virtiofsd + +# Overwrite upstreamed profiles, our local version may be more up to date +unix-chkpwd + +# Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while +# They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones: +# - Keep ours: If they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile +# - Drop ours: when upstream profiles is better +fusermount3 +lsblk +lsusb +openvpn +remmina +transmission wg-quick From 4bb57bed22b1eda8430e5901948338cf5c658fee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Apr 2025 14:35:46 +0200 Subject: [PATCH 036/798] doc: update aa-log man page. --- share/man/man8/aa-log.8 | 42 ++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/share/man/man8/aa-log.8 b/share/man/man8/aa-log.8 index 42c9a3560..62f40966e 100644 --- a/share/man/man8/aa-log.8 +++ b/share/man/man8/aa-log.8 @@ -1,10 +1,10 @@ -.\" Automatically generated by Pandoc 3.1.9 +.\" Automatically generated by Pandoc 3.1.12.1 .\" -.TH "aa-log" "8" "September 2024" "" "" +.TH "aa\-log" "8" "September 2024" "" "" .SH NAME -aa-log \[em] Review AppArmor generated messages in a colorful way. +aa\-log \[em] Review AppArmor generated messages in a colorful way. .SH SYNOPSIS -\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] .SH DESCRIPTION Review AppArmor generated messages in a colourful way. Support logs from \f[I]auditd\f[R], \f[I]systemd\f[R], \f[I]syslog\f[R] @@ -13,48 +13,48 @@ as well as \f[I]dbus session\f[R] events. It can be given an optional profile name to filter the output with. .PP It can be used to generate AppArmor rules from the logs and it therefore -an alternative to \f[CR]aa-logprof(8)\f[R]. +an alternative to \f[CR]aa\-logprof(8)\f[R]. The generated rules should be manually reviewed and inserted into the profile. .PP Default logs are read from \f[CR]/var/log/audit/audit.log\f[R]. Other files in \f[CR]/var/log/audit/\f[R] can easily be checked: -\f[B]aa-log -f 1\f[R] parses \f[CR]audit.log.1\f[R] +\f[B]aa\-log \-f 1\f[R] parses \f[CR]audit.log.1\f[R] .SH OPTIONS -\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +\f[B]aa\-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] .TP [\f[I]profile\f[R]] Optional profile name to filter the output with. .TP -\f[CR]--file\f[R], \f[CR]-f\f[R] +\f[CR]\-\-file\f[R], \f[CR]\-f\f[R] Set a logfile or a suffix to the default log file. .TP -\f[CR]--systemd\f[R], \f[CR]-s\f[R] +\f[CR]\-\-systemd\f[R], \f[CR]\-s\f[R] Parse systemd logs from journalctl. Provides all AppArmor logs since the last boot. .TP -\f[CR]--rules\f[R], \f[CR]-r\f[R] +\f[CR]\-\-rules\f[R], \f[CR]\-r\f[R] Convert the log into AppArmor rules. .TP -\f[CR]--raw\f[R], \f[CR]-R\f[R] +\f[CR]\-\-raw\f[R], \f[CR]\-R\f[R] Print the raw log without any formatting. Useful for reporting logs. .TP -\f[CR]--help\f[R], \f[CR]-h\f[R] +\f[CR]\-\-help\f[R], \f[CR]\-h\f[R] Print the program usage. .SH USAGE To read the AppArmor log from \f[CR]/var/log/audit/audit.log\f[R]: .IP .EX -aa-log +aa\-log .EE .PP To optionally filter a given profile name: -\f[CR]aa-log \f[R] (your shell will autocomplete the +\f[CR]aa\-log \f[R] (your shell will autocomplete the profile name): .IP .EX -$ aa-log dnsmasq +$ aa\-log dnsmasq DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r @@ -63,7 +63,7 @@ DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r To generate AppArmor rule: .IP .EX -$ aa-log -r dnsmasq +$ aa\-log \-r dnsmasq profile dnsmasq { \[at]{PROC}/\[at]{pid}/environ r, \[at]{PROC}/cmdline r, @@ -71,9 +71,9 @@ profile dnsmasq { } .EE .SH SEE ALSO -\f[CR]aa-logprof(8)\f[R], \f[CR]apparmor(7)\f[R], -\f[CR]apparmor.d(5)\f[R], \f[CR]aa-genprof(1)\f[R], -\f[CR]aa-enforce(1)\f[R], \f[CR]aa-complain(1)\f[R], -\f[CR]aa-disable(1)\f[R], and https://apparmor.pujol.io. +\f[CR]aa\-logprof(8)\f[R], \f[CR]apparmor(7)\f[R], +\f[CR]apparmor.d(5)\f[R], \f[CR]aa\-genprof(1)\f[R], +\f[CR]aa\-enforce(1)\f[R], \f[CR]aa\-complain(1)\f[R], +\f[CR]aa\-disable(1)\f[R], and https://apparmor.pujol.io. .SH AUTHORS -aa-log was written by Alexandre Pujol (alexandre\[at]pujol.io). +aa\-log was written by Alexandre Pujol (alexandre\[at]pujol.io). From b8f2f38c7225a1eeab982ee242236be339e6c4b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Apr 2025 14:38:31 +0200 Subject: [PATCH 037/798] doc: improve justfile doc. --- Justfile | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/Justfile b/Justfile index 1558ebef8..1e626dc1c 100644 --- a/Justfile +++ b/Justfile @@ -2,8 +2,6 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Integration environment for apparmor.d -# # Usage: # just # just img ubuntu24 server @@ -63,9 +61,8 @@ prefix := "aa-" [doc('Show this help message')] help: - @echo -e "Integration environment helper for apparmor.d\n" @just --list --unsorted - @echo -e "\nSee https://apparmor.pujol.io/development/vm/ for more information." + @echo -e "\nSee https://apparmor.pujol.io/development/ for more information." [doc('Build the go programs')] build: @@ -160,7 +157,7 @@ clean: debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ .pkg/{{pkgname}}* {{build}} coverage.out -[doc('Build the apparmor.d package')] +[doc('Build the package in a clean OCI container')] package dist: #!/usr/bin/env bash set -eu -o pipefail @@ -175,7 +172,7 @@ package dist: fi bash dists/docker.sh $dist $version -[doc('Build the image')] +[doc('Build the VM image')] img dist flavor: (package dist) @mkdir -p {{base_dir}} packer build -force \ @@ -238,7 +235,7 @@ list: @echo -e '\033[1m Id Distribution Flavor State\033[0m' @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' -[doc('List the images')] +[doc('List the VM images')] images: #!/usr/bin/env bash set -eu -o pipefail @@ -254,7 +251,7 @@ images: } ' -[doc('List the machine that can be created')] +[doc('List the VM images that can be created')] available: #!/usr/bin/env bash set -eu -o pipefail From fd17a77b179bde3eea91b4ad43b3032d0a8e4f88 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 21:27:57 +0200 Subject: [PATCH 038/798] feat(profile): use @{sbin} for all program inside /usr/sbin. --- apparmor.d/abstractions/app/kmod | 14 +++--- .../abstractions/authentication.d/complete | 2 +- apparmor.d/groups/_full/systemd | 2 +- apparmor.d/groups/_full/systemd-service | 6 +-- apparmor.d/groups/apparmor/aa-enforce | 4 +- apparmor.d/groups/apparmor/aa-notify | 2 +- apparmor.d/groups/apparmor/aa-status | 2 +- apparmor.d/groups/apparmor/aa-teardown | 2 +- apparmor.d/groups/apparmor/aa-unconfined | 2 +- apparmor.d/groups/apparmor/apparmor.systemd | 6 +-- apparmor.d/groups/apparmor/apparmor_parser | 2 +- apparmor.d/groups/apt/apt | 4 +- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/apt/dpkg-preconfigure | 2 +- apparmor.d/groups/apt/querybts | 2 +- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/apt/unattended-upgrade | 4 +- apparmor.d/groups/bluetooth/blueman-mechanism | 6 +-- apparmor.d/groups/browsers/firefox | 2 +- apparmor.d/groups/cron/anacron | 2 +- apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/cron/cron-anacron | 2 +- apparmor.d/groups/cron/cron-apt | 2 +- apparmor.d/groups/cron/cron-apt-compat | 2 +- apparmor.d/groups/cron/cron-apt-xapian-index | 2 +- apparmor.d/groups/cron/cron-cracklib | 2 +- apparmor.d/groups/cron/cron-exim4-base | 4 +- .../groups/cron/cron-ipset-autoban-save | 2 +- apparmor.d/groups/cron/cron-logrotate | 2 +- apparmor.d/groups/cron/cron-man-db | 2 +- apparmor.d/groups/cron/cron-mlocate | 2 +- apparmor.d/groups/cron/cron-plocate | 2 +- .../groups/cron/cron-popularity-contest | 6 +-- apparmor.d/groups/cron/crontab | 2 +- apparmor.d/groups/cups/cups-browsed | 2 +- apparmor.d/groups/cups/cupsd | 4 +- apparmor.d/groups/filesystem/fsck.btrfs | 2 +- apparmor.d/groups/filesystem/fsck.fat | 2 +- apparmor.d/groups/filesystem/lvm | 2 +- apparmor.d/groups/filesystem/lvmconfig | 2 +- apparmor.d/groups/filesystem/lvmdump | 2 +- apparmor.d/groups/filesystem/lvmpolld | 2 +- apparmor.d/groups/filesystem/mke2fs | 4 +- apparmor.d/groups/filesystem/mkfs-btrfs | 2 +- apparmor.d/groups/filesystem/mkswap | 2 +- apparmor.d/groups/filesystem/mount-cifs | 2 +- apparmor.d/groups/filesystem/ntfsclone | 2 +- apparmor.d/groups/filesystem/ntfscp | 2 +- apparmor.d/groups/filesystem/ntfslabel | 2 +- apparmor.d/groups/filesystem/ntfsresize | 2 +- apparmor.d/groups/filesystem/ntfsundelete | 2 +- apparmor.d/groups/filesystem/udisksd | 16 +++---- apparmor.d/groups/filesystem/umount.udisks2 | 2 +- apparmor.d/groups/firewall/firewalld | 14 +++--- apparmor.d/groups/firewall/nft | 2 +- apparmor.d/groups/firewall/ufw | 6 +-- apparmor.d/groups/firewall/ufw-init | 6 +-- apparmor.d/groups/flatpak/flatpak-app | 2 +- apparmor.d/groups/freedesktop/accounts-daemon | 8 ++-- apparmor.d/groups/freedesktop/plymouthd | 2 +- .../groups/freedesktop/update-mime-database | 2 +- apparmor.d/groups/gnome/gnome-control-center | 4 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-macbless | 2 +- apparmor.d/groups/grub/grub-mkconfig | 6 +-- apparmor.d/groups/grub/grub-mkdevicemap | 2 +- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/groups/grub/grub-probe | 4 +- apparmor.d/groups/grub/grub-reboot | 2 +- apparmor.d/groups/grub/grub-set-default | 2 +- apparmor.d/groups/grub/update-grub | 4 +- apparmor.d/groups/kde/kauth-kded-smart-helper | 2 +- .../kde/kauth-kinfocenter-dmidecode-helper | 2 +- apparmor.d/groups/kde/kscreenlocker_greet | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/network/NetworkManager | 8 ++-- apparmor.d/groups/network/dhcpcd | 4 +- apparmor.d/groups/network/iwctl | 2 +- apparmor.d/groups/network/iwd | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/network/nm-dispatcher | 4 +- apparmor.d/groups/network/nm-openvpn-service | 2 +- apparmor.d/groups/network/openvpn | 12 ++--- apparmor.d/groups/network/tailscale | 2 +- apparmor.d/groups/network/tailscaled | 4 +- apparmor.d/groups/network/wg-quick | 12 ++--- apparmor.d/groups/pacman/mkinitcpio | 6 +-- apparmor.d/groups/pacman/pacman | 18 ++++---- apparmor.d/groups/pacman/pacman-hook-depmod | 2 +- apparmor.d/groups/pacman/pacman-hook-dkms | 2 +- apparmor.d/groups/procps/sysctl | 2 +- apparmor.d/groups/shadow/chpasswd | 2 +- apparmor.d/groups/shadow/groupadd | 2 +- apparmor.d/groups/shadow/groupdel | 2 +- apparmor.d/groups/shadow/groupmod | 2 +- apparmor.d/groups/shadow/grpck | 2 +- apparmor.d/groups/shadow/pwck | 2 +- apparmor.d/groups/shadow/useradd | 4 +- apparmor.d/groups/shadow/userdel | 2 +- apparmor.d/groups/shadow/usermod | 2 +- apparmor.d/groups/snap/snapd | 12 ++--- apparmor.d/groups/snap/snapd-apparmor | 2 +- apparmor.d/groups/ssh/sshd | 4 +- apparmor.d/groups/steam/steam | 4 +- apparmor.d/groups/steam/steam-game-proton | 4 +- apparmor.d/groups/systemd/systemd-dissect | 2 +- apparmor.d/groups/systemd/systemd-fsck | 6 +-- .../systemd/systemd-generator-ds-identify | 2 +- apparmor.d/groups/systemd/systemd-homed | 6 +-- apparmor.d/groups/systemd/systemd-makefs | 4 +- .../groups/systemd/systemd-sulogin-shell | 2 +- apparmor.d/groups/systemd/systemd-udevd | 8 ++-- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- .../groups/ubuntu/subiquity-console-conf | 4 +- .../groups/ubuntu/update-motd-fsck-at-reboot | 2 +- apparmor.d/groups/utils/agetty | 2 +- apparmor.d/groups/utils/blkid | 2 +- apparmor.d/groups/utils/blockdev | 2 +- apparmor.d/groups/utils/fsck | 6 +-- apparmor.d/groups/utils/fstrim | 2 +- apparmor.d/groups/utils/locale-gen | 2 +- apparmor.d/groups/utils/losetup | 2 +- apparmor.d/groups/utils/nologin | 2 +- apparmor.d/groups/utils/su | 2 +- apparmor.d/groups/utils/sulogin | 2 +- apparmor.d/groups/utils/swaplabel | 2 +- apparmor.d/groups/utils/swapon | 2 +- apparmor.d/groups/utils/uuidd | 2 +- apparmor.d/groups/utils/zramctl | 2 +- apparmor.d/groups/virt/cni-portmap | 2 +- apparmor.d/groups/virt/cockpit-bridge | 4 +- apparmor.d/groups/virt/cockpit-update-motd | 2 +- apparmor.d/groups/virt/containerd | 2 +- apparmor.d/groups/virt/dockerd | 4 +- apparmor.d/groups/virt/k3s | 2 +- apparmor.d/groups/virt/libvirt-dbus | 4 +- apparmor.d/groups/virt/libvirtd | 20 ++++---- apparmor.d/groups/virt/virt-aa-helper | 2 +- apparmor.d/groups/virt/virtlockd | 2 +- apparmor.d/groups/virt/virtlogd | 2 +- apparmor.d/groups/virt/virtnetworkd | 2 +- apparmor.d/groups/virt/xtables | 2 +- apparmor.d/groups/whonix/pam-info | 2 +- apparmor.d/groups/whonix/whonix-firewalld | 2 +- apparmor.d/profiles-a-f/acpi-powerbtn | 4 +- apparmor.d/profiles-a-f/acpid | 2 +- apparmor.d/profiles-a-f/adduser | 10 ++-- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/alsactl | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 4 +- apparmor.d/profiles-a-f/auditctl | 2 +- apparmor.d/profiles-a-f/auditd | 2 +- apparmor.d/profiles-a-f/augenrules | 4 +- apparmor.d/profiles-a-f/badblocks | 2 +- apparmor.d/profiles-a-f/biosdecode | 2 +- apparmor.d/profiles-a-f/blkdeactivate | 6 +-- apparmor.d/profiles-a-f/borg | 2 +- apparmor.d/profiles-a-f/briar-desktop | 2 +- apparmor.d/profiles-a-f/calibre | 2 +- apparmor.d/profiles-a-f/cfdisk | 2 +- apparmor.d/profiles-a-f/cgdisk | 2 +- apparmor.d/profiles-a-f/check-bios-nx | 4 +- .../profiles-a-f/check-support-status-hook | 6 +-- apparmor.d/profiles-a-f/cracklib-packer | 2 +- apparmor.d/profiles-a-f/deluser | 6 +-- apparmor.d/profiles-a-f/dhclient-script | 6 +-- apparmor.d/profiles-a-f/dkms | 4 +- apparmor.d/profiles-a-f/dkms-autoinstaller | 2 +- apparmor.d/profiles-a-f/dmeventd | 2 +- apparmor.d/profiles-a-f/dmidecode | 2 +- apparmor.d/profiles-a-f/dmsetup | 2 +- apparmor.d/profiles-a-f/dropbox | 2 +- apparmor.d/profiles-a-f/dumpe2fs | 2 +- apparmor.d/profiles-a-f/e2fsck | 4 +- apparmor.d/profiles-a-f/e2image | 2 +- apparmor.d/profiles-a-f/e2scrub_all | 2 +- apparmor.d/profiles-a-f/f3fix | 2 +- apparmor.d/profiles-a-f/fail2ban-server | 4 +- apparmor.d/profiles-a-f/fatlabel | 2 +- apparmor.d/profiles-a-f/fatresize | 2 +- apparmor.d/profiles-a-f/fdisk | 2 +- apparmor.d/profiles-a-f/finalrd | 2 +- apparmor.d/profiles-a-f/firecfg | 2 +- apparmor.d/profiles-a-f/frontend | 6 +-- apparmor.d/profiles-g-l/gajim | 2 +- apparmor.d/profiles-g-l/gdisk | 2 +- apparmor.d/profiles-g-l/gparted | 8 ++-- apparmor.d/profiles-g-l/gpartedbin | 46 +++++++++---------- apparmor.d/profiles-g-l/gsmartcontrol | 4 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hdparm | 2 +- apparmor.d/profiles-g-l/hw-probe | 30 ++++++------ apparmor.d/profiles-g-l/hwinfo | 2 +- apparmor.d/profiles-g-l/hypnotix | 2 +- apparmor.d/profiles-g-l/ifconfig | 2 +- apparmor.d/profiles-g-l/ifup | 8 ++-- apparmor.d/profiles-g-l/initd-kexec | 2 +- apparmor.d/profiles-g-l/initd-kexec-load | 2 +- apparmor.d/profiles-g-l/inxi | 10 ++-- apparmor.d/profiles-g-l/ip | 2 +- apparmor.d/profiles-g-l/ipcalc | 2 +- apparmor.d/profiles-g-l/iw | 2 +- apparmor.d/profiles-g-l/iwconfig | 2 +- apparmor.d/profiles-g-l/iwlist | 2 +- apparmor.d/profiles-g-l/kexec | 2 +- apparmor.d/profiles-g-l/kmod | 2 +- apparmor.d/profiles-g-l/kodi | 2 +- apparmor.d/profiles-g-l/kvm-ok | 4 +- apparmor.d/profiles-g-l/logrotate | 4 +- apparmor.d/profiles-m-r/mkinitramfs | 8 ++-- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-m-r/monitorix | 4 +- apparmor.d/profiles-m-r/mpsyt | 2 +- apparmor.d/profiles-m-r/needrestart | 4 +- .../profiles-m-r/needrestart-apt-pinvoke | 2 +- .../needrestart-iucode-scan-versions | 2 +- apparmor.d/profiles-m-r/on-ac-power | 2 +- apparmor.d/profiles-m-r/os-prober | 6 +-- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 4 +- apparmor.d/profiles-m-r/parted | 4 +- apparmor.d/profiles-m-r/partprobe | 4 +- apparmor.d/profiles-m-r/pass-import | 2 +- apparmor.d/profiles-m-r/pcscd | 2 +- apparmor.d/profiles-m-r/rdmsr | 2 +- apparmor.d/profiles-m-r/resize2fs | 2 +- apparmor.d/profiles-m-r/resolvconf | 2 +- apparmor.d/profiles-m-r/rfkill | 2 +- apparmor.d/profiles-m-r/rsyslogd | 2 +- apparmor.d/profiles-m-r/rtkitctl | 2 +- apparmor.d/profiles-m-r/run-parts | 8 ++-- apparmor.d/profiles-m-r/runuser | 2 +- apparmor.d/profiles-s-z/sensors-detect | 2 +- apparmor.d/profiles-s-z/setvtrgb | 2 +- apparmor.d/profiles-s-z/sfdisk | 2 +- apparmor.d/profiles-s-z/sgdisk | 2 +- apparmor.d/profiles-s-z/smartctl | 2 +- apparmor.d/profiles-s-z/smartd | 2 +- .../profiles-s-z/spectre-meltdown-checker | 4 +- apparmor.d/profiles-s-z/spice-vdagentd | 2 +- apparmor.d/profiles-s-z/syncthing | 2 +- apparmor.d/profiles-s-z/thermald | 2 +- apparmor.d/profiles-s-z/tlp | 6 +-- apparmor.d/profiles-s-z/tomb | 14 +++--- apparmor.d/profiles-s-z/torsocks | 2 +- .../profiles-s-z/udev-bcache-export-cached | 2 +- apparmor.d/profiles-s-z/unix-chkpwd | 2 +- .../profiles-s-z/update-ca-certificates | 2 +- apparmor.d/profiles-s-z/update-cracklib | 6 +-- apparmor.d/profiles-s-z/update-initramfs | 4 +- apparmor.d/profiles-s-z/update-pciids | 2 +- .../profiles-s-z/update-secureboot-policy | 2 +- apparmor.d/profiles-s-z/update-smart-drivedb | 4 +- apparmor.d/profiles-s-z/updatedb-mlocate | 2 +- apparmor.d/profiles-s-z/veracrypt | 8 ++-- apparmor.d/profiles-s-z/vidcutter | 2 +- apparmor.d/profiles-s-z/virt-manager | 2 +- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 2 +- apparmor.d/profiles-s-z/whdd | 2 +- apparmor.d/profiles-s-z/wpa-action | 6 +-- apparmor.d/profiles-s-z/wpa-cli | 4 +- apparmor.d/profiles-s-z/wpa-supplicant | 2 +- apparmor.d/profiles-s-z/wrmsr | 2 +- apparmor.d/profiles-s-z/youtube-dl | 2 +- apparmor.d/profiles-s-z/ytdl | 2 +- apparmor.d/profiles-s-z/zsysd | 2 +- 270 files changed, 475 insertions(+), 475 deletions(-) diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 25a0c0c38..86bb7d78a 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -7,13 +7,13 @@ include - @{bin}/depmod mr, - @{bin}/insmod mr, - @{bin}/kmod mr, - @{bin}/lsmod mr, - @{bin}/modinfo mr, - @{bin}/modprobe mr, - @{bin}/rmmod mr, + @{sbin}/depmod mr, + @{sbin}/insmod mr, + @{bin}/kmod mr, + @{sbin}/lsmod mr, + @{sbin}/modinfo mr, + @{sbin}/modprobe mr, + @{sbin}/rmmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index 450fa84d4..a4ed65e8c 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -6,7 +6,7 @@ @{lib}/pam-tmpdir/pam-tmpdir-helper rPx, #aa:only abi3 - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, #aa:only whonix @{lib}/security-misc/pam-abort-on-locked-password rPx, diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index d3a193244..827e9fcf7 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -173,7 +173,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { # Shell based systemd unit services # TODO: create unit profile for all of them - @{bin}/ldconfig Px -> systemd-service, + @{sbin}/ldconfig Px -> systemd-service, @{bin}/mandb Px -> systemd-service, @{bin}/savelog Px -> systemd-service, @{coreutils_path} Px -> systemd-service, diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service index dfe3000bc..a53193cc5 100644 --- a/apparmor.d/groups/_full/systemd-service +++ b/apparmor.d/groups/_full/systemd-service @@ -21,7 +21,7 @@ profile systemd-service flags=(attach_disconnected) { capability chown, capability fsetid, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/savelog rix, @{bin}/systemctl rix, @{bin}/gzip rix, @@ -32,8 +32,8 @@ profile systemd-service flags=(attach_disconnected) { @{bin}/ifup rPx, # shadow.service - @{bin}/pwck rPx, - @{bin}/grpck rPx, + @{sbin}/pwck rPx, + @{sbin}/grpck rPx, @{bin}/grub-editenv rPx, @{bin}/ibus-daemon rPx, diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index da4d63460..fcf7dc724 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit @{bin}/aa-disable +@{exec_path} = @{sbin}/aa-enforce @{sbin}/aa-complain @{sbin}/aa-audit @{sbin}/aa-disable profile aa-enforce @{exec_path} { include include @@ -17,7 +17,7 @@ profile aa-enforce @{exec_path} { @{exec_path} mr, @{bin}/ r, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 31622c1bd..c6fc2dff2 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -89,7 +89,7 @@ profile aa-notify @{exec_path} { ptrace read peer=aa-notify, - @{bin}/apparmor_parser Px, + @{sbin}/apparmor_parser Px, @{lib}/@{python_name}/site-packages/apparmor/update_profile.py ix, /usr/share/apparmor/** r, diff --git a/apparmor.d/groups/apparmor/aa-status b/apparmor.d/groups/apparmor/aa-status index a48dc693c..17de74439 100644 --- a/apparmor.d/groups/apparmor/aa-status +++ b/apparmor.d/groups/apparmor/aa-status @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-status @{bin}/apparmor_status +@{exec_path} = @{sbin}/aa-status @{sbin}/apparmor_status profile aa-status @{exec_path} { include include diff --git a/apparmor.d/groups/apparmor/aa-teardown b/apparmor.d/groups/apparmor/aa-teardown index b625ad8c6..059766181 100644 --- a/apparmor.d/groups/apparmor/aa-teardown +++ b/apparmor.d/groups/apparmor/aa-teardown @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-teardown +@{exec_path} = @{sbin}/aa-teardown profile aa-teardown @{exec_path} { include include diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined index 08c401270..7c53f7c8d 100644 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-unconfined +@{exec_path} = @{sbin}/aa-unconfined profile aa-unconfined @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/apparmor/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd index 79b3f1a86..cb862ff48 100644 --- a/apparmor.d/groups/apparmor/apparmor.systemd +++ b/apparmor.d/groups/apparmor/apparmor.systemd @@ -19,14 +19,14 @@ profile apparmor.systemd @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/aa-status rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/aa-status rPx, + @{sbin}/apparmor_parser rPx, @{bin}/getconf rix, @{bin}/ls rix, @{bin}/sed rix, @{bin}/cat rix, @{bin}/sort rix, - @{bin}/sysctl rix, + @{sbin}/sysctl rix, @{bin}/systemd-detect-virt rPx, @{bin}/xargs rix, diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index dc15d48b9..0a9f9fcaf 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -8,7 +8,7 @@ include @{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} -@{exec_path} = @{bin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser +@{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index fc5d1b3cc..5c33a1866 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/apt @{bin}/apt-get @{bin}/aptd +@{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include include @@ -80,7 +80,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/df rPx, @{bin}/dmesg rPx, @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/dpkg-source rcx -> dpkg-source, @{bin}/etckeeper rPx, @{bin}/localepurge rPx, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 29a1309c7..eb8a8cd8d 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -75,7 +75,7 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/apt-listbugs rPx, @{bin}/apt-listchanges rPx, @{bin}/apt-show-versions rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/debtags rPx, @{bin}/localepurge rPx, @{bin}/appstreamcli rPx, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index c71d9749c..ef7852863 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/dpkg-preconfigure +@{exec_path} = @{sbin}/dpkg-preconfigure profile dpkg-preconfigure @{exec_path} { include include diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 85bd2e6c3..2a2063d8e 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -31,7 +31,7 @@ profile querybts @{exec_path} { @{bin}/ r, @{sh_path} rix, @{bin}/stty rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{open_path} rPx -> child-open-browsers, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index ae2e64e5d..dbd02ff6c 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -30,7 +30,7 @@ profile reportbug @{exec_path} { @{bin}/ r, @{python_path} r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/selinuxenabled rix, @{sh_path} rix, @{bin}/aa-enabled rix, diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 58224dd45..651fac1ba 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -45,7 +45,7 @@ profile synaptic @{exec_path} { @{bin}/deborphan rPx, @{bin}/debtags rPx, @{bin}/dpkg rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/pkexec rCx -> pkexec, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index bee1c0fe8..2778b2b39 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -51,10 +51,10 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/apt-listchanges rPx, @{bin}/dpkg rPx, @{bin}/dpkg-divert rPx, - @{bin}/dpkg-preconfigure rPx, + @{sbin}/dpkg-preconfigure rPx, @{bin}/etckeeper rPx, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{bin}/sendmail rPUx, @{lib}/apt/methods/http{,s} rPx, @{lib}/needrestart/apt-pinvoke rPx, diff --git a/apparmor.d/groups/bluetooth/blueman-mechanism b/apparmor.d/groups/bluetooth/blueman-mechanism index bb6c6cdf7..ffdda336e 100644 --- a/apparmor.d/groups/bluetooth/blueman-mechanism +++ b/apparmor.d/groups/bluetooth/blueman-mechanism @@ -36,9 +36,9 @@ profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { /dev/rfkill rw, # For network AP - #@{bin}/ip rix, - #@{bin}/xtables-nft-multi rix, - #@{bin}/dnsmasq rPx, + #@{sbin}/ip rix, + #@{sbin}/xtables-nft-multi rix, + #@{sbin}/dnsmasq rPx, #@{bin}/dhclient rPx, # @{PROC}/sys/net/ipv4/ip_forward w, # @{PROC}/sys/net/ipv4/conf/ r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index a561954a3..7d1be8442 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -39,7 +39,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{bin}/plasma-browser-integration-host rPx, @{bin}/speech-dispatcher rPx, - @{bin}/update-mime-database rPx, + @{sbin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @{lib}/mozilla/kmozillahelper rPUx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 57c2ed4b8..1322108d4 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/anacron +@{exec_path} = @{sbin}/anacron profile anacron @{exec_path} { include include diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 25549a39c..c92441568 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cron +@{exec_path} = @{sbin}/cron profile cron @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron index 15d1b9737..91c531618 100644 --- a/apparmor.d/groups/cron/cron-anacron +++ b/apparmor.d/groups/cron/cron-anacron @@ -12,7 +12,7 @@ profile cron-anacron @{exec_path} { @{exec_path} r, - @{bin}/anacron rPx, + @{sbin}/anacron rPx, @{sh_path} rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 29294fa53..81e5761d7 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cron-apt +@{exec_path} = @{sbin}/cron-apt profile cron-apt @{exec_path} { include include diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index 2aaa6b142..fcf5e4430 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -14,7 +14,7 @@ profile cron-apt-compat @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{bin}/apt-config rPx, @{lib}/apt/apt.systemd.daily rPx, diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 2c3f90a9a..f264de78c 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -22,7 +22,7 @@ profile cron-apt-xapian-index @{exec_path} { @{bin}/ r, @{bin}/update-apt-xapian-index rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, # For shell pwd / r, diff --git a/apparmor.d/groups/cron/cron-cracklib b/apparmor.d/groups/cron/cron-cracklib index ede030682..9399b6ed4 100644 --- a/apparmor.d/groups/cron/cron-cracklib +++ b/apparmor.d/groups/cron/cron-cracklib @@ -15,7 +15,7 @@ profile cron-cracklib @{exec_path} { @{sh_path} rix, @{bin}/logger rix, - @{bin}/update-cracklib rPx, + @{sbin}/update-cracklib rPx, /etc/cracklib/cracklib.conf r, diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 42f2f0823..2970f8d42 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base @@ -39,8 +39,8 @@ profile cron-exim4-base @{exec_path} { @{bin}/exim4 rPx, @{bin}/exim_tidydb rix, - @{bin}/start-stop-daemon rix, - @{bin}/runuser rix, + @{sbin}/start-stop-daemon rix, + @{sbin}/runuser rix, /etc/default/exim4 r, diff --git a/apparmor.d/groups/cron/cron-ipset-autoban-save b/apparmor.d/groups/cron/cron-ipset-autoban-save index 601368446..8b5891eed 100644 --- a/apparmor.d/groups/cron/cron-ipset-autoban-save +++ b/apparmor.d/groups/cron/cron-ipset-autoban-save @@ -15,7 +15,7 @@ profile cron-ipset-autoban-save @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/ipset rix, + @{sbin}/ipset rix, /etc/peerblock/autoban rw, diff --git a/apparmor.d/groups/cron/cron-logrotate b/apparmor.d/groups/cron/cron-logrotate index abe3542f6..36044b2f3 100644 --- a/apparmor.d/groups/cron/cron-logrotate +++ b/apparmor.d/groups/cron/cron-logrotate @@ -14,7 +14,7 @@ profile cron-logrotate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/logrotate rPx, + @{sbin}/logrotate rPx, @{bin}/logger rix, diff --git a/apparmor.d/groups/cron/cron-man-db b/apparmor.d/groups/cron/cron-man-db index 8629f7be2..709f843e8 100644 --- a/apparmor.d/groups/cron/cron-man-db +++ b/apparmor.d/groups/cron/cron-man-db @@ -20,7 +20,7 @@ profile cron-man-db @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, - @{bin}/start-stop-daemon rix, + @{sbin}/start-stop-daemon rix, @{bin}/xargs rix, @{bin}/find rix, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index 852e85141..f0757187a 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -23,7 +23,7 @@ profile cron-mlocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.mlocate rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{run}/mlocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 7080658c3..742531b41 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -23,7 +23,7 @@ profile cron-plocate @{exec_path} { @{bin}/nice rix, @{bin}/updatedb.plocate rPx, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, @{run}/plocate.daily.lock rwk, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 21455fb7d..c4b9de0b3 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -29,11 +29,11 @@ profile cron-popularity-contest @{exec_path} { # To send reports via TOR @{bin}/torify rix, @{bin}/torsocks rix, - @{bin}/getcap rix, + @{sbin}/getcap rix, /usr/share/popularity-contest/popcon-upload rCx -> popcon-upload, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, @{bin}/savelog rCx -> savelog, /usr/share/popularity-contest/ r, @@ -93,7 +93,7 @@ profile cron-popularity-contest @{exec_path} { include include - @{bin}/runuser mr, + @{sbin}/runuser mr, @{sh_path} rix, @{bin}/popularity-contest rPx, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index d240454f5..156d5e820 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/crontab +@{exec_path} = @{sbin}/crontab profile crontab @{exec_path} { include include diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 41d22ed9b..f671ce6e9 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/cups-browsed +@{exec_path} = @{sbin}/cups-browsed profile cups-browsed @{exec_path} { include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 697a307f9..91dd32f51 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/cupsd +@{exec_path} = @{sbin}/cupsd profile cupsd @{exec_path} flags=(attach_disconnected) { include include @@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, - @{bin}/ippfind rix, + @{sbin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, @{python_path} rix, diff --git a/apparmor.d/groups/filesystem/fsck.btrfs b/apparmor.d/groups/filesystem/fsck.btrfs index f8ac9419d..512265788 100644 --- a/apparmor.d/groups/filesystem/fsck.btrfs +++ b/apparmor.d/groups/filesystem/fsck.btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck.btrfs +@{exec_path} = @{sbin}/fsck.btrfs profile fsck.btrfs @{exec_path} { include diff --git a/apparmor.d/groups/filesystem/fsck.fat b/apparmor.d/groups/filesystem/fsck.fat index fd944532f..0e7df947d 100644 --- a/apparmor.d/groups/filesystem/fsck.fat +++ b/apparmor.d/groups/filesystem/fsck.fat @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck.fat @{bin}/fsck.msdos @{bin}/fsck.vfat @{bin}/dosfsck +@{exec_path} = @{sbin}/fsck.fat @{sbin}/fsck.msdos @{sbin}/fsck.vfat @{sbin}/dosfsck profile fsck.fat @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/lvm b/apparmor.d/groups/filesystem/lvm index 4fb66d92c..ad4645bff 100644 --- a/apparmor.d/groups/filesystem/lvm +++ b/apparmor.d/groups/filesystem/lvm @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvm +@{exec_path} = @{sbin}/lvm profile lvm @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/filesystem/lvmconfig b/apparmor.d/groups/filesystem/lvmconfig index 5e5a0d1dd..39224c22f 100644 --- a/apparmor.d/groups/filesystem/lvmconfig +++ b/apparmor.d/groups/filesystem/lvmconfig @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvmconfig +@{exec_path} = @{sbin}/lvmconfig profile lvmconfig @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/lvmdump b/apparmor.d/groups/filesystem/lvmdump index 6a443fc57..5e90ffeee 100644 --- a/apparmor.d/groups/filesystem/lvmdump +++ b/apparmor.d/groups/filesystem/lvmdump @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvmdump +@{exec_path} = @{sbin}/lvmdump profile lvmdump @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/lvmpolld b/apparmor.d/groups/filesystem/lvmpolld index fdc3bad3f..4168ad4fe 100644 --- a/apparmor.d/groups/filesystem/lvmpolld +++ b/apparmor.d/groups/filesystem/lvmpolld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/lvmpolld +@{exec_path} = @{sbin}/lvmpolld profile lvmpolld @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mke2fs b/apparmor.d/groups/filesystem/mke2fs index 56a223bdd..a3edbeb50 100644 --- a/apparmor.d/groups/filesystem/mke2fs +++ b/apparmor.d/groups/filesystem/mke2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mke2fs @{bin}/mkfs.ext2 @{bin}/mkfs.ext3 @{bin}/mkfs.ext4 +@{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4 profile mke2fs @{exec_path} { include include @@ -19,7 +19,7 @@ profile mke2fs @{exec_path} { # To check for badblocks @{sh_path} rix, - @{bin}/badblocks rPx, + @{sbin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/groups/filesystem/mkfs-btrfs b/apparmor.d/groups/filesystem/mkfs-btrfs index 1e6c95838..54c83e559 100644 --- a/apparmor.d/groups/filesystem/mkfs-btrfs +++ b/apparmor.d/groups/filesystem/mkfs-btrfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mkfs.btrfs +@{exec_path} = @{sbin}/mkfs.btrfs profile mkfs-btrfs @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mkswap b/apparmor.d/groups/filesystem/mkswap index 4a818cd58..fa30030f3 100644 --- a/apparmor.d/groups/filesystem/mkswap +++ b/apparmor.d/groups/filesystem/mkswap @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mkswap +@{exec_path} = @{sbin}/mkswap profile mkswap @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mount-cifs b/apparmor.d/groups/filesystem/mount-cifs index cf1ceefb3..a6c8d01e3 100644 --- a/apparmor.d/groups/filesystem/mount-cifs +++ b/apparmor.d/groups/filesystem/mount-cifs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mount.cifs +@{exec_path} = @{sbin}/mount.cifs profile mount-cifs @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/groups/filesystem/ntfsclone b/apparmor.d/groups/filesystem/ntfsclone index c239e81af..c6443bf7a 100644 --- a/apparmor.d/groups/filesystem/ntfsclone +++ b/apparmor.d/groups/filesystem/ntfsclone @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsclone +@{exec_path} = @{sbin}/ntfsclone profile ntfsclone @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfscp b/apparmor.d/groups/filesystem/ntfscp index 2e36046ba..f3bc38b6a 100644 --- a/apparmor.d/groups/filesystem/ntfscp +++ b/apparmor.d/groups/filesystem/ntfscp @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfscp +@{exec_path} = @{sbin}/ntfscp profile ntfscp @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfslabel b/apparmor.d/groups/filesystem/ntfslabel index 471aefaa1..5d4089a44 100644 --- a/apparmor.d/groups/filesystem/ntfslabel +++ b/apparmor.d/groups/filesystem/ntfslabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfslabel +@{exec_path} = @{sbin}/ntfslabel profile ntfslabel @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfsresize b/apparmor.d/groups/filesystem/ntfsresize index 5c7d5c835..3eac37d70 100644 --- a/apparmor.d/groups/filesystem/ntfsresize +++ b/apparmor.d/groups/filesystem/ntfsresize @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsresize +@{exec_path} = @{sbin}/ntfsresize profile ntfsresize @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/ntfsundelete b/apparmor.d/groups/filesystem/ntfsundelete index 4d96d1dbd..9f68cba7a 100644 --- a/apparmor.d/groups/filesystem/ntfsundelete +++ b/apparmor.d/groups/filesystem/ntfsundelete @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ntfsundelete +@{exec_path} = @{sbin}/ntfsundelete profile ntfsundelete @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index f661ccd12..7d4febb1f 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -73,18 +73,18 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/umount rix, - @{bin}/dmidecode rPx, - @{bin}/dumpe2fs rPx, + @{sbin}/dmidecode rPx, + @{sbin}/dumpe2fs rPx, @{bin}/eject rPx, - @{bin}/fsck.fat rPx, - @{bin}/lvm rPUx, - @{bin}/mke2fs rPx, - @{bin}/mkfs.* rPx, + @{sbin}/fsck.fat rPx, + @{sbin}/lvm rPUx, + @{sbin}/mke2fs rPx, + @{sbin}/mkfs.* rPx, @{bin}/mount.exfat-fuse rPUx, @{bin}/ntfs-3g rPx, @{bin}/ntfsfix rPx, - @{bin}/sfdisk rPx, - @{bin}/sgdisk rPx, + @{sbin}/sfdisk rPx, + @{sbin}/sgdisk rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-escape rPx, @{bin}/xfs_* rPUx, diff --git a/apparmor.d/groups/filesystem/umount.udisks2 b/apparmor.d/groups/filesystem/umount.udisks2 index 4e842c7fb..752a1d5d3 100644 --- a/apparmor.d/groups/filesystem/umount.udisks2 +++ b/apparmor.d/groups/filesystem/umount.udisks2 @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/umount.udisks2 +@{exec_path} = @{sbin}/umount.udisks2 profile umount.udisks2 @{exec_path} flags=(complain) { include diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 003089ca4..7a6b7a9cf 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/firewalld +@{exec_path} = @{sbin}/firewalld profile firewalld @{exec_path} flags=(attach_disconnected) { include include @@ -34,14 +34,14 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/alts rix, - @{bin}/ebtables-legacy rix, - @{bin}/ebtables-legacy-restore rix, + @{sbin}/ebtables-legacy rix, + @{sbin}/ebtables-legacy-restore rix, @{bin}/false rix, - @{bin}/ipset rix, + @{sbin}/ipset rix, @{bin}/kmod rix, - @{bin}/modprobe rix, - @{bin}/xtables-legacy-multi rix, - @{bin}/xtables-nft-multi rmix, + @{sbin}/modprobe rix, + @{sbin}/xtables-legacy-multi rix, + @{sbin}/xtables-nft-multi rmix, /usr/local/lib/@{python_name}/dist-packages/ r, diff --git a/apparmor.d/groups/firewall/nft b/apparmor.d/groups/firewall/nft index 292b22043..2392829c8 100644 --- a/apparmor.d/groups/firewall/nft +++ b/apparmor.d/groups/firewall/nft @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/nft +@{exec_path} = @{sbin}/nft profile nft @{exec_path} { include include diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index d16675235..09f4f06f2 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -33,9 +33,9 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/cat rix, @{bin}/env r, - @{bin}/sysctl rix, - @{bin}/xtables-legacy-multi rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/sysctl rix, + @{sbin}/xtables-legacy-multi rix, + @{sbin}/xtables-nft-multi rix, @{lib}/ufw/ufw-init rix, /etc/default/ufw rw, diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index 78483a399..5c0521790 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -22,9 +22,9 @@ profile ufw-init @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/sysctl rix, - @{bin}/xtables-legacy-multi rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/sysctl rix, + @{sbin}/xtables-legacy-multi rix, + @{sbin}/xtables-nft-multi rix, /etc/default/ufw r, /etc/ufw/* r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 397475a43..8d35bc8e0 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { @{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//>k-update-icon-cache, @{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database, - @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database, + @{sbin}/update-mime-database rPx -> flatpak-app//&update-mime-database, @{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy, @{lib}/kf5/kioslave5 rPx, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index d3aaa753f..85e277198 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon @@ -27,13 +27,13 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/adduser rPx, + @{sbin}/adduser rPx, @{bin}/cat rix, @{bin}/chage rPx, @{bin}/passwd rPx, - @{bin}/chpasswd rPx, - @{bin}/userdel rPx, - @{bin}/usermod rPx, + @{sbin}/chpasswd rPx, + @{sbin}/userdel rPx, + @{sbin}/usermod rPx, @{bin}/locale rPUx, /usr/share/language-tools/language-validate rPx, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 1b004021f..0a2390661 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/plymouthd +@{exec_path} = @{sbin}/plymouthd profile plymouthd @{exec_path} { include include diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 9efd9cccc..6f6b39700 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/update-mime-database +@{exec_path} = @{sbin}/update-mime-database profile update-mime-database @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 07f6a0599..994c8e445 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -60,11 +60,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap rCx -> bwrap, @{bin}/gkbd-keyboard-display rPx, @{bin}/gnome-software rPx, - @{bin}/openvpn rPx, + @{sbin}/openvpn rPx, @{bin}/passwd rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/software-properties-gtk rPx, - @{bin}/usermod rPx, + @{sbin}/usermod rPx, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/cups/backend/snmp rPx, @{lib}/gnome-control-center-goa-helper rPx, diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index e52e96b8a..06fdf1601 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-install +@{exec_path} = @{sbin}/grub-install profile grub-install @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless index c2571ea73..17e71a25c 100644 --- a/apparmor.d/groups/grub/grub-macbless +++ b/apparmor.d/groups/grub/grub-macbless @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-macbless +@{exec_path} = @{sbin}/grub-macbless profile grub-macbless @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 1ff23f1fe..0ca05d549 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-mkconfig +@{exec_path} = @{sbin}/grub-mkconfig profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { include include @@ -27,14 +27,14 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/date rix, @{bin}/dirname rix, - @{bin}/dmsetup rPUx, + @{sbin}/dmsetup rPUx, @{bin}/dpkg rPx, @{bin}/find rix, @{bin}/findmnt rPx, @{bin}/gettext rix, @{bin}/grub-editenv rPx, @{bin}/grub-mkrelpath rPx, - @{bin}/grub-probe rPx, + @{sbin}/grub-probe rPx, @{bin}/grub-script-check rPx, @{bin}/head rix, @{bin}/id rPx, diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index 533f9780b..2a7082c64 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-mkdevicemap +@{exec_path} = @{sbin}/grub-mkdevicemap profile grub-mkdevicemap @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index 94c4c7e2b..d147b94fb 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -13,7 +13,7 @@ profile grub-multi-install @{exec_path} { @{exec_path} mr, - @{bin}/grub-install rPx, + @{sbin}/grub-install rPx, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/cat rix, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 3c22c2d27..6d0ec6a72 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grub-probe +@{exec_path} = @{sbin}/grub-probe profile grub-probe @{exec_path} { include include @@ -20,7 +20,7 @@ profile grub-probe @{exec_path} { /{usr/,}{local/,}{s,}bin/zpool rPx, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/udevadm rPx, /usr/share/grub/* r, diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot index 7d94a22af..310b416bf 100644 --- a/apparmor.d/groups/grub/grub-reboot +++ b/apparmor.d/groups/grub/grub-reboot @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-reboot +@{exec_path} = @{sbin}/grub-reboot profile grub-reboot @{exec_path} { include include diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default index 11c78024b..9e3c96464 100644 --- a/apparmor.d/groups/grub/grub-set-default +++ b/apparmor.d/groups/grub/grub-set-default @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-set-default +@{exec_path} = @{sbin}/grub-set-default profile grub-set-default @{exec_path} { include include diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index 03df05295..1996b346b 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/update-grub{2,} +@{exec_path} = @{sbin}/update-grub{2,} profile update-grub @{exec_path} { include include @@ -15,7 +15,7 @@ profile update-grub @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grub-mkconfig rPx, + @{sbin}/grub-mkconfig rPx, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index 6483fe39f..cf0caffeb 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -22,7 +22,7 @@ profile kauth-kded-smart-helper @{exec_path} { @{exec_path} mr, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper index 5ae1f5f12..afecd8d53 100644 --- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper +++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper @@ -13,7 +13,7 @@ profile kauth-kinfocenter-dmidecode-helper @{exec_path} { @{exec_path} mr, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, include if exists } diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 2c129b426..dd3a6b42b 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -39,7 +39,7 @@ profile kscreenlocker_greet @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, @{lib}/@{multiarch}/libexec/kcheckpass rPx, /usr/share/plasma/** r, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index b5cceee95..0ae174b09 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -37,7 +37,7 @@ profile sddm-xsession @{exec_path} { @{bin}/sed rix, @{bin}/stat rix, @{bin}/tail rix, - @{bin}/tcsh rix, + @{sbin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, @{bin}/which{,.*} rix, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index b92ad8e68..1d8987709 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ModemManager +@{exec_path} = @{sbin}/ModemManager profile ModemManager @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index d41f38b1b..008b6bd31 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/NetworkManager +@{exec_path} = @{sbin}/NetworkManager profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include @@ -75,12 +75,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/nft rix, + @{sbin}/nft rix, - @{bin}/dnsmasq rPx, + @{sbin}/dnsmasq rPx, @{bin}/kmod rPx, @{bin}/netconfig rPUx, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/{,NetworkManager/}nm-daemon-helper rPx, @{lib}/{,NetworkManager/}nm-dhcp-helper rPx, diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index c1b5d04c5..7f47b9975 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dhcpcd +@{exec_path} = @{sbin}/dhcpcd profile dhcpcd @{exec_path} flags=(attach_disconnected) { include include @@ -35,7 +35,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cmp rix, @{bin}/mkdir rix, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/rm rix, @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index 0b5bd090e..eddcaedf7 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/iwctl +@{exec_path} = @{sbin}/iwctl profile iwctl @{exec_path} { include diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd index d3c114a43..13edaaf16 100644 --- a/apparmor.d/groups/network/iwd +++ b/apparmor.d/groups/network/iwd @@ -24,7 +24,7 @@ profile iwd @{exec_path} { network packet dgram, @{exec_path} mr, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, /etc/iwd/{,**} r, /var/lib/iwd/{,**} rw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 6c4c41e6c..ecd23ce53 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -33,7 +33,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/ip rix, + @{sbin}/ip rix, "/opt/Mullvad VPN/resources/openvpn" rix, "/opt/Mullvad VPN/resources/*.so*" mr, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index e6150c509..726798180 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -39,7 +39,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/gawk rix, @{bin}/grep rix, @{bin}/id rix, - @{bin}/invoke-rc.d rCx -> invoke-rc, + @{sbin}/invoke-rc.d rCx -> invoke-rc, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @@ -101,7 +101,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { profile invoke-rc { include - @{bin}/invoke-rc.d rm, + @{sbin}/invoke-rc.d rm, @{sh_path} rix, @{bin}/basename rix, @{bin}/ls rix, diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 675c14679..943386f61 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -20,7 +20,7 @@ profile nm-openvpn-service @{exec_path} { @{sh_path} rix, @{bin}/kmod rPx, - @{bin}/openvpn rPx, + @{sbin}/openvpn rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 608b98994..5623901fb 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -22,7 +22,7 @@ abi , include -@{exec_path} = @{bin}/openvpn +@{exec_path} = @{sbin}/openvpn profile openvpn @{exec_path} flags=(attach_disconnected) { include include @@ -61,7 +61,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/openvpn/*.{pid,status} rw, @{run}/systemd/journal/dev-log r, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/systemd-ask-password rPx, @{lib}/nm-openvpn-service-openvpn-helper rPx, /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn, @@ -83,9 +83,9 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/which{,.debianutils} rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/{,*} r, @@ -110,8 +110,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/env rix, - @{bin}/ip rix, - @{bin}/nft rix, + @{sbin}/ip rix, + @{sbin}/nft rix, @{bin}/sed rix, /etc/iproute2/rt_realms r, diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 4e5bba684..096fe276c 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -23,7 +23,7 @@ profile tailscale @{exec_path} { @{exec_path} mr, - @{bin}/ip rPx, + @{sbin}/ip rPx, owner @{run}/tailscale/tailscaled.sock rw, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index ac29b0b28..fa6cd8ddd 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -35,9 +35,9 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/resolvectl rPx, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index b5e8d88e8..e8ece5c88 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -21,19 +21,19 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{bin}/ip rPx, + @{sbin}/ip rPx, @{bin}/mv rix, - @{bin}/nft rix, + @{sbin}/nft rix, @{bin}/readlink rix, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/resolvectl rPx, @{bin}/rm rix, @{bin}/sort rix, @{bin}/stat rix, @{bin}/sync rix, - @{bin}/sysctl rCx -> sysctl, + @{sbin}/sysctl rCx -> sysctl, @{bin}/wg rPx, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, /usr/share/terminfo/** r, @@ -49,7 +49,7 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { profile sysctl flags=(attach_disconnected) { include - @{bin}/sysctl mr, + @{sbin}/sysctl mr, @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index f1d4818ef..fdd9618fc 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -28,11 +28,11 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/bsdtar rix, @{bin}/fc-match rix, @{bin}/findmnt rPx, - @{bin}/fsck rix, + @{sbin}/fsck rix, @{bin}/getent rix, @{bin}/gzip rix, @{bin}/hexdump rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ldd rix, @{bin}/loadkeys rix, @{bin}/objcopy rix, @@ -45,7 +45,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/{depmod,insmod} rPx, @{bin}/{kmod,lsmod} rPx, @{bin}/{modinfo,rmmod} rPx, - @{bin}/modprobe rPx, + @{sbin}/modprobe rPx, @{bin}/plymouth rPx, @{bin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 271540f52..ada70feec 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -69,35 +69,35 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/ghc-pkg-@{version} rix, @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, - @{bin}/groupadd rPx, + @{sbin}/groupadd rPx, @{bin}/gtk-query-immodules-{2,3}.0 rPx, @{bin}/gtk{,4}-update-icon-cache rPx, - @{bin}/iconvconfig rix, + @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, @{bin}/install-info rPx, @{bin}/iscsi-iname rix, @{bin}/journalctl rPx, @{bin}/killall rix, - @{bin}/ldconfig rix, - @{bin}/locale-gen rPx, + @{sbin}/ldconfig rix, + @{sbin}/locale-gen rPx, @{bin}/mkinitcpio rPx, - @{bin}/needrestart rPx, + @{sbin}/needrestart rPx, @{bin}/pacdiff rPx, @{bin}/pacman-key rPx, @{bin}/pkgfile rPUx, @{bin}/pkill rix, @{bin}/rsync rix, @{bin}/sbctl rPx, - @{bin}/setcap rix, + @{sbin}/setcap rix, @{bin}/setfacl rix, - @{bin}/sysctl rPx, + @{sbin}/sysctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-* rPx, @{bin}/tput rix, @{bin}/update-ca-trust rPx, @{bin}/update-desktop-database rPx, - @{bin}/update-grub rPx, - @{bin}/update-mime-database rPx, + @{sbin}/update-grub rPx, + @{sbin}/update-mime-database rPx, @{bin}/vercmp rix, @{bin}/which rix, @{bin}/xmlcatalog rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index 45336a100..fe1bc5781 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -16,7 +16,7 @@ profile pacman-hook-depmod @{exec_path} { @{bin}/basename rix, @{bin}/bash rix, - @{bin}/depmod rPx, + @{sbin}/depmod rPx, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index a039db414..a8a54c151 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -19,7 +19,7 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/kmod rPx, @{bin}/nproc rix, diff --git a/apparmor.d/groups/procps/sysctl b/apparmor.d/groups/procps/sysctl index a25414390..3131befeb 100644 --- a/apparmor.d/groups/procps/sysctl +++ b/apparmor.d/groups/procps/sysctl @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/sysctl +@{exec_path} = @{sbin}/sysctl profile sysctl @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/chpasswd b/apparmor.d/groups/shadow/chpasswd index 0dc65b1fb..5e84f31b4 100644 --- a/apparmor.d/groups/shadow/chpasswd +++ b/apparmor.d/groups/shadow/chpasswd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/chpasswd +@{exec_path} = @{sbin}/chpasswd profile chpasswd @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/groupadd b/apparmor.d/groups/shadow/groupadd index 65e735605..2d135007a 100644 --- a/apparmor.d/groups/shadow/groupadd +++ b/apparmor.d/groups/shadow/groupadd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/groupadd +@{exec_path} = @{sbin}/groupadd profile groupadd @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/groupdel b/apparmor.d/groups/shadow/groupdel index 734b22463..8f8b28239 100644 --- a/apparmor.d/groups/shadow/groupdel +++ b/apparmor.d/groups/shadow/groupdel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/groupdel +@{exec_path} = @{sbin}/groupdel profile groupdel @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/groupmod b/apparmor.d/groups/shadow/groupmod index 01841483e..34bf046cd 100644 --- a/apparmor.d/groups/shadow/groupmod +++ b/apparmor.d/groups/shadow/groupmod @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/groupmod +@{exec_path} = @{sbin}/groupmod profile groupmod @{exec_path} { include include diff --git a/apparmor.d/groups/shadow/grpck b/apparmor.d/groups/shadow/grpck index 3b820febb..1e47307e4 100644 --- a/apparmor.d/groups/shadow/grpck +++ b/apparmor.d/groups/shadow/grpck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/grpck +@{exec_path} = @{sbin}/grpck profile grpck @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/shadow/pwck b/apparmor.d/groups/shadow/pwck index 6aef4d028..456a15af4 100644 --- a/apparmor.d/groups/shadow/pwck +++ b/apparmor.d/groups/shadow/pwck @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/pwck +@{exec_path} = @{sbin}/pwck profile pwck @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/shadow/useradd b/apparmor.d/groups/shadow/useradd index 021ede783..b10487cf2 100644 --- a/apparmor.d/groups/shadow/useradd +++ b/apparmor.d/groups/shadow/useradd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/useradd +@{exec_path} = @{sbin}/useradd profile useradd @{exec_path} { include include @@ -25,7 +25,7 @@ profile useradd @{exec_path} { @{exec_path} mr, @{bin}/nscd rix, - @{bin}/usermod rPx, + @{sbin}/usermod rPx, @{bin}/pam_tally2 rCx -> pam_tally2, diff --git a/apparmor.d/groups/shadow/userdel b/apparmor.d/groups/shadow/userdel index afaa52a03..589c726d0 100644 --- a/apparmor.d/groups/shadow/userdel +++ b/apparmor.d/groups/shadow/userdel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/userdel +@{exec_path} = @{sbin}/userdel profile userdel @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/shadow/usermod b/apparmor.d/groups/shadow/usermod index 1e5c6e4eb..b59260a25 100644 --- a/apparmor.d/groups/shadow/usermod +++ b/apparmor.d/groups/shadow/usermod @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/usermod +@{exec_path} = @{sbin}/usermod profile usermod @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index cbaa8bce9..b3ee8a5da 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -65,17 +65,17 @@ profile snapd @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/adduser rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/adduser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/cp rix, @{bin}/getent rix, - @{bin}/groupadd rPx, + @{sbin}/groupadd rPx, @{bin}/gzip rix, @{bin}/hostnamectl rPx, @{bin}/journalctl rPx, @{bin}/kmod rPx, @{bin}/mount rix, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, @{bin}/ssh-keygen rPx, @{bin}/sync rix, @{bin}/systemctl rCx -> systemctl, @@ -85,7 +85,7 @@ profile snapd @{exec_path} { @{bin}/umount rix, @{bin}/unsquashfs rix, @{bin}/update-desktop-database rPx, - @{bin}/useradd rPx, + @{sbin}/useradd rPx, @{bin_dirs}/fc-cache-* mr, @{bin_dirs}/snap rPUx, @@ -201,7 +201,7 @@ profile snapd @{exec_path} { profile runuser { include - @{bin}/runuser mr, + @{sbin}/runuser mr, include if exists } diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor index 6d873982b..63251a976 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -15,7 +15,7 @@ profile snapd-apparmor @{exec_path} { @{exec_path} mrix, @{bin}/systemd-detect-virt rPx, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{lib_dirs}/** mr, @{lib_dirs}/snapd/apparmor_parser rPx -> apparmor_parser, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index a7d9a6699..3ae1326d8 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -15,7 +15,7 @@ abi , include -@{exec_path} = @{bin}/sshd +@{exec_path} = @{sbin}/sshd profile sshd @{exec_path} flags=(attach_disconnected) { include include @@ -62,7 +62,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{bin}/@{shells} rUx, @{bin}/false rix, - @{bin}/nologin rPx, + @{sbin}/nologin rPx, @{bin}/passwd rPx, @{lib}/{openssh,ssh}/sftp-server rPx, @{lib}/{openssh,ssh}/sshd-session rix, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index a29a39687..73c78f2ed 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -67,7 +67,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{open_path} rPx -> child-open, @{bin}/getopt rix, @{bin}/journalctl rPx -> systemctl, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, @@ -276,7 +276,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/getopt rix, @{bin}/gzip rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/localedef rix, @{bin}/readlink rix, @{bin}/true rix, diff --git a/apparmor.d/groups/steam/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton index de0b0a295..1b094c2a3 100644 --- a/apparmor.d/groups/steam/steam-game-proton +++ b/apparmor.d/groups/steam/steam-game-proton @@ -43,7 +43,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{bin}/fc-match rix, @{bin}/getopt rix, @{bin}/gzip rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ln rix, @{bin}/localedef rix, @{bin}/mkdir rix, @@ -71,7 +71,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { @{app_dirs}/** mrix, - @{run}/host/@{bin}/ldconfig rix, + @{run}/host/@{sbin}/ldconfig rix, @{run}/host/@{bin}/localedef rix, @{run}/host/@{lib}/** mr, diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 7dc10fd46..0381b93b1 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -31,7 +31,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/fsck rPx, + @{sbin}/fsck rPx, @{pager_path} rPx -> child-pager, # Location of file system OS images diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index 0680e0be8..4836c9747 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck @@ -19,9 +19,9 @@ profile systemd-fsck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/e2fsck rPx, - @{bin}/fsck rPx, - @{bin}/fsck.* rPx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck rPx, + @{sbin}/fsck.* rPx, owner @{run}/systemd/quotacheck w, owner @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index d9a6639c1..346e7d94e 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -17,7 +17,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/blkid rPx, + @{sbin}/blkid rPx, @{bin}/grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index a24858125..a89cd90f8 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -42,9 +42,9 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{lib}/systemd/systemd-homework rPx -> systemd-homed//&systemd-homework, - @{bin}/mkfs.btrfs rPx, - @{bin}/mkfs.fat rPx, - @{bin}/mke2fs rPx, + @{sbin}/mkfs.btrfs rPx, + @{sbin}/mkfs.fat rPx, + @{sbin}/mke2fs rPx, /etc/machine-id r, /etc/systemd/homed.conf r, diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 8556e51d7..74a824411 100644 --- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs @@ -17,8 +17,8 @@ profile systemd-makefs @{exec_path} { @{exec_path} mr, - @{bin}/mkfs.* rPx, - @{bin}/mkswap rPx, + @{sbin}/mkfs.* rPx, + @{sbin}/mkswap rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell index d28531e56..5ccf33219 100644 --- a/apparmor.d/groups/systemd/systemd-sulogin-shell +++ b/apparmor.d/groups/systemd/systemd-sulogin-shell @@ -18,7 +18,7 @@ profile systemd-sulogin-shell @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/sulogin rPx, + @{sbin}/sulogin rPx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 9e81cec83..03bfd6000 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -41,15 +41,15 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{coreutils_path} rix, @{pager_path} rPx -> child-pager, @{bin}/*-print-pci-ids rix, - @{bin}/alsactl rPUx, + @{sbin}/alsactl rPUx, @{bin}/ddcutil rPx, - @{bin}/dmsetup rPx, - @{bin}/ethtool rix, + @{sbin}/dmsetup rPx, + @{sbin}/ethtool rix, @{bin}/issue-generator rPx, @{bin}/kmod rPx, @{bin}/logger rix, @{bin}/ls rix, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/mknod rix, @{bin}/multipath rPx, @{bin}/nfsrahead rix, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 0121dd46d..15c7f27ad 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -43,7 +43,7 @@ profile apport-gtk @{exec_path} { @{bin}/gsettings rPx, @{bin}/ischroot rix, @{bin}/journalctl rPx, - @{bin}/killall5 rix, + @{sbin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index c5c31edd3..eb299345c 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -19,7 +19,7 @@ profile cron-ubuntu-fan @{exec_path} { @{bin}/flock rix, @{bin}/grep rix, @{bin}/id rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, @{bin}/touch rix, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 58323b8ff..575481de2 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -25,7 +25,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, @{bin}/grep rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, @{bin}/sleep rix, @@ -35,7 +35,7 @@ profile subiquity-console-conf @{exec_path} { @{bin}/journalctl rCx -> journalctl, @{bin}/ssh-keygen rPx, - @{bin}/sshd rPx, + @{sbin}/sshd rPx, @{bin}/snap rPUx, /usr/lib/snapd/snap-recovery-chooser rPUx, /usr/share/netplan/netplan.script rPUx, # TODO: rPx, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 77b24fa27..0573f38bf 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -12,7 +12,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{exec_path} mr, - @{bin}/dumpe2fs rPx, + @{sbin}/dumpe2fs rPx, @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, diff --git a/apparmor.d/groups/utils/agetty b/apparmor.d/groups/utils/agetty index 3eca54abc..9ae450196 100644 --- a/apparmor.d/groups/utils/agetty +++ b/apparmor.d/groups/utils/agetty @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/agetty +@{exec_path} = @{sbin}/agetty profile agetty @{exec_path} { include include diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/groups/utils/blkid index 27207bdb7..3eee035fe 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/groups/utils/blkid @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/blkid +@{exec_path} = @{sbin}/blkid profile blkid @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/utils/blockdev b/apparmor.d/groups/utils/blockdev index 96e3ad23f..0c5e7b17c 100644 --- a/apparmor.d/groups/utils/blockdev +++ b/apparmor.d/groups/utils/blockdev @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/blockdev +@{exec_path} = @{sbin}/blockdev profile blockdev @{exec_path} { include include diff --git a/apparmor.d/groups/utils/fsck b/apparmor.d/groups/utils/fsck index 5d0588026..40694aff9 100644 --- a/apparmor.d/groups/utils/fsck +++ b/apparmor.d/groups/utils/fsck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fsck +@{exec_path} = @{sbin}/fsck profile fsck @{exec_path} flags=(attach_disconnected) { include include @@ -18,8 +18,8 @@ profile fsck @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/e2fsck rPx, - @{bin}/fsck.* rPx, + @{sbin}/e2fsck rPx, + @{sbin}/fsck.* rPx, /etc/fstab r, diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim index 211913f41..a6ada04d5 100644 --- a/apparmor.d/groups/utils/fstrim +++ b/apparmor.d/groups/utils/fstrim @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/fstrim +@{exec_path} = @{sbin}/fstrim profile fstrim @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/utils/locale-gen b/apparmor.d/groups/utils/locale-gen index b9254171a..3620018a7 100644 --- a/apparmor.d/groups/utils/locale-gen +++ b/apparmor.d/groups/utils/locale-gen @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/locale-gen +@{exec_path} = @{sbin}/locale-gen profile locale-gen @{exec_path} { include include diff --git a/apparmor.d/groups/utils/losetup b/apparmor.d/groups/utils/losetup index bb0ac6c74..9b32074ba 100644 --- a/apparmor.d/groups/utils/losetup +++ b/apparmor.d/groups/utils/losetup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/losetup +@{exec_path} = @{sbin}/losetup profile losetup @{exec_path} { include include diff --git a/apparmor.d/groups/utils/nologin b/apparmor.d/groups/utils/nologin index 3ee32cf34..795a1aa35 100644 --- a/apparmor.d/groups/utils/nologin +++ b/apparmor.d/groups/utils/nologin @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/nologin +@{exec_path} = @{sbin}/nologin profile nologin @{exec_path} { include include diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 4bd473584..81e299d23 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -22,7 +22,7 @@ profile su @{exec_path} { @{exec_path} mr, @{bin}/@{shells} rUx, - @{bin}/nologin rPx, + @{sbin}/nologin rPx, @{etc_ro}/default/su r, /etc/default/locale r, diff --git a/apparmor.d/groups/utils/sulogin b/apparmor.d/groups/utils/sulogin index ccf7216e0..2af869dab 100644 --- a/apparmor.d/groups/utils/sulogin +++ b/apparmor.d/groups/utils/sulogin @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/sulogin +@{exec_path} = @{sbin}/sulogin profile sulogin @{exec_path} { include include diff --git a/apparmor.d/groups/utils/swaplabel b/apparmor.d/groups/utils/swaplabel index 05dc5783a..16abf153d 100644 --- a/apparmor.d/groups/utils/swaplabel +++ b/apparmor.d/groups/utils/swaplabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/swaplabel +@{exec_path} = @{sbin}/swaplabel profile swaplabel @{exec_path} { include include diff --git a/apparmor.d/groups/utils/swapon b/apparmor.d/groups/utils/swapon index 83d2c6a3b..dd4aec8e2 100644 --- a/apparmor.d/groups/utils/swapon +++ b/apparmor.d/groups/utils/swapon @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/swapon @{bin}/swapoff +@{exec_path} = @{sbin}/swapon @{sbin}/swapoff profile swapon @{exec_path} { include include diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/groups/utils/uuidd index 4d75a70ed..0f03325c8 100644 --- a/apparmor.d/groups/utils/uuidd +++ b/apparmor.d/groups/utils/uuidd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/uuidd +@{exec_path} = @{sbin}/uuidd profile uuidd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/utils/zramctl b/apparmor.d/groups/utils/zramctl index 9dbf23243..91697be73 100644 --- a/apparmor.d/groups/utils/zramctl +++ b/apparmor.d/groups/utils/zramctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/zramctl +@{exec_path} = @{sbin}/zramctl profile zramctl @{exec_path} { include include diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index 73ad13cb1..0f2692ecf 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -15,7 +15,7 @@ profile cni-portmap @{exec_path} { network netlink raw, @{exec_path} mr, - @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index a6eb80e9f..87ffb3f4a 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -38,13 +38,13 @@ profile cockpit-bridge @{exec_path} { @{bin}/cat ix, @{bin}/date ix, @{bin}/find ix, - @{bin}/ip ix, + @{sbin}/ip ix, @{python_path} ix, @{bin}/test ix, @{bin}/file ix, @{bin}/chage Px, - @{bin}/dmidecode Px, + @{sbin}/dmidecode Px, @{bin}/findmnt Px, @{bin}/journalctl Px, @{bin}/last Px, diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index 1de016aea..d71eb9ec1 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -15,7 +15,7 @@ profile cockpit-update-motd @{exec_path} { @{sh_path} rix, @{bin}/hostname rix, - @{bin}/ip rPx, + @{sbin}/ip rPx, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 4f73ff985..598ec7ca9 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -46,7 +46,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/containerd-shim-runc-v2 rPx, @{bin}/kmod rPx, @{bin}/unpigz rPUx, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 3f18bbdcc..6b1e3537a 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -64,7 +64,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{bin}/containerd rPx, @{bin}/docker-init rCx -> init, @{lib}/docker/docker-init rCx -> init, @@ -74,7 +74,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/ps rPx, @{bin}/runc rUx, @{bin}/unpigz rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, # Docker needs full access of the containers it manages. # TODO: should be in a sub profile started with pivot_root, not supported yet. diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 0949e72ee..2142e28b9 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -62,7 +62,7 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{bin}/systemd-run rix, @{bin}/{nano,emacs,ed} rPUx, @{bin}/vim{,.basic} rPUx, - @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, + @{sbin}/xtables-nft-multi rPx -> cni-xtables-nft, @{lib}/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds/uds rix, /var/lib/rancher/k3s/data/@{hex}/bin/* rix, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 44d24f1ae..303e906c2 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/libvirt-dbus +@{exec_path} = @{sbin}/libvirt-dbus profile libvirt-dbus @{exec_path} { include include @@ -18,7 +18,7 @@ profile libvirt-dbus @{exec_path} { @{exec_path} mr, - @{bin}/libvirtd rPx, + @{sbin}/libvirtd rPx, @{bin}/virtqemud rPx, /usr/share/dbus-1/interfaces/org.libvirt.*.xml r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 061866717..53dcb0703 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -14,7 +14,7 @@ abi , include -@{exec_path} = @{bin}/libvirtd +@{exec_path} = @{sbin}/libvirtd profile libvirtd @{exec_path} flags=(attach_disconnected) { include include @@ -103,26 +103,26 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{lib}/xen-common/bin/xen-toolstack rPUx, @{lib}/xen/bin/* rPUx, - @{bin}/dmidecode rPx, - @{bin}/dnsmasq rPx, + @{sbin}/dmidecode rPx, + @{sbin}/dnsmasq rPx, @{bin}/kmod rPx, - @{bin}/lvm rPUx, + @{sbin}/lvm rPUx, @{bin}/mdevctl rPx, @{bin}/swtpm rPx, @{bin}/swtpm_ioctl rPx, @{bin}/swtpm_setup rPx, @{bin}/udevadm rPx, @{bin}/virtiofsd rux, # TODO: WIP - @{bin}/virtlogd rPx, + @{sbin}/virtlogd rPx, @{sh_path} rix, - @{bin}/ip rix, - @{bin}/nft rix, + @{sbin}/ip rix, + @{sbin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper - @{bin}/tc rix, + @{sbin}/tc rix, @{bin}/xmllint rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{lib}/libvirt/virt-aa-helper rPx, /etc/libvirt/hooks/** rPUx, @@ -265,7 +265,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /dev/vhost-net rw, # Force the use of virt-aa-helper - audit deny @{bin}/apparmor_parser rwxl, + audit deny @{sbin}/apparmor_parser rwxl, audit deny @{etc_rw}/apparmor.d/libvirt/** wxl, audit deny @{sys}/kernel/security/apparmor/features rwxl, audit deny @{sys}/kernel/security/apparmor/matching rwxl, diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index c10f44922..81ec217b9 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -19,7 +19,7 @@ profile virt-aa-helper @{exec_path} { @{exec_path} mr, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, /etc/apparmor.d/libvirt/* r, @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw, diff --git a/apparmor.d/groups/virt/virtlockd b/apparmor.d/groups/virt/virtlockd index ea9336cef..ef28e59e9 100644 --- a/apparmor.d/groups/virt/virtlockd +++ b/apparmor.d/groups/virt/virtlockd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/virtlockd +@{exec_path} = @{sbin}/virtlockd profile virtlockd @{exec_path} { include diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index 44bf06ba0..d362ad108 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/virtlogd +@{exec_path} = @{sbin}/virtlogd profile virtlogd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index 42e13ef64..2d7df07b6 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -18,7 +18,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/dnsmasq rPx, + @{sbin}/dnsmasq rPx, /etc/libvirt/*.conf r, diff --git a/apparmor.d/groups/virt/xtables b/apparmor.d/groups/virt/xtables index 71f75b642..a10b75dde 100644 --- a/apparmor.d/groups/virt/xtables +++ b/apparmor.d/groups/virt/xtables @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/xtables-nft-multi @{bin}/xtables-legacy-multi +@{exec_path} = @{sbin}/xtables-nft-multi @{sbin}/xtables-legacy-multi profile xtables { include include diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info index 51053ccee..1cc3e7668 100644 --- a/apparmor.d/groups/whonix/pam-info +++ b/apparmor.d/groups/whonix/pam-info @@ -14,7 +14,7 @@ profile pam-info @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/faillock rix, + @{sbin}/faillock rix, @{bin}/grep rix, @{bin}/str_replace rix, @{bin}/wc rix, diff --git a/apparmor.d/groups/whonix/whonix-firewalld b/apparmor.d/groups/whonix/whonix-firewalld index 01e1cb418..08322714f 100644 --- a/apparmor.d/groups/whonix/whonix-firewalld +++ b/apparmor.d/groups/whonix/whonix-firewalld @@ -29,7 +29,7 @@ profile whonix-firewalld @{exec_path} { @{bin}/rm rix, @{bin}/touch rix, @{bin}/whonix-*-firewall rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rix, @{bin}/qubesdb-read rPUx, @{bin}/qubesdb-cmd rPUx, diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index 796194146..bf7daf85e 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -13,11 +13,11 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{e,}grep rix, - @{bin}/killall5 rix, + @{sbin}/killall5 rix, @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, - @{bin}/shutdown rix, + @{sbin}/shutdown rix, /etc/acpi/powerbtn.sh rix, @{bin}/dbus-send Cx -> bus, diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 5bf6c433a..4985bca3a 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/acpid +@{exec_path} = @{sbin}/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index e1d813324..135f65067 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -33,12 +33,12 @@ profile adduser @{exec_path} { @{bin}/chage rPx, @{bin}/chfn rPx, @{bin}/gpasswd rPx, - @{bin}/groupadd rPx, - @{bin}/groupdel rPx, + @{sbin}/groupadd rPx, + @{sbin}/groupdel rPx, @{bin}/passwd rPx, - @{bin}/useradd rPx, - @{bin}/userdel rPx, - @{bin}/usermod rPx, + @{sbin}/useradd rPx, + @{sbin}/userdel rPx, + @{sbin}/usermod rPx, /etc/{group,passwd,shadow} r, /etc/adduser.conf r, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 28576423d..6999f5baf 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -18,7 +18,7 @@ profile adequate @{exec_path} flags=(complain) { @{exec_path} r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, # It wants to ldd all binaries/libs in packages. @{bin}/ldd rCx -> ldd, diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl index b2b97a62a..adf0d5cd3 100644 --- a/apparmor.d/profiles-a-f/alsactl +++ b/apparmor.d/profiles-a-f/alsactl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/alsactl +@{exec_path} = @{sbin}/alsactl profile alsactl @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index b3baaaa8f..a10df8394 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/aspell-autobuildhash +@{exec_path} = @{sbin}/aspell-autobuildhash profile aspell-autobuildhash @{exec_path} flags=(complain) { include include @@ -47,7 +47,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { /usr/share/debconf/frontend r, - @{bin}/aspell-autobuildhash rPx, + @{sbin}/aspell-autobuildhash rPx, @{sh_path} rix, @{bin}/stty rix, diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index d6881f3e7..762273a9f 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/auditctl +@{exec_path} = @{sbin}/auditctl profile auditctl @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index bb2c64cee..41fb158c0 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/auditd +@{exec_path} = @{sbin}/auditd profile auditd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index 7a515c1ba..5ae84876b 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/augenrules +@{exec_path} = @{sbin}/augenrules profile augenrules @{exec_path} flags=(attach_disconnected) { include include @@ -16,7 +16,7 @@ profile augenrules @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{,e,f}grep rix, @{bin}/{,g,m}awk rix, - @{bin}/auditctl rPx, + @{sbin}/auditctl rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks index e0f686b90..ff3a710c3 100644 --- a/apparmor.d/profiles-a-f/badblocks +++ b/apparmor.d/profiles-a-f/badblocks @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/badblocks +@{exec_path} = @{sbin}/badblocks profile badblocks @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/biosdecode b/apparmor.d/profiles-a-f/biosdecode index 8010b380a..87457a129 100644 --- a/apparmor.d/profiles-a-f/biosdecode +++ b/apparmor.d/profiles-a-f/biosdecode @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/biosdecode +@{exec_path} = @{sbin}/biosdecode profile biosdecode @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index 2cabb639f..f864a605b 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/blkdeactivate +@{exec_path} = @{sbin}/blkdeactivate profile blkdeactivate @{exec_path} flags=(complain) { include include @@ -15,11 +15,11 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{exec_path} rm, @{sh_path} rix, - @{bin}/dmsetup rPUx, + @{sbin}/dmsetup rPUx, @{bin}/grep rix, @{bin}/touch rix, @{bin}/lsblk rPx, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/multipathd rPx, @{bin}/sort rix, @{bin}/umount rPx, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index ff3f8b43a..6d2683ade 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -31,7 +31,7 @@ profile borg @{exec_path} { @{bin}/{,@{multiarch}-}ld.bfd rix, @{bin}/cat rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, @{bin}/ccache rCx -> ccache, diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop index 9ea7a824c..1cfda03d9 100644 --- a/apparmor.d/profiles-a-f/briar-desktop +++ b/apparmor.d/profiles-a-f/briar-desktop @@ -80,7 +80,7 @@ profile briar-desktop @{exec_path} { profile jspawnhelper flags=(attach_disconnected) { include - @{bin}/ldconfig ix, + @{sbin}/ldconfig ix, owner @{HOME}/.briar/desktop/tor/tor Px -> briar-desktop-tor, @{system_share_dirs}/java/briar-desktop.jar r, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index 6d71ed28d..e3643ab6d 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -48,7 +48,7 @@ profile calibre @{exec_path} { @{sh_path} rix, @{python_path} rix, @{bin}/file rix, - @{bin}/ldconfig{,.real} rix, + @{sbin}/ldconfig{,.real} rix, @{bin}/uname rix, @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk index 9cacb9324..ee8d277f2 100644 --- a/apparmor.d/profiles-a-f/cfdisk +++ b/apparmor.d/profiles-a-f/cfdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cfdisk +@{exec_path} = @{sbin}/cfdisk profile cfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk index 0f91c1e85..8f3f11af0 100644 --- a/apparmor.d/profiles-a-f/cgdisk +++ b/apparmor.d/profiles-a-f/cgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/cgdisk +@{exec_path} = @{sbin}/cgdisk profile cgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 775e3f640..965e0dc3a 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/check-bios-nx +@{exec_path} = @{sbin}/check-bios-nx profile check-bios-nx @{exec_path} { include include @@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{bin}/rdmsr rPx, + @{sbin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index 4c805b9b1..39f30c5fe 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -24,10 +24,10 @@ profile check-support-status-hook @{exec_path} { @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/adduser rPx, + @{sbin}/adduser rPx, @{bin}/check-support-status rPx, @{bin}/debconf-escape rCx -> debconf-escape, - @{bin}/runuser rCx -> runuser, + @{sbin}/runuser rCx -> runuser, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, @@ -111,7 +111,7 @@ profile check-support-status-hook @{exec_path} { # To write records to the kernel auditing log. capability audit_write, - @{bin}/runuser mr, + @{sbin}/runuser mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer index cc183f527..4db396fa0 100644 --- a/apparmor.d/profiles-a-f/cracklib-packer +++ b/apparmor.d/profiles-a-f/cracklib-packer @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/cracklib-packer +@{exec_path} = @{sbin}/cracklib-packer profile cracklib-packer @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 1c5185833..5262e9065 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -20,11 +20,11 @@ profile deluser @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/crontab rPx, + @{sbin}/crontab rPx, @{bin}/gpasswd rPx, - @{bin}/groupdel rPx, + @{sbin}/groupdel rPx, @{bin}/mount rCx -> mount, - @{bin}/userdel rPx, + @{sbin}/userdel rPx, /etc/adduser.conf r, /etc/deluser.conf r, diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index b650498cf..d5505ff86 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -28,7 +28,7 @@ profile dhclient-script @{exec_path} { @{bin}/fold rix, @{bin}/head rix, @{bin}/hostname rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mv rix, @@ -36,11 +36,11 @@ profile dhclient-script @{exec_path} { @{bin}/ping rPx, @{bin}/printenv rix, @{bin}/readlink rix, - @{bin}/resolvconf rPx, + @{sbin}/resolvconf rPx, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, - @{bin}/sysctl rix, + @{sbin}/sysctl rix, @{bin}/tr rix, @{bin}/xxd rix, diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 75487fbec..0a01e5db5 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/dkms +@{exec_path} = @{sbin}/dkms profile dkms @{exec_path} flags=(attach_disconnected) { include include @@ -43,7 +43,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/readelf rix, @{bin}/rpm rPUx, @{bin}/strip rix, - @{bin}/update-secureboot-policy rPUx, + @{sbin}/update-secureboot-policy rPUx, @{bin}/zstd rix, @{lib}/gcc/@{multiarch}/@{version}/* rix, diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index ffce30921..2d799987f 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -15,7 +15,7 @@ profile dkms-autoinstaller @{exec_path} { @{exec_path} rm, @{sh_path} rix, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/echo rix, @{bin}/plymouth rix, @{bin}/readlink rix, diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd index 0484cf99d..984545508 100644 --- a/apparmor.d/profiles-a-f/dmeventd +++ b/apparmor.d/profiles-a-f/dmeventd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dmeventd +@{exec_path} = @{sbin}/dmeventd profile dmeventd @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode index aba455535..680d25992 100644 --- a/apparmor.d/profiles-a-f/dmidecode +++ b/apparmor.d/profiles-a-f/dmidecode @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/dmidecode +@{exec_path} = @{sbin}/dmidecode profile dmidecode @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup index b5a1f3ab7..eb9d1dc19 100644 --- a/apparmor.d/profiles-a-f/dmsetup +++ b/apparmor.d/profiles-a-f/dmsetup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dmsetup +@{exec_path} = @{sbin}/dmsetup profile dmsetup @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 065fe92c5..eecdb2e6d 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -32,7 +32,7 @@ profile dropbox @{exec_path} { @{bin}/readlink rix, @{bin}/dirname rix, @{bin}/uname rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/python3.@{int} rix, @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index eb3d4d61a..a4184a358 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/dumpe2fs @{bin}/e2mmpstatus +@{exec_path} = @{sbin}/dumpe2fs @{sbin}/e2mmpstatus profile dumpe2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index be5d26b9f..c120a3590 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/e2fsck @{bin}/fsck.ext2 @{bin}/fsck.ext3 @{bin}/fsck.ext4 +@{exec_path} = @{sbin}/e2fsck @{sbin}/fsck.ext2 @{sbin}/fsck.ext3 @{sbin}/fsck.ext4 profile e2fsck @{exec_path} { include include @@ -21,7 +21,7 @@ profile e2fsck @{exec_path} { # To check for badblocks @{sh_path} rix, - @{bin}/badblocks rPx, + @{sbin}/badblocks rPx, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index b099f1ccf..c7238f262 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/e2image +@{exec_path} = @{sbin}/e2image profile e2image @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index 25fab12c7..af10dddcd 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/e2scrub_all +@{exec_path} = @{sbin}/e2scrub_all profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index 4d743fbb7..a2cfe43c5 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix @@ -21,7 +21,7 @@ profile f3fix @{exec_path} { @{sh_path} rix, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 2506b1db9..21d2a1cf8 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -20,8 +20,8 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/xtables-nft-multi rix, - @{bin}/iptables rix, + @{sbin}/xtables-nft-multi rix, + @{sbin}/iptables rix, @{bin}/ r, @{python_path} r, diff --git a/apparmor.d/profiles-a-f/fatlabel b/apparmor.d/profiles-a-f/fatlabel index c7ac0d399..c8bdedaa3 100644 --- a/apparmor.d/profiles-a-f/fatlabel +++ b/apparmor.d/profiles-a-f/fatlabel @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fatlabel +@{exec_path} = @{sbin}/fatlabel profile fatlabel @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index e299a109b..8db6bde6f 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -21,7 +21,7 @@ profile fatresize @{exec_path} { @{sh_path} rix, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/udevadm rCx -> udevadm, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index e6a7aeebf..bab152574 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fdisk +@{exec_path} = @{sbin}/fdisk profile fdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index bb68e873e..74c6ad3b1 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -25,7 +25,7 @@ profile finalrd @{exec_path} { @{bin}/env rix, @{bin}/find rix, @{bin}/grep rix, - @{bin}/ldconfig{,.real} rix, + @{sbin}/ldconfig{,.real} rix, @{bin}/ln rix, @{bin}/mkdir rix, @{bin}/mount rix, diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index a54d1c9ac..d8086715a 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -19,7 +19,7 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/apparmor_parser rPx, + @{sbin}/apparmor_parser rPx, @{etc_ro}/login.defs r, diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index 3d7ee07f8..6d9502220 100644 --- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend @@ -28,14 +28,14 @@ profile frontend @{exec_path} flags=(complain) { @{bin}/locale rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/stty rix, - @{bin}/update-secureboot-policy rPx, + @{sbin}/update-secureboot-policy rPx, # debconf apps @{bin}/adequate rPx, - @{bin}/aspell-autobuildhash rPx, + @{sbin}/aspell-autobuildhash rPx, @{bin}/debconf-apt-progress rPx, @{bin}/linux-check-removal rPx, - @{bin}/pam-auth-update rPx, + @{sbin}/pam-auth-update rPx, @{bin}/ucf rPx, @{bin}/whiptail rPx, @{lib}/tasksel/tasksel-debconf rPx -> tasksel, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index e06c49b9d..1dcdf8042 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -33,7 +33,7 @@ profile gajim @{exec_path} { @{bin}/ r, @{sh_path} rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, # To play sounds diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk index 1357b03b6..b49e20570 100644 --- a/apparmor.d/profiles-g-l/gdisk +++ b/apparmor.d/profiles-g-l/gdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/gdisk +@{exec_path} = @{sbin}/gdisk profile gdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index d4511c62c..d74945777 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/gparted +@{exec_path} = @{sbin}/gparted profile gparted @{exec_path} flags=(attach_disconnected) { include include @@ -20,7 +20,7 @@ profile gparted @{exec_path} flags=(attach_disconnected) { @{coreutils_path} rix, @{sh_path} rix, - @{bin}/killall5 rCx -> killall, + @{sbin}/killall5 rCx -> killall, @{bin}/systemctl rCx -> systemctl, @{bin}/udevadm rCx -> udevadm, @@ -29,7 +29,7 @@ profile gparted @{exec_path} flags=(attach_disconnected) { @{bin}/ps rPx, @{bin}/xhost rPx, - @{bin}/gpartedbin rPx, + @{sbin}/gpartedbin rPx, @{lib}/gparted/gpartedbin rPx, @{lib}/gpartedbin rPx, @@ -71,7 +71,7 @@ profile gparted @{exec_path} flags=(attach_disconnected) { ptrace (read), - @{bin}/killall5 mr, + @{sbin}/killall5 mr, @{PROC}/ r, @{PROC}/@{pids}/stat r, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 0b2fea4c3..29bac6a2f 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin +@{exec_path} = @{sbin}/gpartedbin @{lib}/{,gparted/}gpartedbin profile gpartedbin @{exec_path} flags=(attach_disconnected) { include include @@ -30,9 +30,9 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, - @{bin}/blkid rPx, - @{bin}/dmidecode rPx, - @{bin}/hdparm rPx, + @{sbin}/blkid rPx, + @{sbin}/dmidecode rPx, + @{sbin}/hdparm rPx, @{bin}/kmod rPx, @{bin}/mount rCx -> mount, @@ -42,28 +42,28 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{bin}/btrfs rPx, @{bin}/btrfstune rPx, @{bin}/dmraid rPUx, - @{bin}/dmsetup rPUx, - @{bin}/dumpe2fs rPx, - @{bin}/e2fsck rPx, - @{bin}/e2image rPx, - @{bin}/fsck.* rPUx, - @{bin}/lvm rPUx, - @{bin}/mdadm rPUx, - @{bin}/mke2fs rPx, - @{bin}/mkfs.* rPUx, - @{bin}/mkntfs rPx, - @{bin}/mkswap rPx, + @{sbin}/dmsetup rPUx, + @{sbin}/dumpe2fs rPx, + @{sbin}/e2fsck rPx, + @{sbin}/e2image rPx, + @{sbin}/fsck.* rPUx, + @{sbin}/lvm rPUx, + @{sbin}/mdadm rPUx, + @{sbin}/mke2fs rPx, + @{sbin}/mkfs.* rPUx, + @{sbin}/mkntfs rPx, + @{sbin}/mkswap rPx, @{bin}/mtools rPx, @{bin}/ntfsinfo rPx, - @{bin}/ntfslabel rPx, - @{bin}/ntfsresize rPx, - @{bin}/resize2fs rPx, - @{bin}/swaplabel rPx, - @{bin}/swapoff rPx, - @{bin}/swapon rPx, + @{sbin}/ntfslabel rPx, + @{sbin}/ntfsresize rPx, + @{sbin}/resize2fs rPx, + @{sbin}/swaplabel rPx, + @{sbin}/swapoff rPx, + @{sbin}/swapon rPx, @{bin}/tune.* rPUx, - @{bin}/tune2fs rPx, - @{bin}/xfs_io rPUx, + @{sbin}/tune2fs rPx, + @{sbin}/xfs_io rPUx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index 5d04e33fb..988c547f0 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -20,7 +20,7 @@ profile gsmartcontrol @{exec_path} { @{bin}/dbus-launch Cx -> bus, @{bin}/dbus-send Cx -> bus, - @{bin}/smartctl Px, + @{sbin}/smartctl Px, @{bin}/xterm Cx -> terminal, /etc/fstab r, @@ -67,7 +67,7 @@ profile gsmartcontrol @{exec_path} { capability setuid, @{bin}/xterm mr, - @{bin}/update-smart-drivedb rPx, + @{sbin}/update-smart-drivedb rPx, /usr/include/X11/bitmaps/vlines2 r, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index aaa28bd55..97fad1f13 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -39,7 +39,7 @@ profile hardinfo @{exec_path} { @{bin}/make rix, @{bin}/perl rix, @{python_path} rix, - @{bin}/route rix, + @{sbin}/route rix, @{bin}/ruby@{int}.@{int} rix, @{bin}/strace rix, @{bin}/tr rix, diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm index a4fa34973..53e520509 100644 --- a/apparmor.d/profiles-g-l/hdparm +++ b/apparmor.d/profiles-g-l/hdparm @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/hdparm +@{exec_path} = @{sbin}/hdparm profile hdparm @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 590d4427e..2a1244ef7 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -37,28 +37,28 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, - @{bin}/biosdecode rPx, + @{sbin}/biosdecode rPx, @{bin}/cpuid rPx, @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, @{bin}/df rPx, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/dmesg rPx, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/edid-decode rPx, - @{bin}/ethtool rCx -> netconfig, - @{bin}/fdisk rPx, + @{sbin}/ethtool rCx -> netconfig, + @{sbin}/fdisk rPx, @{bin}/glxgears rPx, @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, - @{bin}/hdparm rPx, + @{sbin}/hdparm rPx, @{bin}/hwinfo rPx, @{bin}/i2cdetect rPx, - @{bin}/ifconfig rCx -> netconfig, + @{sbin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, - @{bin}/iw rCx -> netconfig, - @{bin}/iwconfig rCx -> netconfig, + @{sbin}/iw rCx -> netconfig, + @{sbin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, @{bin}/kmod rix, @@ -70,10 +70,10 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/memtester rPx, @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, - @{bin}/rfkill rPx, + @{sbin}/rfkill rPx, @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, @@ -205,10 +205,10 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { network appletalk dgram, network netlink raw, - @{bin}/iw mr, - @{bin}/ifconfig mr, - @{bin}/iwconfig mr, - @{bin}/ethtool mr, + @{sbin}/iw mr, + @{sbin}/ifconfig mr, + @{sbin}/iwconfig mr, + @{sbin}/ethtool mr, owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/net/dev r, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index e7bf2937c..21165acec 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -27,7 +27,7 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, - @{bin}/acpidump rPUx, + @{sbin}/acpidump rPUx, @{bin}/dmraid rPUx, diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index cda55bc59..ce1ad519b 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -34,7 +34,7 @@ profile hypnotix @{exec_path} { @{python_path} r, @{sh_path} rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/mkdir rix, @{bin}/xdg-screensaver rPx, diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig index 5bebad691..48181e130 100644 --- a/apparmor.d/profiles-g-l/ifconfig +++ b/apparmor.d/profiles-g-l/ifconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ifconfig +@{exec_path} = @{sbin}/ifconfig profile ifconfig @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index aac25b811..42169dd6d 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -19,8 +19,8 @@ profile ifup @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/ip rix, - @{bin}/route rix, + @{sbin}/ip rix, + @{sbin}/route rix, @{bin}/seq rix, @{bin}/sleep rix, @{bin}/wc rix, @@ -32,7 +32,7 @@ profile ifup @{exec_path} { @{bin}/run-parts rCx -> run-parts, @{bin}/kmod rCx -> kmod, - @{bin}/sysctl rCx -> sysctl, + @{sbin}/sysctl rCx -> sysctl, /etc/network/interfaces r, /etc/network/interfaces.d/{,*} r, @@ -110,7 +110,7 @@ profile ifup @{exec_path} { capability net_admin, capability sys_admin, - @{bin}/sysctl mr, + @{sbin}/sysctl mr, @{PROC}/sys/ r, @{PROC}/sys/** r, diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index 074b4e735..199483f4f 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -19,7 +19,7 @@ profile initd-kexec @{exec_path} { @{bin}/tput rix, @{bin}/echo rix, - @{bin}/kexec rPx, + @{sbin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index 1b27d1a4e..b5bf58ff2 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -25,7 +25,7 @@ profile initd-kexec-load @{exec_path} { @{bin}/readlink rix, @{bin}/tput rix, - @{bin}/kexec rPx, + @{sbin}/kexec rPx, @{bin}/run-parts rCx -> run-parts, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 09753107b..38b2a17a2 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -32,7 +32,7 @@ profile inxi @{exec_path} { @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{bin}/ip rCx -> ip, + @{sbin}/ip rCx -> ip, @{bin}/kmod rCx -> kmod, @{bin}/systemctl rCx -> systemctl, @{bin}/udevadm rCx -> udevadm, @@ -43,11 +43,11 @@ profile inxi @{exec_path} { # shared object file): ignored. @{bin}/dpkg-query rpx, - @{bin}/blockdev rPx, + @{sbin}/blockdev rPx, @{bin}/compton rPx, @{bin}/df rPx, @{bin}/dig rPx, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, @@ -56,7 +56,7 @@ profile inxi @{exec_path} { @{bin}/openbox rPx, @{bin}/ps rPx, @{bin}/sensors rPx, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/sudo rPx, @{bin}/uptime rPx, @{bin}/who rPx, @@ -115,7 +115,7 @@ profile inxi @{exec_path} { network netlink raw, - @{bin}/ip mr, + @{sbin}/ip mr, @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index bcb521c01..3495bcc80 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ip +@{exec_path} = @{sbin}/ip profile ip @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index c6dfa762a..628728846 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ipcalc +@{exec_path} = @{sbin}/ipcalc profile ipcalc @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw index c760c50f6..631b0b9d1 100644 --- a/apparmor.d/profiles-g-l/iw +++ b/apparmor.d/profiles-g-l/iw @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iw +@{exec_path} = @{sbin}/iw profile iw @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/iwconfig b/apparmor.d/profiles-g-l/iwconfig index 962b4ab23..ec6b9a46b 100644 --- a/apparmor.d/profiles-g-l/iwconfig +++ b/apparmor.d/profiles-g-l/iwconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iwconfig +@{exec_path} = @{sbin}/iwconfig profile iwconfig @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/iwlist b/apparmor.d/profiles-g-l/iwlist index 298c94688..b89af77b9 100644 --- a/apparmor.d/profiles-g-l/iwlist +++ b/apparmor.d/profiles-g-l/iwlist @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/iwlist +@{exec_path} = @{sbin}/iwlist profile iwlist @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index 102b75d83..d1e142a13 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kexec +@{exec_path} = @{sbin}/kexec profile kexec @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 08fc10c22..0338e3975 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -28,7 +28,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{bin}/basename rix, @{bin}/false rix, @{bin}/id rix, - @{bin}/sysctl rPx, + @{sbin}/sysctl rPx, @{bin}/true rix, @{lib}/modprobe.d/{,*.conf} r, diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index fc6a6ede5..016dceae0 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -30,7 +30,7 @@ profile kodi @{exec_path} { @{bin}/df rix, @{bin}/dirname rix, @{bin}/find rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/mv rix, @{bin}/uname rix, diff --git a/apparmor.d/profiles-g-l/kvm-ok b/apparmor.d/profiles-g-l/kvm-ok index eb3d1cc80..f62e9ddf9 100644 --- a/apparmor.d/profiles-g-l/kvm-ok +++ b/apparmor.d/profiles-g-l/kvm-ok @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kvm-ok +@{exec_path} = @{sbin}/kvm-ok profile kvm-ok @{exec_path} { include @@ -20,7 +20,7 @@ profile kvm-ok @{exec_path} { @{bin}/kmod rCx -> kmod, - @{bin}/rdmsr rPx, + @{sbin}/rdmsr rPx, #/proc/cpuinfo r, #/dev/kvm r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index fdd3b6209..f74f309fe 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/logrotate +@{exec_path} = @{sbin}/logrotate profile logrotate @{exec_path} flags=(attach_disconnected) { include include @@ -32,7 +32,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/grep rix, @{bin}/gzip rix, - @{bin}/invoke-rc.d rix, + @{sbin}/invoke-rc.d rix, @{bin}/kill rix, @{bin}/ls rix, @{bin}/setfacl rix, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index fdc258da1..ad626192c 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/mkinitramfs +@{exec_path} = @{sbin}/mkinitramfs profile mkinitramfs @{exec_path} { include include @@ -58,7 +58,7 @@ profile mkinitramfs @{exec_path} { @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, - @{bin}/ldconfig rCx -> ldconfig, + @{sbin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, @{lib}/ld-linux.so* rCx -> ldd, @@ -130,10 +130,10 @@ profile mkinitramfs @{exec_path} { capability sys_chroot, - @{bin}/ldconfig mr, + @{sbin}/ldconfig mr, @{sh_path} rix, - @{bin}/ldconfig.real rix, + @{sbin}/ldconfig.real rix, owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r, owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index cd2ddc0e6..8b8968464 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/modprobed-db +@{exec_path} = @{sbin}/modprobed-db profile modprobed-db @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index e847db872..cf77b7ab8 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -43,8 +43,8 @@ profile monitorix @{exec_path} { @{bin}/free rix, @{bin}/ss rix, @{bin}/who rix, - @{bin}/lvm rix, - @{bin}/xtables-nft-multi rix, + @{sbin}/lvm rix, + @{sbin}/xtables-nft-multi rix, @{bin}/sensors rix, @{bin}/getconf rix, @{bin}/ps rix, diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt index 502f941be..a66fc287f 100644 --- a/apparmor.d/profiles-m-r/mpsyt +++ b/apparmor.d/profiles-m-r/mpsyt @@ -27,7 +27,7 @@ profile mpsyt @{exec_path} { @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/tset rix, @{bin}/uname rix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 397646c5e..2470c527f 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/needrestart +@{exec_path} = @{sbin}/needrestart profile needrestart @{exec_path} flags=(attach_disconnected) { include include @@ -37,7 +37,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, - @{bin}/unix_chkpwd rPx, + @{sbin}/unix_chkpwd rPx, @{bin}/whiptail rPx, @{bin}/who rix, @{lib}/needrestart/* rPx, diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke index 480caf77e..b70a49be8 100644 --- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke +++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke @@ -19,7 +19,7 @@ profile needrestart-apt-pinvoke @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dbus-send rix, - @{bin}/needrestart rPx, + @{sbin}/needrestart rPx, @{bin}/rm rix, @{run}/needrestart/{,**} rw, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 75b150042..cf51936da 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -12,7 +12,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{exec_path} mr, - @{bin}/iucode_tool rix, + @{sbin}/iucode_tool rix, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/bsdtar rix, diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index c92d4d849..ffe3d4119 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/on_ac_power +@{exec_path} = @{sbin}/on_ac_power profile on-ac-power @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index bfee59187..263fab8bb 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -26,20 +26,20 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{e,f,}grep rix, - @{bin}/blkid rPx, + @{sbin}/blkid rPx, @{bin}/btrfs rPx, @{bin}/cat rix, @{bin}/cut rix, @{bin}/dmraid rPUx, @{bin}/find rix, @{bin}/grub-mount rPx, - @{bin}/grub-probe rPx, + @{sbin}/grub-probe rPx, @{bin}/head rix, @{bin}/kmod rPx, @{bin}/logger rix, @{bin}/ls rix, @{bin}/lsblk rPx, - @{bin}/lvm rPx, + @{sbin}/lvm rPx, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mount rix, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index bcd9ba6b7..c3df0072d 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -52,7 +52,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/gdbus rix, @{bin}/gzip rix, @{bin}/ischroot rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @{bin}/test rix, diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 3991299b9..655ed9d40 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/pam-auth-update +@{exec_path} = @{sbin}/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { include include @@ -35,7 +35,7 @@ profile pam-auth-update @{exec_path} flags=(complain) { /usr/share/debconf/frontend r, - @{bin}/pam-auth-update rPx, + @{sbin}/pam-auth-update rPx, @{sh_path} rix, @{bin}/stty rix, diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 4a98dbae8..1ae7f5478 100644 --- a/apparmor.d/profiles-m-r/parted +++ b/apparmor.d/profiles-m-r/parted @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/parted +@{exec_path} = @{sbin}/parted profile parted @{exec_path} { include include @@ -22,7 +22,7 @@ profile parted @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, /etc/inputrc r, diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 6a0a6c9cf..79e4b0ffb 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/partprobe +@{exec_path} = @{sbin}/partprobe profile partprobe @{exec_path} { include include @@ -23,7 +23,7 @@ profile partprobe @{exec_path} { @{sh_path} rix, @{bin}/udevadm rCx -> udevadm, - @{bin}/dmidecode rPx, + @{sbin}/dmidecode rPx, @{PROC}/devices r, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index c8fb38e44..8d55dd156 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -24,7 +24,7 @@ profile pass-import @{exec_path} { @{bin}/ r, @{bin}/gcc rix, # TODO: Test deny @{bin}/ld rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/pass rPx, @{python_path} rix, @{lib}/gcc/**/collect2 rix, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 984b566cf..67e0ee74e 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/pcscd +@{exec_path} = @{sbin}/pcscd profile pcscd @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rdmsr b/apparmor.d/profiles-m-r/rdmsr index 47dd9beab..81f43b3e6 100644 --- a/apparmor.d/profiles-m-r/rdmsr +++ b/apparmor.d/profiles-m-r/rdmsr @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rdmsr +@{exec_path} = @{sbin}/rdmsr profile rdmsr @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 7b28a1d22..38d482326 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/resize2fs +@{exec_path} = @{sbin}/resize2fs profile resize2fs @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index c050ce970..a83c867fa 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/resolvconf +@{exec_path} = @{sbin}/resolvconf profile resolvconf @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill index c80211b09..c65298b27 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/profiles-m-r/rfkill @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rfkill +@{exec_path} = @{sbin}/rfkill profile rfkill @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 1dc744ff3..599fac88f 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -12,7 +12,7 @@ include # following: # watch -n 1 'dmesg | tail -5' -@{exec_path} = @{bin}/rsyslogd +@{exec_path} = @{sbin}/rsyslogd profile rsyslogd @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/rtkitctl b/apparmor.d/profiles-m-r/rtkitctl index 9417c93b1..733573d6b 100644 --- a/apparmor.d/profiles-m-r/rtkitctl +++ b/apparmor.d/profiles-m-r/rtkitctl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rtkitctl +@{exec_path} = @{sbin}/rtkitctl profile rtkitctl @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index fc46c2967..f6d40b0c5 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -25,7 +25,7 @@ profile run-parts @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/anacron rix, + @{sbin}/anacron rix, @{bin}/cat rix, @{bin}/date rix, @{bin}/nice rix, @@ -229,12 +229,12 @@ profile run-parts @{exec_path} { @{bin}/which{,.debianutils} rix, @{bin}/apt-config rPx, - @{bin}/dkms rPx, + @{sbin}/dkms rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, @{bin}/update-alternatives rPx, - @{bin}/update-grub rPUx, - @{bin}/update-initramfs rPx, + @{sbin}/update-grub rPUx, + @{sbin}/update-initramfs rPx, @{lib}/dkms/dkms_autoinstaller rPx, @{lib}/modules/*/updates/ w, diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 9931c07fb..4bd569955 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/runuser +@{exec_path} = @{sbin}/runuser profile runuser @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index e3eca4e22..96dc17042 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sensors-detect +@{exec_path} = @{sbin}/sensors-detect profile sensors-detect @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb index 6c9a3fe62..7fdfddcbb 100644 --- a/apparmor.d/profiles-s-z/setvtrgb +++ b/apparmor.d/profiles-s-z/setvtrgb @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/setvtrgb +@{exec_path} = @{sbin}/setvtrgb profile setvtrgb @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 0009d52cb..05ab2273f 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sfdisk +@{exec_path} = @{sbin}/sfdisk profile sfdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk index ecc6abcdb..4e68816d7 100644 --- a/apparmor.d/profiles-s-z/sgdisk +++ b/apparmor.d/profiles-s-z/sgdisk @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/sgdisk +@{exec_path} = @{sbin}/sgdisk profile sgdisk @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl index 4af40c8ab..d025d160b 100644 --- a/apparmor.d/profiles-s-z/smartctl +++ b/apparmor.d/profiles-s-z/smartctl @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/smartctl +@{exec_path} = @{sbin}/smartctl profile smartctl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd index d0f9c28fd..60a77a782 100644 --- a/apparmor.d/profiles-s-z/smartd +++ b/apparmor.d/profiles-s-z/smartd @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/smartd +@{exec_path} = @{sbin}/smartd profile smartd @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index e70a5c499..5277dcc1e 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker @@ -46,7 +46,7 @@ profile spectre-meltdown-checker @{exec_path} { @{bin}/gzip rix, @{bin}/head rix, @{bin}/id rix, - @{bin}/iucode_tool rix, + @{sbin}/iucode_tool rix, @{bin}/kmod rCx -> kmod, @{bin}/lzop rix, @{bin}/mktemp rix, @@ -55,7 +55,7 @@ profile spectre-meltdown-checker @{exec_path} { @{bin}/od rix, @{bin}/perl rix, @{bin}/pgrep rCx -> pgrep, - @{bin}/rdmsr rix, + @{sbin}/rdmsr rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index bebfbe419..95013d8e0 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/spice-vdagentd +@{exec_path} = @{sbin}/spice-vdagentd profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 6ff0fe7e9..8b66b652f 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -23,7 +23,7 @@ profile syncthing @{exec_path} { @{exec_path} mrix, @{open_path} rPx -> child-open, - @{bin}/ip rix, + @{sbin}/ip rix, /usr/share/mime/{,**} r, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index fe30e6da8..101310df1 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/thermald +@{exec_path} = @{sbin}/thermald profile thermald @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index ff447e81e..52fe2af61 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -30,13 +30,13 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{bin}/ethtool rix, + @{sbin}/ethtool rix, @{bin}/flock rix, @{bin}/grep rix, - @{bin}/hdparm rPx, + @{sbin}/hdparm rPx, @{bin}/head rix, @{bin}/id rPx, - @{bin}/iw rPx, + @{sbin}/iw rPx, @{bin}/logger rix, @{bin}/mktemp rix, @{bin}/readlink rix, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 0b35cff02..a9db94276 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -48,7 +48,7 @@ profile tomb @{exec_path} { @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, - @{bin}/losetup rix, + @{sbin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, @@ -67,22 +67,22 @@ profile tomb @{exec_path} { @{bin}/zsh rix, @{bin}/btrfs rPx, - @{bin}/cryptsetup rPUx, + @{sbin}/cryptsetup rPUx, @{bin}/e2fsc rPUx, - @{bin}/fsck rPx, + @{sbin}/fsck rPx, @{bin}/gpg{,2} rPx, @{bin}/lsblk rPx, - @{bin}/mkfs.* rPUx, + @{sbin}/mkfs.* rPUx, @{bin}/mount rPx, @{bin}/pinentry rPx, @{bin}/pinentry-* rPx, @{bin}/qrencode rPx, - @{bin}/resize2fs rPx, + @{sbin}/resize2fs rPx, @{bin}/tomb-kdb-pbkdf2 rPUx, - @{bin}/tune2fs rPx, + @{sbin}/tune2fs rPx, @{bin}/umount rCx -> umount, @{bin}/updatedb.mlocate rPx, - @{bin}/zramctl rPx, + @{sbin}/zramctl rPx, /usr/share/file/** r, /usr/share/terminfo/** r, diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index c7c914387..ad258189c 100644 --- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -19,7 +19,7 @@ profile torsocks @{exec_path} { @{sh_path} rix, @{bin}/* rPUx, @{lib}/uwt/uwtexec rPUx, - @{bin}/getcap rix, + @{sbin}/getcap rix, /etc/tor/torsocks.conf r, diff --git a/apparmor.d/profiles-s-z/udev-bcache-export-cached b/apparmor.d/profiles-s-z/udev-bcache-export-cached index 51746625e..e42b10c26 100644 --- a/apparmor.d/profiles-s-z/udev-bcache-export-cached +++ b/apparmor.d/profiles-s-z/udev-bcache-export-cached @@ -15,7 +15,7 @@ profile udev-bcache-export-cached @{exec_path} { @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/bcache-super-show rix, + @{sbin}/bcache-super-show rix, include if exists } diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 85b99b8ab..4b7d35c32 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/unix_chkpwd +@{exec_path} = @{sbin}/unix_chkpwd profile unix-chkpwd @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index b496777e9..4bc88faae 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-ca-certificates +@{exec_path} = @{sbin}/update-ca-certificates profile update-ca-certificates @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index 9bef23a77..b7f00b263 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/update-cracklib +@{exec_path} = @{sbin}/update-cracklib profile update-cracklib @{exec_path} { include include @@ -16,8 +16,8 @@ profile update-cracklib @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cracklib-format rix, - @{bin}/cracklib-packer rPx, + @{sbin}/cracklib-format rix, + @{sbin}/cracklib-packer rPx, @{bin}/env rix, @{bin}/file rix, @{bin}/find rix, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 6948f2812..51961efb3 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-initramfs +@{exec_path} = @{sbin}/update-initramfs profile update-initramfs @{exec_path} { include include @@ -32,7 +32,7 @@ profile update-initramfs @{exec_path} { @{bin}/dpkg-trigger rPx, @{bin}/linux-version rPx, - @{bin}/mkinitramfs rPx, + @{sbin}/mkinitramfs rPx, /var/lib/initramfs-tools/* w, diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index d2e36ead0..a40afd994 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-pciids +@{exec_path} = @{sbin}/update-pciids profile update-pciids @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index e5ffca44f..232c92d0c 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-secureboot-policy +@{exec_path} = @{sbin}/update-secureboot-policy profile update-secureboot-policy @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 2ce61cebf..70b9bc6e2 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb +++ b/apparmor.d/profiles-s-z/update-smart-drivedb @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-smart-drivedb +@{exec_path} = @{sbin}/update-smart-drivedb profile update-smart-drivedb @{exec_path} { include include @@ -28,7 +28,7 @@ profile update-smart-drivedb @{exec_path} { @{bin}/cmp rix, @{bin}/ r, - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/wget rCx -> browse, diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index 7a951b7e7..a9c77b5c2 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -19,7 +19,7 @@ profile updatedb-mlocate @{exec_path} { @{exec_path} mr, - @{bin}/on_ac_power rPx, + @{sbin}/on_ac_power rPx, # For shell pwd / r, diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt index 6612846cd..1e5417b15 100644 --- a/apparmor.d/profiles-s-z/veracrypt +++ b/apparmor.d/profiles-s-z/veracrypt @@ -29,11 +29,11 @@ profile veracrypt @{exec_path} { @{sh_path} rix, @{open_path} rPx -> child-open-help, - @{bin}/dmsetup rPx, + @{sbin}/dmsetup rPx, @{bin}/grep rix, @{bin}/kmod rix, - @{bin}/ldconfig rix, - @{bin}/losetup rCx -> losetup, + @{sbin}/ldconfig rix, + @{sbin}/losetup rCx -> losetup, @{bin}/mount rPx, @{bin}/sudo rix, @{bin}/umount rCx -> umount, @@ -85,7 +85,7 @@ profile veracrypt @{exec_path} { capability sys_rawio, - @{bin}/losetup mr, + @{sbin}/losetup mr, include if exists } diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 1460fb1a7..7cf741dc2 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -28,7 +28,7 @@ profile vidcutter @{exec_path} { @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/ffmpeg rPx, @{bin}/ffprobe rPx, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 614084c71..7c0443dae 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -39,7 +39,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{bin}/getfacl rix, @{bin}/setfacl rix, - @{bin}/libvirtd rPx, + @{sbin}/libvirtd rPx, @{bin}/ssh rPx, @{lib}/spice-client-glib-usb-acl-helper rPx, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index e23d4db43..d0fc54b7c 100755 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -33,7 +33,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/xdg-user-dir rix, @{open_path} rpx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 88c44287d..67b3cf503 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -38,7 +38,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/xdg-user-dir rix, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd index cc4ae2959..41541ea84 100644 --- a/apparmor.d/profiles-s-z/whdd +++ b/apparmor.d/profiles-s-z/whdd @@ -25,7 +25,7 @@ profile whdd @{exec_path} { @{bin}/tr rix, # To read SMART attributes - @{bin}/smartctl rPx, + @{sbin}/smartctl rPx, owner @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index 136caa781..b2cfe0091 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wpa_action +@{exec_path} = @{sbin}/wpa_action profile wpa-action @{exec_path} { include @@ -17,14 +17,14 @@ profile wpa-action @{exec_path} { @{exec_path} mr, - @{bin}/wpa_cli rPx, + @{sbin}/wpa_cli rPx, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/cat rix, @{bin}/date rix, @{bin}/ifup rix, - @{bin}/ip rix, + @{sbin}/ip rix, @{bin}/ln rix, @{bin}/logger rix, @{bin}/rm rix, diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index 11da65179..eb4efeee9 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli @@ -7,13 +7,13 @@ abi , include -@{exec_path} = @{bin}/wpa_cli +@{exec_path} = @{sbin}/wpa_cli profile wpa-cli @{exec_path} { include @{exec_path} mr, - @{bin}/wpa_action rPx, + @{sbin}/wpa_action rPx, /etc/inputrc r, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index 23f77f840..24f87b5a7 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wpa_supplicant +@{exec_path} = @{sbin}/wpa_supplicant profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/wrmsr b/apparmor.d/profiles-s-z/wrmsr index 7de522fc8..6ef05cc0f 100644 --- a/apparmor.d/profiles-s-z/wrmsr +++ b/apparmor.d/profiles-s-z/wrmsr @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/wrmsr +@{exec_path} = @{sbin}/wrmsr profile wrmsr @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index d618a0db1..381e878fa 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -38,7 +38,7 @@ profile youtube-dl @{exec_path} { @{bin}/ r, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/git rix, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/rtmpdump rix, @{bin}/uname rix, @{lib}/git{,-core}/git rix, diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 12fd657c3..a76bf0d89 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl @@ -27,7 +27,7 @@ profile ytdl @{exec_path} { @{python_path} r, @{bin}/ r, - @{bin}/ldconfig rix, + @{sbin}/ldconfig rix, @{bin}/uname rix, /etc/mime.types r, diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index 8ac23a07c..42181500b 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -20,7 +20,7 @@ profile zsysd @{exec_path} flags=(complain) { /{usr/,}{local/,}{s,}bin/zfs rPx, /{usr/,}{local/,}{s,}bin/zpool rPx, # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1 - @{bin}/update-grub rPx, + @{sbin}/update-grub rPx, /etc/hostid r, /etc/zsys.conf r, From 8ae1118de61b750ae39ceebb40dc420931c07f9d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 21:48:53 +0200 Subject: [PATCH 039/798] tests(check): ensure bin is not used instead of sbin. --- tests/check.sh | 11 + tests/sbin.list | 738 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 749 insertions(+) create mode 100644 tests/sbin.list diff --git a/tests/check.sh b/tests/check.sh index 3ddda9827..e35fd8b39 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -106,6 +106,16 @@ _ensure_vim() { fi } +check_sbin() { + echo -e "\033[1m â‹… \033[0mEnsuring '@{sbin}' is used in all profiles:" + while IFS= read -r name; do + mapfile -t files < <(grep -l -R "@{bin}/$name" apparmor.d) + for file in "${files[@]}"; do + _die "$file contains '@{bin}/$name' instead of '@{sbin}/$name'" + done + done Date: Mon, 28 Apr 2025 21:57:26 +0200 Subject: [PATCH 040/798] feat(tunable): configure sbin across distributions. --- apparmor.d/tunables/multiarch.d/system | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 11fc6c2a8..6f7995c05 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -14,8 +14,9 @@ @{MOUNTS}=@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/ # Common places for binaries and libraries across distributions -@{bin}=/{,usr/}{,s}bin -@{sbin}=/{,usr/}sbin +@{bin}=/{,usr/}bin +@{sbin}=/{,usr/}sbin #aa:only apt zypper +@{sbin}=/{,usr/}{,s}bin #aa:only pacman @{lib}=/{,usr/}lib{,exec,32,64} # Common places for temporary files From af070877f2e096dcb267b8b83ccf9551e9d1bea7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 22:09:28 +0200 Subject: [PATCH 041/798] tests: update unit tests to last changes. --- pkg/aa/apparmor_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 9d68596d3..71be0ba0a 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -211,7 +211,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { &Include{IsMagic: true, Path: "tunables/global"}, &Variable{ Name: "exec_path", Define: true, - Values: []string{"@{bin}/aa-status", "@{bin}/apparmor_status"}, + Values: []string{"@{sbin}/aa-status", "@{sbin}/apparmor_status"}, }, }, Profiles: []*Profile{{ From aeb3614a076f0a666c0d85673110c07f813a41bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 22:34:17 +0200 Subject: [PATCH 042/798] tests: add some program to the list of tracked files in sbin. --- tests/sbin.list | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/tests/sbin.list b/tests/sbin.list index 3bc1941d1..91057a403 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -40,6 +40,7 @@ arptables-nft-save arptables-restore arptables-save aspell-autobuildhash +atd audisp-af_unix audisp-filter audisp-syslog @@ -48,6 +49,7 @@ auditd augenrules aureport ausearch +autrace avahi-daemon badblocks bashreadline-bpfcc @@ -76,6 +78,7 @@ bluetoothd bpflist-bpfcc bpftool bridge +brltty brltty-setup btrfsdist-bpfcc btrfsslower-bpfcc @@ -239,10 +242,12 @@ gnome-menus-blacklist gparted groupadd groupdel +groupmems groupmod grpck grpconv grpunconv +grub-bios-setup grub-install grub-macbless grub-mkconfig @@ -252,6 +257,7 @@ grub-reboot grub-set-default halt hardirqs-bpfcc +hc-ifscan hdparm hwclock iconvconfig @@ -298,11 +304,22 @@ iptables-translate iptunnel isadump isaset +iscsi_discovery +iscsi-iname +iscsiadm +iscsid +iscsistart isosize ispell-autobuildhash iucode_tool iucode-tool iw +iwconfig +iwevent +iwgetid +iwlist +iwpriv +iwspy javacalls-bpfcc javaflow-bpfcc javagc-bpfcc @@ -311,6 +328,7 @@ javastat-bpfcc javathreads-bpfcc kbdrate kdump-config +kerneloops kexec kexec-load-kernel key.dns_resolver @@ -359,6 +377,8 @@ lvrename lvresize lvs lvscan +lxc +lxd make-bcache make-ssl-cert mdadm @@ -403,6 +423,10 @@ mount.ntfs mount.ntfs-3g mount.smb3 mountsnoop-bpfcc +mpathpersist +multipath +multipathc +multipathd mysqld_qslower-bpfcc nameif naptime.bt @@ -431,6 +455,7 @@ oomkill.bt opensnoop-bpfcc opensnoop.bt openvpn +overlayroot-chroot ownership pam_extrausers_chkpwd pam_extrausers_update @@ -482,6 +507,7 @@ pythoncalls-bpfcc pythonflow-bpfcc pythongc-bpfcc pythonstat-bpfcc +qemu-ga rarp rdmaucma-bpfcc rdmsr @@ -548,6 +574,7 @@ sshd ssllatency.bt sslsniff-bpfcc sslsnoop.bt +sssd stackcount-bpfcc start-stop-daemon statsnoop-bpfcc @@ -607,6 +634,7 @@ thin_trim threadsnoop-bpfcc threadsnoop.bt tipc +tlp tplist-bpfcc trace-bpfcc traceroute @@ -617,6 +645,7 @@ tunefs.reiserfs u-d-c-print-pci-ids ucalls uflow +ufw ugc umount.udisks2 undump.bt @@ -635,6 +664,7 @@ update-fonts-alias update-fonts-dir update-fonts-scale update-grub +update-grub-gfxpayload update-grub2 update-gsfontmap update-icon-caches @@ -652,6 +682,7 @@ update-secureboot-policy update-shells update-smart-drivedb update-xmlcatalog +upgrade-from-grub-legacy usb_modeswitch usb_modeswitch_dispatcher usbmuxd From 7b55b351effc7e9aca311c0fab06457278a0599b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 22:41:40 +0200 Subject: [PATCH 043/798] feat(profile): replace @{bin} by @{sbin} on additional profiles. --- apparmor.d/groups/firewall/ufw | 2 +- apparmor.d/groups/grub/grub-bios-setup | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/systemd/systemd-sleep-tlp | 2 +- apparmor.d/groups/systemd/systemd-udevd | 3 ++- apparmor.d/profiles-a-f/atd | 2 +- apparmor.d/profiles-a-f/blkdeactivate | 2 +- apparmor.d/profiles-g-l/kerneloops | 2 +- apparmor.d/profiles-m-r/multipath | 2 +- apparmor.d/profiles-m-r/multipathd | 2 +- apparmor.d/profiles-m-r/os-prober | 2 +- apparmor.d/profiles-m-r/qemu-ga | 2 +- apparmor.d/profiles-s-z/tlp | 2 +- 13 files changed, 14 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index 09f4f06f2..b7f133641 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/ufw +@{exec_path} = @{sbin}/ufw profile ufw @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup index b0d606701..9ccd02275 100644 --- a/apparmor.d/groups/grub/grub-bios-setup +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/grub-bios-setup +@{exec_path} = @{sbin}/grub-bios-setup profile grub-bios-setup @{exec_path} { include include diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index ada70feec..2d80b673a 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -75,7 +75,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, @{bin}/install-info rPx, - @{bin}/iscsi-iname rix, + @{sbin}/iscsi-iname rix, @{bin}/journalctl rPx, @{bin}/killall rix, @{sbin}/ldconfig rix, diff --git a/apparmor.d/groups/systemd/systemd-sleep-tlp b/apparmor.d/groups/systemd/systemd-sleep-tlp index 60a28d4af..fc9a51067 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-tlp +++ b/apparmor.d/groups/systemd/systemd-sleep-tlp @@ -13,7 +13,7 @@ profile systemd-sleep-tlp @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/tlp rPUx, + @{sbin}/tlp rPUx, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 03bfd6000..1a9d51b35 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -46,12 +46,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{sbin}/dmsetup rPx, @{sbin}/ethtool rix, @{bin}/issue-generator rPx, + @{sbin}/kdump-config rPUx, @{bin}/kmod rPx, @{bin}/logger rix, @{bin}/ls rix, @{sbin}/lvm rPx, @{bin}/mknod rix, - @{bin}/multipath rPx, + @{sbin}/multipath rPx, @{bin}/nfsrahead rix, @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, @{bin}/setfacl rix, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index 3a0669c76..8d94da3db 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/atd +@{exec_path} = @{sbin}/atd profile atd @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index f864a605b..d56782267 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -20,7 +20,7 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{bin}/touch rix, @{bin}/lsblk rPx, @{sbin}/lvm rPx, - @{bin}/multipathd rPx, + @{sbin}/multipathd rPx, @{bin}/sort rix, @{bin}/umount rPx, diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops index 815fa4e38..70c8b9460 100644 --- a/apparmor.d/profiles-g-l/kerneloops +++ b/apparmor.d/profiles-g-l/kerneloops @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/kerneloops +@{exec_path} = @{sbin}/kerneloops profile kerneloops @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath index 409834fbc..588f4b6b1 100644 --- a/apparmor.d/profiles-m-r/multipath +++ b/apparmor.d/profiles-m-r/multipath @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/multipath +@{exec_path} = @{sbin}/multipath profile multipath @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index 14bb16caf..a07691a5c 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/multipathd +@{exec_path} = @{sbin}/multipathd profile multipathd @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 263fab8bb..fc071d80f 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -43,7 +43,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mount rix, - @{bin}/multipath rPx, + @{sbin}/multipath rPx, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 461d27c61..c6e6ca54e 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/qemu-ga +@{exec_path} = @{sbin}/qemu-ga profile qemu-ga @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 52fe2af61..c01edd9ec 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/tlp +@{exec_path} = @{sbin}/tlp profile tlp @{exec_path} flags=(attach_disconnected) { include include From 1c499183f2f2b19dda44f69d08dd2b3bd56384c8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 22:43:33 +0200 Subject: [PATCH 044/798] feat(aa-log): add support for the sbin variable. --- pkg/logs/logs.go | 3 ++- pkg/logs/logs_test.go | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 194e6dc03..2443eaace 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -67,7 +67,8 @@ var ( `/att/[^/@]+`, `@{att}/`, `/usr/lib(32|64|exec)`, `@{lib}`, `/usr/lib`, `@{lib}`, - `/usr/(bin|sbin)`, `@{bin}`, + `/usr/sbin`, `@{sbin}`, + `/usr/bin`, `@{bin}`, `(x86_64|amd64|i386|i686)`, `@{arch}`, `@{arch}-*linux-gnu[^/]?`, `@{multiarch}`, `/usr/etc/`, `@{etc_ro}/`, diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index 6ddd5ac9e..376b23f42 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -81,7 +81,7 @@ func TestAppArmorEvents(t *testing.T) { want: AppArmorLogs{ { "apparmor": "ALLOWED", - "profile": "@{bin}/httpd2-prefork//vhost_foo", + "profile": "@{sbin}/httpd2-prefork//vhost_foo", "operation": "rename_dest", "name": "@{HOME}/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg", "comm": "httpd2-prefork", From 4f4a8fa8e7ff457c27496885dc086549484cebc9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 28 Apr 2025 23:04:17 +0200 Subject: [PATCH 045/798] test(check): ensurre we only match the sbin name. --- tests/check.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/check.sh b/tests/check.sh index e35fd8b39..02ae71812 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -109,7 +109,7 @@ _ensure_vim() { check_sbin() { echo -e "\033[1m â‹… \033[0mEnsuring '@{sbin}' is used in all profiles:" while IFS= read -r name; do - mapfile -t files < <(grep -l -R "@{bin}/$name" apparmor.d) + mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d) for file in "${files[@]}"; do _die "$file contains '@{bin}/$name' instead of '@{sbin}/$name'" done From 018ca1b0b596b1469418a9d3e0916ddff52de149 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 29 Apr 2025 00:14:01 +0200 Subject: [PATCH 046/798] feat(abs): ensure app root launcher can start program in sbin. --- apparmor.d/abstractions/app-launcher-root | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 5d2f74363..0bc7dbeff 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -6,6 +6,7 @@ abi , @{bin}/** PUx, + @{sbin}/** PUx, /usr/local/{s,}bin/** PUx, @{bin}/ r, From b9eaa840bd3aed84c94399d14556e6e6aa955fd2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 29 Apr 2025 00:31:08 +0200 Subject: [PATCH 047/798] fix: integration tests. --- .github/local/needrestart | 1 + apparmor.d/groups/apt/deb-systemd-helper | 6 +++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/local/needrestart b/.github/local/needrestart index 33b23e014..3825baf61 100644 --- a/.github/local/needrestart +++ b/.github/local/needrestart @@ -1,2 +1,3 @@ + @{bin}/waagent r, /var/lib/waagent/** r, diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper index 28de2a8a0..a81ef6d7c 100644 --- a/apparmor.d/groups/apt/deb-systemd-helper +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -18,6 +18,7 @@ profile deb-systemd-helper @{exec_path} { /var/lib/systemd/deb-systemd-helper-enabled/** rw, /var/lib/systemd/deb-systemd-helper-masked/ rw, + /var/lib/systemd/deb-systemd-user-helper-enabled/** rw, profile systemctl { include @@ -27,8 +28,11 @@ profile deb-systemd-helper @{exec_path} { /etc/systemd/ r, /etc/systemd/system/ r, /etc/systemd/system/* rw, - /etc/systemd/system/*.wants/ r, + /etc/systemd/system/*.wants/ rw, /etc/systemd/system/*.wants/* rw, + /etc/systemd/user/ r, + /etc/systemd/user/*.wants/ rw, + /etc/systemd/user/*.wants/* rw, include if exists } From d162032af9d5f57dc381dc42681a7ff675d885c3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 30 Apr 2025 22:16:45 +0200 Subject: [PATCH 048/798] feat(profile): allow needrestart to scan more directories. --- apparmor.d/profiles-m-r/needrestart | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 2470c527f..567c744b8 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -26,7 +26,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/* r, @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, @@ -43,11 +42,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{lib}/needrestart/* rPx, /usr/share/debconf/frontend rix, - @{att}/@{lib}/@{python_name}/** r, - - /usr/share/needrestart/{,**} r, - /usr/share/unattended-upgrades/unattended-upgrade-shutdown r, - /etc/debconf.conf r, /etc/init.d/* r, /etc/needrestart/{,**} r, @@ -56,11 +50,14 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { / r, /boot/ r, - /boot/intel-ucode.img r, - /boot/vmlinuz* r, - - owner /var/lib/juju/agents/{,**} r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /boot/* r, + /opt/*/** r, + @{bin}/* r, + @{lib}/** r, + @{sbin}/** r, + @{att}/@{lib}/** r, + /usr/share/** r, + /var/lib/*/** r, /tmp/@{word10}/ rw, From 48a37bbf3431c4c79e4651229fbfad223d3f1003 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 14:36:57 +0200 Subject: [PATCH 049/798] build: configure sbin value according to the target distribution. --- pkg/aa/apparmor.go | 3 +-- pkg/prebuild/builder/userspace.go | 10 ++++++++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index f0deaffc9..6119a0c91 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -33,7 +33,7 @@ func DefaultTunables() *AppArmorProfileFile { return &AppArmorProfileFile{ Preamble: Rules{ &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true}, - &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}, + &Variable{Name: "bin", Values: []string{"/{,usr/}bin"}, Define: true}, &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true}, &Variable{Name: "dpkg_script_ext", Values: []string{"config", "templates", "preinst", "postinst", "prerm", "postrm"}, Define: true}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true}, @@ -45,7 +45,6 @@ func DefaultTunables() *AppArmorProfileFile { &Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true}, &Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters &Variable{Name: "run", Values: []string{"/run/", "/var/run/"}, Define: true}, - &Variable{Name: "sbin", Values: []string{"/{,usr/}sbin"}, Define: true}, &Variable{Name: "uid", Values: []string{"{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}"}, Define: true}, &Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true}, &Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true}, diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index 618b67c17..37bb3a978 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go @@ -40,6 +40,16 @@ func (b Userspace) Apply(opt *Option, profile string) (string, error) { } f := aa.DefaultTunables() + if prebuild.Distribution == "arch" { + f.Preamble = append(f.Preamble, &aa.Variable{ + Name: "sbin", Values: []string{"/{,usr/}{,s}bin"}, Define: true, + }) + } else { + f.Preamble = append(f.Preamble, &aa.Variable{ + Name: "sbin", Values: []string{"/{,usr/}sbin"}, Define: true, + }) + } + if _, err := f.Parse(profile); err != nil { return "", err } From 7431867fa4fa885305a0c029a07fe149d88bf760 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 14:37:31 +0200 Subject: [PATCH 050/798] ci(github): remove useless github specific rules. --- .github/local/needrestart | 3 --- .github/workflows/main.yml | 1 - 2 files changed, 4 deletions(-) delete mode 100644 .github/local/needrestart diff --git a/.github/local/needrestart b/.github/local/needrestart deleted file mode 100644 index 3825baf61..000000000 --- a/.github/local/needrestart +++ /dev/null @@ -1,3 +0,0 @@ - - @{bin}/waagent r, - /var/lib/waagent/** r, diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 15807cfe2..f04ac1381 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -101,7 +101,6 @@ jobs: sudo apt-get install -y \ apparmor-profiles apparmor-utils \ bats bats-support - sudo install -Dm0644 .github/local/needrestart /etc/apparmor.d/local/needrestart - name: Install apparmor.d run: | From dc816178f5768dd1b26deb68061ea8197c781f71 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 14:38:52 +0200 Subject: [PATCH 051/798] fix(profile): ensure adduser use sbin. --- apparmor.d/profiles-a-f/adduser | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index 135f65067..d971d22f3 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/add{user,group} +@{exec_path} = @{sbin}/adduser @{sbin}/group profile adduser @{exec_path} { include include From 3a568ba3074cc95ccdc0763a9bcd4c439a7d8677 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 15:17:03 +0200 Subject: [PATCH 052/798] feat(profile): add more programs to the list of sbin program. --- apparmor.d/groups/apparmor/aa-notify | 2 +- apparmor.d/groups/apparmor/aa-unconfined | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- .../groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/filesystem/btrfs-convert | 2 +- apparmor.d/groups/filesystem/btrfs-image | 2 +- apparmor.d/groups/filesystem/btrfstune | 2 +- apparmor.d/groups/filesystem/mount-nfs | 4 +- apparmor.d/groups/filesystem/nfsdcld | 2 +- .../freedesktop/plymouth-set-default-theme | 2 +- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/kde/systemsettings | 2 +- apparmor.d/groups/pacman/mkinitcpio | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/steam/steam | 4 +- apparmor.d/groups/systemd/systemd-udevd | 2 +- apparmor.d/groups/utils/lspci | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/atd | 2 +- apparmor.d/profiles-a-f/chronyd | 2 +- apparmor.d/profiles-a-f/crda | 2 +- apparmor.d/profiles-a-f/fatresize | 2 +- apparmor.d/profiles-g-l/gpartedbin | 6 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hw-probe | 6 +- apparmor.d/profiles-g-l/hwinfo | 4 +- apparmor.d/profiles-g-l/install-info | 2 +- apparmor.d/profiles-g-l/inxi | 2 +- apparmor.d/profiles-g-l/irqbalance | 2 +- apparmor.d/profiles-g-l/issue-generator | 2 +- apparmor.d/profiles-m-r/monitorix | 2 +- apparmor.d/profiles-m-r/os-prober | 4 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/rngd | 2 +- apparmor.d/profiles-s-z/setpci | 2 +- apparmor.d/profiles-s-z/ss | 2 +- apparmor.d/profiles-s-z/tomb | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- apparmor.d/profiles-s-z/wsdd | 2 +- tests/sbin.list | 287 ++++++++++++++++++ 44 files changed, 338 insertions(+), 51 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index c6fc2dff2..b64317a57 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-notify +@{exec_path} = @{sbin}/aa-notify profile aa-notify @{exec_path} { include include diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined index 7c53f7c8d..68729b7fe 100644 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -21,7 +21,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{bin}/netstat Px, - @{bin}/ss Px, + @{sbin}/ss Px, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 2778b2b39..3e60798e9 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -55,7 +55,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/etckeeper rPx, @{bin}/lsb_release rPx -> lsb_release, @{sbin}/on_ac_power rPx, - @{bin}/sendmail rPUx, + @{sbin}/sendmail rPUx, @{lib}/apt/methods/http{,s} rPx, @{lib}/needrestart/apt-pinvoke rPx, @{lib}/update-notifier/update-motd-updates-available rPx, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index cfdaeed3f..052180a99 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -20,7 +20,7 @@ profile xdm-xsession @{exec_path} { @{bin}/basename rix, @{bin}/cat rix, - @{bin}/checkproc rix, + @{sbin}/checkproc rix, @{bin}/dirname rix, @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, diff --git a/apparmor.d/groups/filesystem/btrfs-convert b/apparmor.d/groups/filesystem/btrfs-convert index 2dccbf1fd..22715c857 100644 --- a/apparmor.d/groups/filesystem/btrfs-convert +++ b/apparmor.d/groups/filesystem/btrfs-convert @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-convert +@{exec_path} = @{sbin}/btrfs-convert profile btrfs-convert @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/btrfs-image b/apparmor.d/groups/filesystem/btrfs-image index 6f18ac095..48be7c381 100644 --- a/apparmor.d/groups/filesystem/btrfs-image +++ b/apparmor.d/groups/filesystem/btrfs-image @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-image +@{exec_path} = @{sbin}/btrfs-image profile btrfs-image @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/btrfstune b/apparmor.d/groups/filesystem/btrfstune index f8fa4a047..24a8ef46e 100644 --- a/apparmor.d/groups/filesystem/btrfstune +++ b/apparmor.d/groups/filesystem/btrfstune @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfstune +@{exec_path} = @{sbin}/btrfstune profile btrfstune @{exec_path} { include include diff --git a/apparmor.d/groups/filesystem/mount-nfs b/apparmor.d/groups/filesystem/mount-nfs index 26f3e2d57..f670b62d7 100644 --- a/apparmor.d/groups/filesystem/mount-nfs +++ b/apparmor.d/groups/filesystem/mount-nfs @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/mount.nfs +@{exec_path} = @{sbin}/mount.nfs profile mount-nfs @{exec_path} flags=(complain) { include include @@ -42,7 +42,7 @@ profile mount-nfs @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/flock rix, - @{bin}/start-statd rix, + @{sbin}/start-statd rix, @{bin}/systemctl rCx -> systemctl, /etc/fstab r, diff --git a/apparmor.d/groups/filesystem/nfsdcld b/apparmor.d/groups/filesystem/nfsdcld index be122a3cb..23ecc576e 100644 --- a/apparmor.d/groups/filesystem/nfsdcld +++ b/apparmor.d/groups/filesystem/nfsdcld @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/nfsdcld +@{exec_path} = @{sbin}/nfsdcld profile nfsdcld @{exec_path} { include diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index bd5a34dcd..b9b2cfd45 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/plymouth-set-default-theme +@{exec_path} = @{sbin}/plymouth-set-default-theme profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 3f5cf6109..e8a0315bd 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -37,7 +37,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/locale rix, @{bin}/lscpu rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 06fdf1601..3274a5e6d 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -19,7 +19,7 @@ profile grub-install @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/efibootmgr rix, + @{sbin}/efibootmgr rix, @{bin}/kmod rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/udevadm rPx, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 0ca05d549..8034d7e54 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -21,7 +21,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/{e,f,}grep rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, - @{bin}/btrfs rPx, + @{sbin}/btrfs rPx, @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cut rix, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 6c29d9680..25eccc93d 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -19,7 +19,7 @@ profile gvfsd-wsdd @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{bin}/wsdd rPx, + @{sbin}/wsdd rPx, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 4d883303f..b4111d6d0 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -76,7 +76,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{shells_path} rix, @{bin}/cat rix, - @{bin}/checkproc rix, + @{sbin}/checkproc rix, @{bin}/disable-paste rix, @{bin}/locale rix, @{bin}/manpath rix, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index e68d248b6..0d7156502 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -29,7 +29,7 @@ profile systemsettings @{exec_path} { @{bin}/cat rix, @{bin}/eglinfo rPUx, @{bin}/kcminit rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/openssl rix, @{bin}/pactl rPx, @{bin}/plasma-discover rPx, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index fdd9618fc..785f4f448 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -47,7 +47,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/{modinfo,rmmod} rPx, @{sbin}/modprobe rPx, @{bin}/plymouth rPx, - @{bin}/plymouth-set-default-theme rPx, + @{sbin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, @{bin}/sync rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 2d80b673a..8d7345fda 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -74,7 +74,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gtk{,4}-update-icon-cache rPx, @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, - @{bin}/install-info rPx, + @{sbin}/install-info rPx, @{sbin}/iscsi-iname rix, @{bin}/journalctl rPx, @{bin}/killall rix, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 73c78f2ed..11e863972 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -71,7 +71,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, - @{bin}/lspci rCx -> lspci, + @{sbin}/lspci rCx -> lspci, @{bin}/tar rix, @{bin}/which{,.debianutils} rix, @{bin}/xdg-icon-resource rPx, @@ -408,7 +408,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix receive type=stream, - @{bin}/lspci mr, + @{sbin}/lspci mr, owner @{HOME}/.steam/steam.pipe r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 1a9d51b35..3861056b8 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -45,7 +45,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{bin}/ddcutil rPx, @{sbin}/dmsetup rPx, @{sbin}/ethtool rix, - @{bin}/issue-generator rPx, + @{sbin}/issue-generator rPx, @{sbin}/kdump-config rPUx, @{bin}/kmod rPx, @{bin}/logger rix, diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index b390346bb..7fc88e41a 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/lspci +@{exec_path} = @{sbin}/lspci profile lspci @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 6999f5baf..c4741b09a 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index 8d94da3db..aa0a365fd 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -27,7 +27,7 @@ profile atd @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/sendmail rPUx, + @{sbin}/sendmail rPUx, @{bin}/exim4 rPx, @{etc_ro}/environment r, diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index 155d82f07..e4a986c8a 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -8,7 +8,7 @@ abi , include -@{exec_path} = @{bin}/chronyd +@{exec_path} = @{sbin}/chronyd profile chronyd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/crda b/apparmor.d/profiles-a-f/crda index 50d34bad4..d3b6cba6f 100644 --- a/apparmor.d/profiles-a-f/crda +++ b/apparmor.d/profiles-a-f/crda @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/crda +@{exec_path} = @{sbin}/crda profile crda @{exec_path} { include diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index 8db6bde6f..6f4c86647 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/fatresize +@{exec_path} = @{sbin}/fatresize profile fatresize @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 29bac6a2f..235d0cadc 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -39,9 +39,9 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { @{bin}/udevadm rCx -> udevadm, @{bin}/umount rCx -> umount, - @{bin}/btrfs rPx, - @{bin}/btrfstune rPx, - @{bin}/dmraid rPUx, + @{sbin}/btrfs rPx, + @{sbin}/btrfstune rPx, + @{sbin}/dmraid rPUx, @{sbin}/dmsetup rPUx, @{sbin}/dumpe2fs rPx, @{sbin}/e2fsck rPx, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 97fad1f13..459efa23e 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -53,7 +53,7 @@ profile hardinfo @{exec_path} { @{bin}/glxinfo rPx, @{bin}/xdpyinfo rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/netstat rPx, @{bin}/qtchooser rPx, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 2a1244ef7..fc6b8775b 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -24,7 +24,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/dd rix, - @{bin}/efibootmgr rix, + @{sbin}/efibootmgr rix, @{bin}/efivar rix, @{bin}/find rix, @{bin}/md5sum rix, @@ -53,7 +53,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, @{sbin}/hdparm rPx, - @{bin}/hwinfo rPx, + @{sbin}/hwinfo rPx, @{bin}/i2cdetect rPx, @{sbin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, @@ -65,7 +65,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 21165acec..4919d2fb2 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/hwinfo +@{exec_path} = @{sbin}/hwinfo profile hwinfo @{exec_path} { include include @@ -29,7 +29,7 @@ profile hwinfo @{exec_path} { @{bin}/udevadm rCx -> udevadm, @{sbin}/acpidump rPUx, - @{bin}/dmraid rPUx, + @{sbin}/dmraid rPUx, /usr/share/hwinfo/{,**} r, diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index f155339b1..e7fdfd95a 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/install-info +@{exec_path} = @{sbin}/install-info profile install-info @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 38b2a17a2..01d358fbf 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -51,7 +51,7 @@ profile inxi @{exec_path} { @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, - @{bin}/lspci rPx, + @{sbin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/openbox rPx, @{bin}/ps rPx, diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance index fec2d7c93..022dc92d5 100644 --- a/apparmor.d/profiles-g-l/irqbalance +++ b/apparmor.d/profiles-g-l/irqbalance @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/irqbalance +@{exec_path} = @{sbin}/irqbalance profile irqbalance @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 8f2d53f76..7783c8005 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/issue-generator +@{exec_path} = @{sbin}/issue-generator profile issue-generator @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index cf77b7ab8..b640d90fd 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -41,7 +41,7 @@ profile monitorix @{exec_path} { @{bin}/tail rix, @{bin}/{m,g,}awk rix, @{bin}/free rix, - @{bin}/ss rix, + @{sbin}/ss rix, @{bin}/who rix, @{sbin}/lvm rix, @{sbin}/xtables-nft-multi rix, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index fc071d80f..162c0b743 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -27,10 +27,10 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{e,f,}grep rix, @{sbin}/blkid rPx, - @{bin}/btrfs rPx, + @{sbin}/btrfs rPx, @{bin}/cat rix, @{bin}/cut rix, - @{bin}/dmraid rPUx, + @{sbin}/dmraid rPUx, @{bin}/find rix, @{bin}/grub-mount rPx, @{sbin}/grub-probe rPx, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index c3df0072d..ca93ade6b 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -63,7 +63,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg rPx -> child-dpkg, #aa:only apt @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, - @{bin}/install-info rPx, + @{sbin}/install-info rPx, @{bin}/rpm rPUx, #aa:only opensuse @{bin}/rpmdb2solv rPUx, #aa:only opensuse @{bin}/systemd-inhibit rPx, diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 8ae73c5d0..ebbf0a5ab 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/rngd +@{exec_path} = @{sbin}/rngd profile rngd @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index 019e89e23..b45dd3986 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/setpci +@{exec_path} = @{sbin}/setpci profile setpci @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index a942cac4f..2ce6b6b4d 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/ss +@{exec_path} = @{sbin}/ss profile ss @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index a9db94276..508ac6eff 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -66,7 +66,7 @@ profile tomb @{exec_path} { @{bin}/tr rix, @{bin}/zsh rix, - @{bin}/btrfs rPx, + @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, @{bin}/e2fsc rPUx, @{sbin}/fsck rPx, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 8f08b74fa..68ddb97a5 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-alternatives +@{exec_path} = @{sbin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 20575b2a8..7aa812f79 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/wsdd +@{exec_path} = @{sbin}/wsdd profile wsdd @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 91057a403..869729543 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -9,22 +9,29 @@ aa-genprof aa-load aa-logprof aa-mergeprof +aa-notify aa-remove-unknown aa-status aa-teardown aa-unconfined aa-update-browser accessdb +acpi_genl acpid +acpidump add-shell addgnupghome addgroup +addpart adduser agetty alsa alsa-info +alsa-info.sh +alsa-init alsabat-test alsactl +alternatives anacron apparmor_parser apparmor_status @@ -44,13 +51,17 @@ atd audisp-af_unix audisp-filter audisp-syslog +audit auditctl auditd augenrules aureport ausearch +autodep +automount autrace avahi-daemon +avahi-dnsconfd badblocks bashreadline-bpfcc bashreadline.bt @@ -71,17 +82,26 @@ bitesize.bt blkdeactivate blkdiscard blkid +blkmapd blkpr blkzone blockdev +blogctl +blogd +blogger bluetoothd bpflist-bpfcc bpftool bridge brltty brltty-setup +btrfs +btrfs-convert +btrfs-image +btrfsck btrfsdist-bpfcc btrfsslower-bpfcc +btrfstune cache_check cache_dump cache_metadata_size @@ -97,16 +117,22 @@ cfdisk cgdisk chat chcpu +check_mail_queue check-bios-nx +checkproc chgpasswd +chkstat-polkit chmem chpasswd +chronyd chroot cifs.idmap cifs.upcall cobjnew-bpfcc coldreboot compactsnoop-bpfcc +complain +config.postfix cpgr cppw cpudist-bpfcc @@ -116,6 +142,8 @@ cracklib-check cracklib-format cracklib-packer cracklib-unpacker +cracklib-update +crda create-cracklib-dict criticalstat-bpfcc cron @@ -123,7 +151,10 @@ cryptdisks_start cryptdisks_stop cryptsetup ctrlaltdel +ctstat cups-browsed +cups-genppd.5.3 +cups-genppdupdate cupsaccept cupsctl cupsd @@ -137,20 +168,27 @@ dcb dcsnoop-bpfcc dcsnoop.bt dcstat-bpfcc +ddns-confgen deadlock-bpfcc debugfs debugfs.reiserfs debugreiserfs +decode defrag.f2fs delgroup +delpart deluser depmod devlink dhcpcd dirtop-bpfcc +disable dkms +dmevent_tool dmeventd +dmfilemapd dmidecode +dmraid dmsetup dmstats dnsmasq @@ -172,6 +210,7 @@ e2scrub_all e2undo e4crypt e4defrag +eapol_test ebtables ebtables-nft ebtables-nft-restore @@ -179,11 +218,17 @@ ebtables-nft-save ebtables-restore ebtables-save ebtables-translate +ec_access +efibootdump +efibootmgr +enforce era_check era_dump era_invalidate era_restore ethtool +eventlogadm +exec execsnoop-bpfcc execsnoop.bt exfat2img @@ -196,7 +241,11 @@ f2fscrypt f2fslabel f2fsslower-bpfcc faillock +fancontrol fatlabel +fatresize +fbtest +fdformat fdisk fibmap.f2fs filefrag @@ -207,6 +256,8 @@ filetop-bpfcc findfs firewalld fixparts +flushb +fonts-config fsadm fsck fsck.btrfs @@ -229,17 +280,23 @@ funccount-bpfcc funcinterval-bpfcc funclatency-bpfcc funcslower-bpfcc +g13-syshelp gdisk +gdm gdm3 genl +genprof getcap gethostlatency-bpfcc gethostlatency.bt getpcaps +getsysinfo getty getweb gnome-menus-blacklist +gpart gparted +gpm groupadd groupdel groupmems @@ -255,16 +312,36 @@ grub-mkdevicemap grub-probe grub-reboot grub-set-default +grub2-bios-setup +grub2-check-default +grub2-install +grub2-macbless +grub2-mkconfig +grub2-ofpathname +grub2-once +grub2-probe +grub2-reboot +grub2-set-default +grub2-sparc64-setup +grub2-switch-to-blscfg halt hardirqs-bpfcc hc-ifscan hdparm hwclock +hwinfo iconvconfig ifconfig +ifrename +ifstat +import-openSUSE-build-key init inject-bpfcc +inputattach insmod +install_acx100_firmware +install_intersil_firmware +install-info install-sgmlcatalog installkernel integritysetup @@ -273,6 +350,7 @@ ip ip6tables ip6tables-apply ip6tables-legacy +ip6tables-legacy-batch ip6tables-legacy-restore ip6tables-legacy-save ip6tables-nft @@ -292,6 +370,7 @@ ipset-translate iptables iptables-apply iptables-legacy +iptables-legacy-batch iptables-legacy-restore iptables-legacy-save iptables-nft @@ -302,6 +381,8 @@ iptables-restore-translate iptables-save iptables-translate iptunnel +irqbalance +irqbalance-ui isadump isaset iscsi_discovery @@ -311,6 +392,8 @@ iscsid iscsistart isosize ispell-autobuildhash +isserial +issue-generator iucode_tool iucode-tool iw @@ -327,15 +410,19 @@ javaobjnew-bpfcc javastat-bpfcc javathreads-bpfcc kbdrate +kbdsettings kdump-config kerneloops kexec +kexec-bootloader kexec-load-kernel key.dns_resolver killall5 +killproc killsnoop-bpfcc killsnoop.bt klockstat-bpfcc +klogd kpartx kvm-ok kvmexit-bpfcc @@ -347,9 +434,12 @@ libgvc6-config-update libvirt-dbus libvirtd llcstat-bpfcc +lnstat loads.bt locale-gen +logprof logrotate +logrotate-all logsave losetup lpadmin @@ -357,6 +447,7 @@ lpc lpinfo lpmove lsmod +lspci lspcmcia luksformat lvchange @@ -365,7 +456,9 @@ lvcreate lvdisplay lvextend lvm +lvm_import_vdo lvmconfig +lvmdevices lvmdiskscan lvmdump lvmpolld @@ -377,16 +470,21 @@ lvrename lvresize lvs lvscan +lwepgen lxc lxd make-bcache make-ssl-cert +mariadbd +mcelog mdadm mdflush-bpfcc mdflush.bt mdmon memleak-bpfcc mii-tool +mk_isdnhwdb +mkdict mkdosfs mke2fs mkfs @@ -406,10 +504,13 @@ mkfs.reiserfs mkfs.vfat mkfs.xfs mkhomedir_helper +mkill mkinitramfs mklost+found mkntfs +mkpostfixcert mkreiserfs +mksubvolume mkswap ModemManager modinfo @@ -419,14 +520,18 @@ mount.ddi mount.fuse mount.fuse3 mount.lowntfs-3g +mount.nfs +mount.nfs4 mount.ntfs mount.ntfs-3g mount.smb3 mountsnoop-bpfcc +mountstats mpathpersist multipath multipathc multipathd +mysqld mysqld_qslower-bpfcc nameif naptime.bt @@ -436,12 +541,21 @@ netqtop-bpfcc NetworkManager newusers nfnl_osf +nfsconf +nfsdcld nfsdist-bpfcc +nfsidmap +nfsiostat nfsslower-bpfcc +nfsstat nft +nmbd nodegc-bpfcc nodestat-bpfcc nologin +notify +nss-mdns-config +nstat ntfsclone ntfscp ntfslabel @@ -452,22 +566,28 @@ offwaketime-bpfcc on_ac_power oomkill-bpfcc oomkill.bt +openconnect opensnoop-bpfcc opensnoop.bt openvpn overlayroot-chroot ownership +packer pam_extrausers_chkpwd pam_extrausers_update pam_getenv pam_namespace_helper pam_timestamp_check pam-auth-update +pam-config paperconfig parse.f2fs parted partprobe +partx +pbl pccardctl +pcilmr pcscd pdata_tools perlcalls-bpfcc @@ -476,11 +596,26 @@ perlstat-bpfcc phpcalls-bpfcc phpflow-bpfcc phpstat-bpfcc +pidofproc pidpersec-bpfcc pidpersec.bt pivot_root plipconfig +pluginviewer +plymouth-set-default-theme plymouthd +postalias +postcat +postconf +postdrop +postfix +postkick +postlock +postlog +postmap +postmulti +postqueue +postsuper poweroff ppchcalls-bpfcc pppd @@ -502,18 +637,96 @@ pvscan pwck pwconv pwhistory_helper +pwmconfig pwunconv pythoncalls-bpfcc pythonflow-bpfcc pythongc-bpfcc pythonstat-bpfcc qemu-ga +qmqp-source rarp +rcapparmor +rcauditd +rcautofs +rcavahi-daemon +rcavahi-dnsconfd +rcblk-availability +rcbolt +rcbtrfsmaintenance-refresh +rcca-certificates +rcchrony-wait +rcchronyd +rccolord +rccron +rccups +rccups-browsed +rccups-lpd +rcdbus +rcdisplay-manager +rcdm-event +rcdnsmasq +rcfancontrol +rcfirewalld +rcflatpak-system-helper +rcfstrim +rcfwupd +rcfwupd-offline-update +rcfwupd-refresh +rcgpm +rcirqbalance +rcissue-add-ssh-keys +rcissue-generator +rckexec-load +rclm_sensors +rclogrotate +rclvm2-lvmpolld +rclvm2-monitor +rcmariadb +rcmcelog +rcmdmonitor +rcModemManager +rcmultipathd +rcmysql +rcnetwork +rcnfs-client +rcnmb +rcopenvpn +rcostree-prepare-root +rcostree-remount +rcpackagekit +rcpackagekit-offline-update +rcpcscd +rcpkcs11_eventmgr +rcpostfix +rcrng-tools +rcrpcbind +rcrsyncd +rcrtkit-daemon +rcsddm +rcsmartd +rcsmb +rcsnmpd +rcsnmptrapd +rcspeech-dispatcherd +rcspice-vdagentd +rcsshd +rctuned +rcudisks2 +rcupower +rcusbmuxd +rcwpa_supplicant +rcwsdd +rcxdm +rcxvnc +rdma rdmaucma-bpfcc rdmsr readahead-bpfcc readprofile reboot +refresh_initrd +regdbdump reiserfsck reiserfstune remove-default-ispell @@ -524,17 +737,33 @@ reset-trace-bpfcc resize_reiserfs resize.f2fs resize2fs +resizepart resolvconf rfkill rmmod rmt rmt-tar +rndc +rndc-confgen +rngd route +routel +rpc.gssd +rpc.idmapd +rpc.statd +rpc.svcgssd +rpcbind +rpcctl +rpcdebug +rpcinfo +rpmconfigcheck +rsyncd rsyslogd rtacct rtcwake rtkitctl rtmon +rtstat rubycalls-bpfcc rubyflow-bpfcc rubygc-bpfcc @@ -547,38 +776,67 @@ runqlen-bpfcc runqlen.bt runqslower-bpfcc runuser +rvmtab saned +sasldblistusers2 +saslpasswd2 +save_y2logs +schema2ldif select-default-ispell select-default-wordlist +sendmail sensors-detect service +set_polkit_default_privs setcap +setconsole +setpci setuids.bt +setup-nsssysinit.sh setvesablank setvtrgb sfdisk sgdisk shadowconfig +shim-install shmsnoop-bpfcc +showconsole +showmount shutdown +skdump +sktest slabratetop-bpfcc slattach sload.f2fs +sm-notify +smart_agetty smartctl smartd +smbd +smtp-sink +smtp-source +snapperd +snmpd +snmptrapd sofdsnoop-bpfcc softirqs-bpfcc solisten-bpfcc spice-vdagentd +ss sshd +sshd-gen-keys-start ssllatency.bt sslsniff-bpfcc sslsnoop.bt sssd stackcount-bpfcc +start_daemon +start-statd start-stop-daemon +startproc statsnoop-bpfcc statsnoop.bt +status sudo_logsrvd sudo_sendlog sulogin @@ -590,9 +848,11 @@ switch_root sync-available syncsnoop-bpfcc syncsnoop.bt +sysconf_addword syscount-bpfcc syscount.bt sysctl +sysusers2shadow tarcat tc tclcalls-bpfcc @@ -638,20 +898,30 @@ tlp tplist-bpfcc trace-bpfcc traceroute +tsig-keygen ttysnoop-bpfcc tune.exfat tune2fs +tuned +tuned-adm tunefs.reiserfs +tunelp u-d-c-print-pci-ids ucalls uflow ufw ugc +umount.nfs +umount.nfs4 umount.udisks2 +unconfined undump.bt unix_chkpwd unix_update +unix2_chkpwd uobjnew +update-alternatives +update-bootloader update-ca-certificates update-catalog update-cracklib @@ -693,6 +963,7 @@ ustat uthreads uuidd validlocale +vconfig vcstime vdpa veritysetup @@ -711,6 +982,7 @@ vgexport vgextend vgimport vgimportclone +vgimportdevices vgmerge vgmknodes vgreduce @@ -719,22 +991,30 @@ vgrename vgs vgscan vgsplit +vhangup vigr vipw +virt-what virtiostat-bpfcc virtlockd virtlogd visudo vmcore-dmesg +vncsession vpddecode +vpnc +vpnc-disconnect wakeuptime-bpfcc wipefs +wiper.sh wpa_action wpa_cli +wpa_passphrase wpa_supplicant wqlat-bpfcc writeback.bt wrmsr +wsdd xfs_admin xfs_bmap xfs_copy @@ -750,6 +1030,7 @@ xfs_mdrestore xfs_metadump xfs_mkfile xfs_ncheck +xfs_property xfs_quota xfs_repair xfs_rtcp @@ -759,11 +1040,17 @@ xfs_spaceman xfsdist-bpfcc xfsdist.bt xfsslower-bpfcc +xkbctrl xtables-legacy-multi xtables-monitor xtables-nft-multi +yast +yast2 +zdump zerofree zfsdist-bpfcc zfsslower-bpfcc zic zramctl +zypp-refresh +zypper-log From 45d7cf48c4aa5909b34daa168195248aa37c72cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 18:48:31 +0200 Subject: [PATCH 053/798] fix(profile): small improvment raised by the tests. --- apparmor.d/groups/_full/systemd | 1 + apparmor.d/groups/apt/deb-systemd-helper | 11 ++++++++--- apparmor.d/groups/bus/dbus-system | 1 + apparmor.d/groups/network/rpcbind | 2 +- apparmor.d/profiles-m-r/needrestart | 2 ++ apparmor.d/profiles-m-r/run-parts | 2 +- apparmor.d/profiles-s-z/unhide-tcp | 2 +- apparmor.d/profiles-s-z/which | 2 ++ 8 files changed, 17 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 827e9fcf7..e1a9918e1 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -152,6 +152,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=system name=org.freedesktop.timesync1 @{bin}/** Px, + @{sbin}/** Px, @{lib}/** Px, /etc/cron.*/* Px, /etc/init.d/* Px, diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper index a81ef6d7c..77fe1f455 100644 --- a/apparmor.d/groups/apt/deb-systemd-helper +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -16,14 +16,19 @@ profile deb-systemd-helper @{exec_path} { @{bin}/systemctl rCx -> systemctl, - /var/lib/systemd/deb-systemd-helper-enabled/** rw, - /var/lib/systemd/deb-systemd-helper-masked/ rw, - /var/lib/systemd/deb-systemd-user-helper-enabled/** rw, + /etc/systemd/system/* w, + /etc/systemd/user/* w, + + /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw, + /var/lib/systemd/deb-systemd-helper-masked/{,**} rw, + /var/lib/systemd/deb-systemd-user-helper-enabled/{,**} rw, profile systemctl { include include + capability net_admin, + /etc/ r, /etc/systemd/ r, /etc/systemd/system/ r, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index ee64c6497..4dec1d407 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -47,6 +47,7 @@ profile dbus-system flags=(attach_disconnected) { @{exec_path} mrix, @{bin}/** PUx, + @{sbin}/** PUx, @{lib}/** PUx, /usr/share/*/** PUx, diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index f9dcac8d1..1d81292fd 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/rpcbind +@{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 567c744b8..c2bc8b2b6 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -59,6 +59,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /usr/share/** r, /var/lib/*/** r, + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + /tmp/@{word10}/ rw, owner @{run}/sshd.pid r, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index f6d40b0c5..8adb0f748 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -232,7 +232,7 @@ profile run-parts @{exec_path} { @{sbin}/dkms rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, @{sbin}/update-grub rPUx, @{sbin}/update-initramfs rPx, @{lib}/dkms/dkms_autoinstaller rPx, diff --git a/apparmor.d/profiles-s-z/unhide-tcp b/apparmor.d/profiles-s-z/unhide-tcp index c4b30b884..8827bca14 100644 --- a/apparmor.d/profiles-s-z/unhide-tcp +++ b/apparmor.d/profiles-s-z/unhide-tcp @@ -22,7 +22,7 @@ profile unhide-tcp @{exec_path} { @{bin}/fuser rix, @{bin}/netstat rix, @{bin}/sed rix, - @{bin}/ss rix, + @{sbin}/ss rix, @{PROC}/@{pids}/net/tcp{,6} r, @{PROC}/@{pids}/net/udp{,6} r, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index 855db3f4b..cc95a17f9 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -17,7 +17,9 @@ profile which @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/ r, + @{sbin}/ r, @{bin}/**/ r, + @{sbin}/**/ r, @{lib}/ r, @{lib}/**/ r, /opt/**/bin/ r, From 8f250f451c8a0ce2e9aabcb54edf28af7f1d42db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 19:23:42 +0200 Subject: [PATCH 054/798] doc: add sbin. --- docs/variables.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/variables.md b/docs/variables.md index 7dc8e5ff6..1bcee8f93 100644 --- a/docs/variables.md +++ b/docs/variables.md @@ -168,7 +168,8 @@ title: Variables References | Home directories | `@{HOME}` | `@{HOMEDIRS}/*/ /root/` | | Root Mountpoints | `@{MOUNTDIRS}` | `/media/ @{run}/media/@{user}/ /mnt/` | | Mountpoints directories | `@{MOUNTS}` | `@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/` | -| Bin | `@{bin}` | `/{usr/,}{s,}bin` | +| Bin | `@{bin}` | `/{usr/,}bin` | +| Sbin | `@{sbin}` | `/{usr/,}sbin` | | Lib | `@{lib}` | `/{usr/,}lib{,exec,32,64}` | | multi-arch library | `@{multiarch}` | `*-linux-gnu*` | | Proc | `@{PROC}` | `/proc/` | From ad4bfab4f22d8decb271fe7958890601ccc4e3e9 Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Sat, 26 Apr 2025 22:04:27 +0300 Subject: [PATCH 055/798] loginctl-linger --- apparmor.d/groups/systemd/loginctl | 1 + apparmor.d/groups/systemd/systemd-logind | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index ca43277aa..a6406ab70 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -12,6 +12,7 @@ profile loginctl @{exec_path} flags=(attach_disconnected) { include include include + include capability net_admin, capability sys_resource, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index a879d02ec..a56e16298 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -56,7 +56,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /swap/swapfile r, /swapfile r, - /var/lib/systemd/linger/ r, + /var/lib/systemd/linger/{,@{user}} rw, @{run}/.#nologin* rw, @{run}/credentials/getty@tty@{int}.service/ r, From 83806c1b357bf36be96473f150a34bc87a272e9a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 19:38:57 +0200 Subject: [PATCH 056/798] fix(profile): ensure cmus can read the home directory fix #728 --- apparmor.d/profiles-a-f/cmus | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/profiles-a-f/cmus b/apparmor.d/profiles-a-f/cmus index c3916890f..750fe9345 100644 --- a/apparmor.d/profiles-a-f/cmus +++ b/apparmor.d/profiles-a-f/cmus @@ -18,6 +18,9 @@ profile cmus @{exec_path} { /etc/machine-id r, + / r, + owner @{HOME}/ r, # For pwd + owner @{user_music_dirs}/{,**} r, owner @{user_config_dirs}/ r, From c969faf6e813eb9f311be907fc1a5b3bf8e336e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 19:46:32 +0200 Subject: [PATCH 057/798] feat(profile): add initial version of sshd-auth. Fix #725 --- apparmor.d/groups/ssh/sshd | 1 + dists/flags/main.flags | 1 + 2 files changed, 2 insertions(+) diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 3ae1326d8..fe5a6f1cd 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -65,6 +65,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{sbin}/nologin rPx, @{bin}/passwd rPx, @{lib}/{openssh,ssh}/sftp-server rPx, + @{lib}/{openssh,ssh}/sshd-auth rPx, @{lib}/{openssh,ssh}/sshd-session rix, @{etc_ro}/environment r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 453d5f73a..e57be4377 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -292,6 +292,7 @@ snapd complain snapd-apparmor complain snapshot complain speech-dispatcher complain +sshd-auth complain ssservice complain startplasma complain startx attach_disconnected,complain From 5edde91d44d99a2526de52fd43afa757cd2880f3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 19:56:34 +0200 Subject: [PATCH 058/798] fix(test): update test to the new value of bin. --- pkg/aa/resolve_test.go | 2 +- pkg/prebuild/builder/core_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/aa/resolve_test.go b/pkg/aa/resolve_test.go index 5c9c9026f..1e4a54fe5 100644 --- a/pkg/aa/resolve_test.go +++ b/pkg/aa/resolve_test.go @@ -85,7 +85,7 @@ func TestAppArmorProfileFile_resolveValues(t *testing.T) { { name: "simple", input: "@{bin}/foo", - want: []string{"/{,usr/}{,s}bin/foo"}, + want: []string{"/{,usr/}bin/foo"}, }, { name: "double", diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index 5a1a39da0..06ceb1d28 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -209,7 +209,7 @@ func TestBuilder_Apply(t *testing.T) { want: ` @{exec_path} = @{bin}/baloo_file @{lib}/{,kf6/}baloo_file @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloo_file - profile baloo /{{,usr/}{,s}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} { + profile baloo /{{,usr/}bin/baloo_file,{,usr/}lib{,exec,32,64}/{,kf6/}baloo_file,{,usr/}lib{,exec,32,64}/*-linux-gnu*/{,libexec/}baloo_file} { include @{exec_path} mr, From 87e82b15056f66956d583eab389713eeb76a63c4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:15:24 +0200 Subject: [PATCH 059/798] fix(profile): modernise fuse-overlayfs. fix #726 --- apparmor.d/profiles-a-f/fuse-overlayfs | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index da61184a3..91b279d20 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs @@ -10,14 +10,21 @@ include profile fuse-overlayfs @{exec_path} { include - capability sys_admin, + capability chown, capability dac_override, capability dac_read_search, - capability chown, + capability fowner, + capability setfcap, + capability setuid, + capability sys_admin, + + mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, + mount fstype=fuse.overlayfs options=(rw,nodev,noatime) fuse-overlayfs -> @{user_share_dirs}/containers/storage/overlay/**/merged/, @{exec_path} mr, - mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **, + @{bin}/mount rix, + @{bin}/umount rix, owner @{user_share_dirs}/containers/storage/overlay/{,**} rwl, From 3cc39debfb5544872af9a6c468720e5eca97f5a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:27:03 +0200 Subject: [PATCH 060/798] feat(profile): improve kde integration. --- apparmor.d/groups/kde/DiscoverNotifier | 2 +- apparmor.d/groups/kde/baloo | 17 +---------- apparmor.d/groups/kde/baloorunner | 29 ++---------------- apparmor.d/groups/kde/dolphin | 42 ++++++-------------------- apparmor.d/groups/kde/kalendarac | 1 + apparmor.d/groups/kde/kcminit | 2 ++ apparmor.d/groups/kde/kconf_update | 5 +-- apparmor.d/groups/kde/kded | 9 +++++- apparmor.d/groups/kde/kiod | 1 + apparmor.d/groups/kde/kioworker | 4 ++- apparmor.d/groups/kde/ksplashqml | 3 ++ apparmor.d/groups/kde/startplasma | 1 + 12 files changed, 35 insertions(+), 81 deletions(-) diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 197f90f88..3ec36976d 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -41,7 +41,7 @@ profile DiscoverNotifier @{exec_path} { /var/cache/swcatalog/cache/ w, /var/cache/swcatalog/xml/{,**} r, - owner @{user_cache_dirs}/appstream/ r, + owner @{user_cache_dirs}/appstream/ rw, owner @{user_cache_dirs}/appstream/** rw, owner @{user_cache_dirs}/flatpak/{,**} rw, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 5ceb04725..e53bf4039 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -45,22 +45,7 @@ profile baloo @{exec_path} { @{run}/mount/utab r, @{run}/udev/data/+*:* r, - - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices - @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/c@{int}:@{int} r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index e3fca1f8f..8410408b3 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -28,33 +28,8 @@ profile baloorunner @{exec_path} { /tmp/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi* r, # for motherboard info - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices - @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, + @{run}/udev/data/c@{int}:@{int} r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 93780d889..802ba0a96 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -29,6 +29,9 @@ profile dolphin @{exec_path} { @{exec_path} mr, + @{lib}/libheif/ r, + @{lib}/libheif/*.so* mr, + @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{lib}/{,@{multiarch}/}utempter/utempter rPx, @@ -81,8 +84,10 @@ profile dolphin @{exec_path} { owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rw, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.*} rwlk -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, + owner @{user_config_dirs}/knfsshare.lock rwk, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/#@{int} rw, @@ -93,44 +98,15 @@ profile dolphin @{exec_path} { owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, - owner @{tmp}/dolphin.@{rand6} rwl, + owner @{tmp}/dolphin.@{rand6}{,.lock} rwlk, @{run}/issue r, @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi* r, # for motherboard info - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c4:@{int} r, # For TTY devices - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices - @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, + @{run}/udev/data/c@{int}:@{int} r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index 661090bc1..a45652c7b 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -25,6 +25,7 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi-firstrunrc r, + owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/akonadiconnectionrc r, owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/emailidentities r, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 93378bf76..e11de6a48 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -26,6 +26,8 @@ profile kcminit @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/gtkrc-2.0{,.@{rand6}} rwl, owner @{user_config_dirs}/gtkrc{,.@{rand6}} rwl, + owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl, + owner @{user_config_dirs}/kcminputrc.lock rwk, owner @{user_config_dirs}/kgammarc r, owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/touchpadxlibinputrc r, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index 49da5e3ca..ee42fef98 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -32,14 +32,15 @@ profile kconf_update @{exec_path} { @{bin}/qtchooser rPx, @{lib}/kconf_update_bin/* rix, @{lib}/@{multiarch}/kconf_update_bin/* rix, + @{lib}/qt6/bin/qtpaths rix, /usr/share/kconf_update/*.py rix, /usr/share/kconf_update/*.sh rix, /usr/share/kconf_update/{,**} r, /usr/share/kglobalaccel/org.kde.krunner.desktop r, - /etc/xdg/konsolerc r, - /etc/xdg/ui/ui_standards.rc r, + /etc/xdg/*rc r, + /etc/xdg/ui/*rc r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 9efaec4fc..c9fa538df 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -55,6 +55,7 @@ profile kded @{exec_path} { @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, @{python_path} rix, + @{bin}/flatpak rPx, @{bin}/setxkbmap rix, @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, @@ -87,6 +88,12 @@ profile kded @{exec_path} { owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, + owner @{HOME}/.var/ w, + owner @{HOME}/.var/app/ w, + owner @{HOME}/.var/app/org.mozilla.firefox/**/ w, + owner @{HOME}/.var/app/org.mozilla.firefox/.mozilla/native-messaging-hosts/org.kde.plasma.browser_integration.json w, + owner @{HOME}/.var/app/org.mozilla.firefox/plasma-browser-integration-host w, + @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, @@ -120,7 +127,7 @@ profile kded @{exec_path} { owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, + owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int}, @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index f6a7ba95a..cf9646051 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kiod{5,6} profile kiod @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 592e5811e..1d091fd09 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -42,7 +42,7 @@ profile kioworker @{exec_path} { #aa:exec kio_http_cache_cleaner - /usr/share/kio_desktop/directory.desktop r, + /usr/share/kio_desktop/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/remoteview/* r, @@ -56,6 +56,8 @@ profile kioworker @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* r, + @{sbin}/ r, + @{sbin}/* r, @{lib}/ r, @{MOUNTDIRS}/ r, @{MOUNTS}/ r, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index be59fe842..13f1216a5 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -14,11 +14,14 @@ profile ksplashqml @{exec_path} { include include + ptrace read peer=startplasma, + @{exec_path} mr, @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, + /usr/share/color-schemes/* r, /usr/share/plasma/** r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 773122f57..b69d7fdb9 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -40,6 +40,7 @@ profile startplasma @{exec_path} { /etc/machine-id r, /etc/xdg/menus/{,**} r, /etc/xdg/plasma-workspace/env/{,*} r, + /etc/xdg/plasmarc r, /var/lib/flatpak/exports/share/mime/ r, From df6378cec091741c2b53ba49e1dd35106d9629eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:34:35 +0200 Subject: [PATCH 061/798] feat(profile): improve common freedesktop profiles. --- apparmor.d/groups/freedesktop/pipewire | 1 - .../freedesktop/pkla-check-authorization | 18 ++++++++++++++++++ apparmor.d/groups/freedesktop/upowerd | 1 + .../groups/freedesktop/xdg-desktop-portal | 6 +++++- .../groups/freedesktop/xdg-desktop-portal-gtk | 5 ++--- .../groups/freedesktop/xdg-document-portal | 3 ++- .../freedesktop/xdg-user-dirs-gtk-update | 3 +++ apparmor.d/groups/polkit/polkit-agent-helper | 10 ++++++---- apparmor.d/groups/polkit/polkitd | 6 ++---- dists/flags/main.flags | 3 ++- 10 files changed, 41 insertions(+), 15 deletions(-) create mode 100644 apparmor.d/groups/freedesktop/pkla-check-authorization diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index f4c9367cd..ad4eb57c5 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -41,7 +41,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { / r, @{att}/ r, - owner @{att}// r, owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, diff --git a/apparmor.d/groups/freedesktop/pkla-check-authorization b/apparmor.d/groups/freedesktop/pkla-check-authorization new file mode 100644 index 000000000..ff5b72f71 --- /dev/null +++ b/apparmor.d/groups/freedesktop/pkla-check-authorization @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pkla-check-authorization +profile pkla-check-authorization @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index a8244bce9..4061af4c8 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -13,6 +13,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index ae20e3751..59a24a3b3 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -10,7 +10,6 @@ include profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include - include include include include @@ -18,6 +17,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include @@ -73,6 +74,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/user-dirs.dirs r, + # The portal can receive any user file as it is a file chooser for UI app. + owner @{HOME}/** r, + @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/xdg-desktop-portal/* r, owner @{user_share_dirs}/xdg-desktop-portal/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index cff06d867..ff4a6730a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -32,8 +32,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { signal receive set=term peer=gdm, signal receive set=hup peer=gdm-session-worker, - unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), - #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk dbus receive bus=session path=/org/freedesktop/portal/desktop @@ -58,7 +56,8 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, - / r, + / r, + owner @{att}/ r, owner /var/lib/xkb/server-@{int}.xkm rw, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index c56729248..91a203d3a 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/xdg-document-portal profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include include capability sys_admin, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 8892bd1ce..224bc2337 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include + include + include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 7f5ecd107..e663c299e 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -25,10 +25,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (receive) set=(term, kill) peer=gnome-shell, - signal (receive) set=(term, kill) peer=pkexec, - signal (receive) set=(term, kill) peer=pkttyagent, - signal (receive) set=(term, kill) peer=polkit-*-authentication-agent, + signal receive set=(term kill) peer=gnome-shell, + signal receive set=(term kill) peer=pkexec, + signal receive set=(term kill) peer=pkttyagent, + signal receive set=(term kill) peer=polkit-*-authentication-agent, + + unix bind type=stream addr=@@{udbus}/bus/polkit-agent-he/system, dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 38f05275b..46d7adc60 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -11,6 +11,7 @@ include profile polkitd @{exec_path} flags=(attach_disconnected) { include include + include include capability setgid, @@ -25,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/pkla-check-authorization rPUx, + @{bin}/pkla-check-authorization rPx, @{bin}/pkla-admin-identities rPx, /etc/machine-id r, @@ -68,9 +69,6 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fdinfo/@{int} r, - # Silencer - deny /.cache/ rw, - include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e57be4377..2d1f96c1f 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -258,8 +258,9 @@ os-prober attach_disconnected,complain pam_kwallet_init complain pam-tmpdir-helper complain passimd attach_disconnected,complain -pkttyagent complain pkla-admin-identities complain +pkla-check-authorization complain +pkttyagent complain plank complain plasma_waitforname complain plasma-browser-integration-host complain From a98b8bbc0dd0447918497addd4008c476732703b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:39:10 +0200 Subject: [PATCH 062/798] feat(profile): improve dbus rule in the gnome profiles. --- apparmor.d/groups/gnome/deja-dup-monitor | 8 ++++++++ .../groups/gnome/evolution-calendar-factory | 5 ----- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gnome-calendar | 2 ++ apparmor.d/groups/gnome/gnome-characters | 4 +++- apparmor.d/groups/gnome/gnome-clocks | 1 + .../gnome/gnome-control-center-search-provider | 3 ++- apparmor.d/groups/gnome/gnome-initial-setup | 5 +++++ apparmor.d/groups/gnome/gnome-session | 1 + apparmor.d/groups/gnome/gnome-shell | 9 +++++++-- apparmor.d/groups/gnome/gsd-housekeeping | 3 ++- apparmor.d/groups/gnome/gsd-power | 3 ++- apparmor.d/groups/gnome/localsearch | 2 ++ apparmor.d/groups/gnome/nautilus | 3 ++- apparmor.d/groups/gnome/seahorse | 3 ++- apparmor.d/groups/gvfs/gvfsd-network | 10 +++++----- apparmor.d/groups/gvfs/gvfsd-recent | 6 +++--- apparmor.d/groups/gvfs/gvfsd-smb-browse | 4 ++-- apparmor.d/groups/gvfs/gvfsd-trash | 10 +++++----- apparmor.d/groups/gvfs/gvfsd-wsdd | 17 ++++++++++++++++- 20 files changed, 71 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index 90a5b0f64..af7fa51b0 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -23,6 +23,11 @@ profile deja-dup-monitor @{exec_path} { #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor #aa:dbus talk bus=session name=org.gnome.DejaDup interface+=org.gtk.Actions label=deja-dup + dbus send bus=session path=/org/gnome/DejaDup + interface=org.gtk.Actions + member=Activate + peer=(name=org.gnome.DejaDup), + dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll @@ -30,6 +35,9 @@ profile deja-dup-monitor @{exec_path} { @{exec_path} mr, + @{bin}/chrt rix, + @{bin}/ionice rix, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index f856a06d2..25f8ecc7f 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -57,11 +57,6 @@ profile evolution-calendar-factory @{exec_path} { member=Complete peer=(name=org.freedesktop.DBus, label=gnome-calendar), - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member=Move - peer=(name=:*, label=gvfsd-metadata), - dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 4440b80e3..1a05892b6 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -50,7 +50,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - #aa:dbus talk bus=system name=org.freedesktop.home1.Manager label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label=systemd-homed dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 97309c1a7..c81e591cf 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -14,6 +14,7 @@ profile gnome-calendar @{exec_path} { include include include + include include include include @@ -22,6 +23,7 @@ profile gnome-calendar @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.Calendar + #aa-dbus own bus=session name=org.gnome.Calendar.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 9511e781f..890a54691 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -11,11 +11,13 @@ profile gnome-characters @{exec_path} { include include include + include include include include - #aa:dbus own bus=session name=org.gnome.Characters interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus own bus=session name=org.gnome.Characters + #aa-dbus own bus=session name=org.gnome.Characters.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index 13f161dfd..bdffedb72 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -20,6 +20,7 @@ profile gnome-clocks @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.clocks interface+=org.gtk.Actions + #aa:dbus own bus=session name=org.gnome.clocks.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 3dfd1bf03..201abe4b4 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -10,11 +10,12 @@ include profile gnome-control-center-search-provider @{exec_path} { include include + include include include include - #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider + #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index e8a0315bd..cf7dc2506 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -31,6 +31,11 @@ profile gnome-initial-setup @{exec_path} { #aa:dbus own bus=session name=org.gnome.InitialSetup interface+=org.gtk.Actions + dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=com.canonical.UbuntuAdvantage), + @{exec_path} mr, @{bin}/df rPx, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index ce6abe6d9..e0ff334db 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -28,6 +28,7 @@ profile gnome-session @{exec_path} { @{bin}/manpath rix, @{bin}/readlink rix, @{bin}/realpath rix, + @{bin}/run-parts rix, @{bin}/sed rix, @{bin}/tput rix, @{bin}/tr rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 05156bac1..615cb1b05 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -75,6 +75,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=com.canonical.{U,u}nity #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem + #aa:dbus own bus=session name=org.freedesktop.a11y.Manager #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications @@ -90,10 +91,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding #aa:dbus talk bus=session name=org.gnome.* label=gnome-* + #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*" + #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus # System bus @@ -113,6 +115,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Session bus + dbus send bus=session path=/org/gnome/** + peer=(name=org.gnome.*), + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Properties member=GetAll @@ -373,7 +378,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability sys_ptrace, - ptrace (read), + ptrace read, @{sh_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 55b0c3a51..9dec92df4 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -10,10 +10,11 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include - include include + include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 9bba24751..0d09a0e9c 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gsd-power profile gsd-power @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -20,11 +19,13 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include + include include include include diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 74a4e0f36..263604ba7 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -26,6 +26,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { network netlink raw, + #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files #aa:dbus own bus=session name=org.freedesktop.LocalSearch3 @{exec_path} mr, @@ -61,6 +62,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/fs/inotify/max_user_watches r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 373593440..60bbfb344 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,8 +28,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, - #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" #aa:dbus own bus=session name=org.freedesktop.FileManager1 + #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" + #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 921f6aa30..2f190dfab 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -16,12 +16,13 @@ profile seahorse @{exec_path} { include include include + include include include include include - #aa:dbus own bus=session name=org.gnome.seahorse.Application + #aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2 @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 87851fc16..adda9b958 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -18,27 +18,27 @@ profile gvfsd-network @{exec_path} { dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member={MountLocation,LookupMount,RegisterMount} - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection - peer=(name=:*, label=gvfsd-dnssd), + peer=(name="@{busname}", label=gvfsd-dnssd), dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection - peer=(name=:*, label=gnome-control-center), + peer=(name="@{busname}", label=gnome-control-center), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 1ec5f2e60..042b66a68 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -23,15 +23,15 @@ profile gvfsd-recent @{exec_path} { dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index f285a3c15..59d778133 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -26,12 +26,12 @@ profile gvfsd-smb-browse @{exec_path} { dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 683d271a8..9acfd6c86 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -24,27 +24,27 @@ profile gvfsd-trash @{exec_path} { dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection - peer=(name=:*, label="{gnome-shell,nautilus}"), + peer=(name="@{busname}", label="{gnome-shell,nautilus}"), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 25eccc93d..c7dce4f57 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -10,11 +10,25 @@ include profile gvfsd-wsdd @{exec_path} { include include + include + include network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name="@{busname}", label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name="@{busname}", label=gvfsd), @{exec_path} mr, @@ -23,6 +37,7 @@ profile gvfsd-wsdd @{exec_path} { @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/gvfsd/wsdd rw, include if exists } From 97ddc0de63d2d6c65bf27d44b3490e80a6f58b2b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:39:38 +0200 Subject: [PATCH 063/798] feat(profile): add sshd-auth --- apparmor.d/groups/ssh/sshd-auth | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 apparmor.d/groups/ssh/sshd-auth diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth new file mode 100644 index 000000000..cb4defc0f --- /dev/null +++ b/apparmor.d/groups/ssh/sshd-auth @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/{openssh,ssh}/sshd-auth +profile sshd-auth @{exec_path} { + include + include + + capability setgid, + capability setuid, + capability sys_chroot, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + @{sbin}/sshd.hmac r, + + include if exists +} + +# vim:syntax=apparmor From fa317ad91b7a5bdac87955105aa5844a69d529b9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:40:26 +0200 Subject: [PATCH 064/798] feat(profile): improve netplan generator. --- apparmor.d/groups/network/netplan-generate | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 60ec7656f..64f8399e1 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -21,9 +21,11 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { /etc/netplan/{,*} r, + @{run}/NetworkManager/ rw, + @{run}/NetworkManager/conf.d/ rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, - @{run}/NetworkManager/system-connections/ r, + @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/* rw, @{run}/systemd/generator/multi-user.target.wants/ w, @@ -43,13 +45,13 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { @{run}/udev/rules.d/ rw, @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, - @{sys}/devices/**/net/*/address r, - @{run}/netplan/ r, @{run}/udev/rules.d/ r, @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw, + @{sys}/devices/**/net/*/address r, + profile systemctl { include include From dd7841f4e9f86fa64d86f0999fc163f18c1f42d0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:42:12 +0200 Subject: [PATCH 065/798] feat(profile): pacman: ensure ghc-pkg is run independant from pacman. --- apparmor.d/groups/pacman/pacman | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 8d7345fda..9cf9d6a36 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -66,7 +66,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gdk-pixbuf-query-loaders rPx, @{bin}/getent rix, @{bin}/gettext rix, - @{bin}/ghc-pkg-@{version} rix, + @{bin}/ghc-pkg-@{version} rPx, @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, @{sbin}/groupadd rPx, @@ -102,7 +102,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/which rix, @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, - @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix, + @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx, @{lib}/vlc/vlc-cache-gen rPx, /opt/Mullvad*/resources/mullvad-setup rPx, /usr/share/code-features/patch.py rPx, @@ -110,7 +110,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /usr/share/libalpm/scripts/* rPUx, /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx, - # For shell pwd, keept as it can annoy some users to see error in pacman output + # For shell pwd, keept as it can annoy users to see error in pacman output /**/ r, # Install/update packages From 6423e962a0b95886de259e92a6f3529a9051e724 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 1 May 2025 20:45:07 +0200 Subject: [PATCH 066/798] feat(abs): update dbus interface abs. --- .../bus/org.freedesktop.RealtimeKit1 | 17 +++++++++-------- .../bus/org.freedesktop.Tracker3.Miner.Files | 4 ++-- .../bus/org.freedesktop.UPower.PowerProfiles | 11 +++++++++++ .../abstractions/bus/org.freedesktop.hostname1 | 4 ++++ .../abstractions/bus/org.gtk.vfs.Metadata | 4 ++++ 5 files changed, 30 insertions(+), 10 deletions(-) create mode 100644 apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index 34b15010c..0c6abbdbe 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 @@ -2,15 +2,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow setting realtime priorities. Clients require RLIMIT_RTTIME in the first -# place and client authorization is done via PolicyKit. Note that setrlimit() -# is allowed by default seccomp policy but requires 'capability sys_resource', -# which we deny be default. -# http://git.0pointer.net/rtkit.git/tree/README +# Allow setting realtime priorities. abi , - #-aa-dbus common bus=system name=org.freedesktop.RealtimeKit1 label=rtkit-daemon + #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label=rtkit-daemon dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get @@ -18,8 +14,13 @@ dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 - member={MakeThreadHighPriority,MakeThreadRealtime,MakeThreadRealtimeWithPID} - peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon), + member={MakeThreadHighPriority,MakeThreadRealtime} + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), + + dbus send bus=system path=/org/freedesktop/RealtimeKit1 + interface=org.freedesktop.RealtimeKit1 + member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID} + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files index 48fa7e394..c55736c1e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files +++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files @@ -7,12 +7,12 @@ dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), + peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"), dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.Tracker3.Endpoint member=Query - peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner), + peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles new file mode 100644 index 000000000..3d3980f81 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index d2a0b1d83..e6182bead 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -5,6 +5,10 @@ abi , #aa:dbus common bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.hostname1), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata index ae1b928c2..ce6e60082 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata @@ -5,6 +5,10 @@ abi , #aa:dbus common bus=system name=org.gtk.vfs.Metadata path=/org/gtk/vfs/metadata label=gvfsd-metadata + dbus send bus=session path=/org/gtk/vfs/metadata + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gvfsd-metadata), dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata From da97ffb63ce29a0212be21a822430b6d9cb51d63 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 2 May 2025 22:59:40 +0200 Subject: [PATCH 067/798] fix(profile): ensure gdm uses sbin. --- apparmor.d/groups/gnome/gdm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index dca6cda16..e35d165a2 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/gdm{3,} +@{exec_path} = @{sbin}/gdm @{sbin}/gdm3 profile gdm @{exec_path} flags=(attach_disconnected) { include include From 38b9bf673edd265dcfaf42a3a62e25dccfadf93f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 3 May 2025 18:20:34 +0200 Subject: [PATCH 068/798] feat(tunable): dbus: ensure compatibility across multiple distribution even on apparmor 4.1 --- apparmor.d/tunables/multiarch.d/profiles | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index d18030d68..e966623d4 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -14,8 +14,8 @@ # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility #aa:only apparmor4.1 -@{p_dbus_system}=dbus-system//&unconfined -@{p_dbus_session}=dbus-session//&unconfined +@{p_dbus_system}={dbus-system,dbus-system//&unconfined} +@{p_dbus_session}={dbus-session,dbus-session//&unconfined} #aa:exclude apparmor4.1 @{p_dbus_system}=dbus-system From f6c0893d90facd12a1b1f039634aca1d8b6a611c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 3 May 2025 18:30:25 +0200 Subject: [PATCH 069/798] feat(abs): update dbus rules for gtk4. --- apparmor.d/abstractions/gtk.d/complete | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 700e5e305..99cf70d97 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,23 +2,14 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus send bus=session - interface=org.gtk.Actions - member=DescribeAll - peer=(name=@{busname}), - dbus send bus=session - interface=org.gtk.Actions - member=DescribeAll - peer=(label=gnome-shell), - dbus receive bus=session interface=org.gtk.Actions - member=Changed + member={Activate,DescribeAll,SetState} peer=(name=@{busname}), - dbus receive bus=session + + dbus send bus=session interface=org.gtk.Actions - member=Changed - peer=(label=gnome-shell), + member=Changed, dbus send bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties From 6d8eda6b8735626d5c2d25a810fb7600a4e3d60e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 3 May 2025 18:34:37 +0200 Subject: [PATCH 070/798] feat(profile): update some dbus defintion for gnome. --- apparmor.d/groups/gnome/gdm-generate-config | 2 ++ apparmor.d/groups/gnome/gnome-control-center | 11 +++++++++++ apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/session-migration | 10 ++++++---- apparmor.d/groups/gnome/yelp | 1 + apparmor.d/groups/gvfs/gvfsd-wsdd | 1 + apparmor.d/groups/network/nm-dispatcher | 7 ++++++- 7 files changed, 28 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 6d621f18b..359eeb75f 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -18,6 +18,8 @@ profile gdm-generate-config @{exec_path} { capability setgid, capability setuid, + ptrace read, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 994c8e445..1f0b6239e 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -43,9 +43,20 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell + #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences + #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control + #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label=fprintd + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 615cb1b05..bfd695959 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -87,6 +87,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index 9af0d4714..aeb46f6c0 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -15,14 +15,16 @@ profile session-migration @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{python_path} rix, - @{bin}/gsettings rPx, - /usr/share/session-migration/scripts/* rix, + @{sh_path} rix, + @{python_path} rix, + @{bin}/dconf rPx, + @{bin}/gsettings rPx, + /usr/share/session-migration/scripts/* rix, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/session-migration/{,**} r, + owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/session_migration-* rw, owner @{user_share_dirs}/session_migration-* rw, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index b3f27187b..058b9697a 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -10,6 +10,7 @@ include profile yelp @{exec_path} { include include + include include network netlink raw, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index c7dce4f57..0064d682b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -11,6 +11,7 @@ profile gvfsd-wsdd @{exec_path} { include include include + include include network netlink raw, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 726798180..87207e2b7 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -26,7 +26,12 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), + + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, From f936088ae73c2443c314d2e21c1a692d22c3b089 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 4 May 2025 19:51:49 +0200 Subject: [PATCH 071/798] doc: add abstraction architecture. --- docs/development/abstractions.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index 9390945f8..f1ac6e18e 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md @@ -19,6 +19,27 @@ This project and the official apparmor-profiles project provide a large selectio All of these abstractions can be extended by a system admin by adding rules in a file under `/etc/apparmor.d/.d` where `` is the name of one of these abstractions. +## Architecture + +Abstraction are structured in layers as follows: + +- **Layer 0:** for core atomic functionalities. They cannot include other abstractions. + + E.g.: *this resource uses* `mesa`, `openssl`, `bash-strict`, `gtk`... + +- **Layer 1:** for generic access. Cannot be architecture or device specific. Needs to be agnostic. + + E.g.: *This program needs/has this resource.* `nameservice`, `authentication`, `base`, `shell`, `graphics`, `audio-client`, `desktop`, `kde`, `gnome`... + +- **Layer 2:** for common kind of program. Only present inside `abstraction/common`. Multiple layer 2 can be used alongside with layer 1 and 0 abstractions. + + E.g.: *This program kind is* is a game, an electron app, a gnome app, sandboxed with bwrap app, a systemd app... + +- **Layer 3:** for application. Only present inside `abstraction/app`. The use of a layer 3 abstraction usually means you should not use any other abstractions (but base). Not a strict rule, but a good practice. Mostly used to provide common rules for subprofiles where the subprofiles only need to add rules for the specific use case. + + E.g.: *This program is* `firefox`, `sudo`, `systemctl`, `pgrep`, `editor`, `chromium`... + + ## Application helper Abstraction that aims at including a complete set of rules for a given program. The calling profile only needs to add rules dependant of its use case/program. From 4e21ef53e655db487bded716efde11251a3f604a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 4 May 2025 20:01:28 +0200 Subject: [PATCH 072/798] feat(profile): systemd: add nsresourced. --- apparmor.d/groups/systemd/systemd-fsckd | 2 +- apparmor.d/groups/systemd/systemd-nsresourced | 38 +++++++++++++++++++ .../groups/systemd/systemd-nsresourcework | 22 +++++++++++ .../groups/systemd/systemd-stdio-bridge | 22 +++++++++++ dists/flags/main.flags | 2 + 5 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/systemd/systemd-nsresourced create mode 100644 apparmor.d/groups/systemd/systemd-nsresourcework create mode 100644 apparmor.d/groups/systemd/systemd-stdio-bridge diff --git a/apparmor.d/groups/systemd/systemd-fsckd b/apparmor.d/groups/systemd/systemd-fsckd index 33a433a09..7abde7c90 100644 --- a/apparmor.d/groups/systemd/systemd-fsckd +++ b/apparmor.d/groups/systemd/systemd-fsckd @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-fsckd -profile systemd-fsckd @{exec_path} { +profile systemd-fsckd @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced new file mode 100644 index 000000000..d1beae428 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-nsresourced @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-nsresourced +profile systemd-nsresourced @{exec_path} { + include + include + + capability bpf, + capability perfmon, + capability sys_resource, + + signal receive set=usr2 peer=systemd-nsresourced//&systemd-nsresourcework, + + @{exec_path} mr, + + @{lib}/systemd/systemd-nsresourcework Px -> systemd-nsresourced//&systemd-nsresourcework, + + @{run}/systemd/nsresource/ rw, + @{run}/systemd/nsresource/** rw, + + @{sys}/devices/kprobe/type r, + @{sys}/fs/bpf/ r, + @{sys}/fs/bpf/systemd/ rw, + @{sys}/fs/bpf/systemd/userns-restrict/{,**} rw, + @{sys}/fs/cgroup/system.slice/systemd-nsresourced.service/memory.pressure rw, + @{sys}/kernel/btf/vmlinux r, + @{sys}/kernel/security/lsm r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework new file mode 100644 index 000000000..734717c44 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-nsresourcework @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-nsresourcework +profile systemd-nsresourcework @{exec_path} { + include + + capability sys_resource, + + signal send set=usr2 peer=systemd-nsresourced, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-stdio-bridge b/apparmor.d/groups/systemd/systemd-stdio-bridge new file mode 100644 index 000000000..5f3bc2e36 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-stdio-bridge @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/systemd-stdio-bridge +profile systemd-stdio-bridge @{exec_path} flags=(attach_disconnected) { + include + include + include + + signal send set=term peer=@{p_systemd}, + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2d1f96c1f..3a0b70264 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -346,6 +346,8 @@ systemd-inhibit attach_disconnected,complain systemd-journald attach_disconnected,mediate_deleted systemd-mount complain systemd-network-generator complain +systemd-nsresourced complain +systemd-nsresourcework complain systemd-portabled complain systemd-remount-fs complain systemd-resolve complain From 3e0c3067d89b3d87cf093d5a2ea6863c2e890142 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 4 May 2025 20:05:54 +0200 Subject: [PATCH 073/798] feat(profile): systemd: add some generators --- .../systemd-generator-friendly-recovery | 23 ++++++++++++++ .../groups/systemd/systemd-generator-rc-local | 28 +++++++++++++++++ .../groups/systemd/systemd-generator-snapd | 20 ++++++++++++ .../systemd/systemd-generator-sshd-socket | 28 +++++++++++++++++ .../groups/systemd/systemd-generator-sysv | 31 +++++++++++++++++++ dists/flags/main.flags | 5 +++ 6 files changed, 135 insertions(+) create mode 100644 apparmor.d/groups/systemd/systemd-generator-friendly-recovery create mode 100644 apparmor.d/groups/systemd/systemd-generator-rc-local create mode 100644 apparmor.d/groups/systemd/systemd-generator-snapd create mode 100644 apparmor.d/groups/systemd/systemd-generator-sshd-socket create mode 100644 apparmor.d/groups/systemd/systemd-generator-sysv diff --git a/apparmor.d/groups/systemd/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd/systemd-generator-friendly-recovery new file mode 100644 index 000000000..1af9fe22f --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-generator-friendly-recovery @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/friendly-recovery +profile systemd-generator-friendly-recovery @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/cat rix, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-rc-local b/apparmor.d/groups/systemd/systemd-generator-rc-local new file mode 100644 index 000000000..3e8bec6c5 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-generator-rc-local @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-rc-local-generator +profile systemd-generator-rc-local @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-snapd b/apparmor.d/groups/systemd/systemd-generator-snapd new file mode 100644 index 000000000..8544a7938 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-generator-snapd @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/snapd-generator +profile systemd-generator-snapd @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{PROC}/1/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-sshd-socket b/apparmor.d/groups/systemd/systemd-generator-sshd-socket new file mode 100644 index 000000000..f08df7d90 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-generator-sshd-socket @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/sshd-socket-generator +profile systemd-generator-sshd-socket @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + + @{etc_ro}/ssh/sshd_config r, + @{etc_ro}/ssh/sshd_config.d/{,*} r, + + @{run}/systemd/generator/ssh.socket.d/{,*} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-generator-sysv b/apparmor.d/groups/systemd/systemd-generator-sysv new file mode 100644 index 000000000..4feb65d51 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-generator-sysv @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-sysv-generator +profile systemd-generator-sysv @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + /etc/init.d/{,**} r, + /etc/rc@{int}.d/{,**} r, + + @{run}/systemd/generator.late/* w, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 3a0b70264..adced30c9 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -329,14 +329,19 @@ systemd-generator-debug attach_disconnected,complain systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain +systemd-generator-friendly-recover attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain systemd-generator-hibernate-resume attach_disconnected,complain systemd-generator-integritysetup attach_disconnected,complain systemd-generator-ostree attach_disconnected,complain +systemd-generator-rc-local attach_disconnected,complain systemd-generator-run attach_disconnected,complain +systemd-generator-snapd attach_disconnected,complain +systemd-generator-sshd-socket attach_disconnected,complain systemd-generator-system-update attach_disconnected,complain +systemd-generator-sysv attach_disconnected,complain systemd-generator-user-autostart attach_disconnected,complain systemd-generator-user-environment attach_disconnected,complain systemd-generator-veritysetup attach_disconnected,complain From 74dcf2defc35609514354e8e99848874bc9de86d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 4 May 2025 20:31:10 +0200 Subject: [PATCH 074/798] feat(profile): systemd: improve some ctl tools. --- apparmor.d/groups/systemd/bootctl | 2 ++ apparmor.d/groups/systemd/busctl | 13 +++++++++++++ apparmor.d/groups/systemd/coredumpctl | 3 ++- apparmor.d/groups/systemd/localectl | 7 +++++++ apparmor.d/groups/systemd/loginctl | 18 +++++++++++++++++- apparmor.d/groups/systemd/resolvectl | 2 ++ 6 files changed, 43 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 28c2851fa..12fcceaea 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -15,6 +15,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { capability mknod, capability net_admin, + capability sys_resource, signal (send) peer=child-pager, @@ -36,6 +37,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { /{boot,efi}/loader/entries.srel w, /{boot,efi}/loader/random-seed w, + /etc/kernel/entry-token r, /etc/machine-id r, /etc/machine-info r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 8b32b348f..c31b28836 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -34,6 +34,19 @@ profile busctl @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Monitoring member=BecomeMonitor peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionCredentials,ListNames,ListActivatableNames} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Monitoring + member=BecomeMonitor + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionCredentials,ListNames,ListActivatableNames} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index e77f326fe..d1ee1141c 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -10,8 +10,9 @@ include @{exec_path} = @{bin}/coredumpctl profile coredumpctl @{exec_path} flags=(complain) { include - include include + include + include include capability dac_read_search, diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index db8e7b21b..7a5c67623 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -10,9 +10,14 @@ include profile localectl @{exec_path} { include include + include capability net_admin, + signal send set=cont peer=child-pager, + + #aa:dbus talk bus=system org.freedesktop.locale1 label=systemd-localed + @{exec_path} mr, @{pager_path} rPx -> child-pager, @@ -20,6 +25,8 @@ profile localectl @{exec_path} { /usr/share/kbd/keymaps/{,**} r, + owner @{PROC}/@{pid}/cgroup r, + include if exists } diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index a6406ab70..c65bb4edd 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -9,9 +9,10 @@ include @{exec_path} = @{bin}/loginctl profile loginctl @{exec_path} flags=(attach_disconnected) { include - include include + include include + include include capability net_admin, @@ -26,6 +27,21 @@ profile loginctl @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, @{bin}/ssh rPx, + /etc/machine-id r, + + @{run}/log/journal/ r, + + /var/lib/systemd/catalog/database r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index dc3090c5a..5c436f6c1 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -13,6 +13,8 @@ profile resolvectl @{exec_path} { include include + signal send set=cont peer=child-pager, + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved @{exec_path} mr, From 37f70a0030f99cd48932182103ed56d0dda112fe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 4 May 2025 20:33:18 +0200 Subject: [PATCH 075/798] feat(abs): minor abstraction improvement. --- apparmor.d/abstractions/app-open | 2 ++ apparmor.d/abstractions/app/firefox | 1 + apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 | 4 ++++ apparmor.d/abstractions/common/app | 3 +-- apparmor.d/abstractions/gstreamer | 2 +- apparmor.d/abstractions/webkit | 4 +++- apparmor.d/abstractions/wine | 1 + 7 files changed, 13 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 73b2e4580..8c74d1f08 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -60,6 +60,8 @@ # Backup @{lib}/deja-dup/deja-dup-monitor PUx, + @{bin}/gnome-session-quit rPx, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 602651587..73cb82070 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -98,6 +98,7 @@ owner @{tmp}/@{name}/* rwk, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, + owner @{tmp}/remote-settings-startup-bundle- w, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/tmp-*.xpi rw, diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index d15d5c5ba..feaced7c3 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -5,6 +5,10 @@ abi , #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue + dbus send bus=system path=/org/freedesktop/GeoClue2/Agent + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=org.freedesktop.DBus, label=geoclue), dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index f2201bd64..cc802ef06 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -34,8 +34,7 @@ dbus bus=session, dbus bus=system, - /usr/cache/** r, - /usr/local/{,**} r, + /usr/** r, /usr/share/** rk, /etc/{,**} r, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 10655740a..7fc20c293 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -32,7 +32,7 @@ # If one is blocked the next is used instead. # The orcexec file is placed under /home/user/ also when the /tmp/ dir is mounted with the noexec flag. owner @{run}/user/@{uid}/orcexec.@{rand6} mrw, - #owner /tmp/orcexec.* mrw, + owner @{tmp}/orcexec.@{rand6} mrw, #owner @{HOME}/orcexec.* mrw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit index c4410d026..9481d4fec 100644 --- a/apparmor.d/abstractions/webkit +++ b/apparmor.d/abstractions/webkit @@ -8,7 +8,7 @@ mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info, - @{bin}/xdg-dbus-proxy rix, + @{bin}/xdg-dbus-proxy rix, # TODO: stack me @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, @@ -26,6 +26,8 @@ owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw, owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw, + @{sys}/firmware/acpi/pm_profile r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 139b03450..28d15cf76 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -11,6 +11,7 @@ owner @{tmp}/.wine-@{uid}/ rw, owner @{tmp}/.wine-@{uid}/** rwk, + owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, From b07be6863656e351ad0c19add7753c65e9066b2b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 4 May 2025 20:38:15 +0200 Subject: [PATCH 076/798] fix(profile): directive format in localectl. --- apparmor.d/groups/systemd/localectl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 7a5c67623..b49065fd7 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -16,7 +16,7 @@ profile localectl @{exec_path} { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system org.freedesktop.locale1 label=systemd-localed + #aa:dbus talk bus=system name=org.freedesktop.locale1 label=systemd-localed @{exec_path} mr, From bb58c07871876838713bc4a50368f37c35690158 Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Sat, 10 May 2025 01:56:01 +0800 Subject: [PATCH 077/798] offices_names: add wps --- apparmor.d/tunables/multiarch.d/programs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index d6b8e424f..198776f9b 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -85,7 +85,7 @@ @{archive_viewers_names} = engrampa file-roller xarchiver # Office suites -@{offices_names} = libreoffice soffice +@{offices_names} = libreoffice soffice wps # Help @{help_names} = yelp From 29a352d78ffb8cd85dc194278d0d8d6fc87dcfb5 Mon Sep 17 00:00:00 2001 From: gjpin <3874515+gjpin@users.noreply.github.com> Date: Sun, 4 May 2025 16:16:58 +0100 Subject: [PATCH 078/798] feat(profile): xdg-permission-store: allow screencast --- apparmor.d/groups/freedesktop/xdg-permission-store | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 81c6fd1cb..3b15d9688 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -47,6 +47,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, + owner @{user_share_dirs}/flatpak/db/screencast r, include if exists } From e044fbe5656763632e8b9551ae350096ce759c8d Mon Sep 17 00:00:00 2001 From: gjpin <3874515+gjpin@users.noreply.github.com> Date: Sun, 4 May 2025 14:23:03 +0100 Subject: [PATCH 079/798] git//ssh: allow execution of ksshaskpass --- apparmor.d/profiles-g-l/git | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 71bace3c3..457e79d2a 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -132,6 +132,7 @@ profile git @{exec_path} flags=(attach_disconnected) { network netlink raw, @{bin}/ssh mr, + @{bin}/ksshaskpass ix, @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, From 8697a6a7e1d78f99ee2ee19cd10dfca6d4ccaaa5 Mon Sep 17 00:00:00 2001 From: beroal Date: Wed, 14 May 2025 18:40:40 +0300 Subject: [PATCH 080/798] `cheese`: video capturing (#730) --- apparmor.d/profiles-a-f/cheese | 53 ++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 apparmor.d/profiles-a-f/cheese diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese new file mode 100644 index 000000000..cadd1beab --- /dev/null +++ b/apparmor.d/profiles-a-f/cheese @@ -0,0 +1,53 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/cheese +profile cheese @{exec_path} { + include + include + include + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + @{bin}/bwrap Px -> gnome-desktop-thumbnailers, + @{open_path} rPx -> child-open-help, + + @{system_share_dirs}/gnome-video-effects/{,*.effect} r, + @{system_share_dirs}/ladspa/rdf/{,**} r, + @{system_share_dirs}/thumbnailers/{,*.thumbnailer} r, + + /etc/machine-id r, + + owner @{HOME}/ r, # file save dialog + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_videos_dirs}/{,**} rw, + + owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/ r, + + @{run}/udev/data/c@{dynamic}:@{int} r, + owner @{tmp}/flatpak-seccomp-@{rand6} rw, + owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + + @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/media@{int} rw, + /dev/video@{int} rw, + + include if exists +} + +# vim:syntax=apparmor From f83e24b1b7a9c2bcc9ff326c3bec08335cea8735 Mon Sep 17 00:00:00 2001 From: tpaau-17DB <113297655+tpaau-17DB@users.noreply.github.com> Date: Wed, 14 May 2025 20:17:06 +0000 Subject: [PATCH 081/798] Add profile for spotdl. (#736) * Add profile for spotdl. * Change `rpx` to `rPx` * Remove copyright --- apparmor.d/profiles-a-f/ffmpeg | 1 + apparmor.d/profiles-s-z/spotdl | 40 ++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 apparmor.d/profiles-s-z/spotdl diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index 5196881a7..8633444d8 100644 --- a/apparmor.d/profiles-a-f/ffmpeg +++ b/apparmor.d/profiles-a-f/ffmpeg @@ -28,6 +28,7 @@ profile ffmpeg @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/.Xauthority r, + owner @{HOME}/.spotdl/** rw, # For spotdl owner @{user_music_dirs}/** rw, owner @{user_videos_dirs}/** rw, diff --git a/apparmor.d/profiles-s-z/spotdl b/apparmor.d/profiles-s-z/spotdl new file mode 100644 index 000000000..be31bb0d0 --- /dev/null +++ b/apparmor.d/profiles-s-z/spotdl @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 tpaau-17DB +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/spotdl +profile spotdl @{exec_path} { + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + + @{exec_path} mr, + @{python_path} r, + + @{bin}/ffmpeg rPx, + @{bin}/ffprobe rPx, + + owner @{user_music_dirs}/{,**} rwk, + + owner @{HOME}/.spotdl/** rw, + + owner @{user_cache_dirs}/spotdl/{,**} rw, + owner @{user_config_dirs}/spotdl/{,**} rw, + + owner @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor From 888954744f0e45b42d188f237a609a0fc3da7089 Mon Sep 17 00:00:00 2001 From: Yifan Zhu Date: Tue, 6 May 2025 18:34:43 -0700 Subject: [PATCH 082/798] fix(abstractions): allow link in thumbnail write --- apparmor.d/abstractions/thumbnails-cache-write | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index 5e64fc66f..e3b559418 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write @@ -10,7 +10,7 @@ owner @{user_cache_dirs}/thumbnails/ w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png wl, - owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} w, + owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} wl, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ w, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png w, From be0b63724c8cc61d2f1cafc20d9ba4551e6cc5e2 Mon Sep 17 00:00:00 2001 From: beroal Date: Wed, 14 May 2025 23:19:27 +0300 Subject: [PATCH 083/798] `v4l2-ctl`: a CLI utility for managing webcams (#731) * v4l2-ctl * abi 3 to 4 --- apparmor.d/profiles-s-z/v4l2-ctl | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 apparmor.d/profiles-s-z/v4l2-ctl diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl new file mode 100644 index 000000000..e398049de --- /dev/null +++ b/apparmor.d/profiles-s-z/v4l2-ctl @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/v4l2-ctl +profile v4l2-ctl @{exec_path} { + include + include + include + + @{exec_path} mr, + + /dev/media@{int} rw, + /dev/video@{int} rw, + + include if exists +} + +# vim:syntax=apparmor From c972607ca47bcb2a69771aa8b2adbb62790cd177 Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Fri, 25 Apr 2025 16:48:58 +0300 Subject: [PATCH 084/798] wmname --- apparmor.d/groups/freedesktop/wmname | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 apparmor.d/groups/freedesktop/wmname diff --git a/apparmor.d/groups/freedesktop/wmname b/apparmor.d/groups/freedesktop/wmname new file mode 100644 index 000000000..1d2c7aa23 --- /dev/null +++ b/apparmor.d/groups/freedesktop/wmname @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/wmname +profile wmname @{exec_path} { + include + include + + @{exec_path} mr, + owner @{HOME}/.Xauthority r, + + include if exists +} + +# vim:syntax=apparmor From 10966661916160134fd86af30a03f6958470db03 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 14 May 2025 22:36:46 +0200 Subject: [PATCH 085/798] feat(profile): general minor update. --- apparmor.d/groups/firewall/firewalld | 1 + apparmor.d/groups/freedesktop/wireplumber | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 ++ apparmor.d/groups/gnome/gnome-desktop-thumbnailers | 3 +++ apparmor.d/groups/gnome/gsd-sound | 2 +- apparmor.d/groups/gvfs/gvfsd-computer | 1 + apparmor.d/groups/polkit/pkexec | 1 + apparmor.d/groups/polkit/polkitd | 2 +- apparmor.d/groups/snap/snapd | 1 + apparmor.d/groups/utils/uuidd | 1 + apparmor.d/groups/utils/whereis | 1 + apparmor.d/profiles-a-f/finalrd | 9 ++++++--- apparmor.d/profiles-g-l/gtk-query-immodules | 2 +- apparmor.d/profiles-g-l/kerneloops-applet | 6 +++++- apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 1 + apparmor.d/profiles-m-r/power-profiles-daemon | 1 + apparmor.d/profiles-s-z/wpa-supplicant | 1 + 17 files changed, 29 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 7a6b7a9cf..ddf0291ee 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -33,6 +33,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{python_path} r, @{bin}/ r, + @{sbin}/ r, @{bin}/alts rix, @{sbin}/ebtables-legacy rix, @{sbin}/ebtables-legacy-restore rix, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 7d0836f7a..aa6928298 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -50,6 +50,7 @@ profile wireplumber @{exec_path} { owner @{user_config_dirs}/wireplumber/{,**} r, owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, /dev/shm/lttng-ust-wait-@{int} r, owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index ff4a6730a..b77ad03d7 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -61,7 +61,9 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { owner /var/lib/xkb/server-@{int}.xkm rw, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, owner @{gdm_config_dirs}/dconf/user r, + owner /var/lib/gdm3/greeter-dconf-defaults r, owner @{tmp}/runtime-*/xauth_@{rand6} r, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 436d82443..8c637920b 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -27,6 +27,9 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{tmp}/gnome-desktop-thumbnailer.png w, owner @{tmp}/gsf-thumbnailer-@{rand6} rw, + owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, + owner /dev/shm/lttng-ust-wait-@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 07a6ff6ed..871203e6c 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -16,7 +16,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(term, hup) peer=gdm*, + signal receive set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Sound diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 0a520d138..6eebca738 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -13,6 +13,7 @@ profile gvfsd-computer @{exec_path} { include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/pkexec b/apparmor.d/groups/polkit/pkexec index f4fc76639..8c6d868da 100644 --- a/apparmor.d/groups/polkit/pkexec +++ b/apparmor.d/groups/polkit/pkexec @@ -21,6 +21,7 @@ profile pkexec @{exec_path} { @{exec_path} mr, @{bin}/* PUx, + @{sbin}/* PUx, @{lib}/** PUx, /opt/*/** PUx, /usr/share/** PUx, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 46d7adc60..4dc1380c0 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -20,7 +20,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, audit capability net_admin, - ptrace (read), + ptrace read, #aa:dbus own bus=system name=org.freedesktop.PolicyKit1 diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index b3ee8a5da..38d803655 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -150,6 +150,7 @@ profile snapd @{exec_path} { @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, + @{run}/mount/utab.act rk, @{run}/snapd*.socket rw, @{run}/snapd/{,**} rw, @{run}/snapd/lock/*.lock rwk, diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/groups/utils/uuidd index 0f03325c8..787914537 100644 --- a/apparmor.d/groups/utils/uuidd +++ b/apparmor.d/groups/utils/uuidd @@ -16,6 +16,7 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner /var/lib/libuuid/clock.txt rwk, + owner /var/lib/libuuid/clock-cont.txt rwk, @{run}/uuidd/request rw, @{att}/@{run}/uuidd/request rw, diff --git a/apparmor.d/groups/utils/whereis b/apparmor.d/groups/utils/whereis index 32d4ffa51..36e457998 100644 --- a/apparmor.d/groups/utils/whereis +++ b/apparmor.d/groups/utils/whereis @@ -15,6 +15,7 @@ profile whereis @{exec_path} { @{exec_path} mr, @{bin}/{,*/} r, + @{sbin}/{,*/} r, @{lib}/ r, @{lib}/go-*/bin/ r, /usr/{local/,}games/ r, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index 74c6ad3b1..bc6c4cf62 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -42,8 +42,9 @@ profile finalrd @{exec_path} { @{lib}/systemd/systemd-shutdown rPx, /usr/share/finalrd/*.finalrd rix, - @{lib}/{,*} r, @{bin}/{,*} r, + @{lib}/{,*} r, + @{sbin}/{,*} r, /usr/share/finalrd/{,**} r, /usr/share/initramfs-tools/hook-functions r, @@ -54,10 +55,11 @@ profile finalrd @{exec_path} { / r, - @{run}/initramfs/{,**} rw, @{run}/ r, - @{run}/mount/ r, @{run}/finalrd-libs.conf rw, + @{run}/initramfs/{,**} rw, + @{run}/mount/ r, + @{run}/mount/utab r, @{PROC}/@{pid}/mountinfo r, @@ -66,6 +68,7 @@ profile finalrd @{exec_path} { include @{bin}/* mr, + @{sbin}/* mr, @{lib}/@{multiarch}/ld-linux-*so* mrix, include if exists diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index 46aece91a..509769698 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 +@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* profile gtk-query-immodules @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index 8f5e66cbc..758ead716 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -10,8 +10,12 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include + include + include + include + include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index cf51936da..3484ea298 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -21,6 +21,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { /usr/share/misc/ r, /usr/share/misc/intel-microcode* r, + /etc/default/amd64-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index fe4e35724..43f27b2fc 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -12,6 +12,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include + include include capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index 24f87b5a7..b20c6f1b4 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -42,6 +42,7 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { @{user_config_dirs}/cat_installer/*.pem r, owner @{run}/wpa_supplicant/{,**} rw, + owner @{run}/netplan/* r, @{sys}/devices/@{pci}/ieee*/phy@{int}/name r, From 415c09ca88c8ed25e023174acaf4d97b69a49dea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 14 May 2025 22:43:58 +0200 Subject: [PATCH 086/798] feat(tunable): add alias from which.debianutils to which. --- apparmor.d/abstractions/app/editor | 4 ++-- apparmor.d/groups/apt/apt-listchanges | 2 +- apparmor.d/groups/apt/aptitude | 3 +-- apparmor.d/groups/browsers/brave-wrapper | 2 +- apparmor.d/groups/browsers/chrome-wrapper | 2 +- apparmor.d/groups/browsers/msedge-wrapper | 2 +- apparmor.d/groups/cron/cron-apt-compat | 2 +- apparmor.d/groups/cron/cron-apt-xapian-index | 2 +- apparmor.d/groups/cron/cron-aptitude | 2 +- apparmor.d/groups/cron/cron-mlocate | 2 +- apparmor.d/groups/cron/cron-plocate | 2 +- apparmor.d/groups/cron/cron-popularity-contest | 2 +- apparmor.d/groups/display-manager/x11-xsession | 2 +- apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/network/openvpn | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/profiles-a-f/anyremote | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 2 +- apparmor.d/profiles-a-f/claws-mail | 2 +- apparmor.d/profiles-g-l/ganyremote | 2 +- apparmor.d/profiles-g-l/gsmartcontrol-root | 2 +- apparmor.d/profiles-g-l/kanyremote | 2 +- apparmor.d/profiles-m-r/mumble-overlay | 2 +- apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version | 2 +- apparmor.d/profiles-m-r/openbox | 2 +- apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/update-pciids | 2 +- apparmor.d/profiles-s-z/uupdate | 2 +- apparmor.d/profiles-s-z/xinit | 2 +- apparmor.d/tunables/multiarch.d/system | 3 +++ 32 files changed, 35 insertions(+), 33 deletions(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index d21930d81..1c0b87e6a 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -12,8 +12,8 @@ @{sh_path} rix, @{bin}/nvim mix, @{bin}/sensible-editor mr, - @{bin}/vim{,.*} mrix, - @{bin}/which{,.debianutils} ix, + @{bin}/vim{,.*} mrix, + @{bin}/which rix, /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index dbbba9d4d..559e58504 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -87,7 +87,7 @@ profile apt-listchanges @{exec_path} { @{bin}/ r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, owner @{HOME}/.less* rw, diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index eb8a8cd8d..e3a6a794b 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -174,8 +174,7 @@ profile aptitude @{exec_path} flags=(complain) { @{bin}/ r, @{editor_path} mrix, @{sh_path} rix, - - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, owner @{HOME}/.less* rw, owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper index b4f70689c..7001da3fe 100644 --- a/apparmor.d/groups/browsers/brave-wrapper +++ b/apparmor.d/groups/browsers/brave-wrapper @@ -23,7 +23,7 @@ profile brave-wrapper @{exec_path} { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{lib_dirs}/brave rPx, diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper index 709eb79a1..0a97d4052 100644 --- a/apparmor.d/groups/browsers/chrome-wrapper +++ b/apparmor.d/groups/browsers/chrome-wrapper @@ -22,7 +22,7 @@ profile chrome-wrapper @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{lib_dirs}/chrome rPx, diff --git a/apparmor.d/groups/browsers/msedge-wrapper b/apparmor.d/groups/browsers/msedge-wrapper index 8268db2e1..3da31e332 100644 --- a/apparmor.d/groups/browsers/msedge-wrapper +++ b/apparmor.d/groups/browsers/msedge-wrapper @@ -22,7 +22,7 @@ profile msedge-wrapper @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{lib_dirs}/msedge rPx, diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index fcf5e4430..1778d4b7e 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -22,7 +22,7 @@ profile cron-apt-compat @{exec_path} { @{bin}/dd rix, @{bin}/cksum rix, @{bin}/cut rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/sleep rix, include if exists diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index f264de78c..83eb22428 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -14,7 +14,7 @@ profile cron-apt-xapian-index @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/{,e}grep rix, @{bin}/nice rix, diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude index 76657dc94..a471b2844 100644 --- a/apparmor.d/groups/cron/cron-aptitude +++ b/apparmor.d/groups/cron/cron-aptitude @@ -17,7 +17,7 @@ profile cron-aptitude @{exec_path} { @{bin}/cp rix, @{bin}/date rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/dirname rix, @{bin}/rm rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index f0757187a..ec9690938 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -15,7 +15,7 @@ profile cron-mlocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 742531b41..0604eba3a 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -15,7 +15,7 @@ profile cron-plocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index c4b9de0b3..63a664096 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -74,7 +74,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/mv rix, @{bin}/rm rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{sh_path} rix, /var/log/ r, diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 445531691..4eb916aab 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -34,7 +34,7 @@ profile x11-xsession @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 03e77816c..9804ddcb0 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -35,7 +35,7 @@ profile gdm-xsession @{exec_path} { @{bin}/tr rix, @{bin}/truncate rix, @{bin}/tty rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index c7478292c..e5489c2b4 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -47,7 +47,7 @@ profile gsd-xsettings @{exec_path} { @{bin}/cat rix, @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/busctl rPx, @{bin}/pactl rPx, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 8034d7e54..c4c24efc9 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -56,7 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/umount rPx, @{bin}/uname rix, - @{bin}/which{.debianutils,} rix, + @{bin}/which rix, @{bin}/zfs rPx, @{bin}/zpool rPx, /etc/grub.d/{,**} rix, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 5623901fb..f4fcfa50d 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -84,7 +84,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, @{sbin}/ip rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{sbin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 15c7f27ad..1307313d9 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -52,7 +52,7 @@ profile apport-gtk @{exec_path} { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index db67de319..6af2cd38d 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -41,7 +41,7 @@ profile anyremote @{exec_path} { @{bin}/tail rix, @{bin}/tr rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/convert-im6.q16 rCx -> imagemagic, @{bin}/killall rCx -> killall, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index a10df8394..43edd3233 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -20,7 +20,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { @{bin}/gzip rix, @{bin}/precat rix, @{bin}/prezip-bin rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/zcat rix, @{bin}/dpkg-trigger rPx, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index 7c5486c50..cecb0e22d 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -24,7 +24,7 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index 79f8c2fc7..b2dc7b92d 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -30,7 +30,7 @@ profile ganyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 10c1f445b..515d2234c 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -15,7 +15,7 @@ profile gsmartcontrol-root @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/pkexec rCx -> pkexec, diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 0e27fa5ae..10e085799 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -31,7 +31,7 @@ profile kanyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, @{bin}/head rix, diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index 8d17ef3d6..c077f3836 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -16,7 +16,7 @@ profile mumble-overlay @{exec_path} { @{sh_path} rix, @{bin}/file rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/glxgears rPx, diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index 0c3c669a0..655566c74 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -23,7 +23,7 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{bin}/rm rix, @{bin}/tail rix, @{bin}/tr rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/xz rix, /boot/intel-ucode.img r, diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index 15957b348..e4e8a36e2 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -58,7 +58,7 @@ profile openbox @{exec_path} { @{lib}/@{multiarch}/openbox-xdg-autostart rix, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, # Apps allowed to run @{bin}/* rPUx, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 4fdbb5a52..86d94c7a1 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -33,7 +33,7 @@ profile ucf @{exec_path} { @{bin}/seq rix, @{bin}/stat rix, @{bin}/tr rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/dpkg-query rpx, @{bin}/dpkg-divert rPx, diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index a40afd994..bba603690 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -24,7 +24,7 @@ profile update-pciids @{exec_path} { @{bin}/chmod rix, @{bin}/echo rix, @{bin}/cat rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/bunzip2 rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index 8858a80f1..eb26a4967 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -18,7 +18,7 @@ profile uupdate @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/basename rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/tr rix, @{bin}/{,e}grep rix, @{bin}/getopt rix, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index a332bd20b..61151a7db 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -35,7 +35,7 @@ profile xinit @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 6f7995c05..3f6e0f890 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -67,4 +67,7 @@ alias // -> /, +#aa:only apt +alias /usr/bin/which.debianutils -> /usr/bin/which, + # vim:syntax=apparmor From 877452519d3138bd4a98dc7ef3cd3dec78a5b9dc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 14 May 2025 22:49:58 +0200 Subject: [PATCH 087/798] feat(profile): unix-chkpwd: Add read capability to profile Following the Security Technical Implementation Guide, it is better to set the permissions to 0000 for the shadow file. However, since PAM version 1.6.0, after this change [0], unix-chkpwd will unconditionnaly read the shadow file. And with the previous restriction, the binary has an access denied to the shadow which blocks user authentications. Moreover the PAM changes is needed to fix the CVE-2024-10041. Giving the read capability to the unix-chkpwd profile allows it to function properly. See bug report [1]. [0] - https://github.com/linux-pam/linux-pam/pull/686 [1] - https://bugzilla.suse.com/show_bug.cgi?id=1241678 Signed-off-by: vlefebvre --- apparmor.d/profiles-s-z/unix-chkpwd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 4b7d35c32..7407a9f99 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -14,6 +14,7 @@ profile unix-chkpwd @{exec_path} { include capability audit_write, + capability dac_read_search, # To read shadow with 000 permissions. network netlink raw, From 36f9ae04582b48a06985ec79a3638ccb5a3fb64a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 14 May 2025 23:05:00 +0200 Subject: [PATCH 088/798] fix(profile): ensure deluser use sbin. --- apparmor.d/profiles-a-f/deluser | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 5262e9065..1f5d6f0a7 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/del{user,group} +@{exec_path} = @{sbin}/deluser @{sbin}/delgroup profile deluser @{exec_path} { include include From 04dc921eb1ee2fe164015417ec4898044d87ef8e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 15 May 2025 22:09:52 +0200 Subject: [PATCH 089/798] doc: rewrite the introduction page. --- docs/assets/avatar-icon.png | Bin 0 -> 34202 bytes docs/index.md | 150 ++++++++++++++++++++++++------------ docs/install.md | 4 +- docs/overview.md | 48 ++++++++++++ mkdocs.yml | 1 + 5 files changed, 153 insertions(+), 50 deletions(-) create mode 100644 docs/assets/avatar-icon.png create mode 100644 docs/overview.md diff --git a/docs/assets/avatar-icon.png b/docs/assets/avatar-icon.png new file mode 100644 index 0000000000000000000000000000000000000000..80170da1e99b85bc3ddf2a25ef03bf23d4284036 GIT binary patch literal 34202 zcmeFYhf`DE_XUcgC{0AAizo=F2uPQ%Qj{u6Q$mqm0zq0r=VJk+iGUQTBE2^u!X=;} zO?odOiAo7I^xobH{=V;jcr#BYaxJk{1g;dDb$qj>v@hX;7}i7!>@=tgwwY^+!i5zzFhd|>6hqOCk@vs-fFM0 zss+So|AaKw&!!5s)zOtK56Q~dZgoh@ilt!X4W+YSeq+?D$^Bfv z@SY0uEs7=l0j1}SOEfn==bsn)Z|UI~$>$q18!rhw%LQg89IBg@)o#a4Em72ZrUb3Hzf26Lp*Zh(;`6lN(d=XFrLe=0s2#=Yf{*;REiF3; zDq8(!i>5vV+wcqj-YVQB31>IKf)2BycDACKr^cGq_<5T5{f<5y{(WOhI(q$tlH#N= zh38WAU;!*~aos1`<>^o=D$@Cm>9PDL#%*6$D5Uq}Ob_W(kiF$XMjW z$ILw*m$josuj#{c?~kqaV)g!3aezy<#AZP3I)8MwS2;{6+H1V^P|+vNc+KbivC&?P z8|?p%6m|(clx;iEd0LSJ+4Ewq<{XtC<(j5 z&j^_vRP2Pj-K!Sa4a{_7WmN0CMszpRjj0ak9y{aBdXD0hDMjx6c-%@$0e4iZFuT=Q zgEBo^Motm;7Up2`pyWpN80E2#4Ts15w!%m5^)p0>1@PHR^N0#@$>i)!lpn1h)|jPO z-93Jbhs}wEiymW*Qe(TL+MR7gh-dpZMKqjL=c9UiXg`?mO8{?bQ!0-pC>oC)a&diXuplQ@{i|OK>lSUBZv^qSu$c-{ zwt6q-K|!9@#{g+%bf6zi$k9zoJ;Py#gH(= zqI_g?elTxhINZKK>~K(1WYT4Jkl()&A0lU6_#AS^9VD?akVm7RUxf~vK2fvm_psu4 zW*?|#3UP|4Mz)XbZ58be2GgAZKK^f)p_;I_6a9I#IIiD8ZFog);BIn1)NJSU)1ec; z0e^pon>^iIb0F%lcbxemMz=4L7gdq@i08f1^$WddM6H2pA8iu)=2>=RVnJ*NNAwjo z*B>&)b5y{BpZSUa1xz<3QPpR?Gid)*qTzrTD0|16QDOqAAN6zL(<|a`M_;c*ZP|71 zvQ!>cYDHZ3<-PggtClJ}W2JRWzI&YTqy7qcFZi1EJw;jhzDZKF8zIU)%qo$6mwJd5 z=h@_XFbf8v?UIovO141W>%aSj9dHFnR!)t=jxVggKGg0$-8)nAe1Zjl^*=z>H_`70+E2OsPG`52=rdYxCh(eD>NTmc*`- zjc{wT)@774z&B8H(nplE7j1CoI?o$Yef1uL`--%!_RM_$57dOgb0TYx`QBtlzw72F z^swS~+;yrmqby+%l zFV)kaWNBP!nX{Vm;*&>rJ7l^r6&B#9~0pjTAQ6;|;V7yySY8q^@`(xSK zy<7FJZ%8|bQsM!dh4~9gW=H>}`a4zlZ!Boc$?Q;{v38Uf^)_)8mTJoAE}LWnYwMvf zC^6;qQ&e!u3a{4h!rf}@GjDo!7ggoI9Z@pJfT&l=(Mph8!)doGBo93-JBE32x9lY|o+fK_E5a0a zHl23IDhmcKMeKh1o7~SKyEWI#V%pn?K4NV>$q zI{D&#_cgY)@?;-rp}kx2vQz+3a;wM0P~Kl6)rJ3E2$?pI7gE)QFDa);I_1}G#m;ZU zERAP3txXTDTS_y{4{N}XGf`l1=@Xi;6bb?R$f(i3lagBuKh0!H|NQA@V`nhCU9()p$F0NjqVW-e18k=S$XC zrfvB0BYGY=t9v(%wZe;NlTe~ZEMU7g(qV||tl7yzF~inxu!s(N?V2ZjnyNN`jgpc) zu<<1Wz#UoB*@Bt_E5%oe{AMNO*LIoxc25u6CuAl>ZQlLV89EYQpKxW=*Qzt|M9^t4 zWP;~+j9MR^s?BQGvsxXL?*(()8kDcG2GLuvt)|j?wGvTqP;n8L9)Y7V%%8%Xs;UqOb zry(3IBDWY=qj;#??L3~JV~Wq6Fp;NwG)wo$2Aagb)Q0_)tl2nLBjiEvHGZ?&kPrK! zRP#&49TNrpP%~6>Ft<{lFU$(tz`%<8QO?!(-E5zHh-{L{S==KGij^RS;If219l0N$ zKN?(}rDSuG)P`|)IgUgAos7qu^_VE<+TXuy`GzC8cf+;jeqU3#x>v{DA}zETsv-;MPH_4az0?pUc;QmVg4jKcoAEc^Cc-9DR%ac2ICoyAz&rC!XIXgwK!66X>1 z2NR>&SySxu3lhx<@arZ5LhCvPjF#?$SuC?yDYG0{$#Z>_fS_J~`UK}LZYaguydTLa z+uQWt$6@~HDrsWXLrp7)gMI99b1m}aq8)&Z-tgRDK?c{DJ&R0%KHK7AU^I8Q_D%}M zy$n%Ly5+YdFg(0pQ(gHRqr^2^9Rb_GN}*;Zb8f4_uFW!!ur6wgZ!CG*E{R-lPbrjlMX} zxp`ZOVwyUOEw&s?G*V-%=q>K+(P;2Fu{$7y6F%tIZ>y~7Z2flSLA}Y;?@G|OAUWxG zq{(ZbO(Au&`a=g3?-D=p)1yfv7Lj4r9QgI3OYy{_M7EsD*=clHfO1mKkugI ztTDEji4*#QTT8Sy zjfqR|PN=eHy%|RB)T^rcgH%&o9js(&EGJTNg5EiGTTdIhBmy)3jB^0oHdHMAqZD}E zlT_=Bm(TD}cdvFa;}ilIjIwu>y7a*62)+}HZ zQ;Xu_>Z8YFh1d{Y{4qJ%Xsvz^0ii*yg1Gsb*m#Gb^?ue%;Ws7ke3sg(%ZPAZ?2nT_ z>KHf^a9Y*dOcW9qU#~y!fB*Msb;l{rt>oA{?K;mI+qdQ!rrPV^K7pT*oq13|?jV-skfJNwq> z$*$*B&xp5Sg+6shS{n>>4o6E24ilsUZztjvkIiJO|0u#~>4hDr=$$=4ZZL5rJ+DFT zG}R!cvT7D;E1q+)=&w9^7+S$9KNqSHJ}%-&COejy+-k&yF75sVQsmZLsZ(Fw=jT3e3@|L>_V0wqT089m8aFsza!u`wQw3f_ z+`hzVP&ULyWRI+s>|QwO=FIf1b@x^Rkpz!3E2QmKc;n&nn4{% z=D);!BR#FBO71;#Uv!_OAwFN~6m7kItSu{Fbloo6?(?eI|FTxOszIF9uuV%pdxAwG zyP^P=v*ewX>y*Qq!=&X>q+{$5wVTo#%ywe?gVSG@hvb|s2&;LKTKwFYWQ7ZC!SB+Wt`nEEN3PlEce*Z#QPeH z?>!vbV+a;5-8>hReIM5&enXA@L+_aoK8$VBMzK?`Plye@$O3snkGE^i!u88?Mf-hT zMqa%;4o(Q07dpeo`@L{~loSw}Y@j@0#2BFw+E%3=>~xEQKe3WfHA5SBA5aQ~y0Arf zmvQ-{_|$-^IJ1|b#P#B(Oj8laSX`do zBF*VZytTXo2*{6mmbDlwZ>+e9F96Jb!QvN}7A+vt_MI1`k8PwIv=!-%>A`U%DswqESi_v5o#%QO0uAj?Ep&A#@k`TLjF z9jt(tk|b@Lm-Q(i^!u}O#e1D^4Q+D2zRT?Ad8Hk>KEFB8qTs^FS*j&tm*jEBu1~h= zxnIX=AaL$golvWk)J62xN*~V;Wb$0!TGvn(F(sovTWjjY$%zli(4MQ7V$f*wT>i|5 z;?Q$yoo&q9@0|M1R6XZ9rL}v0?%!TZ=k)I}}tVafT6EPsB2 zBH*5VrB=!p+AcXinDV%x+RYOSg+ia1d@Q>?)*|%fO_kc2r)#ei zOFMUycfJF3CFJHDZ7R-%tI(cBpZ@tiATv9gukyCh+@SyI`&TW)xf$8Zj0Rl3XlTHF zNeJl<5d$~TX-Zi&PRV@5#Ux&rVoK>1VM^AjMffCjR7{wT_~VJ%b~$ar|@Hv za}!Fkk^=Z%67H}oN!HM{FHcxI@4ypsd?Ee*3SQ>1`}{g*$sOj4)r|k&XMFq(?(n*H4}@T@E+- zLpZ+*?^}Q^#W1u#hyCmc6f7~@Q?zWhcd)nDKEk!}8amI|#aEta`KFGhoWBzP`oE|f zYyGiqc|9DbrV{U;0A?JhI^47@SNRI1-*<-LrDxO9qPb#rcX#c)3o_SE&65niO1;$P zyWdX>`Z$w%b|g~n%h}mbdNG?09XE$2D$5{6?U|zYl=GjUe>;@BgGWkD!rNt?Ny&`n z@jWokuh3glz)0UYCY(_HfBGikq>SUibNT;0r@iQeQo?slrHJt_5iQFSWMpKiG1kie z#=BR{Z?jVx?lbYp4oW%~FEO;5IA9!HSEum6nXQ+!%j6wPgOO8w4a${2npHUZLG^Zc zIp5}H%AD@QGwJ9789S7pCg!Qdqc5|k0WoKMas;D9OZ2ST1mjAZ=jM6V@ zyxKAdr*oTG*Oo~AVCj@c@(jqO2@ve!SqxyzTomT9oN*kB%!HhiSI%Ru(beg*P&#?f zOQ$%ktf?LdlXKJ?;5V90M65u60Hv&yeQOJO+}GwPs~KzWMo)JzWI3mB{9>)c`q5c( zOnkq)F1IpYUiXa`h7ZR0jEmW58fs{`{U}XRKan>}{}yl2OB%ZKKp4P!POW;HWWzCD zJ&KJ(CzQg&qhbag&IqcHkX|2$o}NiH7U%wLy=p2YefqMSms=q2d^-Bhn90AD1*%s< z*A!u<_M~xXm0%oW`qn9DtM))7T0zM<#`xn8u$X(Dd3t1jrdHMV=MWvd)`D^FGmF3- z)At})TDsJupKa&KmJp0Zpp+_mSDDX2Z6z9}$*+54!;!}w7^z!0Qnu2UEkWlMb1CH+ zPF0AO3^Lk52b7Wmx^{vddW$#z3X%IQwNHwWQk<;vre*2&9ZVd}&q{{X%IXrd-9026 zXR>go$<_>XKttEKV5Vw`vbJ4s8xY$&s`QxSuYXsr{)JDTJ2F@VgIv)SEODN2GjcG& zFGLDR44MygMjZN@nQ5l**IasrJx~02aS_2IrwGE6LL$BXAmOzOJHZ3On*DS-t(#5tnS z-cZ0BSxNicwQq)dR@Xb*Ov}tqnoIf7?an)UQ!bK6)d`#XdUn-`Oan8?-f7-HA(tfo zF?Udj@E;*!xWq(H*9%p5&R8p2`1#57dOheGYKgwuhK#R1_C$Wi79aCRe;$9{_3kc{8#=m*o zPa?~T<$FbdvnE67K?34yF~+OC#pwtJn~s?rclmN-fwS0CHbAZsvGgV}aqzJs;qvQ! z|GxU52mtih+44R}wMK-^%;H>r%HY36yo$CoX%ES-1Or@!=T4xsTuPR% z(Env4wO8!xpL1mc;oIop)y{|%Q(B_#ez5dvqdrRQ)Ih#o zEjh?M1~ou&o*Tu)q0WYEbfVflGcbr-RQVs~BU1St+^mCYe{}B6EiHBMk5$l{=^JQz3>ECft-86r%Gb{fhPDa6Ad)G_W9?( zU?XjFhWUr6w2{k{{CPwvQmWHvW4p#eNtaPT^5dO__jH)7=a^UjIE#hdiG+|eGjvRl zfZH@Rl3vbm>OAhAOvIPsP9F~d9|7Uv)}G|t6eJpCq9!Ujx0Gi5KX(NlZf4Nn$A*?K zvYtV06IKmG7qYt}se}HHL{OUH))&Z`Va`Obwpqd#;!v-wt>aAV&wgyE>sDcGzzN{r| zs842y-w{{Fa8ZT&OEO18Q}Rx`_H1rm0$fNXO3F7Xfu_^{LhIxr0`UfWU>uJc>iDEj z5B)iyyY%dT`lMsFP~Wgh&Xb=Yiqp-r|;1&rnefV6jPJ>wH+;DI(*N z5xEe`4@06H{n539^w6wZZhe5>j8+v?KXvLPSdEU~F{^kzpSN#MGLA=&nM;|?SRXT= zjtAvm!?$0drq!w`&Pod zu1@zWJTJJy1;h8Nc25-Yg&#@weD>HCzjEFiaN;Wmhey>ES6#i`wLX|BpD*(D|g@aw6A3(JRmFS zTg%lr`o@ni|Jd>5)BcMYErQM(8XEeI#n(C2DxtQeSZ{#~>EvvBFKY)+3NpVnx{9B} z`R`&^yK)^y7UyOM|LQ^Ta?-0Fa&G9{nSI*oZ>z4oQaqwVDd^1G zQ2fym6~QUnni$@*H+%kgGr8eZdravii^UibX_VBGxo9-Pswv1KP|!K60fAal6U3vd zb4xk=3+_J8%(q0Kkf4nq^m@WK)SNzbv>s>x67u(?tJwTGtaT{uBW zz>qJ1^ajLuBg+cf%l7rL4aclhiHzZ_Mm*Fzr!XsU{NmB?_YsxV7D^!vi0-z?%9n)Z z+KCupG7(Tq<9Ye;l~iEwn$h)(B>mHkh+UrclI$tLr!cI&0|IdiJ|fXP(-YR+K5377 zsG0Y2hor>r`u^Akxm<(x4i<}CH&=#|@EZ?*M4&YoVJ5(^4e7r+b7;9uG`CrG@H6) z5XjX`^KUpb@7jgq#4Wu49!jqQhr>C*MyQia_-B{Hx{1jU%&{WLZ~RPAzwOE?b6Q}y z@7q7eB5$n>8Gr(E>lfYWhT>>9FF)fl^Y2?A>0CxaK93!G>$G@jp=%F>$rR^Okb*?N z9MK9cXEJQ>v=(v}85->pdn!e9Bvus-Wu1e#|9MH(=__=R4*D|1 zSz^^LyHlEkBZ0hdfgD#SE=>kNvMZ%YU7CgMu&?_9l9#xUSy79K>PDe|F=2X$hIr3H z7EM7bG%$Qf5UvA>erhf?&If8gvS7-yT`bA^zFQf3P*{o+)B+hxM4&i&`u6fdD7%6D zX^I>5*`R*rXermMNG@GLmk2Jc%LzzM$|{&cvds%`^{5`Z;j622QP^js5r%}Anx+#T(jNql8egFm{z4AF9bLHeD6b! z8>-}X0C2{0|JX@ua+OWg_-64&;7)e1nJ>b#DKZ%w?()0ADRd-lMI0I>Shq?ilJWK# z?*)lAcA9m6%QyPeSZuuNgL8*a6L+2|xp|4Te1*2G%5fWa|6%79)gKTk&2}h_D@diU zwJPu=NvEI2_yrfm{l9Kc8@#!Yje8*%kJ)=yFKiJp+EA?AE~`B%=zN!i!|+$m6h%l} zL^jg@jXUHE*& zP^-Igh-7emLH+4-(IfD;)ZatL0ioJvtJab-9Cl-}Hk`1V8R z1!$@O`xfQLBGI=%wFTm(bgC19f=e$1fk0F*3b{rR>P?^eabzX(;|OLD3cFVAR(IWP z`#Y<-y@k0Ho15{UJF)Y1U3K^77B?M|sj8d?dQ4CS*1b6srXlTEAl%O)Fn`q&M*9k?`M%tURhQpILC&S9TU2ljM+Rp_AN z2v>kh6oY4H3mJVmd_N)mK7xZ7d9BeL{acc~uC`2Iou~VHKH;0kt{kJCOghW=>mpev zZd8n{WP~o^f887S_G*zsV&u=TvFXJSyU`TI+jA|^(UOqLTU?vdoqfM&`2i0AP`iv9>-MnU84;t zr88ytmT2%ksp6IQ@ZQ*}5L;z^_PZ86e)bZR5w-M=Si z$xi|cN+cePbkbq`jDuK#RMW>WKqi?~X7Y=h_DPkCJs6~)U`qFcI*w18z5lS|1$Z4C=xCUV{y;jGBrwA z&9+%BFG_WN;I^bWZ0=8JlUIfU;@4+e@N`}yWbg*e59ZxD%7zWrkwi97mz}?ra;V?E z8FyB^=;kdRu<7rpt`cXW6Xeq_l@&Xj`9Mh|@5iLySDprhh=wr}6H@C()RlQ3X|<>w zTI)35)&lb-!e$T^X+O${))0j)hbK%Puf|9a4P1%jReVz@PRvO_Z-yRs?05l z_U(uMY;DZJ!ELZ7N|MlM+B>XOzlI#Ss}cIa5hb4l$=arpm%sqcE*hHhh&jJ94E{b` zP|_*z)k299(BR!1kiGz;h5sNThm|wv8IiobtM8RYRwcbhB=QOjuP5`6TcZ?~E0s72 zfnr1gC`gSS!|*Y{(I!L78vh;|CZt>k|dvw#DZ#PPafe#O%@Hn+GYy1#OnEw z;K{;``GZlnX|?te#JAF`Q4l7~pt zySVX{jQt$7)QMPpwsKgB0W{jljM6?3C%5hHfwTjP^a2jag`ih0g|%@^9HHVz)4c+c z;;tjS$D6%bHt{faWFs3@Zx}u!xJ4)9CG9&#;)HlNLXEx8#CfCG~-!#f9$1u z2X2)Eq{Le1KDHH`G;U@^3DH|$Z_Li@xu`gbd8dVrrdbfgneg$|`|JTQ({B8X_)<1j zwPfVpKeK#x8PJ9_Dr9}lwD~SPx#;E<#(^#L0B-&_c|tM&m5%`Sx2mPxD#lD25H?`H zx8>u9(=3UOpYaB(2k@>ae&@IOoHo^B>+Yv7NOn-S^w)7BfLHK z&(&@xYo3o6(~ABRkG>~)s84bFPS&psQ|B`<2(GS;FAB!Wp|IcfkPAj zl=-N4%!HMUkRwstr8Qbq%-VzjPryyZ=Dn-BgqGOfEPFN&BJKZ}pnO=6^>+`WYETF@ z1qR*=hnO~IfR>H(-qesn5a{yFFb)6efX(2%1}mrI@r$~5<5BxZs(k*&8n^{!pE#{a zkxC)sFV#~1ozMhwxy-EXG}|?)cR*|bOO*9Mo-2PZr^lDhyN$#)RM#FBwR5<8K$vL5XkdE4lk`Kv5kb7p(XLxO?d?9CZD^6t@&Ma*7@f_x@NkC(`k-5`+sslk&ow-1^~T z^nTbm%e&ysgyc2CyQBLD1;JX((%v6yE*KxTT<{*Y(!sZ2@1zr2t{trQN7Y z5uP5m6%_rIak8LagXw>_F%SycTSeh9mfGaA7e4N4?ImulB*~(0lCI%G(!9N*3pI2!}ZTl}&?M%pr;rGu!rhJ=f-&sg}N><-lkmTy_HyGe`|J z3P>6gr)p{yx~5dDIei!I-{kQGWt7cZQ^sS20s?u|KQ?w2N_}f`Q(Ccds(|qH$LSaW z-wJ*^FOJc?iHCy~9&Wq7FS~A5CcpIFS$H`ZH0foUUz+6N5_3l5Ua#{pVp?Ryf_s|^e} z@4585H#_yuL3vIo$DX{Q1w3gW{Ewn~Rwa|)fPgt&HB(yP8i-r=H+Jx*WXS=@{;sUF z^vuwTXTgAPLA@;wJqU>J^OVyKb7)={q&K0<|hsbF13ojqQ?|?ioSn z#=GkyC6ljT{2ZNoI=_%jNQ( zXM*_LN5O%G#3una9*%Tw!#;e7U{H~^0PwTcnKdY4Pe+q20m~}o2raJBW(22TeXB$D z3rN%#bE$nZff(YBle^MogscO*k~cPd&-JnZK$Ir;y3n)I7ah_7f~!F$H!Hw_ip85n zhn%S*%Qhq`LzEe>bs%39s%>Gq>?@n$goVe@f;c^Brj!>DL#1TbtF(YA zt}O%siFcGrd?n*CQzp^4Nb*cH`SdH;WR)CmCw$7Kcrs3}J(R*UotBQ-@;7NdV5#Kl zx>Q**OK@Qx2hslROI`fOjD=ronDMupZ3*v;>Nh!;wAHYK>2-b(2D)__-GZYxV}ECk z6t!#V_ZCO<7Po$JDt}&ld!W&Qb75;Pd8YPg$pdeu_#0QvF6;Uzq+9XR?-0{yEmf{Y zwhD=j4!2s4g2u?ADB6X|hGL%M$q`D<;ia%wfK+h&iUwa4vxnZ9IS)`j6_ET|^lZxT zxBPzkxuaFZNZIVf3vY40X^LyzhefDYQt~MB0p@;2f#Zn8PtyU`Y;g(+cJG|&>bs}S z(O-csIfvO!rn>m*B!jT<;Ld;K>lJukDEqcFE~yk-V;3?#?pc7EaNjPIa2*=58X;@@ zd}a{qSqu=l(eh##?i#&&l8C!d9P-k{G_9-qk#gA5zWK^Z>m~HP-^z;hGiOks0c{%b zWHsL*sgLDE*Oq7b@Tf<$Xnadt`#yVv5D>g`66@M2sw0BBikx~O(+bo`x;Nk_BzQlrhpT%P=E_E^KEJTiFPbFvUSIGthHMw6uzFcU0 zK79K!IPRXt`zC?f!=MtV94M(;ROw~|sWm|LtqEDA*w3UW2BcdkLIJ^44QbjyI+g1Tr!wLGsK~H9$SLeE89CYrE5r6zBaRoL*26kCSZ8qt1k zAdiZ6RdZLhc}fe{;wI5$Pra>!${y@~u1qa%-$UV3V%!jQCPf;w zB_leaHp8qLaVi?(d(AKmN3c?);*BI1)4(H1tzxb@RdFaoST=dyR`qz#?CRySDQV|0 zS!bap{9{2WNc$0>;vR6ZBJ6Y~D6yM@NR{vrL z6%w0%tzc1bkF3)zb98H|Ktw7eJLJDNzPf8e(n1$Vbl22o(LsWB#U0DrZ)TYke}No$ zqdR;Q0979^MF`UIFlop5n z<|gvE9rg>TOe|?Ld(4CY&;&ohGPn@!3G~!&ACMHL!#Q}ya9=iIUu!3#aI0}L3qbHF z#DP|QS1DXo^LNp`5o-jQ=X`-$!;PDx$rGUJ5@}A_tS>oNAowOyPzTgR9K>>wU*-}P z@Q+UmLzq!%`n%Jds#o}lC{3feF&utm7J44!5FI zQz_(*@(`vRy2a`yp6><^`0b35WdPBgWE7ul`jWKoX-Kd${i^JS*iS@7ZuMlqtte&Z zYN_33-?dC?HnV0jvx`*|3_qj>z%{48STWI(!So-xAseM$H^{+WIvV>_Ky1O+$?65G zCA(5Fy#+N_N!?Ih9j3C4+bbY?}X& zA_Kx+GNLre^+jWa=#chZkW#B_4LX3f99fOKwNRCbHL1Vsy?$RB{twAHG)Jm^)w{m0 zrJC(X3P~W)TipR^pA<8C^_Fz|nzAmBO zbdWrT%}_rH#3Onh2xii_MkRT`=(I&d;X#5o+ByFjd8SXHK_(NK({^v^K#8T}AQ_dr zy(4q?QpuhRr@;D<8<`Wo)8--3%I1a^LQ9^LN$s$OmCZ_={B|oPcq|G+i7I$0kK5d^ zxmCK|qL#e3Kh4jy3+T|@+8Yu-OQ&ft8&|+dk$3bW;5x*+ICSe;aZf1y>Gx=GNEQdC zx6C|TAAZZir2QDLFG5?F6|b(bw9rZ%d-+3rA{r~rw*r*Z$2F$%asnx)TfsRwz4I)2 zNM2qnPWi)H6X8J`C}9ragfdCi0co4Lo&mfkymDaepCaJ=#N49pBryHgV1=t5#)sjNYT zY;Dg7|B&9Dg;1tnAjkaT@D$j)?em3b)kt3kuKZ1RwC$-@88JZ7?!R|zgAHwND3P5( zOlXH?c91V+{lD2Sa-t`LA+vbMaI{o_-*4edEG_sE!P}{9yk#MPsW#y!TniweJ;+D;mnMHJ(m>{`_UOu9 z*_HNPY&lnjl3f2lbo7SbT|jQF+xfpoq85B^Ug8q1C(J}{^sh3bikXbcu5BEJ$vdOO z8cEA_L}#Ry!H8h?sKj%ybnTi);ILzR>(RjGTEi&-+BuflSF>h%-shH9x`Z~i7+Rsw z;@3d+RaX%0)aO6ehA}5Rsf-nHh1#4aLaWmT{JA{;NPl|US%wic6VN@H=j zRWg;wQn^P_<^S#iUKITXD5-U7~X zv8y(bMO%xA*oNZkev@Bf&OxrxVtmpZjn*BfetjEwxs9?-N$xn`{SE+lil(;tr)FS| z#DXu;PrCS)_^oyAPoi0T;MBhWSL8?zh(hWo zQW(*;8Te0*A#!{%S6L|*yZ=7euITp2{b2}am0jQEL_S1Au?!GkQ||5(APq&QS9ixq zn~qq$jZ)c}aP1L00HoCmZQ2IAA8j9ipcgG`zFeS+t(i~RV%rx{DoHap`~|{>h1{fA zISVrd6>_}G&Wyub6Sdv%l5Ie+t3Umne95IY38ebZj>$W%dVd~}Iwk;hcCj&f`_Vvc z$Sr;0hGW)q6Bt|t*&BfavkRy#jRESzP14XuyF^8LQk??k#fE*By{^`*FSA_NB8NYj zF15umnh)ll{T)QKdi^~KH0EHYT-}+Q^#_q;kR~BE&^WDwq0fot!>u#8&v~xq!>l(; zMaxB-uS}0JfE5}4x%KYK$Lph?zYw-2bJF01;4{(`mT$X9E8HGC=NgPG&Mpqta+ZKD zOn>@tBUkF{I^p$MxbTjLsY-@v6@&olE741nm3(l5-wQ1G1Z?!F^c^VY5Swn?`txghuFN@DgCDWVvjYY^P zigh=3?0L!B6~C;Qw@S9+p$Qt#W4KE`lK(Z?I$y%T`iY?NG%KEeUS_9k(|>s{)O7s| zv$Lpbg-y4?{KuQK^(<==JWx>?n(f?~YV^*_MzKc2`d@6JVP}_A+@U6PeZ~gAqs;iW zyX?wuMb|6DYEECrh~&-yM#8G5<(-T!UY?tL8K~FOpklPNN{$tKs@(hLp=p5Me}>lq zLS0>LB9k+}8|*VJWeIA+Z>W~Jc{e(_)f*G>Hib5Z(KS9bl`mQZOoMUD=5)QQL*dU_ zL^kSnf>;1?0u*10Z`-DJnSA_;Z;iioV2c*5wPZ8bXFuED^J(3=D>?kqTj%rI3X<`= z-tfvaF>>9xAA-uc&c>qWZ`2saNpm|sQdoaR&|@Sv*}wkJXzgP0V=%DAtJpL*ucN4o zciYojhFV9zhn3D>U!*Y#gClwJO6P;boK|ohBF%wsucoiUA)94_2@5AoXO<7 z0#ge1DLA7$Ct}r>a?(^#{%(XJfIW>%>Qad zqqT2-VIW%;_opbvjKGfj`J60zY{cqkMg;A3qBR5K`C~FGg)v?C6Rc(g9|8s<)PI0* zMRq`U(Lv@3<#koHg(K%>)?3-DlZmlx2N%PC^(-Vt5xd`eYRq*aVyU6FWljZuv7RBX z8Nn_ZGNoWKKB#fEr7TKkz;v~>e(^Pm)1s>v=`m9@5KdlRnn>EcjBI>N=XF=3c~dN& ze4_-5U*=o*r3QO5^ef0jnhhRtCI-SjQxfx$x&Zv{CEtfnXBnt&Z5e?*Dn54^PP_+tSY64|Vw~Rm z7XU+lUwfQ`#TkLKRo#H|tu58H5hJTtyw+d2L-R@_9?_Cig0b{a=#2{_1IXwQ<$xA3 z7C>f!r=Oq^+fOSDT&up+&sBEK*72uK-TMeGci20n=zvQ>v%UK%C4(v>^u4PFW@aFe z5x5yG0Lp_Zl@!VRmqNvE(P6C5s|TLeHJTfC(V1n-GQCVO-tBIa=uA#-8xgA2fnE1~ zA9kH^e&O}{uu4km^m8(EHz@2bRs=_MEbCv*@A-e)d+)ENw*B zEFGw&@2|VUhg1{TQ77l^aW~ht_X2ou-Bl2QozK0>a$bq^9C;PpQs10;AlJZ<{|^*6 zmvk4KKms(<6aR0rmeORd==7_yDal`qtL8Hq&IGBf_tY$kxoNx=9z;o~I{aE2A7$J& zWOMJ#UqpA)q*iqcX|a!(`S$%D zXxZD_n^S7Dm_SqnGPP9?Cb#!+0lfrVge?ZpOd&F~@ea*z$OLc^ZWrF1m&~B?dxxE< zX|)0Ozb@yGdHCvL?bOqT-g*!tXcpl3BU?_Z3aa* zk~{f6GFHj~WMU=y&!^ua?*XDRJ0l^l?GdN?UFsTea$)t-=!*iW25Kb?qg+?tKRoS< zV-{q_098X>oFSnhAu@rT6#=|Z4IfWawI2t5wbg(Dt~!Y*{AcY2zkTNSR3rghIF;)e7DT4l`@92vm5mbzuAfReON529G{cpJ297cCcmfM1ZfVK!!QbCgZO+gk+6=wku z3ZfTR7QOa&u<+A)2JuOwA4k(M?Rr}q8og*e4d49f#(npjvn|T9xt=H0lmS$G5=lJ$ zl1b-xmt4l%Q5B3ymWSc);ISI!%%y^E#Zud!2Pwf|X9x=XBFjqvSi!X%J&*TV_rH9t zTmQDkow)M>@GyRzTbtInZ9o=I^8R-9PZYPE6=lnA1ZUHm#0(Kern0;Oca9}YlK?w=;V)~FuhQ`{t*m1A0Py8j z${uHXb+m*3@V#>e9Q7QpBmYBsWkvuKgXX@)Fh>n65C0=>A!`f^KQLrfE`NOGrI8L# zh*Nch=+thA25|S2KbM$>vISVt_|c*!qKy*UV6`z-a>h#^F~pdGdeADe6>bXdeK$?=Y|gRPD=Gk3Kl8|TT7Poq#0P6E zItvgwA~nNe3%NFu9>mxV7C`pzA%Yiy68O!&*OoYb=?Ayj-Ks2lk5Ea<#jSWcOBS)= zs@hszMp?+m1SOxuMwI~OF>}nUK!VKm z97Q-g=c(3||bp?2^Lh}VpH`nxWBzx^MZ z_H)u=Mzv@GLEUso+Se&ippmAbV2On)x%s!t+jc;oCLf-DlVSzNEM;lk8Vk|pPk3f> zFZrv^)u83cnN?c5mcqT%vEVPdJ1DOkk}WAfR?n9^PTPEcUH8e5{>k7PEKXV5)|yo3 zh|3_W3IbQq4hT$BOLgM>YVgh}WTSO{Ub#2yG!k*dsok)U^%hw)^-=w@%WEW~z~m6i z-&fO`&p`+I*!NJhoCVZE{laksI;S|6-Qy}#kH}G1?%+xZ>-mq=XUjtX*DH9Mi7>YWa=u{l;2|F6S zuuj-MiC;bK*sd-RI%+zux7n_($ED6;ZB2NFk+@qjeVK6%->+0R|i-cD_U~G#``BI2=RtoWu{rw0|OZhWE5hG}8f zBBOq8tG0rpz>S3oxeqjLP~Nz$eFTr}6^Hr%rsI=6HN}!W=|UsXE3>;j_k1O8zvHBW4i#5&Wr``Muv`x* z4aLK12-P4V^WffbV&z+6r&DbNOjhP5Iql~oGm)##>E0fmN`2#iReR2`OsN;osC4M5 zQ+FzFxyZ^p!2xeg%zdEKu}Y~bcllP=J)XtblOW-SWZnr!1i_~k|4EC<(GB{##I>Nv zysK;$+zBuBtc4OI1Mi3N5nJs^1L0Loj!%Xv`%-E9+QFy0k;lVM?d9a99@?bv%0-Od zDj!t8Kz=gD{DSWq$?xlauWdMB6-wUa?h|WfRKfzk+4z=KhtP=4hqtOisFKjWdt)X< z-aipDS-PLNzgR1d3!`C)MUtsUUP5NUa`u6+7Dv6)O_*IpGyk3P8ewfY4(r{@ySuDt zNm$USVB6^V@HHH|79Ck}H0 z9)Bs)#^PPI|57;g|1dh{-}DxUD!zdBS+3MnOivPlk}Aw&enQCe|Qy8=~ys-6F>bDULVr(s^g;tc;M$B~~*-uMPj zlvvZM7CD1US)pf@^0FXM@r;vRb-Hu34Q^Vk>EpA^7Ai+4u%N|8We$RMV!x8D?~@bF zChJY`>nKfnA+!Yp+QJ?#-Tinb_3!R}xD{&qkoSLUId_gys|v26r;%G zV&nHdMQA4bQxD~DGjC7367ti&#b+cDi(mpm)FQCL0_wf_k7P*?oSBB#L4O)ez*Oxb zfC%*~<3Z&LourZQus(Vr-M3KgcRY`~+M@(g`;0V|R*2PFmeMp!jE8#TT# z>b#(Rc%YHAIuXk6xWpu3JWhOl%h$lypKES~4JugPQvU+mfDc3sgK&NRZmmxYL*XYd zyUF1Krs5vB?E}Vq!tez2RRsX{-=rn>C({raR-vaKuU#JrYoA!TW@%gHjfU3x>D*~< zwh^VuX6jcUZ8TwlFBVq8>}?cTLw~0!>r

F>;O84mNs`kFMPn{@)_Kznjt)>VR2}oi?mxG+Yg0e}5SltUdTFZiXLHc49<%sZ zR4T`}Gp4dz9fqP!ReVZ|@H8UL)O;WP@U=(v{>FUk_w%Gv{8yeRrLmn)^lpzvP>Fq` z|3Dt%cb^?6Sh%=Y-jO>(oc(-y1*_|uxB9O#9cN11A}}wuI5%MaVc7kY6j3PI)y%Jx=q_Vu0Fkdy<+=VPK#02O_V5=haV)vfgd*KK~yo+1`s> z&lbF~6p!F6S!FW#!+Y@kK6oS^7Ki=LQ0;(+v1L!6+V}hxzi^f=XU{#AM)dq1@!+2L z5C4&hcnxi*v9q<_^B?R3LhfJ!eEzOGnX(L|jWDCNl8VU->2;-Ap*#>3u^tO{Ew|55&FQ^dxYsXdwhpnA1oUff0-Sibj}V0& z^$9nQp_`Q?sIup?*#Y7cA{BD%<^2%Yx8{n4=(+;nPw*A*aSKDPE70OAI~~J6VIZ8p zgmg#bTrQmy1(OeKj_ZC&X)}jd1gQ4+(tc#pef?DDgaaOYbpU#CAhXaiCwS_^B*!in zS}CXGd7Lk^B~LB`2vrl8JYL;WyC(hL6eb*udC-I|WN75nmuyBquB*^~)9(3i$cpEO zzkfEsP@4v?GGiFTU5oUOP+?Odm7Je$Ia+7=HAuD|)A-k_-6r}oXhU7A;9`Yv7^#f+ zOm9-gBD{Ub;M?sK7S_WEh^GcX^X`{KwZW$+1}7Ev{aWaOb?IYEQq7XvkK~~S?8oda zin5u|=F`PSDHPgh1P5Cu1#V;kMr5UCWW6~I@AvxMnR&+})4Cn583vaQDU*5xJt?}# zI^iM$F|;fN%v*ZjmkY8CwL(WlElHST88yWntA%~5@hain0yqM=tvPm?~5 z3IYsdSt2mp`9cGTYDlzuy|8JR7OlL&6T(fX2N4qO4wu9uOrx31RPTAjoAj<|svBJKk?UrP!&nTB`9VR4RZD8Ud5t_i&uUZ~9LMjt+BgIn(2%`O?=BQ<-Y6S4af zeTXHpz}K>#*xa%!(4-g=*&9b4`fU~*+N>BK9>~oGO=?`JI5@9JPPl|N`AQbF=Y+y4 zr^XtNec@EV(f#=3^xbsG1=6XL`=hvO(7p+;>U0Gb`+IF_6ywnITiLqsbZ3lN?bC?A zPUU)~z&$rDh_MNCQkgerg*UHP7y`##tB@AB6Nr_Z4XvO}2`{*x=HrC7y%rjT#LaVj z@H(hUW_$4FjQ3E4@ybD~T}CPVM%=9l{f^8#Ef5g@$Dn>)5Uy9)k!IgVjI**5+mZMa zyA_9At3D0-v(3=MV&xe5{W>2YXi5=tMH&J|5HvSTQ7S<6#o1Pwb^nP-cZuy{z zYgkvLkYJ`BxxIj@m`zrF>JWk``#%kx0%s$age?LI<&Z*cIAA!}qZJOHOxc1T$~M+` z!o+PUSJ;J2Hg5<4nJkWrV!}lL{1o8*EN4x*H(D1s;hVs1%W~~X0^;~>c7#eJl+8tQ zW=LnA9vf_uk6qO=jo?-bZ?9)CMIQYin-m9@N86=-8eG0uEIO0hn8>`2vllF`z6IKU zkFVrr@QZt7Z;`Y1{V*%%zV+!}aDgX`#jC#VO>tkm$&B4%_sz_Xgd;|c4$)>U-zP-( zAQ=`sCR>CAkeW*1>#JaE`ktw&u41t^UP#WekSKVfnwL=~ zZj&#|+u+2d_@r!0wogyGA;Qr|dark<^JA75oiThV#uMqD#| z`D`J8^}Pq{P{K5#z|uyui> z3kShdb4@?r+BK=`Rm9k(stmPyOqMpK&;!&zi2pQ*sbGbEaTR`*n@e#QDZs1j|19z- z6XAg)QSR4j=Qp2B&Gko)K6Y6KP~9?xK~g9lBhe7%Mm8tyc_Pv*k0(C!fp7wL`37o&+c2^;;Qkt0Kf3&2z|6lF;PrlDL^adRvux6&@sj6A)G%WpP|P2%Z3 zZpbkJI8lL|oZfQ330_pIN<@>?R*)xY9?TjL;DMug2e6{|OKR(CBq~54oTJdeFQkn} z>>ev`AgS@Susq;6cuY(JS}bK_A!92Yvx07DDB?b{HK>0#lNd2t->hW2-0y*}Iu4vDDy-b*TU{Na91&Kzps0{9 z2=+zcna@b!{gIdD0HSWYWiJgL-Lv$1{-REhKBn4lel#}GD(oj$x)?l7v=8&==ft-> zLu`a=uC?3Xi12{2s2^d2!%}>FI>Au?XkNgr&b{PGxzZP=|4O1ihcuS=5`D<_dwZ2#M2xQ4nE%AJz$J5)mCSLBCT+;bBU==@% zllEjh*~L`-3W{(R@oaa}V}Iu9uqy8r0eJrG49_zs!8Ry0VNuLuS!UOF*+WBwZ%7+< zj|kY|R+xRQq2iNT1N#SL-`Hlw`dOQFKIYm~9%v}>OmzZ+Or6@`dW+G8w2Gr>JMFZv zg7EPgh;Q+Qn9h$EK3`ae1dXd{H)B_yw`KG=+9&YbTjSg1Pq!-zjoi)d^QtWc|Cz1h zMJs)>x^<5e9;$HxFzeTqd!*!lq1UE1693dfngPyLCWv#6B`%jht}nWKdkO6YNNt2h zphob)!h;Zt9OkM&?@M_MFsG`?y6nBEjO(Y=1nkS}j2kdQkw5mKo^EfNMnrIMXd|)t zG*?(!;(<`hL(!?JV+CFNms%dPhWc4j_g)2kiv7vr{cbp5DGEEbfuVLB=FTU&FE38D zI>pXi&(D_}C+c+QKz2DNYpy_#T7PwTIHs|&ka5#e4qwt{6be@N&yFwcdU_8L(7KA_ z15F0Bs|J{`eTvXsayM73aJYzcM2gZnd)7e3NTtp0N=IIq)gHLA&?h$&ZllS7TB5dT z&}bf-f^R?1b%XP|{b$X!DGP9ebXcRjE4-()Q@vnTu9}yk@&$X;mtODF+YkfqoL4(} zv{ll|SuU92Tga3Om{be+Kd#6Mt)&qJ)4@*t>DOn(DlNR-KQ;lO1+PJtZ~;-C+=-T% z^^fctO#G8CmugtxeP=5Ba=ij#HMJT zu^S=WKxuzZ@|Ve)CLI`RUQ27^@BWYfe=fig#lRIGF4FMAJ;EN_#0%(Pm2_%WXE_Kb za{T2s`P6Md?2IPE8yeJ8MmxX_wIPR3xm9UMfhzZzO10BJf32)#TPls<*eJ=;2mah(d8h^N6|mp`K7=dH@KUn z>742i;r%}k#DhSHCTvs4Gxy^nwv;;WB`^(2ynxvaKp2ZObdCNR%4^&v;&i;D%;oOT9N0h=`8228x@T z=DISF+vCJ64air%klJUHRqlVD=u34afO4l{slqH7kG%hF11G&vb$Ir5Kz$eK8D3k& z%nub-olGpN;T|ztIB}zIhuhTjPLswW26>efJkO^4@<_IlSiAXYG#~k#qhhuHvzTAE zl+jAKFHLiOy4rLpm)3LnGR7>h^IC|V0iHM5#+>DR<||}qmwq}MyNBs5TqCl=MC(Fv zxvDFU;r+qU)P~i`B{xRECe~aFQJR3;z1+?uK8PfIOzyC&`I!e@gqPyrxLS0e;nU^f zW~GxMrIbt_Xm8e=`-i`>Pc*sDII`|Rv~~L8A>?~&b_WpWh9PF@+bFLjlx^|#(lF-h zP?wtLr&AI8ah~$Jz!W}yA3`sFKVO=65|)W+In2g#%vfpAEB$4?wR`tp>PRNYQ5{nG z6{t3dji|DHvdrs=$4Fxz8kXuOFry`V%x)->t^XK=61F23$Y-U1P>qe0Yw6-ttEHYW z?cFOzs~!+jHL7aZxJf-YC?!{w#JKfpmYLQLAHM>9o%Y%Pg?}?;19K?nqh{?fKGNH^|QZ-D$XvZrCDvj4ywo5FH<_c5xTPRLh2iP zL^SoH8`i_DAP`U&9r06Tr@*^i-*m)5fy+3CV!BmIeJn9-9vBq%X9#Aey*5u)fUMew zFFhK#1fYsDY1TWNg+FxL9fgioOEX`aHX;vKd`uWR>YHLNWWlgHG@1F8Q4GA6>m8R9 zNUxAKrXRh-@S+GUIFAt~2ALh*14pMwJCLCkGUO@J^I3gfwNvf8Zf7lLNG$NZ0lA-sge{xsML>ZWauTU6 z4$l3qc$hSh=59$6X#p;9Tv&ZC0L8t}dnQrt>oEtVtuKGA->x)u?2yFJV)kXZb>8doqh&>$f{}tA)3zVP+$PG4}rov2E8} zK$O}T^~tQXYVnUc(3VOAkV{50`wbiT0w;@^p97VJi&s9~0HM+X6rJCznm#LHW(Km# zQj3GjzNk6~l1an}M5Ycs*M@D!BU%`HQl3HQX$%diF z#tD5&(cK8@nMpXRIaeU3XEc`!2LS+0AX`y9lPc?aLj!S`B*J$E>Vj3snBrd@ z*4p7AJ`9&AI`_3Oihx_<5Dh-)-#$Kaww8Z9{i*4J-)+J`F1l_t*=lAhfROPKP7BOE&*UT|{w3|VThgSM$nF&+i$qr-Yu`SUAeY&xk zxgGHk&}uV|Es2-1^Fq%zffkc$NEC=;UD7P1)DusuIs2zVIXT0d?Xde)A z7i>}vtDMhU&{eQLTZ#FAz{+6f;S{OFM(Scg)Wd^ZC2pq>QB7Kpjexc|gTG~u$uh8K z`xABMGs1n`Hzc)~(BW3&>Mm@#WTbHVNv+@b_MqP_|+m-j@ipzwsl$(~U05z@oYFDWXJ|P9Jy|h*uJ@F`M>s%!F19Hz{ zqFvJ=YrxlM+QPKZq6w$l(RRUqY?sOxPQMRd2I{YvkN}?4A}Ruk{Tvm+yO03@Si1a8H(4<5m70wcLsKhbV>~gHXr$MqAesWyur3wTQ5irRZrs z4-8PdZ&#WLIFe%IR;F8)|HR7zIb9;Rh-N^rfoF@A8zH&iu(E)!02j-GF%>0Kb^wl$ zIGkD?Jl6&{ul)76KMQv0$}_D9KkRy6%z5N{AF2E^nl2W_1lj}&=dt@3b! z;V-YhZe};1k~P$FvF^RS`g?5!^ijRPGc#lGj$^8VAwxD)$6n7{m=JD15Wmq%t_Ntp z4F3h7G430$P+u=Iqr)TXXWQWwKPA!D!=Q^Zr4{fmmi!+d>4`EqPaZ5S86;N8Wv%44 zi!Qpx72KB^z0zA`wRq^zgb8Wdt>Nbu;K!6GOxCbLEld5Vx$=g=sBTttaU@6jj%2J| zdKFn2xy!n{Tv#W3uEzS(^J{dR4eq97d*3-`MyFn3!CXoIA(0q;t3pHfRFSTcuW$5N zi)v*Czt}%Skbc_!>SqfFGEvk0{S+;MLuIO%hV-OG^6`TNwHVNMOy3>MHObiGWr!2O z&$&ToHTyRp%PQ`qUI^K{A8RqP6U%s&y;rKn#VIH%o4SVo!gn4sww)mM@LGrz7j!2D zeotg*-F@xz=c#uf-rqxnCV0E-)~{!N^!YldAXD&hLJiAi2k4 zU`FMrjX8<-TSALXB4D%k$#Wsa)8pxG(xHemRZVRCom%dKq7I07ea$-5E zntOfu*U+W&`#$v$K0|y0xLILf+>pUfM}HS^VeM|QUqJZPPdKR%Nd3$n-^MheIWpqn zh}>Y?&uJXGAzLrs7j9@aFqwz!JRtJB3A>GCz9t(%=F6ywcgcLlLoO@oH04}D7a{VZ z%!|*RpL^h73VCwR{(n_pOG9Wty_p#eRKnjoi}Q;G|1Hi6dGWkB@ZoZRw&4#~@7)~x zWU8-Z)?WpI%AkF#!Ij$RCn1WmE_cbAmYZB{a6&*XMDfVcE>tvC=d3GB0st55{W~1_ z!ExGHC9g|cBb9EP449OrtJd5&djkJ;P6PfasN03p+$mG)cd8W@3BWl;>`68ioq z1jc2ytW-uDO4=;=;bNbY*a(^rsW1y+6<#LE+W??0DOEdejx31!{j8mGOD~kqO??SCihnY9vV2 z%#7f4b4Ogni0~LcPoEH{rqLHCsgc3EIjWZO7KRj9>X#q(?sWsr&(P}DA15z?aMuglIu$Je?yU7+YgZpYR8_^uZca~;)!dqb!JX|& zuNncrg22+dA;5XoRYxpx?*q1x3P3meG&QR6A+C7m)86?>CNroCdnY-O4eElC9M1Q) zuRkX6oIgW!wqcC>`aB~?{(){2Nzil$Ss+(p(q&(~|M?9iq1Hd=Nv_w2wJNt|-ZHp- za1q&fh-1`=8ZTc#g)v1F)eFWlobf&2BpctY#n3c|LDI#NyMP-#I(>i1)<5x$xZgor za#})K>fMAR9^0x=jmf6jkE$ta7E*G3IQ><7nr1^BR&BQb&^4l9Z+G1ALabfIp8=q4 zgAku&9+KPfQ-`_(l2?eFRX1pYLDO2V2iA51M)=iz^4lHK5&At#)kkvhZP7J$w$u{6 z7?Nq#XDno@aQ?~ZX~=s@oHK(QUj!?Tl|BA}+x$C7)} zXRyJne3}z)aQ|;CaY39%k}7m>v4%6mEqm=$dv8@{_L5TlKmn>n2^##Rmm!||Vd=u- zDL_uxRAO-DE%MaV%}~#yau@E&_HWeA8}`p*@T1kP`G8Y&QMA8*sq6UDtlDL?`iEkB zOv2NaJLiQHMfo-l&ug=GS}A`0T&pf#)w^1wlt_82+Yfh;fa|(P5JKXLdzCpvL{?p;m=DpigyCMn;&A#lhS@h+nJWFXN3Lkflqq( zpjyNI2)jp<6=!Ecx;~WHT!(gA57;qKp*7vXgy8$iOb8D$bx_T2LR1R%@&18GuH$(X z+zp(Pm2BvjK@Rp6OP_{v;?Id8Al+zSij`kB*u0ssxAs9$J&q4m_F~-(k;hB~G6ZUS2c%95uJ5SAV}7;-Ep`X_!7u>s+LRvhP(Xm7m7k!urc+t|sL!-+wpq~UGz7zsUfDwnT`q>ljmOJZOap|F@WQ{;RVT)HdQctZAH=F zyK>$3yoN_Ls=Rr?#mf1qq7q;6D5e-pv5JCIHF->PY_m>mszSp7$5|?=!Iqa34|!n|@tOp=ImI2u|Mc-8RDB zVsW~RsfufsSNJR^pfc*=#_Ka`=u~0x!=mFwCNnyXoz2mDD-j5D1Z3JxG_6ixugR4H z9qj(f5GlwQV^lTKK!CAW4kO6CW zwM0BfuIS*LsV3_+sEbNoEp~dkVeTj=8i-8M-65vP+5gE>SEapozB>l3FN3VrRL77M z;tn7BK3ux1V!HiTQ|GmCgoGh>(~73Z{D&63ZoqY-xK zs3cGowf{6EDl^}7O|Uf2^lFj}RcEBP?VoUgl?fkHXD^7*%7A|&_+H;=flz^&3~-0Q z;zZh;jB&d{z&hgZD)eHQ-{-A|_BB-|2_F2*Rir4iTKB&{9 zTcTrJP-2u_gCMm9dju!!`}{n2V~21qo9^3V`IQz_p(WWWHh`u`~ z3%cZsNxq7rKw$yW1AN#xVEL`?cfziR|q%C;I)nTayHF1~`65s=P7_d0G zdW;-!e(tI;b6(r?_nMGd2@43Ky!Z@U-v!*i2Xj;mBF2=HtzTplrjJ`oBTrK8a`ex3 z{Xw|5!pd}@?Z5kxU+WzZ&N_bjsS#FL?}miUS^So(dM^;?-$(E)t&sfphCgS{B0Yr~ zfX4~E0XpO|yOX_Pw*~ovJ?mlrs%-9u-^>-5(Hij-tk9v&Hz#3yHq~n()YnJ{ z#ye$!8=y?!SQELHR^M5Y24J(uHRD_C

)X(z6CbX-WdOZlq<)d!BVN)>HUTgLe*Y z%jukyPa*UkNxEl^J(zhMZC@sDN(fD%4>6UO2etEjDKhs-1nVuiZ+!bVI0mS7F6$f3 zYKJ=~$qwp}YG(&rcymP0W?BNb#FVf6Rv0|03_X5UrNLu+C;xXI<{D>+;EKHN?!e23 zON3jQ2`X?kJ{y1UoKhA@c>}116Iv)7bh6x=$O9$z!$~#hUGd!?yO*k zef2>&mXLRmXqR#CI-WDFkzm%?;1&;hy+qUOwzoejRCkYQ=w`y4*Qa7k+@kI6c$(|+ z4DDj5(QCx3ORIVEq02FD_AJFD4zSDhoeR27OlTM_RF~%K2?tD|x{%d6NUkeS&#!48 zS}z)!ReSb8?YFx6KgT<6#Xfu2DTkxO$^#l-ZupuCQL~D0Z`%(Gkq(`#86}N2kA$5n zz`9FcC8ihTqd;;$-iZ7xtUZqdf^*OSQ{QETY<)fNq6poY%(rv=Ndz@#$_x+jN^Ey_ zfp?8M!Yrqg*7EY{hAzuJADk~_oYyBYB>ZjuZBLM;P>kLF@LM81A9(|9QFSb)rE+$7 zIG4tD#H>?}zeraR8DP<5wQzAWIoJl?Y zF>L#DPM}Uao2;`jb{TDaOaDkEq6q2vy}_!SHBj{>VV!53uI484GM#fr+L6UHkvMhu zAie5_z9N%*E8e>Au2@drxv^|k3WT>VHk49OiI9&l7Vl??cZw`3+yu`c61;=cd&Vt$yA z7f4dFXLCFZPsRB9TQ-=?kS;g>7#F0v-Xv$)rj^u05MODrpj|_3wYLlUE5I~SEzwsZ zb0so#nE{`}*9T~WRxcOcluX?n88j+V7`Hu z@WR)B6k3iG4PC;P9wld^e1H7aB_srB)!Wno%r92uDf0&o%H<;N1=2EGf1);u%tD0Q z;IPt*@LS}xkrp#2eEqf`6BC-k;Qq)p3Suc7JHHCTHD6_ooCrScQIc0Y=gfQEp3YP~ zu(NqjAwDfksqXEPcF2<|e!M>1h#_^JLQoopkuJm%uQ*kgdve*~nY#^HImrD4e%k{9 ztvj#EUNHc^$kK1MAi_nbTVZyKogXO4#nqVkoMLZvAq+DUIz^bxMB5$4xfa8S2BA`Z zL(mq8#>B!a-^_pw`1Wa(*h<-25>s98Y4NYoc1yV9l2uyFyRRbUk1I-Fh{{Wm= zpv1SM@a+Ghh!bqqY9pzcH~U##)Vc70%pRBfD-OuRxjdUhbCdbA-en=-2jGd>4aPQfj)k0pP5u=L#O=kKq(26X+=b~oEp z$A;PY;S(AroFl6bz7wY8x#;@X015i;5xH?*D-i?75b+mT*;$j5DOpp))>W1VD0;K_9*nPH|KWT#BeNAzwBz;S!dw!>&jq!OV|JP_b zy1)0eA3rktsW=Nb$;R)}tv_t=5v2a^5a0|BL!d?0*L&fG%;=8nWu4J;tX-qPDUc#M z_3tfZ6Tl9g_Gb~6SDec~aF|_Q_7p@@Sobr&4cF~tuvfgXEYjsH#vx!O@>I1E1rY_( z3cS(;Pa79nZ6f>ZFG!?H7M=U{0fqIWP0c&_PAx>+XKG{BraTMF=6=dDjuSFqU}we! zq4k%*RNgqcZ(mAKC1+jNYZwc)5nBy;(Sew3r*l;V@WN;|(EfBHT_DZ&RtGL=w`TPg zn{exRE75Xg{4>(izH&LMvuA_l5*kVk9dCo*-7o!q>U%^BR30Gx_tHGm%G({W7JSR* z`6dIdwFQ}&#|+)Seyti?bn!C-;BsB6DB(Ui%R4>V5K0U@!cB(K4e@Jm(S44it$XGL zfp=DBMEdI6?;NQdEH^7WEpBkGHmeeq{ib5=i7dJirXr+03S?-Vx8}|X0`Ad)e7LkQ z4GfwzxjVFag!iK}s`~pJ-HnOMKtLtVtZ{65MrLBI1SZrfDWKK>y0z>%x(_5DL?o?+J^xgk;V=V@N<8JXv%hD?jK0IWbp=kD zoS`C)BG8VkHvDIz8Ohzv@f*Is-R33`{%~7jpi5ZyD8S=g&2Kkt)6rAs9I-Pp_PM|y zjEJ_srF1NqPLhBRtr@cy>doHj*HLXK_FjncvilF0T$ML+7-x7}HaXJ=cnD7vl-Gw( ztJYq_)LcCO0=Ng=gHUgkt!WgE^~sT8x;T7G(hfWuZ{w%pU~XgcTL03Svz76eDxZP! z{&zJP;VzN(!$Y^x3*9F+8S>%?M_n!qZs0tV=6R38dL5%R%Sj@wO8fLqQm1xG(|Rg( zx9v4miV*47`KaOQ|GuWQxG$EWChT^aFTgAI=Wd`{T}^h?Uv&TP^MBO}Joi5lPiPG1 Uuo0TuJ`-H~iNRyI`tvvc2MfGVlK=n! literal 0 HcmV?d00001 diff --git a/docs/index.md b/docs/index.md index 39679d01a..5e6c70c56 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,52 +1,106 @@ --- title: AppArmor.d +hide: + - toc --- - - -**Full set of AppArmor profiles** - -!!! danger "Help Wanted" - - This project is still in its early development. Help is very welcome; see [Development](development/index.md) - -**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. - -### Purpose - -- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` -- Confine all Desktop environments -- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` -- Confine some *"special"* user applications: web browsers, file managers, etc -- Should not break a normal usage of the confined software - -See the [Concepts](concepts.md)' page for more detail on the architecture. - -### Goals - -- Target both desktops and servers -- Support for all distributions that support AppArmor: - * [:material-arch: Arch Linux](install.md#archlinux) - * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) - * [:material-debian: Debian 12](install.md#debian) - * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) -- Support for all major desktop environments: - - [x] :material-gnome: Gnome (GDM) - - [x] :simple-kde: KDE (SDDM) - - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* -- [Fully tested](development/tests.md) - -### Demo - -You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ - -### Presentations - -Building the largest set of AppArmor profiles: - -- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* -- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* - -### Chat - -A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org + + + +

+
+
+
+ +

apparmor.d

+

Full set of AppArmor policies

+

apparmor.d is a collection of AppArmor profiles designed to restrict the behavior of Linux applications and processes.

+

Its goal is to confine everything, targeting both desktops and servers across all distributions that support AppArmor.

+ + Get started + + + + Demo Server + + +
+
+
+
diff --git a/docs/install.md b/docs/install.md index ff4a1b6bb..a18185fbf 100644 --- a/docs/install.md +++ b/docs/install.md @@ -89,7 +89,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf !!! warning - **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. + **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting `DISTRIBUTION=ubuntu`. @@ -125,7 +125,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf !!! warning - **Beware**: do not install a `.deb` made for Ubuntu on Debian, the packages are different. + **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`. diff --git a/docs/overview.md b/docs/overview.md new file mode 100644 index 000000000..fb6712a14 --- /dev/null +++ b/docs/overview.md @@ -0,0 +1,48 @@ +--- +title: Overview +--- + +!!! danger "Help Wanted" + + This project is still in its early development. Help is very welcome; see [Development](development/index.md) + +**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. + +### Purpose + +- Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` +- Confine all Desktop environments +- Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland` +- Confine some *"special"* user applications: web browsers, file managers, etc +- Should not break a normal usage of the confined software + +See the [Concepts](concepts.md)' page for more detail on the architecture. + +### Goals + +- Target both desktops and servers +- Support for all distributions that support AppArmor: + * [:material-arch: Arch Linux](install.md#archlinux) + * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) + * [:material-debian: Debian 12/13](install.md#debian) + * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) +- Support for all major desktop environments: + - [x] :material-gnome: Gnome (GDM) + - [x] :simple-kde: KDE (SDDM) + - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* +- [Fully tested](development/tests.md) + +### Demo + +You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/ + +### Presentations + +Building the largest set of AppArmor profiles: + +- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* +- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* + +### Chat + +A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org diff --git a/mkdocs.yml b/mkdocs.yml index 153af0d4e..12783b566 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -138,6 +138,7 @@ nav: - Home: - index.md - Getting Started: + - overview.md - concepts.md - install.md - configuration.md From daa6a1239b810dbc4458869a59a896dca42296df Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 14:20:08 +0200 Subject: [PATCH 090/798] feat(profile): improve protonmail-bridge-core. --- apparmor.d/profiles-m-r/protonmail-bridge-core | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 92d379724..493199974 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -12,8 +12,9 @@ abi , include @{exec_path} = @{lib}/protonmail/bridge/bridge -profile protonmail-bridge-core @{exec_path} { +profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { include + include include include @@ -25,7 +26,7 @@ profile protonmail-bridge-core @{exec_path} { @{exec_path} mr, - @{bin}/pass rCx -> pass, + @{bin}/pass Cx -> pass, @{lib}/protonmail/bridge/bridge-gui ix, @@ -49,7 +50,6 @@ profile protonmail-bridge-core @{exec_path} { @{PROC}/1/cgroup r, @{PROC}/sys/net/core/somaxconn r, - deny @{bin}/pass x, deny owner @{user_passwordstore_dirs}/** r, profile pass { @@ -76,6 +76,7 @@ profile protonmail-bridge-core @{exec_path} { owner @{user_passwordstore_dirs}/ r, owner @{user_passwordstore_dirs}/.gpg-id r, + owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} rw, owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} rw, deny owner @{user_passwordstore_dirs}/**/ r, From a46967cb43e643efc925644b234093f249fdc313 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 14:56:51 +0200 Subject: [PATCH 091/798] feat(tunable): add papers to the list of document viewers. --- apparmor.d/tunables/multiarch.d/programs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 198776f9b..b3e36cae7 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -76,7 +76,7 @@ @{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli # Document viewers -@{document_viewers_names} = evince okular *{F,f}oliate YACReader +@{document_viewers_names} = evince papers okular *{F,f}oliate YACReader # Image viewers @{image_viewers_names} = eog loupe ristretto From 043dc3fc0589d3c361dd9e4a1cdf543fab8284df Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 15:23:24 +0200 Subject: [PATCH 092/798] feat(profile): add paperspecs to cups backend. --- apparmor.d/groups/cups/cups-backend-beh | 1 + apparmor.d/groups/cups/cups-backend-bluetooth | 1 + apparmor.d/groups/cups/cups-backend-brf | 1 + apparmor.d/groups/cups/cups-backend-dnssd | 1 + apparmor.d/groups/cups/cups-backend-hp | 1 + apparmor.d/groups/cups/cups-backend-implicitclass | 1 + apparmor.d/groups/cups/cups-backend-ipp | 1 + apparmor.d/groups/cups/cups-backend-lpd | 1 + apparmor.d/groups/cups/cups-backend-mdns | 1 + apparmor.d/groups/cups/cups-backend-parallel | 1 + apparmor.d/groups/cups/cups-backend-pdf | 6 ++++-- apparmor.d/groups/cups/cups-backend-serial | 1 + apparmor.d/groups/cups/cups-backend-snmp | 1 + apparmor.d/groups/cups/cups-backend-socket | 1 + apparmor.d/groups/cups/cups-backend-usb | 1 + 15 files changed, 18 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/cups/cups-backend-beh b/apparmor.d/groups/cups/cups-backend-beh index e2dbc1b51..1e9fe5b78 100644 --- a/apparmor.d/groups/cups/cups-backend-beh +++ b/apparmor.d/groups/cups/cups-backend-beh @@ -13,6 +13,7 @@ profile cups-backend-beh @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-bluetooth b/apparmor.d/groups/cups/cups-backend-bluetooth index ada4926ce..78ffbac77 100644 --- a/apparmor.d/groups/cups/cups-backend-bluetooth +++ b/apparmor.d/groups/cups/cups-backend-bluetooth @@ -13,6 +13,7 @@ profile cups-backend-bluetooth @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-brf b/apparmor.d/groups/cups/cups-backend-brf index 27e98efc3..6d50b284f 100644 --- a/apparmor.d/groups/cups/cups-backend-brf +++ b/apparmor.d/groups/cups/cups-backend-brf @@ -15,6 +15,7 @@ profile cups-backend-brf @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd index f45b99216..1009a0ef2 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -14,6 +14,7 @@ profile cups-backend-dnssd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-hp b/apparmor.d/groups/cups/cups-backend-hp index 636121553..cd9af3d7f 100644 --- a/apparmor.d/groups/cups/cups-backend-hp +++ b/apparmor.d/groups/cups/cups-backend-hp @@ -13,6 +13,7 @@ profile cups-backend-hp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-implicitclass b/apparmor.d/groups/cups/cups-backend-implicitclass index ba85c62fa..c71295f83 100644 --- a/apparmor.d/groups/cups/cups-backend-implicitclass +++ b/apparmor.d/groups/cups/cups-backend-implicitclass @@ -13,6 +13,7 @@ profile cups-backend-implicitclass @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-ipp b/apparmor.d/groups/cups/cups-backend-ipp index b473ecaa3..8d61f4072 100644 --- a/apparmor.d/groups/cups/cups-backend-ipp +++ b/apparmor.d/groups/cups/cups-backend-ipp @@ -13,6 +13,7 @@ profile cups-backend-ipp @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-lpd b/apparmor.d/groups/cups/cups-backend-lpd index af2901be0..89b62b569 100644 --- a/apparmor.d/groups/cups/cups-backend-lpd +++ b/apparmor.d/groups/cups/cups-backend-lpd @@ -13,6 +13,7 @@ profile cups-backend-lpd @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-mdns b/apparmor.d/groups/cups/cups-backend-mdns index 0b9cce0da..9e5dfbe0f 100644 --- a/apparmor.d/groups/cups/cups-backend-mdns +++ b/apparmor.d/groups/cups/cups-backend-mdns @@ -13,6 +13,7 @@ profile cups-backend-mdns @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-parallel b/apparmor.d/groups/cups/cups-backend-parallel index a985e5042..b4340b2ed 100644 --- a/apparmor.d/groups/cups/cups-backend-parallel +++ b/apparmor.d/groups/cups/cups-backend-parallel @@ -13,6 +13,7 @@ profile cups-backend-parallel @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf index 7782ecb11..6f658b064 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -14,9 +14,10 @@ profile cups-backend-pdf @{exec_path} { include capability chown, + capability dac_override, + capability dac_read_search, capability setgid, capability setuid, - capability dac_override, unix peer=(label=cupsd), @@ -30,10 +31,11 @@ profile cups-backend-pdf @{exec_path} { /usr/share/ghostscript/{,**} r, - /etc/papersize r, /etc/cups/ r, /etc/cups/cups-pdf.conf r, /etc/cups/ppd/*.ppd r, + /etc/papersize r, + /etc/paperspecs r, /var/log/cups/cups-pdf*_log w, /var/spool/cups-pdf/{,**} rw, diff --git a/apparmor.d/groups/cups/cups-backend-serial b/apparmor.d/groups/cups/cups-backend-serial index 3959a091d..26811ab59 100644 --- a/apparmor.d/groups/cups/cups-backend-serial +++ b/apparmor.d/groups/cups/cups-backend-serial @@ -13,6 +13,7 @@ profile cups-backend-serial @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, /dev/ttyS@{int} w, diff --git a/apparmor.d/groups/cups/cups-backend-snmp b/apparmor.d/groups/cups/cups-backend-snmp index 5badd529a..816f6c25b 100644 --- a/apparmor.d/groups/cups/cups-backend-snmp +++ b/apparmor.d/groups/cups/cups-backend-snmp @@ -19,6 +19,7 @@ profile cups-backend-snmp @{exec_path} { /etc/cups/snmp.conf r, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-socket b/apparmor.d/groups/cups/cups-backend-socket index 3efcf183b..f8f36a056 100644 --- a/apparmor.d/groups/cups/cups-backend-socket +++ b/apparmor.d/groups/cups/cups-backend-socket @@ -13,6 +13,7 @@ profile cups-backend-socket @{exec_path} { @{exec_path} mr, /etc/papersize r, + /etc/paperspecs r, include if exists } diff --git a/apparmor.d/groups/cups/cups-backend-usb b/apparmor.d/groups/cups/cups-backend-usb index fa21e0204..7d9dbd237 100644 --- a/apparmor.d/groups/cups/cups-backend-usb +++ b/apparmor.d/groups/cups/cups-backend-usb @@ -21,6 +21,7 @@ profile cups-backend-usb @{exec_path} { /etc/cups/ppd/*.ppd r, /etc/papersize r, + /etc/paperspecs r, include if exists } From 00327dfae17112aac14ab572ddb1ed026797465c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 18:38:48 +0200 Subject: [PATCH 093/798] feat(profile): minor improvements. --- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-systemd-daily | 2 +- apparmor.d/groups/apt/aptitude-create-state-bundle | 2 +- apparmor.d/groups/apt/unattended-upgrade | 7 +++++-- apparmor.d/groups/grub/update-grub | 5 +++-- apparmor.d/profiles-a-f/acpi | 1 - apparmor.d/profiles-a-f/evince | 5 +++-- apparmor.d/profiles-g-l/kmod | 14 +++++++++++++- apparmor.d/profiles-m-r/mkinitramfs | 6 ++++++ apparmor.d/profiles-s-z/spice-vdagent | 2 ++ 10 files changed, 35 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 5c33a1866..947dba149 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -177,7 +177,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sh_path} rix, @{pager_path} rmix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, /root/ r, # For shell pwd diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 04907876e..08e1400b2 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/touch rix, @{bin}/uniq rix, @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/xargs rix, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index c700e325f..59f7a54f6 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which{,.debianutils} rix, + @{bin}/which rix, @{bin}/tar rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 3e60798e9..8413d9975 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -10,13 +10,14 @@ include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include include + include include capability chown, @@ -65,7 +66,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{etc_ro}/login.defs r, @{etc_ro}/security/capability.conf r, - /etc/apport/report-ignore/ r, + /etc/apport/report-ignore/{,**} r, /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, @@ -89,8 +90,10 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/vmware-tools/* r, /var/log/unattended-upgrades/{,**} rw, + /var/crash/*.crash w, /var/lib/apt/periodic/unattended-upgrades-stamp w, + /var/lib/dpkg/info/ r, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/updates/ r, diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index 1996b346b..ff17c160a 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -14,8 +14,9 @@ profile update-grub @{exec_path} { capability dac_read_search, @{exec_path} mr, - @{sh_path} rix, - @{sbin}/grub-mkconfig rPx, + + @{sh_path} rix, + @{sbin}/grub-mkconfig rPx, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi index 2914180e6..3b42be234 100644 --- a/apparmor.d/profiles-a-f/acpi +++ b/apparmor.d/profiles-a-f/acpi @@ -19,7 +19,6 @@ profile acpi @{exec_path} flags=(complain) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/virtual/thermal/{,**} r, - include if exists } diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 5ae754138..b7b087309 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -44,13 +44,14 @@ profile evince @{exec_path} { /usr/share/poppler/{,**} r, /usr/share/thumbnailers/{,*} r, - owner @{user_share_dirs}/ r, owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_config_dirs}/evince/{,*} rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.pdf r, owner @{tmp}/evince-@{int}/{,**} rw, - owner @{tmp}/gtkprint* rw, + owner @{tmp}/gtkprint_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 0338e3975..ccc8d6913 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -28,7 +28,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{bin}/basename rix, @{bin}/false rix, @{bin}/id rix, - @{sbin}/sysctl rPx, + @{sbin}/sysctl rCx -> sysctl, @{bin}/true rix, @{lib}/modprobe.d/{,*.conf} r, @@ -74,6 +74,18 @@ profile kmod @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, deny unix (receive) type=stream, + profile sysctl { + include + + @{sbin}/sysctl mr, + + /etc/sysctl.conf r, + /etc/sysctl.d/{,**} r, + /usr/lib/sysctl.d/{,**} r, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index ad626192c..eaf5645f3 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -96,6 +96,12 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs-@{rand6} rw, owner /var/tmp/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + @{sys}/devices/platform/ r, @{sys}/devices/platform/**/ r, @{sys}/devices/platform/**/modalias r, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 9562fec75..c73f5f678 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -47,6 +47,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/task/@{tid}/comm rw, + /dev/udmabuf rw, + include if exists } From 2bad07f5ffe85486104bb775df646bb5cc5aad6f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 18:44:59 +0200 Subject: [PATCH 094/798] doc: hide the date of revision on the front page. --- docs/index.md | 5 +++++ mkdocs.yml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/index.md b/docs/index.md index 5e6c70c56..9602207d0 100644 --- a/docs/index.md +++ b/docs/index.md @@ -19,6 +19,11 @@ hide: display: none; } + /* Hide the date of revision */ + .md-source-file { + display: none; + } + /* Get started button */ .md-typeset .md-button--primary { color: var(--md-primary-fg-color); diff --git a/mkdocs.yml b/mkdocs.yml index 12783b566..e5244a529 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -15,7 +15,7 @@ repo_url: https://github.com/roddhjav/apparmor.d edit_uri: edit/main/docs/ # Copyright -copyright: Copyright © 2021-2024 Alexandre Pujol +copyright: Copyright © 2021-2025 Alexandre Pujol # Configuration theme: From f9f409716434735336e9de871cad8fcfb329cd4f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:12:24 +0200 Subject: [PATCH 095/798] feat(abs): add the path abstraction. --- apparmor.d/abstractions/app-launcher-root | 7 ++----- apparmor.d/abstractions/app-launcher-user | 10 +++------- apparmor.d/abstractions/common/app | 5 +---- apparmor.d/abstractions/path | 23 +++++++++++++++++++++++ apparmor.d/groups/children/child-open-any | 7 +------ 5 files changed, 30 insertions(+), 22 deletions(-) create mode 100644 apparmor.d/abstractions/path diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 0bc7dbeff..7f7e2a673 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -5,15 +5,12 @@ abi , + include + @{bin}/** PUx, @{sbin}/** PUx, /usr/local/{s,}bin/** PUx, - @{bin}/ r, - / r, - /usr/ r, - /usr/local/{s,}bin/ r, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 800de5106..3f35d5882 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -5,6 +5,8 @@ abi , + include + @{bin}/** PUx, /opt/*/** PUx, /usr/share/** PUx, @@ -18,13 +20,7 @@ @{thunderbird_path} Px, @{offices_path} PUx, - @{bin}/ r, - / r, - /usr/ r, - /usr/local/bin/ r, - - @{user_bin_dirs}/ r, - @{user_bin_dirs}/** PUx, + @{user_bin_dirs}/** PUx, include if exists diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index cc802ef06..0d63b72c8 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -27,6 +27,7 @@ include include include + include include include @@ -39,12 +40,8 @@ /etc/{,**} r, - / r, /.* r, - /*/ r, - @{bin}/ r, @{lib}/ r, - /usr/local/bin/ r, owner /_@{int}_/ w, owner /@{uuid}/ w, owner /var/cache/ldconfig/{,**} rw, diff --git a/apparmor.d/abstractions/path b/apparmor.d/abstractions/path new file mode 100644 index 000000000..dee241b29 --- /dev/null +++ b/apparmor.d/abstractions/path @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Common directories in $PATH, used by launchers and interactive shells. + + abi , + + @{bin}/ r, + @{bin}/*/ r, + @{sbin}/ r, + @{sbin}/*/ r, + + / r, + /usr/ r, + /usr/local/bin/ r, + /usr/local/sbin/ r, + + @{user_bin_dirs}/ r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any index 1259d7708..446627e85 100644 --- a/apparmor.d/groups/children/child-open-any +++ b/apparmor.d/groups/children/child-open-any @@ -14,6 +14,7 @@ include profile child-open-any flags=(attach_disconnected,mediate_deleted) { include include + include @{bin}/** PUx, @{lib}/** PUx, @@ -22,12 +23,6 @@ profile child-open-any flags=(attach_disconnected,mediate_deleted) { /usr/local/bin/** PUx, /usr/share/** PUx, - @{bin}/ r, - @{user_bin_dirs}/ r, - / r, - /usr/ r, - /usr/local/bin/ r, - include if exists include if exists } From efba6e164e8dcb99e26856394f924333b302fa60 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:22:00 +0200 Subject: [PATCH 096/798] feat(profile): add initial profile for decibels. --- apparmor.d/groups/gnome/decibels | 37 ++++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 38 insertions(+) create mode 100644 apparmor.d/groups/gnome/decibels diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels new file mode 100644 index 000000000..88d292b07 --- /dev/null +++ b/apparmor.d/groups/gnome/decibels @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/decibels @{bin}/org.gnome.Decibels +profile decibels @{exec_path} { + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/gjs-console rix, + + @{open_path} rPx -> child-open-help, + + /usr/share/org.gnome.Decibels/{,**} r, + + owner @{user_music_dirs}/{,**} r, + owner @{user_pictures_dirs}/{,**} r, + owner @{user_torrents_dirs}/{,**} r, + owner @{user_videos_dirs}/{,**} r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index adced30c9..bcebd472d 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -77,6 +77,7 @@ cupsd attach_disconnected,complain ddcutil complain deb-systemd-helper complain deb-systemd-invoke complain +decibels complain dino attach_disconnected,complain discord complain discord-chrome-sandbox complain From 5a448cb39dda25ddf11ce446af10dda253613bc4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:23:35 +0200 Subject: [PATCH 097/798] feat(profile): add initial profile for papers. --- apparmor.d/groups/gnome/papers | 51 ++++++++++++++++++++++++++++++++++ dists/flags/main.flags | 2 +- 2 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/gnome/papers diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers new file mode 100644 index 000000000..ee829d8f3 --- /dev/null +++ b/apparmor.d/groups/gnome/papers @@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/papers +profile papers @{exec_path} { + include + include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + @{exec_path} mr, + + @{open_path} Cx -> open, + + /usr/share/poppler/{,**} r, + + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/gtkprint_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} rw, + + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, + + profile open { + include + include + + @{browsers_path} Px, + @{help_path} Px, + @{bin}/papers Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index bcebd472d..70d484953 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -257,7 +257,7 @@ nvidia-persistenced complain ollama attach_disconnected,complain os-prober attach_disconnected,complain pam_kwallet_init complain -pam-tmpdir-helper complain +papers complain passimd attach_disconnected,complain pkla-admin-identities complain pkla-check-authorization complain From 8d374ed8761dfd518e7d4f09e8ec699261d76b56 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:25:27 +0200 Subject: [PATCH 098/798] feat(fsp): add tunables for the future systemd executor profiles. --- apparmor.d/tunables/multiarch.d/profiles | 2 ++ pkg/prebuild/prepare/fsp.go | 2 ++ 2 files changed, 4 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index e966623d4..92ab19fc9 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -9,7 +9,9 @@ # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` @{p_systemd}=unconfined +@{p_systemd_executor}=unconfined @{p_systemd_user}=unconfined +@{p_systemd_user_executor}=unconfined # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index e46efe0e8..0d4c23076 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go @@ -40,7 +40,9 @@ func (p FullSystemPolicy) Apply() ([]string, error) { return res, err } out = strings.ReplaceAll(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd") + out = strings.ReplaceAll(out, "@{p_systemd_executor}=unconfined", "@{p_systemd_executor}=systemd-executor") out = strings.ReplaceAll(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user") + out = strings.ReplaceAll(out, "@{p_systemd_user_executor}=unconfined", "@{p_systemd_user_executor}=systemd-user-executor") if err := path.WriteFile([]byte(out)); err != nil { return res, err } From dbd0a7d271930f6a85ceda79feab610599b54222 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:25:58 +0200 Subject: [PATCH 099/798] feat(tunable): add the efi variable. --- apparmor.d/tunables/multiarch.d/system | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 3f6e0f890..d7834cc8a 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -22,6 +22,8 @@ # Common places for temporary files @{tmp}=/tmp/ /tmp/user/@{uid}/ +# Common places for EFI +@{efi}=/boot/ /efi/ /boot/efi/ # System Variables # ---------------- From 4beb096532ab6c60c376fb4a3acf070e11e2d56b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:29:33 +0200 Subject: [PATCH 100/798] feat(abs): expand zsh abs to more default locations - Add support for oh-my-zsh - Add support for gitstatus & p10k - Add more zsh config dirctories. --- apparmor.d/abstractions/zsh | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index a22895c91..ff90849c0 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -10,24 +10,40 @@ @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr, - /usr/share/zsh/{,**} r, /usr/local/share/zsh/{,**} r, + /usr/share/oh-my-zsh/{,**} r, + /usr/share/zsh/{,**} r, /etc/zsh/* r, - owner @{HOME}/.zshrc r, - owner @{HOME}/.zshenv r, + owner @{HOME}/.zcompdump-* rw, owner @{HOME}/.zsh_history rw, owner @{HOME}/.zsh_history.LOCK rwk, + owner @{HOME}/.zsh_history.new rw, + owner @{HOME}/.zshenv r, + owner @{HOME}/.zshrc r, owner @{HOME}/.oh-my-zsh/{,**} r, owner @{HOME}/.oh-my-zsh/log/update.lock/ w, - owner @{HOME}/.zcompdump-* rw, + owner @{user_cache_dirs}/oh-my-zsh/{,**} r, + owner @{user_cache_dirs}/p10k-@{user}/{,**} rw, + owner @{user_cache_dirs}/p10k-dump-@{user}.zsh{,.*} rw, + owner @{user_cache_dirs}/p10k-instant-prompt-@{user}.zsh{,.*} rw, owner @{user_config_dirs}/zsh/.zcompdump-* rw, owner @{user_config_dirs}/zsh/{,**} r, + owner @{user_share_dirs}/zsh/history rw, + owner @{user_share_dirs}/zsh/history.LOCK rwk, + owner @{user_share_dirs}/zsh/history.new rw, + + owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo rw, + owner @{tmp}/gitstatus.POWERLEVEL9K.*.lock rwk, + + @{PROC}/version r, + owner @{PROC}/@{pid}/loginuid r, + include if exists # vim:syntax=apparmor From d74a47764665fbdcbfd74ec8d0549b557ab1075e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:33:03 +0200 Subject: [PATCH 101/798] feat(tunable): add @{backup_path}. --- apparmor.d/abstractions/app-open | 7 ++----- apparmor.d/tunables/multiarch.d/paths | 3 +++ apparmor.d/tunables/multiarch.d/programs | 3 +++ 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 8c74d1f08..27f0c96fc 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -26,6 +26,7 @@ @{image_viewers_path} PUx, @{offices_path} PUx, @{text_editors_path} PUx, + @{backup_path} PUx, # Others @{bin}/amule Px, @@ -41,6 +42,7 @@ @{bin}/gnome-calculator Px, @{bin}/gnome-disk-image-mounter Px, @{bin}/gnome-disks Px, + @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, @{bin}/kgx Px, @@ -57,11 +59,6 @@ #aa:only opensuse @{lib}/YaST2/** PUx, - # Backup - @{lib}/deja-dup/deja-dup-monitor PUx, - - @{bin}/gnome-session-quit rPx, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 733f8925c..cb889ee19 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -69,4 +69,7 @@ # Terminal emulator @{terminal_path} = @{bin}/@{offices_names} +# Backup +@{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index b3e36cae7..c1eea10b3 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -93,4 +93,7 @@ # Terminal emulator @{terminal_name} = kgx terminator konsole +# Backup +@{backup_names} = deja-dup borg + # vim:syntax=apparmor From 3b1fe1f931337c7e6d9428797866045effe3e0ca Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 17 May 2025 22:41:43 +0200 Subject: [PATCH 102/798] feat(tunable): fix and use terminal_path. --- apparmor.d/abstractions/app-open | 4 ++-- apparmor.d/tunables/multiarch.d/paths | 2 +- apparmor.d/tunables/multiarch.d/programs | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 27f0c96fc..c7d2a86c8 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -18,6 +18,7 @@ # Labeled programs @{archive_viewers_path} PUx, + @{backup_path} PUx, @{browsers_path} Px, @{document_viewers_path} PUx, @{emails_path} PUx, @@ -25,8 +26,8 @@ @{help_path} Px, @{image_viewers_path} PUx, @{offices_path} PUx, + @{terminal_path} Px, @{text_editors_path} PUx, - @{backup_path} PUx, # Others @{bin}/amule Px, @@ -45,7 +46,6 @@ @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, - @{bin}/kgx Px, @{bin}/qbittorrent Px, @{bin}/qpdfview Px, @{bin}/smplayer Px, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index cb889ee19..059f337fd 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -67,7 +67,7 @@ @{help_path} = @{bin}/@{help_names} # Terminal emulator -@{terminal_path} = @{bin}/@{offices_names} +@{terminal_path} = @{bin}/@{terminal_names} # Backup @{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index c1eea10b3..cddb1a7d2 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -91,7 +91,7 @@ @{help_names} = yelp # Terminal emulator -@{terminal_name} = kgx terminator konsole +@{terminal_names} = kgx terminator konsole ptyxis # Backup @{backup_names} = deja-dup borg From 053ce04c8e040c47095b32468d8e046033a14466 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 13:09:06 +0200 Subject: [PATCH 103/798] feat(tunanle): add the sqlhex variable. --- apparmor.d/abstractions/common/app | 3 ++- apparmor.d/groups/flatpak/flatpak-app | 1 - apparmor.d/groups/gnome/gnome-music | 4 ++-- apparmor.d/groups/gnome/localsearch | 8 ++------ apparmor.d/groups/gnome/tracker-miner | 6 ++---- apparmor.d/profiles-a-f/dropbox | 3 ++- apparmor.d/profiles-a-f/fractal | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/gpo | 3 ++- apparmor.d/profiles-g-l/gpodder | 3 ++- apparmor.d/profiles-m-r/protonmail-bridge-core | 4 ++-- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-m-r/quiterss | 3 ++- apparmor.d/profiles-s-z/strawberry | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 6 ++++-- apparmor.d/tunables/multiarch.d/system | 3 +++ 17 files changed, 30 insertions(+), 27 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 0d63b72c8..99da31590 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -59,9 +59,10 @@ owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, owner @{user_games_dirs}/** rmix, - owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, + owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, + owner /var/tmp/etilqs_@{sqlhex} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 8d35bc8e0..bb824c7cb 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -82,7 +82,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, - /var/tmp/etilqs_@{hex16} rw, @{run}/.userns r, @{run}/parent/** r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 7874e95ff..511a48987 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -51,8 +51,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 263604ba7..1503ba747 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -47,12 +47,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, - owner @{tmp}/etilqs_@{hex12}@{h} rw, - owner @{tmp}/etilqs_@{hex12}@{hex2} rw, - owner @{tmp}/etilqs_@{hex15} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index e10d81bb2..d35f6467f 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -63,10 +63,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, - owner /var/tmp/etilqs_@{hex15} rw, - owner /var/tmp/etilqs_@{hex16} rw, - owner @{tmp}/etilqs_@{hex15} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, # Allow to search user files owner @{HOME}/{,**} r, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index eecdb2e6d..b4baf1d0c 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -61,7 +61,8 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index c6746843d..5971764f0 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -34,7 +34,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{run}/user/@{uid}/fractal/{,**} rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 75d5197ae..71addde64 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -67,7 +67,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/tmp/etilqs_@{hex16} rw, + /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 562980d35..cebfc955f 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -36,7 +36,8 @@ profile gpo @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index 7ccf428c3..dd7a20eb7 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -47,7 +47,8 @@ profile gpodder @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 493199974..ee7adab75 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -43,8 +43,8 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner @{tmp}/bridge@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/ r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 33435fa8d..24e0c61dd 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -54,7 +54,7 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 32c05e55b..1d3850ba5 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -54,7 +54,7 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 89395f8b5..d1194abf5 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -47,7 +47,8 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, - owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 6a337a66b..84bbcf1f2 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -68,7 +68,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w, owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 67b3cf503..6f4c120a0 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -59,11 +59,13 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{tmp}/.mount_wechat@{word6}/ rw, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} mr, - owner /var/tmp/etilqs_* rw, - @{HOME}/.xwechat/{,**} rwk, + owner @{user_documents_dirs}/xwechat_files/{,**} rwk, + owner @{tmp}/etilqs_@{sqlhex} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, + /dev/fuse rw, /dev/tty rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index d7834cc8a..f1be21e49 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -54,6 +54,9 @@ # System Internal # --------------- +# SQlite temporary files (hexadecimal from 12 to 16 characters) +@{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} + # Shortcut for PCI device @{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} @{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} From 94991165421ca3bc422af6893792bb3aa5dfbd9f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 13:39:32 +0200 Subject: [PATCH 104/798] feat(profile): add initial profile for ptyxis. --- apparmor.d/groups/gnome/ptyxis | 38 +++++++++++++++++++++++ apparmor.d/groups/gnome/ptyxis-agent | 46 ++++++++++++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 86 insertions(+) create mode 100644 apparmor.d/groups/gnome/ptyxis create mode 100644 apparmor.d/groups/gnome/ptyxis-agent diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis new file mode 100644 index 000000000..739681eae --- /dev/null +++ b/apparmor.d/groups/gnome/ptyxis @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ptyxis +profile ptyxis @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{lib}/ptyxis-agent Px, + @{open_path} Px -> child-open-help, + + /etc/shells r, + + owner @{user_cache_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_cache_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_cache_dirs}/org.gnome.Ptyxis/**, + + owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, + + owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, + owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, + + owner @{PROC}/@{pid}/stat r, + + /dev/ptmx rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent new file mode 100644 index 000000000..239993f21 --- /dev/null +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -0,0 +1,46 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ptyxis-agent +profile ptyxis-agent @{exec_path} { + include + include + include + include + + signal send set=hup peer=unconfined, + + ptrace read, + + @{exec_path} mr, + + @{bin}/podman Px, + @{bin}/systemd-run Cx -> shell, + + /usr/share/glib-2.0/schemas/gschemas.compiled r, + + owner @{PROC}/@{pid}/cmdline r, + + /dev/ptmx rw, + + profile shell { + include + include + + signal send, + + @{bin}/systemd-run mr, + @{bin}/@{shells} Ux, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 70d484953..2cef12304 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -271,6 +271,8 @@ plymouth complain plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted +ptyxis complain +ptyxis-agent complain qdbus complain remmina complain run-parts complain From 1fab846875cae905de7c4e194848a043793185c6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 13:47:08 +0200 Subject: [PATCH 105/798] feat(abs): add proc stat to the gnome common abs. --- apparmor.d/abstractions/common/gnome | 1 + apparmor.d/groups/apparmor/aa-notify | 1 - apparmor.d/groups/gnome/decibels | 1 - apparmor.d/groups/gnome/gnome-calculator | 2 -- apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-extensions-app | 1 - apparmor.d/groups/gnome/gnome-logs | 2 -- apparmor.d/groups/gnome/gnome-maps | 1 - apparmor.d/groups/gnome/gnome-text-editor | 1 - apparmor.d/groups/gnome/gnome-weather | 1 - apparmor.d/groups/gnome/papers | 1 - apparmor.d/groups/gnome/ptyxis | 2 -- apparmor.d/profiles-a-f/file-roller | 1 - apparmor.d/profiles-a-f/foliate | 1 - apparmor.d/profiles-a-f/fractal | 1 - 15 files changed, 1 insertion(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index ccb5de8b3..056f6581b 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -32,6 +32,7 @@ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index b64317a57..7cb64af80 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -75,7 +75,6 @@ profile aa-notify @{exec_path} { owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/decibels b/apparmor.d/groups/gnome/decibels index 88d292b07..2bb38dfd5 100644 --- a/apparmor.d/groups/gnome/decibels +++ b/apparmor.d/groups/gnome/decibels @@ -28,7 +28,6 @@ profile decibels @{exec_path} { owner @{user_videos_dirs}/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 3f2290e6a..2e553d9f4 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -23,8 +23,6 @@ profile gnome-calculator @{exec_path} { @{open_path} rPx -> child-open-help, - owner @{PROC}/@{pid}/stat r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 890a54691..7ee0f835e 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} { /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index f1e229b59..0a65c95f2 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -22,7 +22,6 @@ profile gnome-extensions-app @{exec_path} { /usr/share/terminfo/** r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/task/@{tid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs index 06e66a43b..5e3ab03bd 100644 --- a/apparmor.d/groups/gnome/gnome-logs +++ b/apparmor.d/groups/gnome/gnome-logs @@ -27,8 +27,6 @@ profile gnome-logs @{exec_path} { /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal r, /{run,var}/log/journal/remote/ r, - owner @{PROC}/@{pid}/stat r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps index 294d6229a..705857391 100644 --- a/apparmor.d/groups/gnome/gnome-maps +++ b/apparmor.d/groups/gnome/gnome-maps @@ -45,7 +45,6 @@ profile gnome-maps @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 693b1618f..22823753b 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -24,7 +24,6 @@ profile gnome-text-editor @{exec_path} { owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index c73ff0a19..fe2bf69b2 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -31,7 +31,6 @@ profile gnome-weather @{exec_path} { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny owner @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index ee829d8f3..87820376c 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -32,7 +32,6 @@ profile papers @{exec_path} { @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, profile open { include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 739681eae..2f7dee368 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -28,8 +28,6 @@ profile ptyxis @{exec_path} { owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, - owner @{PROC}/@{pid}/stat r, - /dev/ptmx rw, include if exists diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index b8eedb263..24610cd8c 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -48,7 +48,6 @@ profile file-roller @{exec_path} { @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index f6380d125..a07976ce9 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -51,7 +51,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/smaps r, - owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 5971764f0..40001da68 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -41,7 +41,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/stat r, /dev/ r, From 658c054c47a7a0ffc054b5ada18137e62c063354 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 14:46:35 +0200 Subject: [PATCH 106/798] feat(profile): update and enforce a few profiles. --- apparmor.d/groups/filesystem/mke2fs | 1 + apparmor.d/groups/gnome/gnome-session-binary | 1 - apparmor.d/groups/gnome/gnome-software | 14 ++-------- apparmor.d/groups/gnome/gnome-system-monitor | 8 +----- apparmor.d/groups/gnome/gnome-terminal-server | 18 ++++++------ apparmor.d/groups/gnome/gnome-tweaks | 2 +- apparmor.d/groups/gnome/kgx | 18 ++++++------ apparmor.d/groups/network/ModemManager | 3 +- apparmor.d/groups/polkit/pkttyagent | 4 +-- apparmor.d/groups/shadow/newgidmap | 2 ++ apparmor.d/groups/shadow/newuidmap | 2 ++ apparmor.d/profiles-a-f/calibre | 28 +++++++++++++------ apparmor.d/profiles-m-r/mdevctl | 1 + apparmor.d/profiles-m-r/metadata-cleaner | 14 +++------- apparmor.d/profiles-s-z/totem | 8 ++++++ apparmor.d/profiles-s-z/xsane-gimp | 18 +++++++----- dists/flags/main.flags | 22 ++------------- 17 files changed, 77 insertions(+), 87 deletions(-) diff --git a/apparmor.d/groups/filesystem/mke2fs b/apparmor.d/groups/filesystem/mke2fs index a3edbeb50..90df8ecb1 100644 --- a/apparmor.d/groups/filesystem/mke2fs +++ b/apparmor.d/groups/filesystem/mke2fs @@ -10,6 +10,7 @@ include @{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4 profile mke2fs @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 1f17b35a3..027a1ab96 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -103,7 +103,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile open flags=(attach_disconnected) { include include - include include @{bin}/env rix, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index dd872c53a..c10261c02 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include - include + include include - include - include include include include @@ -71,15 +69,11 @@ profile gnome-software @{exec_path} { /var/tmp/flatpak-cache-*/** rwkl, /var/tmp/#@{int} rw, - / r, - owner @{HOME}/.var/app/{,**} rw, owner @{user_download_dirs}/*.flatpakref r, owner @{user_cache_dirs}/flatpak/{,**} rwl, - owner @{user_cache_dirs}/gnome-software/ rw, - owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**, owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, @@ -94,7 +88,6 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, - owner @{user_share_dirs}/gnome-software/{,**} rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, @@ -123,10 +116,7 @@ profile gnome-software @{exec_path} { @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/fuse rw, @@ -166,6 +156,8 @@ profile gnome-software @{exec_path} { include include + capability setuid, + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 8df82b290..a3d039dea 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -9,10 +9,7 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include - include - include - include - include + include include capability sys_ptrace, @@ -35,7 +32,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tr rix, - /usr/share/gnome-system-monitor/{,**} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, / r, @@ -78,8 +74,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/diskstats r, @{PROC}/vmstat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 55a7f4687..837f00f68 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -19,11 +19,11 @@ profile gnome-terminal-server @{exec_path} { include include - signal (send) set=(hup) peer=htop, - signal (send) set=(term hup kill) peer=unconfined, + signal send set=(hup) peer=htop, + signal send set=(term hup kill) peer=unconfined, - ptrace (read) peer=htop, - ptrace (read) peer=unconfined, + ptrace read peer=htop, + ptrace read peer=unconfined, #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions @@ -39,14 +39,14 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, # The shell is not confined on purpose. - @{bin}/@{shells} rUx, + @{bin}/@{shells} Ux, # Some CLI program can be launched directly from Gnome Shell - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, - @{open_path} rPx -> child-open, + @{open_path} Px -> child-open, /etc/shells r, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index fa94d56e8..96e83b846 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -32,7 +32,7 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_config_dirs}/autostart/ rw, - owner @{user_config_dirs}/autostart/*.desktop r, + owner @{user_config_dirs}/autostart/*.desktop rw, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index c9177de5c..a32a3d8c3 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -17,7 +17,7 @@ profile kgx @{exec_path} { capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @@ -25,14 +25,14 @@ profile kgx @{exec_path} { @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell - @{bin}/btop rPUx, - @{bin}/htop rPx, - @{bin}/micro rPUx, - @{bin}/nvtop rPx, - @{bin}/nvtop rPx, - @{bin}/vim rUx, - - @{open_path} rPx -> child-open-help, + @{bin}/btop PUx, + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + @{bin}/nvtop Px, + @{bin}/vim Ux, + + @{open_path} Px -> child-open-help, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 1d8987709..59efc3201 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -14,7 +14,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include include include - include + include capability net_admin, @@ -47,7 +47,6 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/tty/ r, @{sys}/class/wwan/ r, - @{sys}/devices/@{pci}/revision r, @{sys}/devices/**/net/*/ r, @{sys}/devices/**/uevent r, @{sys}/devices/virtual/tty/*/ r, diff --git a/apparmor.d/groups/polkit/pkttyagent b/apparmor.d/groups/polkit/pkttyagent index de0eeef33..436447aef 100644 --- a/apparmor.d/groups/polkit/pkttyagent +++ b/apparmor.d/groups/polkit/pkttyagent @@ -18,8 +18,8 @@ profile pkttyagent @{exec_path} { capability sys_nice, capability audit_write, - ptrace (read), - signal (send,receive), + ptrace read, + signal (send, receive), @{exec_path} mr, diff --git a/apparmor.d/groups/shadow/newgidmap b/apparmor.d/groups/shadow/newgidmap index 4a7196fc2..6fa555504 100644 --- a/apparmor.d/groups/shadow/newgidmap +++ b/apparmor.d/groups/shadow/newgidmap @@ -18,6 +18,8 @@ profile newgidmap @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, /etc/subgid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/groups/shadow/newuidmap b/apparmor.d/groups/shadow/newuidmap index 549eb06ef..6a53bf5c1 100644 --- a/apparmor.d/groups/shadow/newuidmap +++ b/apparmor.d/groups/shadow/newuidmap @@ -18,6 +18,8 @@ profile newuidmap @{exec_path} { @{exec_path} mr, + @{etc_ro}/login.defs r, + @{etc_ro}/login.defs.d/{,*} r, /etc/subuid r, @{PROC}/@{pids}/ r, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index e3643ab6d..bba3dfedb 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -15,9 +15,10 @@ profile calibre @{exec_path} { include include include - include include + include include + include include include include @@ -35,11 +36,13 @@ profile calibre @{exec_path} { capability sys_ptrace, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, - unix (send, receive) type=stream peer=(addr=none, label=xorg), + # unix (send, receive) type=stream peer=(addr=none, label=xorg), unix (bind, listen) type=stream addr="@*-calibre-gui.socket", unix (bind) type=stream addr="@calibre-*", @@ -47,9 +50,10 @@ profile calibre @{exec_path} { @{sh_path} rix, @{python_path} rix, + @{bin}/env r, @{bin}/file rix, - @{sbin}/ldconfig{,.real} rix, @{bin}/uname rix, + @{sbin}/ldconfig{,.real} rix, @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, @{bin}/pdftoppm rPUx, # (#FIXME#) @@ -61,6 +65,7 @@ profile calibre @{exec_path} { /usr/share/calibre/{,**} r, /etc/fstab r, + /etc/httpd/conf/mime.types r, /etc/inputrc r, /etc/magic r, /etc/mime.types r, @@ -68,10 +73,15 @@ profile calibre @{exec_path} { owner @{HOME}/ r, owner "@{HOME}/Calibre Library/{,**}" rw, owner "@{HOME}/Calibre Library/metadata.db" rwk, - owner @{user_documents_dirs}/{,**} rwl, + owner @{user_books_dirs}/{,**} rwl, + owner @{user_books_dirs}/Calibre/** rwk, + owner @{user_documents_dirs}/{,**} rwl, + owner @{user_documents_dirs}/Calibre/** rwk, owner @{user_torrents_dirs}/{,**} rwl, + owner @{user_torrents_dirs}/Calibre/** rwk, owner @{user_work_dirs}/{,**} rwl, + owner @{user_work_dirs}/Calibre/** rwk, owner @{user_config_dirs}/calibre/ rw, owner @{user_config_dirs}/calibre/** rwk, @@ -82,10 +92,11 @@ profile calibre @{exec_path} { owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, - owner @{tmp}/calibre_*_tmp_*/{,**} rw, - owner @{tmp}/calibre-*/{,**} rw, - owner @{tmp}/@{int}-*/ rw, - owner @{tmp}/@{int}-*/** rwl, + owner @{tmp}/@{rand8} rw, + audit owner @{tmp}/@{int}-*/ rw, + audit owner @{tmp}/@{int}-*/** rwl, + audit owner @{tmp}/calibre_@{rand8}_tmp_*/{,**} rw, + audit owner @{tmp}/calibre-@{rand8}/{,**} rw, owner /dev/shm/#@{int} rw, @@ -108,6 +119,7 @@ profile calibre @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, + /dev/tty r, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index f1b5034e6..906dcf512 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/mdevctl profile mdevctl @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 4aa662cd0..808427d85 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/metadata-cleaner profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include include include @@ -20,12 +18,10 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{python_path} rix, - @{bin}/bwrap rCx -> bwrap, - @{open_path} rPx -> child-open-help, + @{bin}/bwrap Cx -> bwrap, + @{open_path} Px -> child-open-help, - /usr/share/metadata-cleaner/{,**} r, /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w, - /usr/share/poppler/{,**} r, /etc/httpd/conf/mime.types r, @@ -38,10 +34,8 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_cache_dirs}/thumbnails/** r, @@ -51,7 +45,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include include - signal (receive) set=(kill) peer=metadata-cleaner, + signal receive set=(kill) peer=metadata-cleaner, @{bin}/bwrap mr, @{bin}/vendor_perl/exiftool rix, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 64ab228ba..fc582cae2 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -14,6 +14,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -67,6 +68,10 @@ profile totem @{exec_path} flags=(attach_disconnected) { include capability dac_override, + capability sys_ptrace, + + network inet dgram, + network inet6 dgram, @{bin}/bwrap mr, @{bin}/totem-video-thumbnailer rix, @@ -78,8 +83,11 @@ profile totem @{exec_path} flags=(attach_disconnected) { owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw, owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + owner @{tmp}/gnome-desktop-thumbnailer.png rw, @{PROC}/sys/vm/mmap_min_addr r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm w, /dev/ r, diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp index 41ac0b973..4273e803d 100644 --- a/apparmor.d/profiles-s-z/xsane-gimp +++ b/apparmor.d/profiles-s-z/xsane-gimp @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Roman Beslik +# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -10,27 +11,30 @@ include profile xsane-gimp @{exec_path} { include include - include - - signal (receive) set=(term, kill) peer=gimp, + include network inet dgram, network inet6 dgram, network netlink raw, + signal receive set=(term, kill) peer=gimp, + @{exec_path} mr, + @{system_share_dirs}/gimp/{,**} r, @{system_share_dirs}/sane/xsane/{,**} r, - @{system_share_dirs}/snmp/mibs/{,**} r, # network + @{system_share_dirs}/snmp/mibs/{,**} r, + /etc/sane.d/{,**} r, + owner @{HOME}/.sane/{,**} rw, owner @{tmp}/xsane-*-@{rand6} rw, - @{sys}/devices/@{pci}/{model,type,vendor} r, - @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, - # SCSI @{sys}/bus/scsi/devices/ r, + @{sys}/devices/@{pci}/{model,type,vendor} r, + @{PROC}/scsi/scsi r, + @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2cef12304..b710f2d94 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -9,7 +9,6 @@ systemd attach_disconnected,mediate_deleted,complain systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain -aa-notify complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain @@ -106,7 +105,6 @@ filezilla complain finalrd complain firewall-applet attach_disconnected,complain firewall-config complain -firewalld attach_disconnected,complain flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain @@ -117,29 +115,20 @@ flatpak-system-helper complain flatpak-validate-icon complain fstrim complain fuse-overlayfs complain -fusermount complain gdk-pixbuf-thumbnailer complain gdm-generate-config complain gdm-runtime-config complain gdm-session attach_disconnected,complain gdm-xsession complain -gimp complain gmenudbusmenuproxy complain gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain gnome-disk-image-mounter complain -gnome-disks complain gnome-extension-gsconnect complain gnome-extension-manager complain gnome-initial-setup complain -gnome-music attach_disconnected,complain -gnome-photos-thumbnailer complain gnome-remote-desktop-daemon complain -gnome-software complain -gnome-system-monitor attach_disconnected,complain -gnome-terminal-server complain -gnome-tweaks complain grub-bios-setup complain grub-editenv complain grub-file complain @@ -173,8 +162,8 @@ gsettings complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain -hyprctl complain -hyprlock complain +hyprctl attach_disconnected,complain +hyprlock attach_disconnected,complain hyprpaper attach_disconnected,complain hyprpicker complain hyprpm complain @@ -184,7 +173,6 @@ im-launch complain install-info complain iwctl complain iwd complain -jitterentropy-rngd complain kaccess complain kactivitymanagerd complain kalendarac complain @@ -202,7 +190,6 @@ kded complain kernel-install complain keyboxd complain kglobalacceld complain -kgx complain kio_http_cache_cleaner complain kiod complain kioworker complain @@ -238,9 +225,6 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdevctl complain -metadata-cleaner attach_disconnected,complain -mke2fs complain ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain @@ -357,7 +341,6 @@ systemd-network-generator complain systemd-nsresourced complain systemd-nsresourcework complain systemd-portabled complain -systemd-remount-fs complain systemd-resolve complain systemd-shutdown complain systemd-sleep-tlp complain @@ -408,6 +391,5 @@ xdm-xsession complain xembedsniproxy complain xfce-session attach_disconnected,complain xsettingsd complain -xwaylandvideobridge complain zpool complain From 21abf59132bc39f72fba96bad60eed1d41a1e5cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 14:48:33 +0200 Subject: [PATCH 107/798] feat(profile): libvirt: simplify udev access. --- apparmor.d/groups/virt/libvirtd | 31 ++----------------------------- 1 file changed, 2 insertions(+), 29 deletions(-) diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 53dcb0703..94fa568a3 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -162,35 +162,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify w, @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+input:input@{int} r, # For mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/c1:@{int} r, # For RAM disk - @{run}/udev/data/c6:@{int} r, # For parallel printer devices /dev/lp* - @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # For /dev/input/* - @{run}/udev/data/c21:@{int} r, # Generic SCSI access - @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* - @{run}/udev/data/c81:@{int} r, # For video4linux - @{run}/udev/data/c89:@{int} r, # For I2C bus interface - @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash - @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* - @{run}/udev/data/c108:@{int} r, # For /dev/ppp - @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c202:@{int} r, # CPU model-specific registers - @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{run}/udev/data/+*:* r, + @{run}/udev/data/c@{int}:@{int} r, @{run}/udev/data/n@{int} r, @{sys}/bus/[a-z]*/devices/ r, From 64f02ff6084d5084339211cdcd7f5a468cab5bf2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 14:50:09 +0200 Subject: [PATCH 108/798] feat(profile): snapd: add journalctl subprofile. --- apparmor.d/groups/snap/snapd | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 38d803655..c1b24176e 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -60,7 +60,7 @@ profile snapd @{exec_path} { dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.timedate1, label=unconfined), + peer=(name=org.freedesktop.timedate1), @{exec_path} mrix, @@ -72,7 +72,7 @@ profile snapd @{exec_path} { @{sbin}/groupadd rPx, @{bin}/gzip rix, @{bin}/hostnamectl rPx, - @{bin}/journalctl rPx, + @{bin}/journalctl rCx -> journalctl, @{bin}/kmod rPx, @{bin}/mount rix, @{sbin}/runuser rCx -> runuser, @@ -199,6 +199,25 @@ profile snapd @{exec_path} { include if exists } + profile journalctl { + include + include + + capability net_admin, + + network netlink raw, + + @{bin}/journalctl mr, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/{,*} r, + + include if exists + } + profile runuser { include From b677d4a0b537ff1c22ab2260f418cbe348df80f5 Mon Sep 17 00:00:00 2001 From: tpaau-17DB Date: Sun, 18 May 2025 18:36:39 +0200 Subject: [PATCH 109/798] Fix hyprland profile. --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 68356741d..c06671b34 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -31,6 +31,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/hyprland/{,**} rw, owner @{user_config_dirs}/hypr/** r, owner @{user_share_dirs}/hyprpm/** mr, + owner @{user_share_dirs}/hyprland/** rw, owner @{run}/user/@{uid}/gamescope-* rw, owner @{run}/user/@{uid}/.hyprpaper_* rw, From 10ef829d31efe2f4f9de20ef9b52b999852d489d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 19:31:33 +0200 Subject: [PATCH 110/798] fix(profile): more possible id than int for i2c. --- apparmor.d/groups/kde/kde-powerdevil | 10 +++++----- apparmor.d/groups/procps/htop | 6 +++--- apparmor.d/groups/xfce/xfce-sensors | 2 +- apparmor.d/profiles-m-r/monitorix | 2 +- apparmor.d/profiles-s-z/sensors | 2 +- apparmor.d/profiles-s-z/sensors-detect | 2 +- apparmor.d/profiles-s-z/sysstat-sadc | 2 +- 7 files changed, 13 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index f5ffa6a82..ebb150ed2 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -70,12 +70,12 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, - @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/**/dev r, @{sys}/devices/**/ r, - @{sys}/devices/i2c-@{int}/name r, - @{sys}/devices/platform/**/i2c-@{int}/**/name r, - @{sys}/devices/platform/*/i2c-@{int}/name r, + @{sys}/devices/i2c-*/name r, + @{sys}/devices/platform/**/i2c-*/**/name r, + @{sys}/devices/platform/*/i2c-*/name r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 5e1079802..d59fde5e5 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -45,7 +45,7 @@ profile htop @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, @@ -56,8 +56,8 @@ profile htop @{exec_path} { @{sys}/devices/**/hwmon/**/{name,temp*} r, @{sys}/devices/**/power_supply/**/{uevent,type,online} r, @{sys}/devices/*/name r, - @{sys}/devices/i2c-@{int}/name r, - @{sys}/devices/platform/*/i2c-@{int}/name r, + @{sys}/devices/i2c-*/name r, + @{sys}/devices/platform/*/i2c-*/name r, @{sys}/devices/system/cpu/cpu@{int}/** r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors index e7ee1080b..c1bd98111 100644 --- a/apparmor.d/groups/xfce/xfce-sensors +++ b/apparmor.d/groups/xfce/xfce-sensors @@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index b640d90fd..c708b587c 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -95,7 +95,7 @@ profile monitorix @{exec_path} { @{PROC}/@{pids}/io r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/class/hwmon/ r, @{sys}/devices/**/thermal*/{,**} r, @{sys}/devices/**/hwmon*/{,**} r, diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors index 4028680a6..ca2d43a65 100644 --- a/apparmor.d/profiles-s-z/sensors +++ b/apparmor.d/profiles-s-z/sensors @@ -21,7 +21,7 @@ profile sensors @{exec_path} { @{sys}/bus/i2c/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r, + @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-*/name r, @{sys}/devices/@{pci}/name r, @{sys}/devices/**/hwmon*/{,**} r, diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index 96dc17042..d21cf6f56 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index e076f313c..9a4b5cebe 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -24,7 +24,7 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-*/name r, @{sys}/devices/@{pci}/net/*/duplex r, @{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/speed r, From 86afef4920601f4e8babdfaf15d232ac5aed2979 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 19:33:58 +0200 Subject: [PATCH 111/798] build: improve `just install` --- Justfile | 13 ++++++++----- PKGBUILD | 3 ++- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/Justfile b/Justfile index 1e626dc1c..825097a1b 100644 --- a/Justfile +++ b/Justfile @@ -18,7 +18,7 @@ # Build setings destdir := "/" build := ".build" -pkgdest := `pwd` / ".pkg/dist" +pkgdest := `pwd` / ".pkg" pkgname := "apparmor.d" # Admin username @@ -86,13 +86,16 @@ install: #!/usr/bin/env bash set -eu -o pipefail install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log - for file in $(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n"); do + mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n") + for file in "${share[@]}"; do install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file" done - for file in $(find "{{build}}/apparmor.d" -type f -printf "%P\n"); do + mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n") + for file in "${aa[@]}"; do install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" done - for file in $(find "{{build}}/apparmor.d" -type l -printf "%P\n"); do + mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n") + for file in "${links[@]}"; do mkdir -p "{{destdir}}/etc/apparmor.d/disable" cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" done @@ -155,7 +158,7 @@ serve: clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ - .pkg/{{pkgname}}* {{build}} coverage.out + {{pkgdest}}/{{pkgname}}* {{build}} coverage.out [doc('Build the package in a clean OCI container')] package dist: diff --git a/PKGBUILD b/PKGBUILD index 58a693d34..b48e55153 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -30,7 +30,8 @@ build() { export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" - DISTRIBUTION=arch just complain + export DISTRIBUTION=arch + just complain } package() { From 707a5e8beec085376c6bc772352289ace86633d9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 20 May 2025 21:41:52 +0200 Subject: [PATCH 112/798] feat(profile): firewalld move kmod into a subprofile. --- apparmor.d/groups/firewall/firewalld | 36 +++++++++++++++------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index ddf0291ee..01f853c26 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -9,7 +9,6 @@ include @{exec_path} = @{sbin}/firewalld profile firewalld @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -21,7 +20,6 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { capability net_admin, capability net_raw, capability setpcap, - capability sys_module, network inet raw, network inet6 raw, @@ -34,15 +32,14 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sbin}/ r, - @{bin}/alts rix, - @{sbin}/ebtables-legacy rix, - @{sbin}/ebtables-legacy-restore rix, - @{bin}/false rix, - @{sbin}/ipset rix, - @{bin}/kmod rix, - @{sbin}/modprobe rix, - @{sbin}/xtables-legacy-multi rix, - @{sbin}/xtables-nft-multi rmix, + @{bin}/alts ix, + @{bin}/false ix, + @{bin}/kmod Cx -> kmod, + @{sbin}/ebtables-legacy ix, + @{sbin}/ebtables-legacy-restore ix, + @{sbin}/ipset ix, + @{sbin}/xtables-legacy-multi ix, + @{sbin}/xtables-nft-multi mix, /usr/local/lib/@{python_name}/dist-packages/ r, @@ -58,18 +55,25 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { /var/log/firewalld rw, @{run}/firewalld/{,*} rw, - @{run}/modprobe.d/{,*.conf} r, @{run}/xtables.lock rwk, - @{sys}/module/compression r, - @{sys}/module/*/initstate r, - - @{PROC}/sys/kernel/modprobe r, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pids}/net/ip_tables_names r, + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/nf_*/initstate r, + + include if exists + } + include if exists } From 85d35a4f86ac4a6a9479153a0aaf0b6da8063dae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:30:34 +0200 Subject: [PATCH 113/798] feat(profile): mkinitcpio ensure support for different kernel. fix #749 --- apparmor.d/groups/pacman/mkinitcpio | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 785f4f448..9eafb72a9 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -84,8 +84,9 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, - /boot/ r, - /{boot,efi}/EFI/{,**} rw, + @{efi}/ r, + @{efi}/EFI/{,**} rw, + @{efi}/@{hex32}/{,**} rw, /boot/initramfs-*.img* rw, /boot/vmlinuz-* r, From facc504ae9769f3053557665d85940027ccd9fd3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:32:28 +0200 Subject: [PATCH 114/798] fix(abs): editor: use of neovim as editor. fix #749 --- apparmor.d/abstractions/app/editor | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 1c0b87e6a..f62e36339 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -10,7 +10,7 @@ include @{sh_path} rix, - @{bin}/nvim mix, + @{bin}/nvim mrix, @{bin}/sensible-editor mr, @{bin}/vim{,.*} mrix, @{bin}/which rix, From 58d677b5f0ba8e3ae60be71dbb0f6fcbf66ff721 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:48:54 +0200 Subject: [PATCH 115/798] fix: tweak kde related abs to ensure all common rules are allowed. fix #741 --- apparmor.d/abstractions/app/open | 4 ++++ apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/kde-strict | 4 +++- 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 2b865457c..2a43affcf 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -34,9 +34,13 @@ include include + /etc/xdg/menus/ r, + owner @{run}/user//@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + @{PROC}/sys/kernel/random/boot_id r, + # fi include if exists diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 78a98a3cf..181339a12 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -52,7 +52,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 0f4410a12..7439cd9e9 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -28,7 +28,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, @@ -41,6 +41,8 @@ owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/trashrc r, + owner @{user_share_dirs}/#@{int} rw, + include if exists # vim:syntax=apparmor From 222125e593d0931a38650888ef1120091c520eaa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:01:21 +0200 Subject: [PATCH 116/798] fix: processing regexs --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/kde-strict | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 181339a12..73e533992 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -52,7 +52,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 7439cd9e9..56aa88798 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -28,7 +28,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*={.@{rand6}} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, From 6495061360d6d8ddbd695e27314ff3acb0cf37cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 20:27:44 +0200 Subject: [PATCH 117/798] feat(profile): add initial version for dpkg-scripts. --- apparmor.d/groups/apt/dpkg-script-apparmor | 10 +- .../{dpkg-script-udev => dpkg-script-kmod} | 11 +- apparmor.d/groups/apt/dpkg-script-linux | 45 ++++++ apparmor.d/groups/apt/dpkg-script-man | 27 ---- apparmor.d/groups/apt/dpkg-script-systemd | 64 ++++++++ apparmor.d/groups/apt/dpkg-scripts | 141 ++++++++++++++++++ dists/flags/main.flags | 6 +- 7 files changed, 263 insertions(+), 41 deletions(-) rename apparmor.d/groups/apt/{dpkg-script-udev => dpkg-script-kmod} (54%) create mode 100644 apparmor.d/groups/apt/dpkg-script-linux delete mode 100644 apparmor.d/groups/apt/dpkg-script-man create mode 100644 apparmor.d/groups/apt/dpkg-script-systemd create mode 100644 apparmor.d/groups/apt/dpkg-scripts diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 088fff84a..585d9c59d 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -15,12 +15,12 @@ profile dpkg-script-apparmor @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/grep ix, - @{bin}/deb-systemd-helper rPx, - @{bin}/deb-systemd-invoke rPx, - @{bin}/dpkg-divert rix, - @{bin}/systemctl rCx -> systemctl, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg-divert ix, + @{bin}/systemctl Cx -> systemctl, /usr/share/apparmor.d/** rw, diff --git a/apparmor.d/groups/apt/dpkg-script-udev b/apparmor.d/groups/apt/dpkg-script-kmod similarity index 54% rename from apparmor.d/groups/apt/dpkg-script-udev rename to apparmor.d/groups/apt/dpkg-script-kmod index 58840ef39..f900bba17 100644 --- a/apparmor.d/groups/apt/dpkg-script-udev +++ b/apparmor.d/groups/apt/dpkg-script-kmod @@ -6,16 +6,13 @@ abi , include -@{exec_path} = /var/lib/dpkg/info/udev* -profile dpkg-script-udev @{exec_path} { +@{exec_path} = /var/lib/dpkg/info/kmod* +profile dpkg-script-kmod @{exec_path} { include - @{exec_path} mr, + @{exec_path} mrix, - @{bin}/systemd-hwdb rPx, - @{bin}/deb-systemd-invoke rPx, - - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux new file mode 100644 index 000000000..c84d6aa4b --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/linux* +profile dpkg-script-linux @{exec_path} { + include + include + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/cat ix, + @{bin}/locale ix, + @{bin}/mkdir ix, + @{bin}/mkdir ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/stty ix, + + @{bin}/dpkg-trigger Px, + @{bin}/kmod Px, + @{bin}/linux-check-removal Px, + @{bin}/linux-update-symlinks Px, + @{bin}/whiptail Px, + + /usr/share/{update,reboot}-notifier/notify-reboot-required Px, + /etc/kernel/{,header_}postinst.d/* Px, + /etc/kernel/postrm.d/* Px, + /etc/kernel/preinst.d/* Px, + /etc/kernel/prerm.d/* Px, + + /etc/kernel/*.d/ r, + + @{lib}/linux/triggers/* w, + @{lib}/modules/*/.fresh-install w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-man b/apparmor.d/groups/apt/dpkg-script-man deleted file mode 100644 index 63f5c5c78..000000000 --- a/apparmor.d/groups/apt/dpkg-script-man +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/man-db.* -profile dpkg-script-man @{exec_path} { - include - include - include - - capability setgid, - capability setuid, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/setpriv rix, - @{bin}/mandb rPx, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd new file mode 100644 index 000000000..28f4b6e87 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -0,0 +1,64 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/info/systemd* +profile dpkg-script-systemd @{exec_path} { + include + include + + @{exec_path} mrix, + + @{sh_path} rix, + + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg Cx -> dpkg, + @{bin}/dpkg-divert Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/journalctl Px, + @{bin}/kernel-install Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/systemd-machine-id-setup Px, + @{bin}/systemd-sysusers Px, + @{bin}/systemd-tmpfiles Px, + @{lib}/systemd/systemd-sysctl Px, + @{sbin}/pam-auth-update Px, + + /etc/systemd/system/*.wants/ rw, + /etc/systemd/system/*.wants/* rw, + + /var/lib/systemd/{,*} rw, + /var/log/journal/ rw, + + profile dpkg { + include + include + + @{bin}/dpkg mr, + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_resource, + + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + @{bin}/systemd-tty-ask-password-agent Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts new file mode 100644 index 000000000..d644b6c3e --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -0,0 +1,141 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/** +profile dpkg-scripts @{exec_path} { + include + include + include + + capability chown, + capability dac_read_search, + capability fowner, + capability fsetid, + capability setgid, + capability setuid, + + @{exec_path} mrix, + + # Common program found in maintainer scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/run-parts rix, + + @{bin}/setpriv ix, + @{bin}/envsubst ix, + @{bin}/getent ix, + @{bin}/gzip ix, + @{bin}/helpztags ix, + @{bin}/locale ix, + @{bin}/tput ix, + @{bin}/zcat ix, + @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, + @{lib}/ubuntu-advantage/postinst-migrations.sh ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/invoke-rc.d Cx -> rc, + @{sbin}/ldconfig Cx -> ldconfig, + @{sbin}/ldconfig.real Cx -> ldconfig, + @{sbin}/update-rc.d Cx -> rc, + + # Maintainer scripts can legitimately start/restart anything + @{bin}/** Px, + @{sbin}/** Px, + @{lib}/** Px, + /usr/share/** Px, + /etc/init.d/* Px, + + /var/lib/dpkg/info/*.@{dpkg_script_ext} ix, # dpkg-scripts-* + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # dpkg-script-tmp + + # Maintainer's scripts can update a lot of files + / r, + /*/ r, + @{bin}/ r, + @{lib}/ r, + /etc/ r, + /etc/** rw, + /usr/share/*/ r, + /usr/share/*/** rw, + /var/** rw, + @{run}/** rw, + @{efi}/grub/* rw, + + /tmp/grub.@{rand10} rw, + /tmp/sed@{rand6} rw, + /tmp/tmp.@{rand10} rw, + + profile bus { + include + include + include + + dbus send bus=system path=/ + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + + @{run}/utmp rk, + + include if exists + } + + profile rc { + include + include + + @{sbin}/update-rc.d mr, + @{sbin}/invoke-rc.d mr, + + @{coreutils_path} rix, + @{sh_path} rix, + @{bin}/systemctl rPx -> dpkg-scripts//systemctl, + + /etc/ r, + /etc/init.d/* r, + /etc/rc?.d/ r, + /etc/rc@{int}.d/ r, + /etc/rc@{int}.d/* rw, + /etc/rc@{c}.d/* rw, + + include if exists + } + + profile ldconfig { + include + include + + @{sh_path} rix, + @{sbin}/ldconfig mrix, + @{sbin}/ldconfig.real rix, + + @{lib}/ r, + /usr/local/ r, + /usr/local/lib/ r, + + owner /var/cache/ldconfig/aux-cache* rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index b710f2d94..9aa61f15b 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -88,8 +88,10 @@ dolphin complain downloadhelper complain dpkg-maintscript-helper complain dpkg-script-apparmor complain -dpkg-script-man complain -dpkg-script-udev complain +dpkg-script-kmod complain +dpkg-script-linux complain +dpkg-script-systemd complain +dpkg-scripts complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain From c446c44ded1f9239f065b341b85dec332d1cc157 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 20:32:57 +0200 Subject: [PATCH 118/798] feat(profile): add dpkg-script-tmp. --- apparmor.d/groups/apt/deb-systemd-invoke | 2 +- apparmor.d/groups/apt/dpkg-architecture | 9 ++-- apparmor.d/groups/apt/dpkg-db-backup | 42 +++++++++++++++ apparmor.d/groups/apt/dpkg-maintscript-helper | 6 +-- apparmor.d/groups/apt/dpkg-script-tmp | 53 +++++++++++++++++++ apparmor.d/groups/apt/dpkg-vendor | 1 - dists/flags/main.flags | 2 + 7 files changed, 104 insertions(+), 11 deletions(-) create mode 100644 apparmor.d/groups/apt/dpkg-db-backup create mode 100644 apparmor.d/groups/apt/dpkg-script-tmp diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index 63dfdaf52..0994006da 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -21,7 +21,7 @@ profile deb-systemd-invoke @{exec_path} { @{sh_path} rix, @{bin}/systemctl rix, - @{bin}/systemd-tty-ask-password-agent rPx, + @{bin}/systemd-tty-ask-password-agent Px, include if exists } diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index a58257271..b1a23f222 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -16,10 +16,9 @@ profile dpkg-architecture @{exec_path} { capability dac_read_search, @{exec_path} r, - /usr/bin/perl r, - @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{lib}/llvm-[0-9]*/bin/clang rix, + @{bin}/{,@{multiarch}-}gcc-[0-9]* ix, + @{lib}/llvm-[0-9]*/bin/clang ix, @{bin}/ccache rCx -> ccache, @{bin}/dpkg rPx -> child-dpkg, @@ -28,9 +27,7 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, - # file_inherit - owner @{tmp}/* rw, - + audit owner @{tmp}/* rw, profile ccache { include diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup new file mode 100644 index 000000000..d83bdbb45 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-db-backup @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dpkg/dpkg-db-backup +profile dpkg-db-backup @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/cmp rix, + @{bin}/cp rix, + @{bin}/date rix, + @{bin}/dirname rix, + @{bin}/gzip rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/savelog rix, + @{bin}/tar rix, + @{bin}/touch rix, + + /usr/share/dpkg/{,**} r, + + /var/lib/dpkg/ r, + /var/lib/dpkg/alternatives/{,*} r, + /var/lib/dpkg/diversions r, + /var/lib/dpkg/statoverride r, + + /var/backups/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper index b7d8675e8..dfb881e32 100644 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -13,9 +13,9 @@ profile dpkg-maintscript-helper @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/basename rix, - @{bin}/dpkg rCx -> dpkg, + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/dpkg rCx -> dpkg, /usr/share/dpkg/sh/* r, diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp new file mode 100644 index 000000000..e6c7fbe44 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-script-tmp @@ -0,0 +1,53 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} +profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mrix, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/run-parts rix, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg Px, + @{bin}/dpkg-divert Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/kmod Cx -> kmod, + @{bin}/systemctl Cx -> systemctl, + + /etc/kernel/preinst.d/*-microcode ix, + + @{lib}/modules/*/.fresh-install w, + + profile kmod { + include + include + + include if exists + } + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + capability sys_resource, + + @{bin}/systemd-tty-ask-password-agent Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor index aee717257..70d2199f2 100644 --- a/apparmor.d/groups/apt/dpkg-vendor +++ b/apparmor.d/groups/apt/dpkg-vendor @@ -13,7 +13,6 @@ profile dpkg-vendor @{exec_path} { include @{exec_path} r, - /usr/bin/perl r, /etc/dpkg/origins/* r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9aa61f15b..aa62f9108 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -86,11 +86,13 @@ dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain +dpkg-db-backup complain dpkg-maintscript-helper complain dpkg-script-apparmor complain dpkg-script-kmod complain dpkg-script-linux complain dpkg-script-systemd complain +dpkg-script-tmp complain dpkg-scripts complain drkonqi complain drkonqi-coredump-cleanup complain From 9eff482ebf37d218c35cdf4cb9fcd7a3e2f618a5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 20:34:05 +0200 Subject: [PATCH 119/798] feat(profile): update unattended upgrade profiles. --- apparmor.d/groups/apt/unattended-upgrade | 54 ++++++++++--------- .../groups/apt/unattended-upgrade-shutdown | 4 +- apparmor.d/groups/apt/update-apt-xapian-index | 14 +++-- 3 files changed, 38 insertions(+), 34 deletions(-) diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 8413d9975..95b8b2760 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -32,7 +32,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (send) peer=apt-methods-http, + signal send peer=apt-methods-http, unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, @@ -41,26 +41,29 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sh_path} rix, - @{bin}/echo rix, - @{bin}/gdbus rix, - @{bin}/ischroot rix, @{python_path} rix, - @{bin}/test rix, - @{bin}/touch rix, - @{bin}/uname rix, - - @{bin}/apt-listchanges rPx, - @{bin}/dpkg rPx, - @{bin}/dpkg-divert rPx, - @{sbin}/dpkg-preconfigure rPx, - @{bin}/etckeeper rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{sbin}/on_ac_power rPx, - @{sbin}/sendmail rPUx, - @{lib}/apt/methods/http{,s} rPx, - @{lib}/needrestart/apt-pinvoke rPx, - @{lib}/update-notifier/update-motd-updates-available rPx, - @{lib}/zsys-system-autosnapshot rPx, + @{bin}/echo ix, + @{bin}/gdbus ix, + @{bin}/md5sum ix, + @{bin}/tar ix, + @{bin}/test ix, + @{bin}/touch ix, + @{bin}/uname ix, + + @{bin}/dpkg-deb px, + @{bin}/apt-listchanges Px, + @{bin}/dpkg Px, + @{bin}/dpkg-divert Px, + @{bin}/etckeeper Px, + @{bin}/ischroot Px, + @{bin}/lsb_release Px -> lsb_release, + @{sbin}/dpkg-preconfigure Px, + @{sbin}/on_ac_power Px, + @{sbin}/sendmail Px, + @{lib}/apt/methods/http{,s} Px, + @{lib}/needrestart/apt-pinvoke Px, + @{lib}/update-notifier/update-motd-updates-available Px, + @{lib}/zsys-system-autosnapshot Px, /usr/share/distro-info/* r, @@ -70,8 +73,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, /etc/debian_version r, - /etc/default/apport r, - /etc/default/grub.d/* r, + /etc/default/{,**} r, /etc/dpkg/origins/{,debian,ubuntu} r, /etc/fwupd/{,**} r, /etc/grub.d/* r, @@ -85,9 +87,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd-metadata/{,**} r, /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, + /etc/ssh/moduli r, + /etc/ssh/ssh_config r, + /etc/ufw/{,**} r, /etc/update-manager/{,**} r, - /etc/update-motd.d/* r, - /etc/vmware-tools/* r, + /etc/update-motd.d/{,**} r, + /etc/vim/{,**} r, + /etc/vmware-tools/{,**} r, /var/log/unattended-upgrades/{,**} rw, /var/crash/*.crash w, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index cd35bb5ae..f36505e7a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -12,15 +12,15 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include include include + include include include @{exec_path} mr, - @{bin}/ischroot rix, + @{bin}/ischroot Px, /usr/share/unattended-upgrades/{,*} r, - /etc/apt/apt.conf.d/{,*} r, owner /var/log/unattended-upgrades/*.log* rw, diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 5da82090f..f829ab3ff 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include + include include include @@ -17,10 +18,13 @@ profile update-apt-xapian-index @{exec_path} { @{python_path} r, @{bin}/ r, - @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg Px -> child-dpkg, /usr/share/apt-xapian-index/{,**} r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /var/cache/apt-xapian-index/ rw, /var/cache/apt-xapian-index/** rwk, @@ -30,15 +34,9 @@ profile update-apt-xapian-index @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - owner @{PROC}/@{pid}/fd/ r, - /var/lib/debtags/package-tags r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # file_inherit - owner /dev/tty@{int} rw, + owner @{PROC}/@{pid}/fd/ r, include if exists } From 760eb91ac6eed4a72ddcf4a5bf2e7324e9e0591a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:06:21 +0200 Subject: [PATCH 120/798] feat(profile): add profile for t-methods-sq. --- apparmor.d/groups/apt/apt-methods-sqv | 42 +++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 43 insertions(+) create mode 100644 apparmor.d/groups/apt/apt-methods-sqv diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv new file mode 100644 index 000000000..416328cd4 --- /dev/null +++ b/apparmor.d/groups/apt/apt-methods-sqv @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/apt/methods/sqv +profile apt-methods-sqv @{exec_path} { + include + include + include + + # To handle the _apt user + capability setgid, + capability setuid, + + signal receive set=int peer=apt, + + @{exec_path} mr, + + @{bin}/sqv ix, + + /usr/share/apt/default-sequoia.config r, + /usr/share/keyrings/debian-archive-keyring.gpg r, + /usr/share/keyrings/debian-archive-keyring.pgp r, + + owner /var/lib/apt/lists/{,**} r, + + owner /tmp/apt.data.@{rand6} rw, + owner /tmp/apt.sig.@{rand6} rw, + owner /tmp/apt.sqverr.@{rand6} rw, + owner /tmp/apt.sqvout.@{rand6} rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index aa62f9108..d2c57b682 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -27,6 +27,7 @@ akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain anacron complain +apt-methods-sqv complain at complain atd complain auditctl attach_disconnected,complain From c64901353e095f45e34eccaea31e946168a52693 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:10:48 +0200 Subject: [PATCH 121/798] fix(profile): some fix on the dpkg-scipts profiles. --- apparmor.d/groups/apt/dpkg-script-apparmor | 5 +++-- apparmor.d/groups/apt/dpkg-script-linux | 11 ++++++----- apparmor.d/groups/apt/dpkg-script-systemd | 1 + apparmor.d/groups/apt/dpkg-script-tmp | 4 ++++ apparmor.d/groups/apt/dpkg-scripts | 4 ++-- 5 files changed, 16 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 585d9c59d..5dba3d3cb 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -9,10 +9,10 @@ include @{exec_path} = /var/lib/dpkg/info/apparmor* profile dpkg-script-apparmor @{exec_path} { include + include include - include - @{exec_path} mr, + @{exec_path} mrix, @{sh_path} rix, @{bin}/grep ix, @@ -21,6 +21,7 @@ profile dpkg-script-apparmor @{exec_path} { @{bin}/deb-systemd-invoke Px, @{bin}/dpkg-divert ix, @{bin}/systemctl Cx -> systemctl, + @{sbin}/apparmor_parser Px, /usr/share/apparmor.d/** rw, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index c84d6aa4b..8b2470a6c 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -22,11 +22,12 @@ profile dpkg-script-linux @{exec_path} { @{bin}/run-parts ix, @{bin}/stty ix, - @{bin}/dpkg-trigger Px, - @{bin}/kmod Px, - @{bin}/linux-check-removal Px, - @{bin}/linux-update-symlinks Px, - @{bin}/whiptail Px, + @{bin}/dpkg-trigger Px, + @{bin}/kmod Px, + @{bin}/linux-check-removal Px, + @{bin}/linux-update-symlinks Px, + @{bin}/whiptail Px, + @{bin}/dpkg-maintscript-helper Px, /usr/share/{update,reboot}-notifier/notify-reboot-required Px, /etc/kernel/{,header_}postinst.d/* Px, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 28f4b6e87..ccaa62a30 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -9,6 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/systemd* profile dpkg-script-systemd @{exec_path} { include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp index e6c7fbe44..65e63d076 100644 --- a/apparmor.d/groups/apt/dpkg-script-tmp +++ b/apparmor.d/groups/apt/dpkg-script-tmp @@ -10,6 +10,7 @@ include profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { include include + include @{exec_path} mrix, @@ -22,6 +23,9 @@ profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg-maintscript-helper Px, @{bin}/kmod Cx -> kmod, @{bin}/systemctl Cx -> systemctl, + /usr/share/debconf/frontend Px, + + /usr/share/debconf/confmodule r, /etc/kernel/preinst.d/*-microcode ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index d644b6c3e..dcb6ca379 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -62,8 +62,8 @@ profile dpkg-scripts @{exec_path} { @{lib}/ r, /etc/ r, /etc/** rw, - /usr/share/*/ r, - /usr/share/*/** rw, + /usr/share/*/{,**} rw, + /usr/local/share/*/{,**} rw, /var/** rw, @{run}/** rw, @{efi}/grub/* rw, From 2c880ba22001f5dcfcaa84b67df211d4925c9094 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:16:35 +0200 Subject: [PATCH 122/798] feat(profile): rewrite the apt stack of profiles. --- apparmor.d/groups/apt/apt | 6 ++- apparmor.d/groups/apt/apt-listchanges | 39 ++++---------- apparmor.d/groups/apt/debsums | 16 ++---- apparmor.d/groups/apt/dpkg | 29 +++++----- apparmor.d/groups/apt/dpkg-preconfigure | 70 +++++++++++-------------- apparmor.d/groups/apt/dpkg-statoverride | 18 +++++++ 6 files changed, 80 insertions(+), 98 deletions(-) create mode 100644 apparmor.d/groups/apt/dpkg-statoverride diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 947dba149..e2e9b00f4 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -85,8 +85,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/etckeeper rPx, @{bin}/localepurge rPx, @{bin}/ps rPx, - @{bin}/snap rPUx, - @{bin}/systemctl rCx -> systemctl, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx, @{lib}/cnf-update-db rPx, @{lib}/needrestart/apt-pinvoke rPx, @@ -138,6 +138,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { /var/log/apt/{,**} rw, /var/log/ubuntu-advantage-apt-hook.log w, + @{efi}/ r, + # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 559e58504..35684feb5 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -14,7 +14,7 @@ profile apt-listchanges @{exec_path} { include include - #capability sys_tty_config, + capability dac_read_search, @{exec_path} r, @{python_path} r, @@ -26,11 +26,11 @@ profile apt-listchanges @{exec_path} { # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-deb rpx, - # - @{pager_path} rCx -> pager, - # Send results using email - @{bin}/exim4 rPx, + @{bin}/dpkg-deb px, + + @{pager_path} Cx -> pager, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, @@ -50,31 +50,12 @@ profile apt-listchanges @{exec_path} { /var/cache/apt/archives/ r, - owner @{PROC}/@{pid}/fd/ r, - /tmp/ r, - owner @{tmp}/* rw, - owner @{tmp}/apt-listchanges*/ rw, - owner @{tmp}/apt-listchanges*/**/ rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/changelog.Debian*.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/NEWS.Debian.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog.gz rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/changelog_to_file rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/changelog/simple_changelog rw, - owner @{tmp}/apt-listchanges*/*/*/*/*/*/*-local/debian/changelog rw, - - # The following is needed when apt-listchanges uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, + owner @{tmp}/@{word8} rw, + owner @{tmp}/apt-listchanges@{word8}/ rw, + owner @{tmp}/apt-listchanges@{word8}/** rw, + owner @{PROC}/@{pid}/fd/ r, profile pager { include diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 01e9ac152..6f66426ec 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -12,28 +12,20 @@ profile debsums @{exec_path} { include include - # Needed to read files owned by other users than root. capability dac_read_search, @{exec_path} r, @{sh_path} rix, - @{bin}/{m,g,}awk rix, + @{bin}/{m,g,}awk ix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, - - /etc/dpkg/dpkg.cfg.d/{,*} r, - /etc/dpkg/dpkg.cfg r, - - /etc/locale.nopurge r, - - /var/lib/dpkg/info/* r, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/dpkg-divert Px -> child-dpkg-divert, # For shell pwd / r, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 93f5ebca5..53bebdccf 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -22,24 +22,23 @@ profile dpkg @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cat rix, - @{bin}/deb-systemd-helper rix, - @{bin}/deb-systemd-invoke rix, - @{bin}/rm rix, - - @{bin}/dpkg-deb rpx, - @{bin}/dpkg-query rpx, - @{bin}/dpkg-split rpx, - @{bin}/systemctl rCx -> systemctl, - @{lib}/needrestart/dpkg-status rPx, - /usr/share/debian-security-support/check-support-status.hook rPx, - - @{pager_path} rPx -> child-pager, + @{bin}/cat ix, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/rm ix, + + @{bin}/dpkg-deb px, + @{bin}/dpkg-query px, + @{bin}/dpkg-split px, + @{bin}/systemctl Cx -> systemctl, + @{lib}/needrestart/dpkg-status Px, + @{pager_path} Px -> child-pager, + /usr/share/debian-security-support/check-support-status.hook Px, # Package maintainer's scripts - /var/lib/dpkg/info/*.@{dpkg_script_ext} rPUx, + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, /var/lib/dpkg/info/*.control r, - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} rPUx, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # For shell pwd /root/ r, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index ef7852863..fd67f930e 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -11,35 +11,36 @@ include profile dpkg-preconfigure @{exec_path} { include include - include include - - #capability sys_tty_config, + include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,g,m}awk rix, - @{bin}/cat rix, - @{bin}/debconf-escape rix, - @{bin}/dialog rix, - @{bin}/expr rix, - @{bin}/locale rix, - @{bin}/readlink rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/stty rix, - @{bin}/tr rix, - @{bin}/head rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - - @{bin}/findmnt rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/apt-extracttemplates rPx, - @{bin}/whiptail rPx, - @{lib}/apt/apt-extracttemplates rPx, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{,g,m}awk ix, + @{bin}/cat ix, + @{bin}/debconf-escape Px, + @{bin}/dialog ix, + @{bin}/expr ix, + @{bin}/find ix, + @{bin}/head ix, + @{bin}/locale ix, + @{bin}/readlink ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/sort ix, + @{bin}/stty ix, + @{bin}/tr ix, + @{bin}/uniq ix, + + @{bin}/apt-extracttemplates Px, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/findmnt Px, + @{bin}/whiptail Px, + @{lib}/apt/apt-extracttemplates Px, /usr/share/debconf/confmodule r, /usr/share/dictionaries-common/{,*} r, @@ -59,9 +60,6 @@ profile dpkg-preconfigure @{exec_path} { /var/cache/debconf/tmp.ci/ w, - owner @{tmp}/*.template.* rw, - owner @{tmp}/*.config.* rwPUx, - /var/lib/dbus/machine-id r, owner /var/cache/debconf/ rw, owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk, @@ -73,23 +71,15 @@ profile dpkg-preconfigure @{exec_path} { owner /var/cache/dictionaries-common/flag-wordlist-new w, owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + owner @{tmp}/*.template.* rw, + owner @{tmp}/*.config.* rwPUx, + @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, @{run}/user/@{uid}/pk-debconf-socket rw, owner @{PROC}/@{pid}/fd/ r, - # The following is needed when dpkg-preconfigure uses debcconf GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - @{HOME}/.Xauthority r, - owner @{PROC}/@{pid}/mounts r, - - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride new file mode 100644 index 000000000..34d6412c1 --- /dev/null +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dpkg-statoverride +profile dpkg-statoverride @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From f033e698116aa250a14d32a442133d073b54a2d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:21:23 +0200 Subject: [PATCH 123/798] feat(abs): add the pager app abstaction. --- apparmor.d/abstractions/app/pager | 37 ++++++++++++++++++++++++++ apparmor.d/groups/apt/apt | 13 +-------- apparmor.d/groups/apt/apt-listchanges | 17 +----------- apparmor.d/groups/apt/aptitude | 9 ------- apparmor.d/groups/children/child-pager | 25 +---------------- apparmor.d/profiles-m-r/mutt | 14 +--------- 6 files changed, 41 insertions(+), 74 deletions(-) create mode 100644 apparmor.d/abstractions/app/pager diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager new file mode 100644 index 000000000..3be45b4dd --- /dev/null +++ b/apparmor.d/abstractions/app/pager @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + +# Minimal set of rules for pagers. + + abi , + + include + + capability dac_override, + capability dac_read_search, + + signal (receive) set=(stop, cont, term, kill), + + @{bin}/ r, + @{pager_path} mrix, + + @{system_share_dirs}/terminfo/{,**} r, + /usr/share/file/misc/** r, + /usr/share/nvim/{,**} r, + + @{HOME}/.lesshst r, + + owner @{HOME}/ r, + owner @{HOME}/.lesshs* rw, + owner @{HOME}/.terminfo/@{int}/* r, + owner @{user_cache_dirs}/lesshs* rw, + owner @{user_state_dirs}/ r, + owner @{user_state_dirs}/lesshs* rw, + + /dev/tty@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index e2e9b00f4..2b103270d 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -172,18 +172,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { profile pager { include - include - - capability dac_read_search, - - @{bin}/ r, - @{sh_path} rix, - @{pager_path} rmix, - @{bin}/which rix, - - /root/ r, # For shell pwd - - owner @{HOME}/.less* rw, + include owner @{tmp}/apt-changelog-*/ r, owner @{tmp}/apt-changelog-*/*.changelog r, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 35684feb5..936d15d42 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -59,23 +59,8 @@ profile apt-listchanges @{exec_path} { profile pager { include - include + include - capability dac_read_search, - #capability sys_tty_config, - - @{pager_path} mrix, - - @{bin}/ r, - @{sh_path} rix, - @{bin}/which rix, - - owner @{HOME}/.less* rw, - - # For shell pwd - /root/ r, - - /tmp/ r, owner @{tmp}/apt-listchanges-tmp*.txt r, include if exists diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index e3a6a794b..e60630efa 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -171,17 +171,8 @@ profile aptitude @{exec_path} flags=(complain) { include include - @{bin}/ r, - @{editor_path} mrix, - @{sh_path} rix, - @{bin}/which rix, - - owner @{HOME}/.less* rw, owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, - # For shell pwd - /root/ r, - include if exists } diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index e904f96dd..8e60bce47 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -15,30 +15,7 @@ include profile child-pager flags=(attach_disconnected) { include - include - - capability dac_override, - capability dac_read_search, - - signal (receive) set=(stop, cont, term, kill), - - @{bin}/ r, - @{pager_path} mr, - - @{system_share_dirs}/terminfo/{,**} r, - /usr/share/file/misc/** r, - /usr/share/nvim/{,**} r, - - @{HOME}/.lesshst r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, - - /dev/tty@{int} rw, + include include if exists } diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 28006f479..a91aba241 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt @@ -115,19 +115,7 @@ profile mutt @{exec_path} { profile pager { include - include - - @{pager_path} mr, - - /usr/share/terminfo/** r, - /usr/share/file/misc/magic.mgc r, - - owner @{HOME}/ r, - owner @{HOME}/.lesshs* rw, - owner @{HOME}/.terminfo/@{int}/* r, - owner @{user_cache_dirs}/lesshs* rw, - owner @{user_state_dirs}/ r, - owner @{user_state_dirs}/lesshs* rw, + include # This is the file that holds the message owner /{var/,}tmp/mutt* rw, From 390cc27ab85e169efccdc6764eebc91123c54cd3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:24:01 +0200 Subject: [PATCH 124/798] feat(abs): add debconf common abs. --- apparmor.d/abstractions/common/debconf | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 apparmor.d/abstractions/common/debconf diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf new file mode 100644 index 000000000..c21974212 --- /dev/null +++ b/apparmor.d/abstractions/common/debconf @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + include + include + include + + /usr/share/debconf/frontend rix, + /usr/share/debconf/confmodule r, + + /etc/debconf.conf r, + + owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + + include if exists + +# vim:syntax=apparmor From 49155625a5aaa32d5194f12405f65d48719d3d71 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:31:03 +0200 Subject: [PATCH 125/798] feat(profile): rewrite debconf & add debconf-frontend. --- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/apt/debconf-apt-progress | 32 +---- apparmor.d/groups/apt/debconf-frontend | 75 ++++++++++ apparmor.d/groups/apt/dpkg-script-apparmor | 2 +- apparmor.d/groups/apt/dpkg-script-linux | 2 +- apparmor.d/groups/apt/dpkg-script-systemd | 2 +- apparmor.d/groups/apt/dpkg-scripts | 2 +- apparmor.d/groups/grub/grub-check-signatures | 10 +- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/profiles-a-f/frontend | 133 ------------------ apparmor.d/profiles-s-z/tasksel | 49 +------ .../profiles-s-z/update-secureboot-policy | 5 +- 12 files changed, 92 insertions(+), 224 deletions(-) create mode 100644 apparmor.d/groups/apt/debconf-frontend delete mode 100644 apparmor.d/profiles-a-f/frontend diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index e60630efa..9254be27d 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -169,7 +169,7 @@ profile aptitude @{exec_path} flags=(complain) { profile pager { include - include + include owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index d60668c03..1d88c829b 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress @@ -10,42 +10,12 @@ include @{exec_path} = @{bin}/debconf-apt-progress profile debconf-apt-progress @{exec_path} flags=(complain) { include - include + include @{exec_path} r, @{bin}/apt-get rPx, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{bin}/debconf-apt-progress rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend new file mode 100644 index 000000000..5ec13fcff --- /dev/null +++ b/apparmor.d/groups/apt/debconf-frontend @@ -0,0 +1,75 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/debconf/frontend +profile debconf-frontend @{exec_path} flags=(complain) { + include + include + include + include + include + include + + capability dac_read_search, + + @{exec_path} r, + + @{sh_path} rix, + @{bin}/hostname ix, + @{bin}/locale ix, + @{bin}/lsb_release Px -> lsb_release, + @{bin}/stty ix, + @{sbin}/update-secureboot-policy Px, + + # debconf apps + @{bin}/adequate Px, + @{bin}/debconf-apt-progress Px, + @{bin}/linux-check-removal Px, + @{bin}/ucf Px, + @{bin}/whiptail Px, + @{sbin}/aspell-autobuildhash Px, + @{sbin}/pam-auth-update Px, + @{lib}/tasksel/tasksel-debconf Px -> tasksel, + /usr/share/debian-security-support/check-support-status.hook Px, + + # Grub + @{lib}/grub/grub-multi-install Px, + /usr/share/grub/grub-check-signatures Px, + + # Package maintainer's scripts + /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, + /var/lib/dpkg/info/*.control r, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, + + # DKMS scipts + @{lib}/dkms/common.postinst rPUx, + @{lib}/dkms/dkms-* rPUx, + @{lib}/dkms/dkms_* rPUx, + + /usr/share/debconf/{,**} r, + + /etc/inputrc r, + /etc/shadow r, + + owner /var/cache/debconf/* rwk, + + owner @{tmp}/file* w, + owner @{tmp}/tmp.@{rand10} rw, + owner @{tmp}/updateppds.@{rand6} rw, + + @{HOME}/.Xauthority r, + + @{run}/user/@{uid}/pk-debconf-socket rw, + + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 5dba3d3cb..9de0ce0b4 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/apparmor* profile dpkg-script-apparmor @{exec_path} { include - include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index 8b2470a6c..52c74c192 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/linux* profile dpkg-script-linux @{exec_path} { include - include + include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index ccaa62a30..cb652108d 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/info/systemd* profile dpkg-script-systemd @{exec_path} { include - include + include include @{exec_path} mrix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index dcb6ca379..32063f5c5 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -9,7 +9,7 @@ include @{exec_path} = /var/lib/dpkg/** profile dpkg-scripts @{exec_path} { include - include + include include capability chown, diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index d33b33265..310138595 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -9,18 +9,14 @@ include @{exec_path} = /usr/share/grub/grub-check-signatures profile grub-check-signatures @{exec_path} { include - include + include @{exec_path} mr, @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}//mktemp rix, - @{bin}//od rix, - - /usr/share/debconf/frontend rPx, - - /usr/share/debconf/confmodule r, + @{bin}/mktemp rix, + @{bin}/od rix, owner @{tmp}/tmp.@{rand10}/ rw, diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index d147b94fb..ba7956438 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -24,7 +24,7 @@ profile grub-multi-install @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/udevadm rPx, - /usr/share/debconf/frontend rPx, + /usr/share/debconf/frontend rix, /usr/lib/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend deleted file mode 100644 index 6d9502220..000000000 --- a/apparmor.d/profiles-a-f/frontend +++ /dev/null @@ -1,133 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /usr/share/debconf/frontend -profile frontend @{exec_path} flags=(complain) { - include - include - include - include - include - include - include - include - - capability dac_read_search, - - @{exec_path} r, - @{bin}/perl r, - - @{sh_path} rix, - @{bin}/hostname rix, - @{bin}/locale rix, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/stty rix, - @{sbin}/update-secureboot-policy rPx, - - # debconf apps - @{bin}/adequate rPx, - @{sbin}/aspell-autobuildhash rPx, - @{bin}/debconf-apt-progress rPx, - @{bin}/linux-check-removal rPx, - @{sbin}/pam-auth-update rPx, - @{bin}/ucf rPx, - @{bin}/whiptail rPx, - @{lib}/tasksel/tasksel-debconf rPx -> tasksel, - /usr/share/debian-security-support/check-support-status.hook rPx, - - # Grub - @{lib}/grub/grub-multi-install rPx, - /usr/share/grub/grub-check-signatures rPx, - - # Run the package maintainer's scripts - # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#) - #/var/lib/dpkg/info/*.{config,templates} rPUx, - #/var/lib/dpkg/info/*.{preinst,postinst} rPUx, - #/var/lib/dpkg/info/*.{prerm,postrm} rPUx, - /var/lib/dpkg/info/*.control r, - #/var/lib/dpkg/tmp.ci/{config,templates} rPUx, - #/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, - #/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, - /var/lib/dpkg/tmp.ci/control r, - /var/lib/dpkg/info/*.{config,templates} rCx -> scripts, - /var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, - /var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, - - # DKMS scipts - # What to do with it? (#FIXME#) - @{lib}/dkms/common.postinst rPUx, - @{lib}/dkms/dkms-* rPUx, - @{lib}/dkms/dkms_* rPUx, - - /usr/share/debconf/{,**} r, - - /etc/debconf.conf r, - /etc/inputrc r, - /etc/shadow r, - - owner /var/cache/debconf/* rwk, - - owner @{tmp}/file* w, - owner @{tmp}/tmp.@{rand10} rw, - owner @{tmp}/updateppds.@{rand6} rw, - - @{HOME}/.Xauthority r, - - @{run}/user/@{uid}/pk-debconf-socket rw, - - owner @{PROC}/@{pid}/mounts r, - - profile scripts flags=(complain) { - include - include - - capability dac_read_search, - - /var/lib/dpkg/info/*.config r, - /var/lib/dpkg/info/*.{preinst,postinst} r, - /var/lib/dpkg/info/*.{prerm,postrm} r, - /var/lib/dpkg/tmp.ci/config r, - /var/lib/dpkg/tmp.ci/{preinst,postinst} r, - /var/lib/dpkg/tmp.ci/{prerm,postrm} r, - - / r, - - @{bin}/ r, - @{bin}/* rPUx, - - @{lib}/ r, - @{lib}/** rPUx, - - /usr/share/ r, - /usr/share/** rPUx, - - /etc/init.d/ r, - /etc/init.d/* rPUx, - - /etc/ r, - /etc/** rw, - /var/ r, - /var/** rw, - @{sys}/ r, - @{sys}/**/ r, - @{run}/ r, - @{run}/** rw, - /tmp/ r, - owner @{tmp}/** rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index 64b3ed4ad..f4900f225 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -10,32 +10,24 @@ include @{exec_path} = @{bin}/tasksel profile tasksel @{exec_path} flags=(complain) { include - include + include @{exec_path} r, @{sh_path} rix, @{bin}/tempfile rix, @{lib}/tasksel/tasksel-debconf rix, - - @{lib}/tasksel/tests/* rCx -> tasksel-tests, - - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, + @{lib}/tasksel/tests/* Cx -> tasksel-tests, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. - @{bin}/dpkg-query rpx, + @{bin}/dpkg-query px, # - @{bin}/apt-cache rPx, - - @{bin}/debconf-apt-progress rPx, - - /usr/share/tasksel/** r, + @{bin}/apt-cache Px, + @{bin}/debconf-apt-progress Px, - /usr/share/debconf/confmodule r, + /usr/share/tasksel/{,**} r, owner @{tmp}/file* w, @@ -48,35 +40,6 @@ profile tasksel @{exec_path} flags=(complain) { include if exists } - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{bin}/tasksel rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - owner @{tmp}/file* w, - - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - /etc/shadow r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index 232c92d0c..f8581f532 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -10,7 +10,7 @@ include @{exec_path} = @{sbin}/update-secureboot-policy profile update-secureboot-policy @{exec_path} { include - include + include @{exec_path} rm, @@ -23,12 +23,9 @@ profile update-secureboot-policy @{exec_path} { @{bin}/sort rix, @{bin}/touch rix, @{bin}/wc rix, - /usr/share/debconf/frontend rPx, / r, - /usr/share/debconf/confmodule r, - /var/lib/dkms/ r, /var/lib/shim-signed/dkms-list rw, From 6e0c646d14c17a9f2ce9ba6f4faa3afbf38c115d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:37:37 +0200 Subject: [PATCH 126/798] feat(profile): add profile for ischroot. --- apparmor.d/groups/apt/apt | 4 ++-- apparmor.d/groups/ubuntu/apport-gtk | 2 +- .../groups/ubuntu/check-new-release-gtk | 2 +- apparmor.d/groups/ubuntu/do-release-upgrade | 2 +- .../groups/ubuntu/list-oem-metapackages | 2 +- .../groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/ubuntu-advantage | 3 +-- apparmor.d/groups/ubuntu/update-manager | 2 +- .../ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-g-l/ischroot | 21 +++++++++++++++++++ apparmor.d/profiles-m-r/packagekitd | 4 ++-- apparmor.d/profiles-s-z/update-initramfs | 2 +- 13 files changed, 35 insertions(+), 15 deletions(-) create mode 100644 apparmor.d/profiles-g-l/ischroot diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 2b103270d..2a0969156 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -67,7 +67,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/id rix, - @{bin}/ischroot rix, @{bin}/test rix, @{bin}/touch rix, @@ -80,14 +79,15 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/df rPx, @{bin}/dmesg rPx, @{bin}/dpkg rPx, - @{sbin}/dpkg-preconfigure rPx, @{bin}/dpkg-source rcx -> dpkg-source, @{bin}/etckeeper rPx, + @{bin}/ischroot rPx, @{bin}/localepurge rPx, @{bin}/ps rPx, @{bin}/snap rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/update-command-not-found rPx, + @{sbin}/dpkg-preconfigure rPx, @{lib}/cnf-update-db rPx, @{lib}/needrestart/apt-pinvoke rPx, @{lib}/zsys-system-autosnapshot rPx, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 1307313d9..bb5cd329c 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -41,7 +41,7 @@ profile apport-gtk @{exec_path} { @{bin}/dpkg-query rpx, @{bin}/gdb rCx -> gdb, @{bin}/gsettings rPx, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/journalctl rPx, @{sbin}/killall5 rix, @{bin}/kmod rPx, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 1ff6df2ae..bdd2a0f54 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -29,7 +29,7 @@ profile check-new-release-gtk @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 86c211f24..e7d6687d2 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -26,7 +26,7 @@ profile do-release-upgrade @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, /usr/share/distro-info/*.csv r, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 75e4279f2..91bc4876f 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -15,7 +15,7 @@ profile list-oem-metapackages @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{lib}/@{python_name}/dist-packages/UbuntuDrivers/__pycache__/*.cpython-@{int}.pyc.@{int} rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index e2bb2dc98..d5762a84e 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -32,7 +32,7 @@ profile software-properties-gtk @{exec_path} { @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/ubuntu-advantage rPx, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 7d797bd97..34b697732 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -29,13 +29,12 @@ profile ubuntu-advantage @{exec_path} { @{exec_path} mr, - @{bin}/ischroot rix, - @{bin}/apt rPx, @{bin}/apt-cache rPx, @{bin}/apt-config rPx, @{bin}/apt-get rPx, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/ischroot rPx, @{bin}/ps rPx, @{bin}/snap rPUx, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 44e0cc403..e1636c6d5 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -44,7 +44,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/hwe-support-status rPx, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 776cc9bf8..e6a3e7152 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -26,7 +26,7 @@ profile update-motd-updates-available @{exec_path} { @{bin}/dirname rix, @{bin}/dpkg rPx -> child-dpkg, @{bin}/find rix, - @{bin}/ischroot rix, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/mktemp rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 8d1571c1e..ea6318156 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -31,10 +31,10 @@ profile update-notifier @{exec_path} { @{sh_path} rix, @{bin}/ionice rix, - @{bin}/ischroot rix, @{bin}/nice rix, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/ischroot rPx, @{bin}/lsb_release rPx -> lsb_release, @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot new file mode 100644 index 000000000..c5b848bab --- /dev/null +++ b/apparmor.d/profiles-g-l/ischroot @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ischroot +profile ischroot @{exec_path} { + include + include + + @{exec_path} mr, + + @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index ca93ade6b..873b4ef7d 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -51,7 +51,6 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/gzip rix, - @{bin}/ischroot rix, @{sbin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @@ -63,7 +62,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg rPx -> child-dpkg, #aa:only apt @{bin}/fc-cache rPx, @{bin}/glib-compile-schemas rPx, - @{sbin}/install-info rPx, + @{bin}/install-info rPx, + @{bin}/ischroot rPx, @{bin}/rpm rPUx, #aa:only opensuse @{bin}/rpmdb2solv rPUx, #aa:only opensuse @{bin}/systemd-inhibit rPx, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 51961efb3..f9e47cb52 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -22,7 +22,6 @@ profile update-initramfs @{exec_path} { @{bin}/cat rix, @{bin}/{m,g,}awk rix, @{bin}/getopt rix, - @{bin}/ischroot rix, @{bin}/ln rix, @{bin}/mv rix, @{bin}/rm rix, @@ -31,6 +30,7 @@ profile update-initramfs @{exec_path} { @{bin}/uname rix, @{bin}/dpkg-trigger rPx, + @{bin}/ischroot rPx, @{bin}/linux-version rPx, @{sbin}/mkinitramfs rPx, From 7a3016724a6a2a97e337d57187416cabb6dcdfb0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:42:34 +0200 Subject: [PATCH 127/798] feat(profile): update linux check scripts. --- apparmor.d/profiles-g-l/linux-check-removal | 40 ++++--------------- apparmor.d/profiles-g-l/linux-update-symlinks | 25 ++++++++++++ dists/flags/main.flags | 2 + 3 files changed, 34 insertions(+), 33 deletions(-) create mode 100644 apparmor.d/profiles-g-l/linux-update-symlinks diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 1c6ff2f03..2c2a8ba21 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -10,42 +10,16 @@ include @{exec_path} = @{bin}/linux-check-removal profile linux-check-removal @{exec_path} flags=(complain) { include - include - include + include - @{exec_path} r, + @{exec_path} rmix, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, + @{sh_path} rix, + @{bin}/stty rix, + @{bin}/locale rix, + @{bin}/whiptail rPx, - - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{bin}/linux-check-removal rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - # The following is needed when debconf uses dialog/whiptail frontend. - @{bin}/whiptail rPx, - owner @{tmp}/file* w, - - /usr/share/debconf/confmodule r, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - include if exists - } + audit owner @{tmp}/file* w, include if exists } diff --git a/apparmor.d/profiles-g-l/linux-update-symlinks b/apparmor.d/profiles-g-l/linux-update-symlinks new file mode 100644 index 000000000..b97a0305b --- /dev/null +++ b/apparmor.d/profiles-g-l/linux-update-symlinks @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/linux-update-symlinks +profile linux-update-symlinks @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/kernel-img.conf r, + + @{efi}/ r, + @{efi}/* rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d2c57b682..edf6789c7 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -216,6 +216,8 @@ libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain lightdm-session complain +linux-check-removal complain +linux-update-symlinks complain locale-gen complain localectl complain localsearch complain From 8755c4a1b7c036ecc0b905bf57a75b42f7c614b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:51:12 +0200 Subject: [PATCH 128/798] fix(profile): remove sbin on some program path Debian and opensuse do not install the same programs under /usr/sbin. This will have to be tracked by distribution. For now, sbin.list follows debian install. --- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/kde/systemsettings | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/utils/lspci | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/install-info | 2 +- apparmor.d/profiles-g-l/inxi | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- tests/sbin.list | 3 --- 10 files changed, 9 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index cf7dc2506..4063fc473 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -42,7 +42,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/locale rix, @{bin}/lscpu rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 0d7156502..e68d248b6 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -29,7 +29,7 @@ profile systemsettings @{exec_path} { @{bin}/cat rix, @{bin}/eglinfo rPUx, @{bin}/kcminit rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/openssl rix, @{bin}/pactl rPx, @{bin}/plasma-discover rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 9cf9d6a36..6af9bae96 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -74,7 +74,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gtk{,4}-update-icon-cache rPx, @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, - @{sbin}/install-info rPx, + @{bin}/install-info rPx, @{sbin}/iscsi-iname rix, @{bin}/journalctl rPx, @{bin}/killall rix, diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index 7fc88e41a..b390346bb 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/lspci +@{exec_path} = @{bin}/lspci profile lspci @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index c4741b09a..6999f5baf 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{sbin}/update-alternatives rPx, + @{bin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 459efa23e..97fad1f13 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -53,7 +53,7 @@ profile hardinfo @{exec_path} { @{bin}/glxinfo rPx, @{bin}/xdpyinfo rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/netstat rPx, @{bin}/qtchooser rPx, diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index e7fdfd95a..f155339b1 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/install-info +@{exec_path} = @{bin}/install-info profile install-info @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 01d358fbf..38b2a17a2 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -51,7 +51,7 @@ profile inxi @{exec_path} { @{bin}/glxinfo rPx, @{bin}/hddtemp rPx, @{bin}/lsblk rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/openbox rPx, @{bin}/ps rPx, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 68ddb97a5..8f08b74fa 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/update-alternatives +@{exec_path} = @{bin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 869729543..82596a62a 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -341,7 +341,6 @@ inputattach insmod install_acx100_firmware install_intersil_firmware -install-info install-sgmlcatalog installkernel integritysetup @@ -447,7 +446,6 @@ lpc lpinfo lpmove lsmod -lspci lspcmcia luksformat lvchange @@ -920,7 +918,6 @@ unix_chkpwd unix_update unix2_chkpwd uobjnew -update-alternatives update-bootloader update-ca-certificates update-catalog From a9303e82bb0310336b995210da042bbb21fdc99c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:53:04 +0200 Subject: [PATCH 129/798] fix: linter --- apparmor.d/groups/apt/dpkg-preconfigure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index fd67f930e..8a9ea568e 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -79,7 +79,7 @@ profile dpkg-preconfigure @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - include if exists + include if exists } # vim:syntax=apparmor From 6650f45ee0c25967f5e85cb95c79f7b332d135f2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 18 May 2025 23:54:33 +0200 Subject: [PATCH 130/798] feat(profile): add pycompile. --- apparmor.d/profiles-m-r/pycompile | 54 +++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 55 insertions(+) create mode 100644 apparmor.d/profiles-m-r/pycompile diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile new file mode 100644 index 000000000..b441d84cd --- /dev/null +++ b/apparmor.d/profiles-m-r/pycompile @@ -0,0 +1,54 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean +profile pycompile @{exec_path} flags=(attach_disconnected,complain) { + include + include + include + # include + + capability dac_override, + capability dac_read_search, + + @{exec_path} mr, + @{python_path} rix, + + @{bin}/dpkg rCx -> dpkg, + + @{lib}/@{python_name}/dist-packages/__pycache__/ w, + @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc w, + @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc.* w, + @{lib}/@{python_name}/dist-packages/**/__pycache__/ w, + @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc w, + @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc.* w, + + /usr/share/python3/{,**} r, + + / r, + + profile dpkg { + include + include + include + + capability dac_read_search, + + @{bin}/dpkg mr, + @{bin}/dpkg-query rpx, + + /etc/dpkg/dpkg.cfg.d/{,*} r, + /etc/dpkg/dpkg.cfg r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index edf6789c7..4332c78d9 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -264,6 +264,7 @@ plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted ptyxis complain ptyxis-agent complain +pycompile complain qdbus complain remmina complain run-parts complain From 31e90e6c58574d45aac59a91ebd094d6a05f6919 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 19 May 2025 00:00:44 +0200 Subject: [PATCH 131/798] feat(profile): add kernel update/install profiles. --- apparmor.d/profiles-g-l/kdump-config | 60 ++++++++++++++++ apparmor.d/profiles-g-l/kernel | 71 +++++++++++++++++++ apparmor.d/profiles-g-l/kernel-postinst-kdump | 34 +++++++++ dists/flags/main.flags | 3 + 4 files changed, 168 insertions(+) create mode 100644 apparmor.d/profiles-g-l/kdump-config create mode 100644 apparmor.d/profiles-g-l/kernel create mode 100644 apparmor.d/profiles-g-l/kernel-postinst-kdump diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config new file mode 100644 index 000000000..e6ec78f67 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump-config @@ -0,0 +1,60 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/kdump-config +profile kdump-config @{exec_path} { + include + + ptrace readby peer=systemd-journald, + + @{exec_path} mr, + + @{sh_path} ix, + @{bin}/basename ix, + @{bin}/cut ix, + @{bin}/file ix, + @{bin}/find ix, + @{bin}/grep ix, + @{bin}/hexdump ix, + @{bin}/ln ix, + @{bin}/logger ix, + @{bin}/rev ix, + @{bin}/run-parts ix, + @{bin}/sed ix, + @{sbin}/kexec Cx -> kexec, + @{sbin}/sysctl Cx -> sysctl, + + /etc/kernel/postinst.d/kdump-tools rPx, + + owner /var/lib/kdump/{,**} rw, + + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/kernel/panic_on_oops rw, + + include if exists + } + + profile kexec { + include + + capability sys_admin, + capability sys_boot, + + @{sbin}/kexec mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel new file mode 100644 index 000000000..2382ea062 --- /dev/null +++ b/apparmor.d/profiles-g-l/kernel @@ -0,0 +1,71 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/kernel/{,header_}postinst.d/* /etc/kernel/postrm.d/* +@{exec_path} += /etc/kernel/preinst.d/* /etc/kernel/prerm.d/* +profile kernel @{exec_path} { + include + include + include + + capability sys_module, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/{,m,g}awk rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/cut rix, + @{bin}/dirname rix, + @{bin}/kmod rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sed rix, + @{bin}/sort rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/uname rix, + @{bin}/which rix, + + @{bin}/apt-config rPx, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/systemd-detect-virt rPx, + @{bin}/update-alternatives rPx, + @{sbin}/dkms rPx, + @{sbin}/update-grub rPx, + @{sbin}/update-initramfs rPx, + @{lib}/dkms/dkms_autoinstaller rPx, + + @{lib}/modules/*/updates/ w, + @{lib}/modules/*/updates/dkms/ w, + + /etc/kernel/header_postinst.d/* r, + /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, + + # For shell pwd + / r, + /boot/ r, + + /etc/apt/apt.conf.d/ r, + /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, + /etc/modprobe.d/ r, + /etc/modprobe.d/*.conf r, + + @{run}/reboot-required w, + @{run}/reboot-required.pkgs rw, + + @{PROC}/devices r, + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump new file mode 100644 index 000000000..91af3a842 --- /dev/null +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/kernel/postinst.d/kdump-tools +profile kernel-postinst-kdump @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/du rix, + @{bin}/find rix, + @{bin}/gawk rix, + @{bin}/mv rix, + @{bin}/rm rix, + @{bin}/sync rix, + @{sbin}/mkinitramfs rPx, + + owner /var/lib/kdump/* w, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 4332c78d9..5f5d8dc5f 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -192,7 +192,10 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdump-config complain +kernel complain kernel-install complain +kernel-postinst-kdump complain keyboxd complain kglobalacceld complain kio_http_cache_cleaner complain From b90c4073c94f06e83a16677398d338c05f5df395 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 23 May 2025 23:55:01 +0200 Subject: [PATCH 132/798] ci: show full journalctl log on failure. --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f04ac1381..4593fe78c 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -55,7 +55,7 @@ jobs: - name: Reload AppArmor run: | sudo systemctl restart apparmor.service || true - sudo systemctl status apparmor.service + sudo journalctl -xeu apparmor.service - name: Ensure compatibility with some AppArmor userspace tools if: matrix.os != 'ubuntu-24.04' From f3ed1a30065065300a0b5dca307f9081f9501025 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 May 2025 00:08:57 +0200 Subject: [PATCH 133/798] fix: profile compilation. --- apparmor.d/profiles-g-l/linux-check-removal | 2 +- dists/flags/main.flags | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 2c2a8ba21..40eb26b93 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/linux-check-removal -profile linux-check-removal @{exec_path} flags=(complain) { +profile linux-check-removal @{exec_path} { include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 5f5d8dc5f..d139c7622 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -219,7 +219,7 @@ libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain lightdm-session complain -linux-check-removal complain +linux-check-removal complain linux-update-symlinks complain locale-gen complain localectl complain From 3848838e53a5824417590f97c43ad0135a50e6a1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 May 2025 17:35:16 +0200 Subject: [PATCH 134/798] feat(profile): merge dpkg-scripts and dpkg-script-tmp. --- apparmor.d/groups/apt/dpkg-preconfigure | 2 + apparmor.d/groups/apt/dpkg-script-systemd | 2 + apparmor.d/groups/apt/dpkg-script-tmp | 57 ----------------------- apparmor.d/groups/apt/dpkg-scripts | 17 +++++-- dists/flags/main.flags | 1 - 5 files changed, 16 insertions(+), 63 deletions(-) delete mode 100644 apparmor.d/groups/apt/dpkg-script-tmp diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 8a9ea568e..4dbfae0a8 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -15,6 +15,8 @@ profile dpkg-preconfigure @{exec_path} { include include + capability dac_read_search, + @{exec_path} r, @{sh_path} rix, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index cb652108d..713f2981f 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -16,6 +16,8 @@ profile dpkg-script-systemd @{exec_path} { @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/bootctl Px, @{bin}/deb-systemd-helper Px, @{bin}/deb-systemd-invoke Px, @{bin}/dpkg Cx -> dpkg, diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp deleted file mode 100644 index 65e63d076..000000000 --- a/apparmor.d/groups/apt/dpkg-script-tmp +++ /dev/null @@ -1,57 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} -profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) { - include - include - include - - @{exec_path} mrix, - - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/run-parts rix, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg Px, - @{bin}/dpkg-divert Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/kmod Cx -> kmod, - @{bin}/systemctl Cx -> systemctl, - /usr/share/debconf/frontend Px, - - /usr/share/debconf/confmodule r, - - /etc/kernel/preinst.d/*-microcode ix, - - @{lib}/modules/*/.fresh-install w, - - profile kmod { - include - include - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - capability sys_ptrace, - capability sys_resource, - - @{bin}/systemd-tty-ask-password-agent Px, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 32063f5c5..e765b334c 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -38,6 +38,7 @@ profile dpkg-scripts @{exec_path} { @{lib}/ubuntu-advantage/postinst-migrations.sh ix, @{bin}/dbus-send Cx -> bus, + @{bin}/kmod Cx -> kmod, @{bin}/dpkg Px -> child-dpkg, @{bin}/systemctl Cx -> systemctl, @{sbin}/invoke-rc.d Cx -> rc, @@ -52,9 +53,6 @@ profile dpkg-scripts @{exec_path} { /usr/share/** Px, /etc/init.d/* Px, - /var/lib/dpkg/info/*.@{dpkg_script_ext} ix, # dpkg-scripts-* - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, # dpkg-script-tmp - # Maintainer's scripts can update a lot of files / r, /*/ r, @@ -85,12 +83,20 @@ profile dpkg-scripts @{exec_path} { include if exists } + profile kmod { + include + include + + include if exists + } + profile systemctl { include include capability net_admin, capability sys_ptrace, + capability sys_resource, @{run}/utmp rk, @@ -99,6 +105,7 @@ profile dpkg-scripts @{exec_path} { profile rc { include + include include @{sbin}/update-rc.d mr, @@ -110,10 +117,10 @@ profile dpkg-scripts @{exec_path} { /etc/ r, /etc/init.d/* r, - /etc/rc?.d/ r, + /etc/rc@{c}.d/ r, + /etc/rc@{c}.d/* rw, /etc/rc@{int}.d/ r, /etc/rc@{int}.d/* rw, - /etc/rc@{c}.d/* rw, include if exists } diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d139c7622..b1bd2fa0e 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -93,7 +93,6 @@ dpkg-script-apparmor complain dpkg-script-kmod complain dpkg-script-linux complain dpkg-script-systemd complain -dpkg-script-tmp complain dpkg-scripts complain drkonqi complain drkonqi-coredump-cleanup complain From d5926e9411f224cf094506c9cae221b84d740b20 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 24 May 2025 17:48:15 +0200 Subject: [PATCH 135/798] feat(abs): update debconf abs. --- apparmor.d/abstractions/common/debconf | 7 +++ apparmor.d/groups/apt/debconf-frontend | 5 +- apparmor.d/groups/apt/dpkg-script-apparmor | 2 - apparmor.d/groups/apt/dpkg-script-linux | 4 -- apparmor.d/groups/apt/dpkg-script-systemd | 3 -- apparmor.d/groups/apt/dpkg-scripts | 1 - apparmor.d/groups/grub/grub-check-signatures | 7 ++- apparmor.d/profiles-g-l/linux-check-removal | 5 -- apparmor.d/profiles-m-r/needrestart | 9 +++- apparmor.d/profiles-m-r/pam-auth-update | 48 ++----------------- apparmor.d/profiles-s-z/tasksel | 9 ++-- .../profiles-s-z/update-secureboot-policy | 17 ++++--- 12 files changed, 35 insertions(+), 82 deletions(-) diff --git a/apparmor.d/abstractions/common/debconf b/apparmor.d/abstractions/common/debconf index c21974212..1d9a6d145 100644 --- a/apparmor.d/abstractions/common/debconf +++ b/apparmor.d/abstractions/common/debconf @@ -9,11 +9,18 @@ include include + @{sh_path} rix, + @{bin}/locale ix, + @{bin}/whiptail Px, + /usr/share/debconf/frontend rix, /usr/share/debconf/confmodule r, /etc/debconf.conf r, + /var/ r, + /var/cache/ r, + /var/cache/debconf/ r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, include if exists diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 5ec13fcff..a8f7057e7 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -20,9 +20,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{exec_path} r, - @{sh_path} rix, @{bin}/hostname ix, - @{bin}/locale ix, @{bin}/lsb_release Px -> lsb_release, @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, @@ -32,7 +30,6 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{bin}/debconf-apt-progress Px, @{bin}/linux-check-removal Px, @{bin}/ucf Px, - @{bin}/whiptail Px, @{sbin}/aspell-autobuildhash Px, @{sbin}/pam-auth-update Px, @{lib}/tasksel/tasksel-debconf Px -> tasksel, @@ -45,7 +42,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { # Package maintainer's scripts /var/lib/dpkg/info/*.@{dpkg_script_ext} Px, /var/lib/dpkg/info/*.control r, - /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px, + /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} Px -> dpkg-scripts, # DKMS scipts @{lib}/dkms/common.postinst rPUx, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 9de0ce0b4..73b14390a 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -10,11 +10,9 @@ include profile dpkg-script-apparmor @{exec_path} { include include - include @{exec_path} mrix, - @{sh_path} rix, @{bin}/grep ix, @{bin}/deb-systemd-helper Px, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index 52c74c192..d6a8db473 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -13,10 +13,7 @@ profile dpkg-script-linux @{exec_path} { @{exec_path} mrix, - @{sh_path} rix, @{bin}/cat ix, - @{bin}/locale ix, - @{bin}/mkdir ix, @{bin}/mkdir ix, @{bin}/rm ix, @{bin}/run-parts ix, @@ -26,7 +23,6 @@ profile dpkg-script-linux @{exec_path} { @{bin}/kmod Px, @{bin}/linux-check-removal Px, @{bin}/linux-update-symlinks Px, - @{bin}/whiptail Px, @{bin}/dpkg-maintscript-helper Px, /usr/share/{update,reboot}-notifier/notify-reboot-required Px, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 713f2981f..4acafd139 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -10,12 +10,9 @@ include profile dpkg-script-systemd @{exec_path} { include include - include @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, @{bin}/bootctl Px, @{bin}/deb-systemd-helper Px, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index e765b334c..f1c56bd49 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -31,7 +31,6 @@ profile dpkg-scripts @{exec_path} { @{bin}/getent ix, @{bin}/gzip ix, @{bin}/helpztags ix, - @{bin}/locale ix, @{bin}/tput ix, @{bin}/zcat ix, @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures index 310138595..f09ba540d 100644 --- a/apparmor.d/groups/grub/grub-check-signatures +++ b/apparmor.d/groups/grub/grub-check-signatures @@ -13,10 +13,9 @@ profile grub-check-signatures @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/mktemp rix, - @{bin}/od rix, + @{bin}/{m,g,}awk ix, + @{bin}/mktemp ix, + @{bin}/od ix, owner @{tmp}/tmp.@{rand10}/ rw, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 40eb26b93..04d2f0330 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -14,12 +14,7 @@ profile linux-check-removal @{exec_path} { @{exec_path} rmix, - @{sh_path} rix, @{bin}/stty rix, - @{bin}/locale rix, - @{bin}/whiptail rPx, - - audit owner @{tmp}/file* w, include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index c2bc8b2b6..5d5e76ed5 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -40,7 +40,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/whiptail rPx, @{bin}/who rix, @{lib}/needrestart/* rPx, - /usr/share/debconf/frontend rix, + /usr/share/debconf/frontend rCx -> debconf, /etc/debconf.conf r, /etc/init.d/* r, @@ -97,6 +97,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include if exists } + profile debconf { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 655ed9d40..aff011389 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -10,56 +10,18 @@ include @{exec_path} = @{sbin}/pam-auth-update profile pam-auth-update @{exec_path} flags=(complain) { include - include - include + include @{exec_path} mr, - @{bin}/md5sum rix, - @{bin}/cp rix, + @{bin}/md5sum ix, + @{bin}/cp ix, - # Think what to do about this (#FIXME#) - /usr/share/debconf/frontend rPx, - #/usr/share/debconf/frontend rCx -> frontend, - - /etc/pam.d/* rw, - /var/lib/pam/* rw, /usr/share/pam{,-configs}/{,*} r, + /etc/pam.d/* rw, - profile frontend flags=(complain) { - include - include - include - include - - /usr/share/debconf/frontend r, - - @{sbin}/pam-auth-update rPx, - - @{sh_path} rix, - @{bin}/stty rix, - @{bin}/locale rix, - - /etc/debconf.conf r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, - /usr/share/debconf/templates/adequate.templates r, - - # The following is needed when debconf uses GUI frontends. - include - include - include - include - capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/hostname rix, - owner @{PROC}/@{pid}/mounts r, - @{HOME}/.Xauthority r, - - /etc/shadow r, - - include if exists - } + /var/lib/pam/* rw, include if exists } diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index f4900f225..8a33649a0 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -14,9 +14,8 @@ profile tasksel @{exec_path} flags=(complain) { @{exec_path} r, - @{sh_path} rix, - @{bin}/tempfile rix, - @{lib}/tasksel/tasksel-debconf rix, + @{bin}/tempfile ix, + @{lib}/tasksel/tasksel-debconf ix, @{lib}/tasksel/tests/* Cx -> tasksel-tests, # Do not strip env to avoid errors like the following: @@ -29,13 +28,11 @@ profile tasksel @{exec_path} flags=(complain) { /usr/share/tasksel/{,**} r, - owner @{tmp}/file* w, - profile tasksel-tests flags=(complain) { include - @{lib}/tasksel/tests/* r, @{sh_path} rix, + @{lib}/tasksel/tests/* r, include if exists } diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index f8581f532..31a03ef7b 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -14,15 +14,14 @@ profile update-secureboot-policy @{exec_path} { @{exec_path} rm, - @{sh_path} rix, - @{bin}/{,m,g}awk rix, - @{bin}/dpkg-trigger rPx, - @{bin}/find rix, - @{bin}/id rix, - @{bin}/od rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/wc rix, + @{bin}/{,m,g}awk ix, + @{bin}/dpkg-trigger Px, + @{bin}/find ix, + @{bin}/id ix, + @{bin}/od ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/wc ix, / r, From 3e098b715205074cc2eab4b3518658f50b65d464 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 00:47:02 +0200 Subject: [PATCH 136/798] feat(profile): initramfs: add hooks and scripts. --- apparmor.d/profiles-m-r/initramfs-hooks | 86 +++++++++++++++++++++++ apparmor.d/profiles-m-r/initramfs-scripts | 55 +++++++++++++++ apparmor.d/profiles-m-r/mkinitramfs | 10 +-- 3 files changed, 146 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/profiles-m-r/initramfs-hooks create mode 100644 apparmor.d/profiles-m-r/initramfs-scripts diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks new file mode 100644 index 000000000..b4f3ac2f4 --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -0,0 +1,86 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/** +profile initramfs-hooks @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{sbin}/blkid Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox ix, + @{lib}/klibc/bin/fstype ix, + /usr/share/mdadm/mkconf Px, + + @{bin}/* r, + @{sbin}/* r, + @{lib}/ r, + @{lib}/** r, + + /usr/share/initramfs-tools/{,**} r, + /usr/share/plymouth/{,**} r, + /usr/share/cryptsetup/initramfs/{,**} r, + + /etc/console-setup/{,**} r, + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/* r, + /etc/fstab r, + /etc/iscsi/*.iscsi r, + /etc/lvm/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/systemd/network/{,**} r, + /etc/udev/{,**} r, + + / r, + @{efi}/config-* r, + + /var/tmp/ r, + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/ rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + owner /var/tmp/mkinitramfs-@{rand6} rw, + owner /var/tmp/mkinitramfs-*_@{rand6} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + + @{sys}/firmware/efi/efivars/ r, + + @{PROC}/@{pid}/mounts r, + @{PROC}/cmdline r, + @{PROC}/swaps r, + + profile ldd { + include + include + + @{bin}/ldd mr, + @{bin}/* mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts new file mode 100644 index 000000000..85437017b --- /dev/null +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -0,0 +1,55 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/initramfs-tools/scripts/** /etc/initramfs-tools/scripts/** +profile initramfs-scripts @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{sbin}/blkid Px, + @{bin}/dd ix, + @{bin}/debconf-escape Px, + @{bin}/ischroot Px, + @{bin}/ldd Cx -> ldd, + @{bin}/plymouth Px, + @{bin}/update-alternatives Px, + @{lib}/dracut/dracut-install Px, + @{lib}/initramfs-tools/bin/busybox Px, + /usr/share/mdadm/mkconf Px, + + /usr/share/initramfs-tools/{,**} r, + + /etc/cryptsetup-initramfs/{,**} r, + /etc/crypttab r, + /etc/default/console-setup r, + /etc/fstab r, + /etc/initramfs-tools/{,**} r, + /etc/mdadm/mdadm.conf r, + /etc/udev/rules.d/{,**} r, + + /var/tmp/modules_@{rand6} rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + + profile ldd { + include + include + + @{bin}/ldd mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, + @{lib}/ld-linux.so* mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index eaf5645f3..f37029627 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -66,11 +66,10 @@ profile mkinitramfs @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, - # What to do with it? (#FIXME#) - /usr/share/initramfs-tools/hooks/* rPUx, - /usr/share/initramfs-tools/scripts/*/* rPUx, - /etc/initramfs-tools/hooks/* rPUx, - /etc/initramfs-tools/scripts/*/* rPUx, + /usr/share/initramfs-tools/hooks/** rPx, + /usr/share/initramfs-tools/scripts/** rPx, + /etc/initramfs-tools/hooks/** rPx, + /etc/initramfs-tools/scripts/** rPx, /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, @@ -106,6 +105,7 @@ profile mkinitramfs @{exec_path} { @{sys}/devices/platform/**/ r, @{sys}/devices/platform/**/modalias r, @{sys}/module/compression r, + @{sys}/module/firmware_class/parameters/path r, @{PROC}/cmdline r, @{PROC}/modules r, From c70f9b22fcdfe7ebc718f1144ec8ff5a713ffcb1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 00:50:10 +0200 Subject: [PATCH 137/798] feat(tunable): add more variables for profile name. --- apparmor.d/tunables/multiarch.d/profiles | 40 ++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 92ab19fc9..ec1eff79c 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -23,14 +23,50 @@ @{p_dbus_system}=dbus-system @{p_dbus_session}=dbus-session +@{p_accounts_daemon}=accounts-daemon +@{p_apt_news}=apt_news @{p_at_spi2_registryd}=at-spi2-registryd +@{p_avahi_daemon}=avahi-daemon +@{p_bluetoothd}=bluetoothd @{p_colord}=colord +@{p_e2scrub_all}=e2scrub_all +@{p_e2scrub}=e2scrub +@{p_file_roller}=file-roller +@{p_fprintd}=fprintd +@{p_fwupd}=fwupd +@{p_fwupdmgr}=fwupdmgr +@{p_geoclue}=geoclue @{p_gnome_shell}=gnome-shell +@{p_gsd_media_keys}=gsd-media-keys +@{p_irqbalance}=irqbalance +@{p_logrotate}=logrotate +@{p_ModemManager}=ModemManager +@{p_nm_priv_helper}=nm-priv-helper @{p_packagekitd}=packagekitd +@{p_pcscd}=pcscd +@{p_polkitd}=polkitd +@{p_power_profiles_daemon}=power-profiles-daemon +@{p_rsyslogd}=rsyslogd +@{p_rtkit_daemon}=rtkit-daemon @{p_snap}=snap +@{p_systemd_coredump}=systemd-coredump +@{p_systemd_homed}=systemd-homed +@{p_systemd_hostnamed}=systemd-hostnamed +@{p_systemd_importd}=systemd-importd +@{p_systemd_initctl}=systemd-initctl +@{p_systemd_journal_remote}=systemd-journal-remote +@{p_systemd_journald}=systemd-journald +@{p_systemd_localed}=systemd-localed @{p_systemd_logind}=systemd-logind +@{p_systemd_networkd}=systemd-networkd +@{p_systemd_oomd}=systemd-oomd +@{p_systemd_resolved}=systemd-resolved +@{p_systemd_rfkill}=systemd-rfkill +@{p_systemd_timedated}=systemd-timedated +@{p_systemd_timesyncd}=systemd-timesyncd +@{p_systemd_userdbd}=systemd-userdbd +@{p_upowerd}=upowerd @{p_xdg_desktop_portal}=xdg-desktop-portal -@{p_gsd_media_keys}=gsd-media-keys -@{p_rtkit_daemon}=rtkit-daemon + # vim:syntax=apparmor From 8b542434bdb1435ca67169bee6fa8911b3d802a7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 00:52:38 +0200 Subject: [PATCH 138/798] feat(profile): update kdump profiles. --- apparmor.d/profiles-g-l/kdump-config | 49 +++++++++++++++++++-- apparmor.d/profiles-g-l/kdump-tools-init | 38 ++++++++++++++++ apparmor.d/profiles-g-l/kdump_mem_estimator | 36 +++++++++++++++ dists/flags/main.flags | 2 + 4 files changed, 122 insertions(+), 3 deletions(-) create mode 100644 apparmor.d/profiles-g-l/kdump-tools-init create mode 100644 apparmor.d/profiles-g-l/kdump_mem_estimator diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index e6ec78f67..2b3516202 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -7,32 +7,69 @@ abi , include @{exec_path} = @{sbin}/kdump-config -profile kdump-config @{exec_path} { +profile kdump-config @{exec_path} flags=(attach_disconnected) { include - ptrace readby peer=systemd-journald, + capability sys_admin, + + ptrace readby peer=@{p_systemd_journald}, @{exec_path} mr, - @{sh_path} ix, + @{sh_path} rix, @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cmp ix, + @{bin}/cp ix, @{bin}/cut ix, @{bin}/file ix, @{bin}/find ix, + @{bin}/flock ix, @{bin}/grep ix, @{bin}/hexdump ix, @{bin}/ln ix, @{bin}/logger ix, + @{bin}/plymouth Px, + @{bin}/readlink ix, @{bin}/rev ix, @{bin}/run-parts ix, @{bin}/sed ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, @{sbin}/kexec Cx -> kexec, @{sbin}/sysctl Cx -> sysctl, /etc/kernel/postinst.d/kdump-tools rPx, + /etc/kdump/{,**} r, + /etc/default/kdump-tools r, + /etc/magic r, + + / r, + @{efi}/ r, + + /var/crash/kdump_lock wk, + /var/crash/kexec_cmd w, owner /var/lib/kdump/{,**} rw, + @{sys}/firmware/efi/efivars/ r, + @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, + @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, + @{sys}/kernel/kexec_crash_loaded r, + + @{PROC}/cmdline r, + @{PROC}/iomem r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + capability sys_ptrace, + + include if exists + } + profile sysctl { include @@ -51,6 +88,12 @@ profile kdump-config @{exec_path} { @{sbin}/kexec mr, + @{efi}/* r, + + owner /var/lib/kdump/* r, + + @{PROC}/iomem r, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init new file mode 100644 index 000000000..b5af4dcc9 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump-tools-init @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/init.d/kdump-tools +profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + @{sh_path} mr, + + @{bin}/cat ix, + @{bin}/plymouth Px, + @{bin}/run-parts ix, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/kdump-config Px, + + /etc/default/kdump-tools r, + + @{PROC}/cmdline r, + + profile systemctl flags=(attach_disconnected) { + include + include + + capability net_admin, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator new file mode 100644 index 000000000..b80a89343 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdump_mem_estimator @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/kdump-tools/kdump_mem_estimator +profile kdump_mem_estimator @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/cat ix, + @{bin}/mkdir ix, + @{bin}/uname ix, + @{bin}/systemctl Cx -> systemctl, + @{bin}/uname ix, + + owner /var/lib/kdump/mem* w, + + profile systemctl { + include + include + + capability net_admin, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index b1bd2fa0e..9faad80f9 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -191,7 +191,9 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdump_mem_estimator complain kdump-config complain +kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain kernel-postinst-kdump complain From c03bcbef7a800d3d4523d4d21b41563d598358d5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:00:08 +0200 Subject: [PATCH 139/798] feat(profile): rewrite the needrestart profiles. --- apparmor.d/profiles-m-r/needrestart | 37 ++++++++++--------- apparmor.d/profiles-m-r/needrestart-hook | 25 +++++++++++++ .../needrestart-iucode-scan-versions | 4 +- apparmor.d/profiles-m-r/needrestart-notify | 32 ++++++++++++++++ apparmor.d/profiles-m-r/needrestart-restart | 32 ++++++++++++++++ .../needrestart-vmlinuz-get-version | 2 +- dists/flags/main.flags | 3 ++ 7 files changed, 115 insertions(+), 20 deletions(-) create mode 100644 apparmor.d/profiles-m-r/needrestart-hook create mode 100644 apparmor.d/profiles-m-r/needrestart-notify create mode 100644 apparmor.d/profiles-m-r/needrestart-restart diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 5d5e76ed5..13838902e 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -22,35 +22,34 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { ptrace read, - mqueue (r,getattr) type=posix /, - @{exec_path} mrix, @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/locale rix, - @{python_path} rix, @{bin}/sed rix, @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, - @{sbin}/unix_chkpwd rPx, - @{bin}/whiptail rPx, @{bin}/who rix, @{lib}/needrestart/* rPx, + @{python_path} rix, + @{sbin}/unix_chkpwd rPx, + /usr/share/debconf/frontend rCx -> debconf, - /etc/debconf.conf r, + /etc/needrestart/hook.d/* rPx, + /etc/needrestart/notify.d/* rPx, + /etc/needrestart/restart.d/* rPx, + /etc/init.d/* r, /etc/needrestart/{,**} r, - /etc/needrestart/*.d/* rix, /etc/shadow r, / r, - /boot/ r, - /boot/* r, + @{efi}/ r, + @{efi}/* r, /opt/*/** r, @{bin}/* r, @{lib}/** r, @@ -59,23 +58,23 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /usr/share/** r, /var/lib/*/** r, - owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, + @{run}/systemd/sessions/* r, /tmp/@{word10}/ rw, - owner @{run}/sshd.pid r, - @{PROC}/ r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/environ r, - @{PROC}/@{pids}/maps r, - @{PROC}/@{pids}/stat r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, /dev/**/ r, + deny mqueue type=posix /, + profile systemctl { include include @@ -101,6 +100,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include include + @{sbin}/needrestart Px, + include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook new file mode 100644 index 000000000..fa77834e8 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-hook @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/needrestart/hook.d/* +profile needrestart-hook @{exec_path} { + include + include + include + + @{exec_path} mr, + @{sh_path} rix, + + @{bin}/dpkg-query px, + + /tmp/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 3484ea298..d75301fc6 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -12,19 +12,21 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{exec_path} mr, - @{sbin}/iucode_tool rix, @{sh_path} rix, @{bin}/{,e}grep rix, @{bin}/bsdtar rix, @{bin}/cat rix, + @{sbin}/iucode_tool rix, /usr/share/misc/ r, + /usr/share/misc/amd64-microcode* r, /usr/share/misc/intel-microcode* r, /etc/default/amd64-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, + /boot/amd64-ucode.img r, /boot/intel-ucode.img r, /boot/early_ucode.cpio r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify new file mode 100644 index 000000000..dc4a30c69 --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/needrestart/notify.d/* +profile needrestart-notify @{exec_path} { + include + + capability dac_read_search, + capability sys_ptrace, + + ptrace read peer=unconfined, + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/gettext.sh r, + @{bin}/sed ix, + + /etc/needrestart/notify.conf r, + + @{PROC}/@{pid}/environ r, + @{PROC}/filesystems r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart new file mode 100644 index 000000000..2fc79b70c --- /dev/null +++ b/apparmor.d/profiles-m-r/needrestart-restart @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/needrestart/restart.d/* +profile needrestart-restart @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/systemctl Cx -> systemctl, + + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, + + profile systemctl { + include + include + + capability net_admin, + capability sys_ptrace, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index 655566c74..e5ee2fd8f 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -23,7 +23,7 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{bin}/rm rix, @{bin}/tail rix, @{bin}/tr rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rPx, @{bin}/xz rix, /boot/intel-ucode.img r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9faad80f9..592b681e5 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -240,6 +240,9 @@ ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain multipathd complain +needrestart-hook complain +needrestart-notify complain +needrestart-restart complain netplan.script attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain From 21b31a06a755026a30620afb740668cbf85c80ee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:03:23 +0200 Subject: [PATCH 140/798] feat(profile): rewrite the run-parts profile. --- apparmor.d/profiles-m-r/run-parts | 143 +++--------------------------- 1 file changed, 10 insertions(+), 133 deletions(-) diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 8adb0f748..e5d44e13a 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -4,12 +4,6 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -# TODO: Rewrite this profile. Most of the rule should be confined directly by the calling profile -# Possible confinement depending of profile architecture: -# - As rix, -# - As rCx -> run-parts, -# - As rPx -> foo-run-parts, - abi , include @@ -116,33 +110,21 @@ profile run-parts @{exec_path} { /etc/update-motd.d/* rPx, # Kernel - /etc/kernel/header_postinst.d/ r, - /etc/kernel/header_postinst.d/dkms rCx -> kernel, - - /etc/kernel/postinst.d/ r, - /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel, - /etc/kernel/postinst.d/dkms rCx -> kernel, - /etc/kernel/postinst.d/initramfs-tools rCx -> kernel, - /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel, - /etc/kernel/postinst.d/zz-update-grub rCx -> kernel, - /etc/kernel/postinst.d/zz-shim rCx -> kernel, - /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel, - + /etc/kernel/{,header_}postinst.d/ r, + /etc/kernel/{,header_}postinst.d/* rPx, /etc/kernel/postrm.d/ r, - /etc/kernel/postrm.d/initramfs-tools rCx -> kernel, - /etc/kernel/postrm.d/zz-update-grub rCx -> kernel, - + /etc/kernel/postrm.d/* rPx, /etc/kernel/preinst.d/ r, - /etc/kernel/preinst.d/intel-microcode rCx -> kernel, - + /etc/kernel/preinst.d/* rPx, /etc/kernel/prerm.d/ r, - /etc/kernel/prerm.d/dkms rCx -> kernel, + /etc/kernel/prerm.d/* rPx, + # Finalrd /usr/share/finalrd/ r, - /usr/share/finalrd/mdadm.finalrd rPUx, - /usr/share/finalrd/open-iscsi.finalrd rPUx, + /usr/share/finalrd/mdadm.finalrd rPUx, + /usr/share/finalrd/open-iscsi.finalrd rPUx, - /usr/share/landscape/landscape-sysinfo.wrapper rPUx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, /root/ r, @@ -152,117 +134,12 @@ profile run-parts @{exec_path} { owner @{tmp}/$anacron@{rand6} rw, owner @{tmp}/file@{rand6} rw, - owner @{sys}/class/power_supply/ r, + owner @{sys}/class/power_supply/ r, @{run}/motd.dynamic.new w, /dev/tty@{int} rw, - profile motd { - include - include - - network inet dgram, - network inet6 dgram, - network netlink raw, - - @{sh_path} rix, - @{bin}/{e,}grep rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/find rix, - @{bin}/head rix, - @{bin}/id rix, - @{bin}/sort rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/hostname rPx, - - @{bin}/snap rPUx, - @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, - @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, - @{lib}/update-notifier/update-motd-reboot-required rix, - /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, - /usr/share/update-notifier/notify-updates-outdated rPx, - - / r, - /etc/default/motd-news r, - /etc/lsb-release r, - /etc/update-motd.d/* r, - - /var/cache/motd-news rw, - /var/lib/update-notifier/updates-available r, - /var/lib/ubuntu-advantage/messages/motd-esm-announce r, - - @{run}/motd.d/{,*} r, - - @{PROC}/@{pids}/mounts r, - - /dev/tty@{int} rw, - - include if exists - } - - profile kernel { - include - include - include - - capability sys_module, - - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,m,g}awk rix, - @{bin}/cat rix, - @{bin}/chmod rix, - @{bin}/cut rix, - @{bin}/dirname rix, - @{bin}/kmod rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, - - @{bin}/apt-config rPx, - @{sbin}/dkms rPx, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/systemd-detect-virt rPx, - @{sbin}/update-alternatives rPx, - @{sbin}/update-grub rPUx, - @{sbin}/update-initramfs rPx, - @{lib}/dkms/dkms_autoinstaller rPx, - - @{lib}/modules/*/updates/ w, - @{lib}/modules/*/updates/dkms/ w, - - /etc/kernel/header_postinst.d/* r, - /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r, - - # For shell pwd - / r, - /boot/ r, - - /etc/apt/apt.conf.d/ r, - /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, - /etc/modprobe.d/ r, - /etc/modprobe.d/*.conf r, - - @{run}/reboot-required w, - @{run}/reboot-required.pkgs rw, - - @{sys}/module/compression r, - - @{PROC}/devices r, - @{PROC}/cmdline r, - - include if exists - } - include if exists } From 649d2da8d2b33744ca892fcea4b19a304d4f2d7b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:04:07 +0200 Subject: [PATCH 141/798] feat(profile): expand and restrict motd. --- apparmor.d/profiles-m-r/motd | 40 ++++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd index fe684f671..67f216212 100644 --- a/apparmor.d/profiles-m-r/motd +++ b/apparmor.d/profiles-m-r/motd @@ -9,16 +9,11 @@ include @{exec_path} = /etc/update-motd.d/* profile motd @{exec_path} { include - include - include - network inet dgram, - network inet stream, - network inet6 dgram, - network inet6 stream, - network netlink raw, + capability net_admin, @{exec_path} mr, + @{bin}/ r, @{sh_path} rix, @{coreutils_path} rix, @@ -28,7 +23,7 @@ profile motd @{exec_path} { @{bin}/snap rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, - @{bin}/wget rix, + @{bin}/wget rCx -> wget, @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx, @{lib}/update-notifier/update-motd-fsck-at-reboot rPx, @@ -37,26 +32,49 @@ profile motd @{exec_path} { /usr/share/update-notifier/notify-updates-outdated rPx, / r, + /etc/cloud/cloud.cfg r, + /etc/cloud/cloud.cfg.d/{,*} r, /etc/default/motd-news r, /etc/lsb-release r, /etc/update-motd.d/* r, - /etc/cloud/cloud.cfg r, - /etc/cloud/cloud.cfg.d/{,*} r, + /etc/wgetrc r, /var/cache/motd-news rw, /var/lib/update-notifier/updates-available r, /var/lib/ubuntu-advantage/messages/motd-esm-announce r, + /var/lib/cloud/instances/nocloud/cloud-config.txt r, - /tmp/tmp.@{rand10} rw, + # /tmp/tmp.@{rand10} rw, + @{run}/cloud-init/cloud.cfg r, @{run}/motd.d/{,*} r, @{run}/motd.dynamic.new rw, @{run}/reboot-required r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, /dev/tty@{int} rw, + profile wget { + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{bin}/wget mr, + + /tmp/tmp.@{rand10} rw, + + include if exists + } + profile systemctl { include include From 8c526b32c615bc30e4400836368f13dfb8eff87a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:09:08 +0200 Subject: [PATCH 142/798] feat(profile): small update on core upgrade profiles. --- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-methods-cdrom | 8 ++-- apparmor.d/groups/apt/apt-methods-copy | 8 ++-- apparmor.d/groups/apt/apt-methods-file | 10 ++--- apparmor.d/groups/apt/apt-methods-ftp | 8 ++-- apparmor.d/groups/apt/apt-methods-gpgv | 12 +++--- apparmor.d/groups/apt/apt-methods-http | 18 ++++---- apparmor.d/groups/apt/apt-methods-mirror | 10 ++--- apparmor.d/groups/apt/apt-methods-rred | 10 ++--- apparmor.d/groups/apt/apt-methods-rsh | 8 ++-- apparmor.d/groups/apt/apt-methods-store | 12 +++--- apparmor.d/groups/apt/deb-systemd-helper | 4 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-mkdevicemap | 7 ++++ apparmor.d/profiles-a-f/e2scrub_all | 4 +- apparmor.d/profiles-a-f/finalrd | 43 ++++++++++---------- apparmor.d/profiles-g-l/glib-compile-schemas | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 1 + apparmor.d/profiles-g-l/logrotate | 4 +- apparmor.d/profiles-m-r/multipathd | 3 +- apparmor.d/profiles-m-r/pycompile | 1 + apparmor.d/profiles-m-r/qemu-ga | 2 +- 22 files changed, 95 insertions(+), 84 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 2a0969156..5be4284f9 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -36,7 +36,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/apt-get/system, unix bind type=stream addr=@@{udbus}/bus/apt/system, - unix type=stream peer=(label=snap), + unix type=stream peer=(label=@{p_snap}), unix (send, receive) type=stream peer=(label=apt-esm-json-hook), unix (send, receive) type=stream peer=(label=snapd), diff --git a/apparmor.d/groups/apt/apt-methods-cdrom b/apparmor.d/groups/apt/apt-methods-cdrom index 9cf47e758..96ce36a72 100644 --- a/apparmor.d/groups/apt/apt-methods-cdrom +++ b/apparmor.d/groups/apt/apt-methods-cdrom @@ -19,10 +19,10 @@ profile apt-methods-cdrom @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index 6d906bf80..e2878e108 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -20,10 +20,10 @@ profile apt-methods-copy @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 3c2489a32..781f9714e 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -20,11 +20,11 @@ profile apt-methods-file @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-ftp b/apparmor.d/groups/apt/apt-methods-ftp index 47c679ea1..e753b4cf8 100644 --- a/apparmor.d/groups/apt/apt-methods-ftp +++ b/apparmor.d/groups/apt/apt-methods-ftp @@ -19,10 +19,10 @@ profile apt-methods-ftp @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index db5d50f43..5f3654f6e 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -20,12 +20,12 @@ profile apt-methods-gpgv @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=role_*, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index b6976e9af..0b375c8f8 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -23,15 +23,15 @@ profile apt-methods-http @{exec_path} { network inet6 stream, network netlink raw, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=role_*, - signal (receive) peer=synaptic, - signal (receive) peer=ubuntu-advantage, - signal (receive) peer=unattended-upgrade, - signal (receive) peer=update-manager, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, + signal receive peer=ubuntu-advantage, + signal receive peer=unattended-upgrade, + signal receive peer=update-manager, ptrace (read), diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index d8e3adce3..025a1c01b 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -20,11 +20,11 @@ profile apt-methods-mirror @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rred b/apparmor.d/groups/apt/apt-methods-rred index 85da35efc..1aadac2ec 100644 --- a/apparmor.d/groups/apt/apt-methods-rred +++ b/apparmor.d/groups/apt/apt-methods-rred @@ -20,11 +20,11 @@ profile apt-methods-rred @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, - signal (receive) set=(int) peer=packagekitd, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, + signal receive set=(int) peer=@{p_packagekitd}, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-rsh b/apparmor.d/groups/apt/apt-methods-rsh index 95d70b31f..1b76551b9 100644 --- a/apparmor.d/groups/apt/apt-methods-rsh +++ b/apparmor.d/groups/apt/apt-methods-rsh @@ -19,10 +19,10 @@ profile apt-methods-rsh @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt, - signal (receive) peer=apt-get, - signal (receive) peer=aptitude, - signal (receive) peer=synaptic, + signal receive peer=apt, + signal receive peer=apt-get, + signal receive peer=aptitude, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index 5492fdd5e..a6875a432 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -20,12 +20,12 @@ profile apt-methods-store @{exec_path} { capability setgid, capability setuid, - signal (receive) peer=apt-get, - signal (receive) peer=apt, - signal (receive) peer=aptitude, - signal (receive) peer=packagekitd, - signal (receive) peer=role_*, - signal (receive) peer=synaptic, + signal receive peer=apt-get, + signal receive peer=apt, + signal receive peer=aptitude, + signal receive peer=@{p_packagekitd}, + signal receive peer=role_*, + signal receive peer=synaptic, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/deb-systemd-helper b/apparmor.d/groups/apt/deb-systemd-helper index 77fe1f455..d6e89f9a0 100644 --- a/apparmor.d/groups/apt/deb-systemd-helper +++ b/apparmor.d/groups/apt/deb-systemd-helper @@ -16,8 +16,8 @@ profile deb-systemd-helper @{exec_path} { @{bin}/systemctl rCx -> systemctl, - /etc/systemd/system/* w, - /etc/systemd/user/* w, + /etc/systemd/system/{,**} rw, + /etc/systemd/user/{,**} rw, /var/lib/systemd/deb-systemd-helper-enabled/{,**} rw, /var/lib/systemd/deb-systemd-helper-masked/{,**} rw, diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 3274a5e6d..f044b0f44 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -44,7 +44,7 @@ profile grub-install @{exec_path} flags=(complain) { @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootCurrent-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, @{sys}/firmware/efi/efivars/Timeout-@{uuid} r, @{sys}/firmware/efi/fw_platform_size r, @{sys}/firmware/efi/w_platform_size r, diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index 2a7082c64..ca9f3ad3c 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -10,9 +10,16 @@ include profile grub-mkdevicemap @{exec_path} { include include + include + + capability sys_admin, @{exec_path} mr, + @{PROC}/devices r, + + /dev/mapper/control rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index af10dddcd..0079053e0 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -17,8 +17,8 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} r, - @{bin}/readlink rix, + @{sh_path} mr, + @{bin}/readlink ix, /etc/e2scrub.conf r, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index bc6c4cf62..d8f2f819e 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -20,27 +20,27 @@ profile finalrd @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/env rix, - @{bin}/find rix, - @{bin}/grep rix, - @{sbin}/ldconfig{,.real} rix, - @{bin}/ln rix, - @{bin}/mkdir rix, - @{bin}/mount rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - @{bin}/rm rix, - @{bin}/run-parts rix, - @{bin}/sed rix, - @{bin}/touch rix, - - @{bin}/ldd rCx -> ldd, - @{bin}/systemd-tmpfiles rPx, - @{lib}/@{multiarch}/ld-linux-*so* rCx -> ldd, - @{lib}/systemd/systemd-shutdown rPx, - /usr/share/finalrd/*.finalrd rix, + @{bin}/cp ix, + @{bin}/dirname ix, + @{bin}/env ix, + @{bin}/find ix, + @{bin}/grep ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/mount ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/run-parts ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{sbin}/ldconfig{,.real} ix, + + @{bin}/ldd Cx -> ldd, + @{bin}/systemd-tmpfiles Px, + @{lib}/@{multiarch}/ld-linux-*so* Cx -> ldd, + @{lib}/systemd/systemd-shutdown Px, + /usr/share/finalrd/*.finalrd ix, @{bin}/{,*} r, @{lib}/{,*} r, @@ -65,6 +65,7 @@ profile finalrd @{exec_path} { profile ldd { include + include include @{bin}/* mr, diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index fcabd84c3..59c56bb12 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/glib-compile-schemas +@{exec_path} = @{bin}/glib-compile-schemas @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas profile glib-compile-schemas @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 3b140b2bf..1c3c98d52 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -33,6 +33,7 @@ profile landscape-sysinfo @{exec_path} { /var/log/landscape/{,**} rw, + @{run}/systemd/sessions/{,*} r, @{run}/utmp rwk, @{sys}/class/hwmon/ r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index f74f309fe..8d3dc2171 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -21,8 +21,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, - signal (send) set=(hup), - signal (send) set=(term cont) peer=systemd-tty-ask-password-agent, + signal send set=hup, + signal send set=(term cont) peer=systemd-tty-ask-password-agent, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd index a07691a5c..bbb6a87a6 100644 --- a/apparmor.d/profiles-m-r/multipathd +++ b/apparmor.d/profiles-m-r/multipathd @@ -20,7 +20,8 @@ profile multipathd @{exec_path} { network netlink raw, - unix (send, receive, connect) type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), + unix type=stream peer=(addr="@/org/kernel/linux/storage/multipathd"), + unix type=stream addr=@/org/kernel/linux/storage/multipathd, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index b441d84cd..984fcf03c 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -31,6 +31,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { /usr/share/python3/{,**} r, / r, + @{bin}/ r, profile dpkg { include diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index c6e6ca54e..7fa668a71 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -12,7 +12,7 @@ profile qemu-ga @{exec_path} { @{exec_path} mr, - audit @{bin}/systemctl Cx -> systemctl, + @{bin}/systemctl Cx -> systemctl, /etc/qemu/qemu-ga.conf r, From 4e4f8d8a0e65e356971b0cddf86748196ef3a14c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:15:53 +0200 Subject: [PATCH 143/798] build: update sbin.list --- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/virt/containerd-shim-runc-v2 | 2 +- apparmor.d/groups/virt/dockerd | 2 +- tests/sbin.list | 5 +++++ 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index eb299345c..8f5952d9b 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -15,7 +15,7 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/fanctl rix, + @{sbin}/fanctl rix, @{bin}/flock rix, @{bin}/grep rix, @{bin}/id rix, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 5a963beac..61898a3e4 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -30,7 +30,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/runc rPUx, + @{sbin}/runc rPx, /tmp/runc-process@{int} rw, /tmp/pty@{int}/ rw, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 6b1e3537a..c4b39ff8c 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -72,7 +72,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/git rCx -> git, @{bin}/kmod rPx, @{bin}/ps rPx, - @{bin}/runc rUx, + @{sbin}/runc rUx, @{bin}/unpigz rix, @{sbin}/xtables-nft-multi rix, diff --git a/tests/sbin.list b/tests/sbin.list index 82596a62a..805ab8bf1 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -46,6 +46,7 @@ arptables-nft-restore arptables-nft-save arptables-restore arptables-save +arptables-translate aspell-autobuildhash atd audisp-af_unix @@ -92,6 +93,7 @@ blogger bluetoothd bpflist-bpfcc bpftool +brctl bridge brltty brltty-setup @@ -241,7 +243,9 @@ f2fscrypt f2fslabel f2fsslower-bpfcc faillock +fanatic fancontrol +fanctl fatlabel fatresize fbtest @@ -767,6 +771,7 @@ rubyflow-bpfcc rubygc-bpfcc rubyobjnew-bpfcc rubystat-bpfcc +runc runlevel runqlat-bpfcc runqlat.bt From e7fb1860939f0c83882c7592e2f356594790fa89 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:19:32 +0200 Subject: [PATCH 144/798] feat(profile): update kernerl-install. --- apparmor.d/profiles-g-l/kernel-install | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 07c058124..614b81aeb 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -11,22 +11,19 @@ include profile kernel-install @{exec_path} { include include + include include + capability sys_resource, + + ptrace read peer=@{p_systemd}, + @{exec_path} r, @{sh_path} rix, - + @{coreutils_path} rix, + @{bin}/kmod rCx -> kmod, @{bin}/mountpoint rix, - @{bin}/sort rix, - @{bin}/rm rix, - @{bin}/mkdir rix, - @{bin}/cp rix, - @{bin}/chown rix, - @{bin}/chmod rix, - @{bin}/basename rix, - @{pager_path} rPx -> child-pager, - @{bin}/kmod rCx -> kmod, @{lib}/kernel/install.d/ r, @{lib}/kernel/install.d/@{int2}-*.install rix, @@ -37,6 +34,7 @@ profile kernel-install @{exec_path} { @{lib}/os-release r, /etc/kernel/cmdline r, /etc/kernel/tries r, + /etc/kernel/entry-token r, /etc/machine-id r, /etc/os-release r, /var/lib/dbus/machine-id r, @@ -50,14 +48,22 @@ profile kernel-install @{exec_path} { owner /boot/loader/entries/ rw, owner /boot/loader/entries/*.conf w, + owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, + owner @{tmp}/sh-thd.* rw, + @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, profile kmod { include include + @{lib}/modules/*/modules.* w, + + @{sys}/module/compression r, + include if exists } From 17624b95d8b193a823c1f75a0cffd0a559740b5b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:21:12 +0200 Subject: [PATCH 145/798] feat(profile): update ucf profiles. --- apparmor.d/profiles-s-z/ucf | 11 ++++++++++- apparmor.d/profiles-s-z/ucfq | 26 +++++++++++++++++++++++++ apparmor.d/profiles-s-z/ucfr | 37 ++++++++++++++++++++++++++++++++++++ dists/flags/main.flags | 2 ++ 4 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-s-z/ucfq create mode 100644 apparmor.d/profiles-s-z/ucfr diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 86d94c7a1..0a7b992b6 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -39,7 +39,7 @@ profile ucf @{exec_path} { @{bin}/dpkg-divert rPx, @{pager_path} rCx -> child-pager, - /usr/share/debconf/frontend rPx, # TODO: rCx -> debonc-frontend, + /usr/share/debconf/frontend Cx -> debconf, # For md5sum /usr/share/** r, @@ -55,6 +55,15 @@ profile ucf @{exec_path} { owner /tmp/tmp.@{rand10} r, + deny capability sys_admin, # optional: no audit + + profile debconf { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-s-z/ucfq b/apparmor.d/profiles-s-z/ucfq new file mode 100644 index 000000000..b6ca3e7b1 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfq @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfq +profile ucfq @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/md5sum rix, + + /etc/ r, + /etc/default/ r, + /etc/default/grub r, + + /var/lib/ucf/* r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr new file mode 100644 index 000000000..b38f8aae4 --- /dev/null +++ b/apparmor.d/profiles-s-z/ucfr @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ucfr +profile ucfr @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/{m,g,}awk ix, + @{bin}/getopt ix, + @{bin}/grep ix, + @{bin}/id ix, + @{bin}/readlink ix, + @{bin}/sed ix, + @{bin}/dirname ix, + + /usr/share/ucf/{,**} r, + + /etc/ucf.conf r, + + / r, + + /var/lib/ucf/ r, + /var/lib/ucf/registry r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 592b681e5..e88409583 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -368,6 +368,8 @@ telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain ucf complain +ucfq complain +ucfr complain udev-ata_id complain udev-bcache-export-cached complain udev-cdrom_id complain From 0a5743fa46cb62d35a1ff622d50a1fa2eaa6666c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:23:26 +0200 Subject: [PATCH 146/798] feat(profile): add profile for more update-* tools. --- apparmor.d/profiles-s-z/update-catalog | 26 ++++++++++++++++++ apparmor.d/profiles-s-z/update-info-dir | 24 +++++++++++++++++ apparmor.d/profiles-s-z/update-shells | 36 +++++++++++++++++++++++++ dists/flags/main.flags | 3 +++ 4 files changed, 89 insertions(+) create mode 100644 apparmor.d/profiles-s-z/update-catalog create mode 100644 apparmor.d/profiles-s-z/update-info-dir create mode 100644 apparmor.d/profiles-s-z/update-shells diff --git a/apparmor.d/profiles-s-z/update-catalog b/apparmor.d/profiles-s-z/update-catalog new file mode 100644 index 000000000..feac2d3c5 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-catalog @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-catalog +profile update-catalog @{exec_path} { + include + include + + @{exec_path} mr, + + /etc/sgml/ r, + /etc/sgml/* r, + + /var/lib/sgml-base/*catalog rw, + /var/lib/sgml-base/*catalog.new rw, + /var/lib/sgml-base/*catalog.old w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir new file mode 100644 index 000000000..7c835023f --- /dev/null +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-info-dir +profile update-info-dir @{exec_path} { + include + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/install-info Px, + @{bin}/find ix, + @{bin}/rm ix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells new file mode 100644 index 000000000..46b6699c8 --- /dev/null +++ b/apparmor.d/profiles-s-z/update-shells @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/update-shells +profile update-shells @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/chmod ix, + @{bin}/chown ix, + @{bin}/dirname ix, + @{bin}/dpkg-realpath ix, + @{bin}/mv ix, + @{bin}/sync ix, + + /usr/share/debianutils/shells r, + /usr/share/debianutils/shells.d/{,**} r, + + /etc/shells r, + /etc/shells.tmp w, + + /var/lib/shells.state r, + /var/lib/shells.state.tmp w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e88409583..9d0857ad3 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -380,8 +380,11 @@ udev-probe-bcache complain udisksctl complain udisksd attach_disconnected,complain ufw complain +update-catalog complain update-grub complain +update-info-dir complain update-secureboot-policy complain +update-shells complain userdbctl complain utempter attach_disconnected,complain veracrypt complain From a7807408b616c6b7fb51e064887415e83d18ffd7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:25:46 +0200 Subject: [PATCH 147/798] feat(profile): update some update-* profiles. --- apparmor.d/groups/freedesktop/update-mime-database | 2 +- apparmor.d/profiles-s-z/update-ca-certificates | 1 + apparmor.d/profiles-s-z/update-dlocatedb | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database index 6f6b39700..9efd9cccc 100644 --- a/apparmor.d/groups/freedesktop/update-mime-database +++ b/apparmor.d/groups/freedesktop/update-mime-database @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/update-mime-database +@{exec_path} = @{bin}/update-mime-database profile update-mime-database @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index 4bc88faae..df9c08fe4 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -33,6 +33,7 @@ profile update-ca-certificates @{exec_path} { @{bin}/test rix, @{bin}/trust rix, @{bin}/wc rix, + @{bin}/run-parts rix, @{lib}/ca-certificates/update.d/ r, @{lib}/ca-certificates/update.d/* rix, diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index 2afe8a22f..e9d92e421 100644 --- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb @@ -26,7 +26,7 @@ profile update-dlocatedb @{exec_path} { /usr/share/dlocate/updatedb rCx -> updatedb, @{bin}/dpkg rPx -> child-dpkg, - owner @{PROC}/@{pid}/fd/2 w, + owner @{PROC}/@{pid}/fd/@{int} w, /var/lib/dlocate/dpkg-list w, From 774106b7e5cd7952850a6a63c49375997c9d4a79 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:28:08 +0200 Subject: [PATCH 148/798] feat(profile): update some systemd profiles. --- apparmor.d/groups/systemd/bootctl | 22 +++++++++---------- .../groups/systemd/systemd-generator-sysv | 3 ++- apparmor.d/groups/systemd/systemd-localed | 2 +- apparmor.d/groups/systemd/systemd-logind | 7 ++---- .../groups/systemd/systemd-network-generator | 2 +- apparmor.d/groups/systemd/systemd-networkd | 9 +++++++- apparmor.d/groups/systemd/systemd-remount-fs | 3 +-- apparmor.d/groups/systemd/systemd-timedated | 2 +- 8 files changed, 27 insertions(+), 23 deletions(-) diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 12fcceaea..9508cfcf2 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -25,17 +25,17 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, - /{boot,efi}/ r, - /{boot,efi}/EFI/{,**} r, - /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, - /{boot,efi}/EFI/BOOT/BOOTX64.EFI w, - /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, - /{boot,efi}/EFI/systemd/systemd-boot*.efi w, - /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw, - /{boot,efi}/loader/.#entries.srel* w, - /{boot,efi}/loader/{,**} r, - /{boot,efi}/loader/entries.srel w, - /{boot,efi}/loader/random-seed w, + @{efi}/ r, + @{efi}/EFI/{,**} r, + @{efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, + @{efi}/EFI/BOOT/BOOTX64.EFI w, + @{efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, + @{efi}/EFI/systemd/systemd-boot*.efi w, + @{efi}/loader/.#bootctlrandom-seed@{hex} rw, + @{efi}/loader/.#entries.srel* w, + @{efi}/loader/{,**} r, + @{efi}/loader/entries.srel w, + @{efi}/loader/random-seed w, /etc/kernel/entry-token r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/systemd-generator-sysv b/apparmor.d/groups/systemd/systemd-generator-sysv index 4feb65d51..fc290fca4 100644 --- a/apparmor.d/groups/systemd/systemd-generator-sysv +++ b/apparmor.d/groups/systemd/systemd-generator-sysv @@ -17,9 +17,10 @@ profile systemd-generator-sysv @{exec_path} flags=(attach_disconnected) { /etc/init.d/{,**} r, /etc/rc@{int}.d/{,**} r, - @{run}/systemd/generator.late/* w, + @{run}/systemd/generator.late/** w, @{PROC}/@{pid}/cgroup r, + @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 205d8a55f..3befcd92a 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -14,7 +14,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { include include - unix (bind) type=stream addr=@@{udbus}/bus/systemd-localed/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index a56e16298..39192e7e1 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -12,11 +12,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { include include include + include include include include include - include capability chown, capability dac_override, @@ -50,8 +50,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /etc/systemd/sleep.conf.d/{,**} r, / r, - /boot/{,**} r, - /efi/{,**} r, + @{efi}/{,**} r, /swap.img r, /swap/swapfile r, /swapfile r, @@ -140,8 +139,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, - /dev/tty@{int} rw, - owner @{att}/dev/tty@{int} rw, owner /dev/shm/{,**/} rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator index e22d89629..ceebbc5c2 100644 --- a/apparmor.d/groups/systemd/systemd-network-generator +++ b/apparmor.d/groups/systemd/systemd-network-generator @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-network-generator -profile systemd-network-generator @{exec_path} { +profile systemd-network-generator @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index ca5450826..3d6c3a4b7 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -31,6 +31,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network, + signal receive set=usr2 peer=@{p_systemd}, + #aa:dbus own bus=system name=org.freedesktop.network1 dbus send bus=system path=/org/freedesktop/hostname1 @@ -47,14 +49,18 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/systemd/networkd.conf r, + /etc/systemd/network.conf r, /etc/systemd/network/{,**} r, + /etc/systemd/networkd.conf r, + /etc/systemd/networkd.conf.d/{,**} r, /etc/networkd-dispatcher/carrier.d/{,*} r, @{att}/ r, @{att}/@{run}/systemd/notify rw, + @{run}/mount/utab r, + owner @{att}/var/lib/systemd/network/ r, @{run}/systemd/network/ r, @@ -75,6 +81,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/pressure/* r, @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 750f7e18b..96b182e5f 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -28,8 +28,7 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { @{run}/host/container-manager r, @{run}/mount/utab rw, - @{run}/mount/utab.@{rand6} rw, - @{run}/mount/utab.lock rwk, + @{run}/mount/utab.* rwk, @{sys}/devices/virtual/block/dm-@{int}/dm/name r, diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index e070afe4e..ffed031b5 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { capability sys_time, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-timedat/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-timedat/system, #aa:dbus own bus=system name=org.freedesktop.timedate1 From 30bbd6d56a7d673b25212727a05e52d818e9a7e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 01:39:00 +0200 Subject: [PATCH 149/798] feat(profile): cron: cleanup direct exec. --- apparmor.d/groups/cron/cron | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index c92441568..778dd2be8 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -38,9 +38,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not # using the run-parts profile we are good - @{lib}/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx, - @{lib}/sysstat/debian-sa1 rPUx, - /usr/share/rsync/scripts/rrsync rPUx, + @{lib}/sysstat/debian-sa1 rPx, /etc/cron.d/{,*} r, /etc/crontab r, From 8546533ad1ec34df6e709f0ed1ff510af24e5c62 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 14:28:35 +0200 Subject: [PATCH 150/798] fix(build): flag generation. --- dists/flags/main.flags | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 9d0857ad3..c0af4fc77 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -193,7 +193,7 @@ kde-systemd-start-condition complain kded complain kdump_mem_estimator complain kdump-config complain -kdump-tools-init complain,attach_disconnected +kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain kernel-postinst-kdump complain From 813758a1e0e58035ba568837623ba4c289db9bec Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:07:27 +0200 Subject: [PATCH 151/798] feat(profile): add debconf-escape, update dpkg-scripts. --- apparmor.d/groups/apt/debconf-escape | 19 +++++++++++++++++++ apparmor.d/groups/apt/dpkg-scripts | 15 ++++++++++++++- dists/flags/main.flags | 1 + 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/apt/debconf-escape diff --git a/apparmor.d/groups/apt/debconf-escape b/apparmor.d/groups/apt/debconf-escape new file mode 100644 index 000000000..c64401bb0 --- /dev/null +++ b/apparmor.d/groups/apt/debconf-escape @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/debconf-escape +profile debconf-escape @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index f1c56bd49..e18ab78de 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -26,11 +26,12 @@ profile dpkg-scripts @{exec_path} { @{coreutils_path} rix, @{bin}/run-parts rix, - @{bin}/setpriv ix, @{bin}/envsubst ix, + @{bin}/file ix, @{bin}/getent ix, @{bin}/gzip ix, @{bin}/helpztags ix, + @{bin}/setpriv ix, @{bin}/tput ix, @{bin}/zcat ix, @{lib}/ubuntu-advantage/cloud-id-shim.sh ix, @@ -97,6 +98,18 @@ profile dpkg-scripts @{exec_path} { capability sys_ptrace, capability sys_resource, + @{bin}/systemd-tty-ask-password-agent Px, + @{pager_path} Px -> child-pager, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + @{run}/utmp rk, include if exists diff --git a/dists/flags/main.flags b/dists/flags/main.flags index c0af4fc77..6c29eba15 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -77,6 +77,7 @@ cupsd attach_disconnected,complain ddcutil complain deb-systemd-helper complain deb-systemd-invoke complain +debconf-escape complain decibels complain dino attach_disconnected,complain discord complain From 7361c21c401bfa0cf0c3eb3cb0bbcb9b534b7501 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:14:56 +0200 Subject: [PATCH 152/798] feat(profile): add mdadm-mkconf. --- apparmor.d/profiles-m-r/mdadm-mkconf | 30 ++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 31 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mdadm-mkconf diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf new file mode 100644 index 000000000..8139ac68e --- /dev/null +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/mdadm/mkconf +profile mdadm-mkconf @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/date ix, + @{bin}/cat ix, + @{bin}/sed ix, + @{sbin}/mdadm Px, + + /etc/default/mdadm r, + + / r, + + /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6c29eba15..e27c76bc2 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -237,6 +237,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain +mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain From b1435dd4914e3828de737e5ba5817ca2ddef8add Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 15:17:38 +0200 Subject: [PATCH 153/798] feat(profile): ubuntu: update upgrade process. --- .../groups/ubuntu/package-data-downloader | 2 ++ apparmor.d/groups/ubuntu/ubuntu-report | 2 +- .../groups/ubuntu/update-notifier-crash | 20 +++++++++++++++++++ 3 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/ubuntu/update-notifier-crash diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index c193bbe0c..37f7f72a5 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -14,6 +14,8 @@ profile package-data-downloader @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, /var/lib/update-notifier/package-data-downloads/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 19273f449..65fa3eaa0 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -21,7 +21,7 @@ profile ubuntu-report @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, - owner @{user_cache_dirs}/ubuntu-report/{,*} r, + owner @{user_cache_dirs}/ubuntu-report/{,*} rw, include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash new file mode 100644 index 000000000..b3cbf7f07 --- /dev/null +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/update-notifier/update-notifier-crash +profile update-notifier-crash @{exec_path} { + include + + @{exec_path} mr, + + /usr/share/apport/apport-checkreports Px, + + include if exists +} + +# vim:syntax=apparmor From ca5b4c99bac08f2cf53aa5433d086228dfa40ed2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 16:40:29 +0200 Subject: [PATCH 154/798] ci: disable compatibility check with userspace tools. --- .github/workflows/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4593fe78c..229aad415 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -57,11 +57,6 @@ jobs: sudo systemctl restart apparmor.service || true sudo journalctl -xeu apparmor.service - - name: Ensure compatibility with some AppArmor userspace tools - if: matrix.os != 'ubuntu-24.04' - run: | - sudo aa-enforce /etc/apparmor.d/aa-notify - - name: Show AppArmor log and rules run: | sudo aa-log From 931c20708905fd5b48f07aa492749fe178e152eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 18:24:34 +0200 Subject: [PATCH 155/798] feat(profile): simplify needrestart & fix pam-auth-update. --- apparmor.d/profiles-m-r/needrestart | 19 +------------------ apparmor.d/profiles-m-r/pam-auth-update | 2 +- 2 files changed, 2 insertions(+), 19 deletions(-) diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 13838902e..9b731fd64 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -9,11 +9,8 @@ include @{exec_path} = @{sbin}/needrestart profile needrestart @{exec_path} flags=(attach_disconnected) { include - include - include - include + include include - include capability checkpoint_restore, capability dac_read_search, @@ -27,18 +24,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/sed rix, - @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, - @{bin}/who rix, @{lib}/needrestart/* rPx, @{python_path} rix, @{sbin}/unix_chkpwd rPx, - /usr/share/debconf/frontend rCx -> debconf, - /etc/needrestart/hook.d/* rPx, /etc/needrestart/notify.d/* rPx, /etc/needrestart/restart.d/* rPx, @@ -96,15 +88,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { include if exists } - profile debconf { - include - include - - @{sbin}/needrestart Px, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index aff011389..5e0cbaaf4 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -12,7 +12,7 @@ profile pam-auth-update @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mrix, @{bin}/md5sum ix, @{bin}/cp ix, From d575812e2906331f77dfcb7e41da44d2afa273c2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 18:27:30 +0200 Subject: [PATCH 156/798] fix(profile): snapd journalctl subprofile. --- apparmor.d/groups/snap/snapd | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index c1b24176e..b65283987 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -204,6 +204,7 @@ profile snapd @{exec_path} { include capability net_admin, + capability sys_resource, network netlink raw, @@ -215,6 +216,8 @@ profile snapd @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/{,*} r, + @{run}/systemd/notify w, + include if exists } From acc35c3bd7f2dc31a0de043a660156c1f3aa9e8e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 18:28:56 +0200 Subject: [PATCH 157/798] ci: show files installed in sbin. --- .github/workflows/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 229aad415..8d738eac7 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -128,6 +128,7 @@ jobs: - name: Install integration dependencies run: | bash tests/requirements.sh + find /usr/sbin/ -type f - name: Run the integration tests run: | From ead321e07e09b381313f0beeba67403f57b9827d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 23:47:44 +0200 Subject: [PATCH 158/798] feat(profile): improve the upgrade stack. --- apparmor.d/groups/cron/cron | 18 ++++++------------ apparmor.d/groups/snap/snapd | 2 +- apparmor.d/profiles-m-r/needrestart | 8 ++++---- apparmor.d/profiles-m-r/needrestart-hook | 2 +- apparmor.d/profiles-m-r/needrestart-notify | 9 ++++++--- apparmor.d/profiles-m-r/needrestart-restart | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 2 ++ 7 files changed, 21 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 778dd2be8..eba78ac82 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -25,20 +25,14 @@ profile cron @{exec_path} flags=(attach_disconnected) { network netlink raw, - ptrace (read) peer=unconfined, - - unix bind type=stream addr=@@{udbus}/bus/cron/system, - @{exec_path} mr, - @{sh_path} rix, - @{bin}/nice rix, - @{bin}/ionice rix, - @{bin}/exim4 rPx, - @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not - # using the run-parts profile we are good - - @{lib}/sysstat/debian-sa1 rPx, + @{sh_path} rix, + @{bin}/exim4 rPx, + @{bin}/ionice rix, + @{bin}/nice rix, + @{bin}/run-parts rCx -> run-parts, + @{lib}/sysstat/debian-sa1 rPx, /etc/cron.d/{,*} r, /etc/crontab r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index b65283987..0eb3adb8c 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -50,7 +50,7 @@ profile snapd @{exec_path} { ptrace read peer=@{p_systemd}, ptrace read peer=snap{,.*}, - signal send set=kill peer=journalctl, + signal send set=kill peer=snapd//journalctl, dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 9b731fd64..f9e2c6ebc 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -14,7 +14,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { capability checkpoint_restore, capability dac_read_search, - capability kill, capability sys_ptrace, ptrace read, @@ -27,13 +26,14 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, + @{bin}/who rPx, @{lib}/needrestart/* rPx, @{python_path} rix, @{sbin}/unix_chkpwd rPx, - /etc/needrestart/hook.d/* rPx, - /etc/needrestart/notify.d/* rPx, - /etc/needrestart/restart.d/* rPx, + @{etc_ro}/needrestart/hook.d/* rPx, + @{etc_ro}/needrestart/notify.d/* rPx, + @{etc_ro}/needrestart/restart.d/* rPx, /etc/init.d/* r, /etc/needrestart/{,**} r, diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook index fa77834e8..c8c9a12c4 100644 --- a/apparmor.d/profiles-m-r/needrestart-hook +++ b/apparmor.d/profiles-m-r/needrestart-hook @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /etc/needrestart/hook.d/* +@{exec_path} = @{etc_ro}/needrestart/hook.d/* profile needrestart-hook @{exec_path} { include include diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify index dc4a30c69..41fa96c4c 100644 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /etc/needrestart/notify.d/* +@{exec_path} = @{etc_ro}/needrestart/notify.d/* profile needrestart-notify @{exec_path} { include @@ -18,8 +18,11 @@ profile needrestart-notify @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/gettext.sh r, - @{bin}/sed ix, + @{bin}/fold ix, + @{bin}/gettext.sh r, + @{bin}/mail Px, + @{bin}/notify-send Px, + @{bin}/sed ix, /etc/needrestart/notify.conf r, diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart index 2fc79b70c..b9e648602 100644 --- a/apparmor.d/profiles-m-r/needrestart-restart +++ b/apparmor.d/profiles-m-r/needrestart-restart @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /etc/needrestart/restart.d/* +@{exec_path} = @{etc_ro}/needrestart/restart.d/* profile needrestart-restart @{exec_path} { include diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 5e0cbaaf4..90cc6a4ba 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -20,7 +20,9 @@ profile pam-auth-update @{exec_path} flags=(complain) { /usr/share/pam{,-configs}/{,*} r, /etc/pam.d/* rw, + /etc/shadow r, + /var/lib/dpkg/info/libpam-runtime.templates r, /var/lib/pam/* rw, include if exists From a8ab6da6f38f659d338c2eb6dee812d45b8cc41b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 25 May 2025 23:53:40 +0200 Subject: [PATCH 159/798] feat(profile): add runit-helper. --- apparmor.d/profiles-m-r/runit-helper | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 apparmor.d/profiles-m-r/runit-helper diff --git a/apparmor.d/profiles-m-r/runit-helper b/apparmor.d/profiles-m-r/runit-helper new file mode 100644 index 000000000..94b3816c9 --- /dev/null +++ b/apparmor.d/profiles-m-r/runit-helper @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/runit-helper/runit-helper +profile runit-helper @{exec_path} { + include + + @{exec_path} mr, + + @{bin}/mkdir rix, + + @{run}/runit/ rw, + @{run}/runit/supervise/ w, + + include if exists +} + +# vim:syntax=apparmor From e83a9a60dc146dd78c92e6d7b10e88beeaf1ab0b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 00:18:01 +0200 Subject: [PATCH 160/798] feat(profile): finalize upgrade process. --- apparmor.d/groups/apt/dpkg-preconfigure | 1 - apparmor.d/groups/apt/dpkg-scripts | 16 ++++++++-------- apparmor.d/groups/browsers/firefox | 2 +- apparmor.d/groups/snap/snap | 5 +++-- apparmor.d/groups/snap/snapd | 2 ++ apparmor.d/profiles-s-z/which | 2 +- apparmor.d/profiles-s-z/whiptail | 6 ++---- 7 files changed, 17 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 4dbfae0a8..716cd1dc8 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -30,7 +30,6 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/head ix, @{bin}/locale ix, @{bin}/readlink ix, - @{bin}/readlink ix, @{bin}/realpath ix, @{bin}/sed ix, @{bin}/sort ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index e18ab78de..4fb4d04c4 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -47,11 +47,11 @@ profile dpkg-scripts @{exec_path} { @{sbin}/update-rc.d Cx -> rc, # Maintainer scripts can legitimately start/restart anything - @{bin}/** Px, - @{sbin}/** Px, - @{lib}/** Px, - /usr/share/** Px, - /etc/init.d/* Px, + @{bin}/** PUx, + @{sbin}/** PUx, + @{lib}/** PUx, + /usr/share/** PUx, + /etc/init.d/* PUx, # Maintainer's scripts can update a lot of files / r, @@ -76,9 +76,9 @@ profile dpkg-scripts @{exec_path} { include dbus send bus=system path=/ - interface=org.freedesktop.DBus - member=ReloadConfig - peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), include if exists } diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 7d1be8442..a561954a3 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -39,7 +39,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{bin}/plasma-browser-integration-host rPx, @{bin}/speech-dispatcher rPx, - @{sbin}/update-mime-database rPx, + @{bin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, @{lib}/mozilla/kmozillahelper rPUx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 8549d8315..562f49dca 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -85,8 +85,9 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/kernel/security/apparmor/features/{,**} r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/cgroups r, @{PROC}/cmdline r, @{PROC}/sys/kernel/random/uuid r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 0eb3adb8c..0481af5de 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -208,6 +208,8 @@ profile snapd @{exec_path} { network netlink raw, + signal receive set=kill peer=snapd, + @{bin}/journalctl mr, /etc/machine-id r, diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index cc95a17f9..df049741f 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/which{.debianutils,} +@{exec_path} = @{bin}/which{,.debianutils} profile which @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index a7b98ebee..f0efad77b 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/whiptail -profile whiptail @{exec_path} flags=(complain) { +profile whiptail @{exec_path} { include include @@ -16,9 +16,7 @@ profile whiptail @{exec_path} flags=(complain) { @{exec_path} mr, - /etc/newt/palette.* r, - - owner @{tmp}/gpm* w, + /usr/share/terminfo/** r, include if exists } From d9430c68c190f26cca9a2291c74b4f9bba4617c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 00:55:48 +0200 Subject: [PATCH 161/798] build: improve error message in the stack direcive. --- pkg/prebuild/directive/stack.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index f80689827..a43849228 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go @@ -55,7 +55,10 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { res := "" for name := range opt.ArgMap { - stackedProfile := prebuild.RootApparmord.Join(name).MustReadFileAsString() + stackedProfile, err := prebuild.RootApparmord.Join(name).ReadFileAsString() + if err != nil { + return "", fmt.Errorf("%s need to stack: %w", name, err) + } m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { return "", fmt.Errorf("no profile found in %s", name) From 780ca65953a726133f412e61020e749ca99d0850 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 00:57:37 +0200 Subject: [PATCH 162/798] build(fsp): set stacked variables. --- pkg/prebuild/prepare/fsp.go | 77 ++++++++++++++++++++++++++++--------- 1 file changed, 59 insertions(+), 18 deletions(-) diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index 0d4c23076..f8d3cb17f 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go @@ -5,11 +5,60 @@ package prepare import ( - "strings" + "regexp" "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/util" +) + +var ( + tunables = map[string]string{ + // Set systemd profiles name + "sd": "sd", + "sdu": "sdu", + "systemd_user": "systemd-user", + "systemd": "systemd", + + // With FSP on apparmor 4.1+, the dbus profiles don't get stacked as they + "dbus_system": "dbus-system", + "dbus_session": "dbus-session", + + // Update name of stacked profiles + "apt_news": "", + "colord": "", + "e2scrub_all": "", + "e2scrub": "", + "fprintd": "", + "fwupd": "", + "fwupdmgr": "", + "geoclue": "", + "irqbalance": "", + "logrotate": "", + "ModemManager": "", + "nm_priv_helper": "", + "pcscd": "", + "polkitd": "", + "power_profiles_daemon": "", + "rsyslogd": "", + "systemd_coredump": "", + "systemd_homed": "", + "systemd_hostnamed": "", + "systemd_importd": "", + "systemd_initctl": "", + "systemd_journal_remote": "", + "systemd_journald": "", + "systemd_localed": "", + "systemd_logind": "", + "systemd_machined": "", + "systemd_networkd": "", + "systemd_oomd": "", + "systemd_resolved": "", + "systemd_rfkill": "", + "systemd_timedated": "", + "systemd_timesyncd": "", + "systemd_userdbd": "", + "upowerd": "", + } ) type FullSystemPolicy struct { @@ -33,28 +82,20 @@ func (p FullSystemPolicy) Apply() ([]string, error) { return res, err } - // Set systemd profile name + // Set profile name for FSP path := prebuild.RootApparmord.Join("tunables/multiarch.d/profiles") out, err := path.ReadFileAsString() if err != nil { return res, err } - out = strings.ReplaceAll(out, "@{p_systemd}=unconfined", "@{p_systemd}=systemd") - out = strings.ReplaceAll(out, "@{p_systemd_executor}=unconfined", "@{p_systemd_executor}=systemd-executor") - out = strings.ReplaceAll(out, "@{p_systemd_user}=unconfined", "@{p_systemd_user}=systemd-user") - out = strings.ReplaceAll(out, "@{p_systemd_user_executor}=unconfined", "@{p_systemd_user_executor}=systemd-user-executor") - if err := path.WriteFile([]byte(out)); err != nil { - return res, err - } - - // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution - path = prebuild.RootApparmord.Join("abstractions/gstreamer") - out, err = path.ReadFileAsString() - if err != nil { - return res, err + for varname, profile := range tunables { + pattern := regexp.MustCompile(`(@\{p_` + varname + `}=)([^\s]+)`) + if profile == "" { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}={$2,sd//&$2,$2//&sd}`) + } else { + out = pattern.ReplaceAllString(out, `@{p_`+varname+`}=`+profile) + } } - regFixConflictX := util.ToRegexRepl([]string{`.*gst-plugin-scanner.*`, ``}) - out = regFixConflictX.Replace(out) if err := path.WriteFile([]byte(out)); err != nil { return res, err } From c07c5838e4855d97bf98f65496c302bbd305e71c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:00:08 +0200 Subject: [PATCH 163/798] build: add RBAC filter to the only/exclude directive. --- pkg/prebuild/cli/cli.go | 1 + pkg/prebuild/directive/filter.go | 4 ++++ pkg/prebuild/directories.go | 3 +++ 3 files changed, 8 insertions(+) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 779cd5c0c..51636f848 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -80,6 +80,7 @@ func Configure() { if full && paths.New("apparmor.d/groups/_full").Exist() { prepare.Register("fsp") builder.Register("fsp") + prebuild.RBAC = true } else if prebuild.SystemdDir.Exist() { prepare.Register("systemd-early") } diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index a6513f37e..b6ec56816 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -39,6 +39,10 @@ func init() { } func filterRuleForUs(opt *Option) bool { + if prebuild.RBAC && slices.Contains(opt.ArgList, "RBAC") { + return true + } + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index d5d5a7266..37cbc69bc 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -13,6 +13,9 @@ var ( // AppArmor version Version = 4.0 + // Either or not RBAC is enabled + RBAC = false + // Pkgname is the name of the package Pkgname = "apparmor.d" From f717ea7383ea32abde752af3a88dd1bf87709a25 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:01:08 +0200 Subject: [PATCH 164/798] feat(aa): add a mount flag. --- pkg/aa/mount.go | 2 +- pkg/aa/util.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index bbf66b577..72719414d 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -29,7 +29,7 @@ func init() { "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand", - "norelatime", "nosuid", "nouser", "private", "rbind", "relatime", + "norelatime", "nosuid", "nosymfollow", "nouser", "private", "rbind", "relatime", "remount", "rprivate", "rshared", "rslave", "runbindable", "shared", "silent", "slave", "strictatime", "suid", "sync", "unbindable", "user", "verbose", diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 485478fef..5a7049d69 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -182,7 +182,7 @@ func toValues(kind Kind, key string, input string) ([]string, error) { continue } if !slices.Contains(req, res[idx]) { - return nil, fmt.Errorf("unrecognized %s: %s", key, res[idx]) + return nil, fmt.Errorf("unrecognized %s for rule %s: %s", key, kind, res[idx]) } } slices.SortFunc(res, func(i, j string) int { From 04b6cade644c0adfdb4b0a9bdc4f71bff78bc8ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:17:14 +0200 Subject: [PATCH 165/798] feat(profile): use profile variable in rules such as in dbus, ptrace, unix... --- apparmor.d/abstractions/app/sudo | 4 ++-- apparmor.d/abstractions/base.d/complete | 2 +- .../abstractions/bus/net.hadess.PowerProfiles | 2 +- .../abstractions/bus/net.reactivated.Fprint | 6 +++--- apparmor.d/abstractions/bus/org.a11y | 10 +++++----- apparmor.d/abstractions/bus/org.bluez | 14 +++++++------- .../abstractions/bus/org.freedesktop.Accounts | 10 +++++----- .../abstractions/bus/org.freedesktop.Avahi | 10 +++++----- .../bus/org.freedesktop.ColorManager | 8 ++++---- .../abstractions/bus/org.freedesktop.GeoClue2 | 10 +++++----- .../bus/org.freedesktop.ModemManager1 | 6 +++--- .../abstractions/bus/org.freedesktop.PolicyKit1 | 8 ++++---- .../bus/org.freedesktop.RealtimeKit1 | 6 +++--- .../abstractions/bus/org.freedesktop.UPower | 8 ++++---- .../bus/org.freedesktop.UPower.PowerProfiles | 2 +- .../abstractions/bus/org.freedesktop.hostname1 | 2 +- .../abstractions/bus/org.freedesktop.locale1 | 2 +- .../abstractions/bus/org.freedesktop.login1 | 8 ++++---- .../bus/org.freedesktop.login1.Session | 8 ++++---- .../abstractions/bus/org.freedesktop.network1 | 2 +- .../abstractions/bus/org.freedesktop.resolve1 | 4 ++-- .../abstractions/bus/org.freedesktop.timedate1 | 2 +- .../abstractions/bus/org.gnome.ArchiveManager1 | 4 ++-- apparmor.d/abstractions/mapping/login | 2 +- apparmor.d/abstractions/mapping/sshd | 4 ++-- apparmor.d/groups/avahi/avahi-browse | 2 +- apparmor.d/groups/avahi/avahi-resolve | 4 ++-- apparmor.d/groups/bluetooth/bluetoothctl | 2 +- apparmor.d/groups/bluetooth/obexd | 2 +- apparmor.d/groups/bus/ibus-dconf | 1 + apparmor.d/groups/cups/cups-browsed | 2 +- apparmor.d/groups/filesystem/udisksd | 4 ++-- apparmor.d/groups/flatpak/flatpak | 4 ++-- apparmor.d/groups/freedesktop/pulseaudio | 6 +++--- apparmor.d/groups/freedesktop/upower | 2 +- apparmor.d/groups/freedesktop/xorg | 2 +- apparmor.d/groups/gnome/gdm | 4 ++-- apparmor.d/groups/gnome/gdm-session-worker | 6 +++--- apparmor.d/groups/gnome/gnome-calendar | 2 +- apparmor.d/groups/gnome/gnome-control-center | 16 ++++++++-------- apparmor.d/groups/gnome/gnome-firmware | 4 ++-- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-shell | 12 ++++++------ apparmor.d/groups/gnome/gsd-color | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 8 ++++---- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 7 +------ apparmor.d/groups/gnome/loupe | 5 +++++ apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/network/NetworkManager | 6 +++--- apparmor.d/groups/network/networkd-dispatcher | 2 +- apparmor.d/groups/polkit/polkit-agent-helper | 4 ++-- apparmor.d/groups/snap/snapd | 2 +- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/systemd/homectl | 2 +- apparmor.d/groups/systemd/hostnamectl | 2 +- apparmor.d/groups/systemd/localectl | 2 +- apparmor.d/groups/systemd/loginctl | 2 +- apparmor.d/groups/systemd/networkctl | 2 +- apparmor.d/groups/systemd/resolvectl | 2 +- apparmor.d/groups/systemd/systemd-inhibit | 2 +- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-timesyncd | 2 +- .../systemd/systemd-tty-ask-password-agent | 2 +- apparmor.d/groups/utils/chsh | 2 +- apparmor.d/groups/utils/login | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-a-f/fwupdmgr | 2 +- apparmor.d/profiles-m-r/qemu-ga | 2 +- apparmor.d/tunables/multiarch.d/profiles | 6 +++--- 72 files changed, 152 insertions(+), 151 deletions(-) diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 333cbddbd..1286b1571 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -24,8 +24,8 @@ network netlink raw, # PAM - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus (send receive) bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd.Manager diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 230e0c9d5..06b413342 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -18,7 +18,7 @@ signal (receive) set=(term,kill) peer=openbox, signal (receive) set=(term,kill) peer=su, - ptrace (readby) peer=systemd-coredump, + ptrace (readby) peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index 63f224c42..7e7560992 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon + #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}" include if exists diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index 2f3660082..0241fc889 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=net.reactivated.Fprint label=fprintd + #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}" dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name="@{busname}", label=fprintd), + peer=(name="@{busname}", label="@{p_fprintd}"), dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager @@ -19,7 +19,7 @@ dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name=net.reactivated.Fprint, label=fprintd), + peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 018109a62..ef0e15707 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -9,27 +9,27 @@ dbus receive bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=EventListenerDeregistered - peer=(name="@{busname}", label=at-spi2-registryd), + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller interface=org.a11y.atspi.DeviceEventController member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set - peer=(name="@{busname}", label=at-spi2-registryd), + peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket member=Embed - peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd), + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), # Session bus diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 296965691..201d3998c 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -4,37 +4,37 @@ abi , - #aa:dbus common bus=system name=org.bluez label=bluetoothd + #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}" dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{@{busname},org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.AgentManager@{int} member={RegisterAgent,RequestDefaultAgent,UnregisterAgent} - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez interface=org.bluez.ProfileManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.BatteryProviderManager@{int} member=RegisterProfile - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.Media@{int} member=RegisterApplication - peer=(name=org.bluez, label=bluetoothd), + peer=(name=org.bluez, label="@{p_bluetoothd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index 2ad151c45..d15288d46 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -4,27 +4,27 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={FindUserByName,ListCachedUsers} - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=UserAdded - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.DBus.Properties member=*Changed - peer=(name="@{busname}", label=accounts-daemon), + peer=(name="@{busname}", label="@{p_accounts_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index e3128f984..38e05f48c 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -4,27 +4,27 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.Avahi label=avahi-daemon + #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}" dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server member={GetAPIVersion,GetState,Service*New} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=Free - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member={ItemNew,AllForNow,CacheExhausted} - peer=(name="@{busname}", label=avahi-daemon), + peer=(name="@{busname}", label="@{p_avahi_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 27776b776..3a63d95dc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=GetDevices - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname}", label=colord), + peer=(name="@{busname}", label="@{p_colord}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index feaced7c3..9957c7b67 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -4,26 +4,26 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue + #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label=geoclue), + peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"), dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.GeoClue2.Manager member=AddAgent - peer=(name="@{busname}", label=geoclue), + peer=(name="@{busname}", label="@{p_geoclue}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 41e03f325..4f53ba497 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 @@ -4,17 +4,17 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label=ModemManager + #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=org.freedesktop.ModemManager1, label=ModemManager), + peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"), dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="@{busname}", label=ModemManager), + peer=(name="@{busname}", label="@{p_ModemManager}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index b770cdbb1..9dfab7481 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=Changed - peer=(name="@{busname}", label=polkitd), + peer=(name="@{busname}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1, label=polkitd), + peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization - peer=(name="@{busname}", label=polkitd), + peer=(name="@{busname}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index 0c6abbdbe..f66fdb20a 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 @@ -6,7 +6,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label=rtkit-daemon + #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}" dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get @@ -15,12 +15,12 @@ dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 member={MakeThreadHighPriority,MakeThreadRealtime} - peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID} - peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon), + peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index ec0a2b15b..69218b619 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties member=GetDisplayDevice - peer=(name=org.freedesktop.UPower, label=upowerd), + peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), dbus receive bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=DeviceAdded - peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles index 3d3980f81..45e88b103 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index e6182bead..0a8d86be1 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 index 511a44dd6..1348c8a39 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.locale1 label=systemd-localed + #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index 7f9fc5fb7..ad368ed98 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=PauseDeviceComplete - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index 23ec52c8e..f60c69301 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session @@ -4,22 +4,22 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name="@{busname}", label=systemd-logind), + peer=(name="@{busname}", label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), dbus receive bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={PauseDevice,Unlock} - peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1 index be11a7ceb..7583a3e9d 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.network1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.network1 label=systemd-networkd + #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index 8c7670382..e2c4b3886 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member={SetLink*,ResolveHostname} - peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved), + peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index 83f85c678..8f6118355 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -4,7 +4,7 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.timedate1 label=systemd-timedated + #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}" include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 index ce572e9cd..6bfa6114b 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label=file-roller + #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}" dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.gnome.ArchiveManager1 member=GetSupportedTypes - peer=(name="@{busname}", label=file-roller), + peer=(name="@{busname}", label="@{p_file_roller}"), include if exists diff --git a/apparmor.d/abstractions/mapping/login b/apparmor.d/abstractions/mapping/login index 54a8c1c7f..7ccc2d678 100644 --- a/apparmor.d/abstractions/mapping/login +++ b/apparmor.d/abstractions/mapping/login @@ -25,7 +25,7 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=ReleaseSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{etc_ro}/security/group.conf r, @{etc_ro}/security/limits.conf r, diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd index bb0064956..97f0b077e 100644 --- a/apparmor.d/abstractions/mapping/sshd +++ b/apparmor.d/abstractions/mapping/sshd @@ -28,7 +28,7 @@ network inet6 stream, network netlink raw, - signal receive set=exists peer=systemd-journald, + signal receive set=exists peer=@{p_systemd_journald}, signal receive set=hup peer=@{p_systemd}, unix bind type=stream addr=@@{udbus}/bus/sshd/system, @@ -36,7 +36,7 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), /etc/motd r, /etc/locale.conf r, diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 47c22d72d..3ac729baa 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -17,7 +17,7 @@ profile avahi-browse @{exec_path} { dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} interface=org.freedesktop.Avahi.ServiceTypeBrowser member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index ff2cae183..1a66b4726 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -17,12 +17,12 @@ profile avahi-resolve @{exec_path} { dbus send bus=system path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver member={Free,HostNameResolverNew} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/AddressResolver@{int} interface=org.freedesktop.Avahi.AddressResolver member={Failure,Found} - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bluetooth/bluetoothctl b/apparmor.d/groups/bluetooth/bluetoothctl index e408b94b9..0b075581b 100644 --- a/apparmor.d/groups/bluetooth/bluetoothctl +++ b/apparmor.d/groups/bluetooth/bluetoothctl @@ -15,7 +15,7 @@ profile bluetoothctl @{exec_path} { network bluetooth raw, - #aa:dbus talk bus=system name=org.bluez label=bluetoothd + #aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}" @{exec_path} mr, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 3da9b4f5d..5c1a7633e 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -22,7 +22,7 @@ profile obexd @{exec_path} { dbus receive bus=system path=/org/bluez/obex/@{uuid} interface=org.bluez.Profile1 member=Release - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 6f66ec9b2..817d63175 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -15,6 +15,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include + signal receive set=kill peer=@{p_systemd_user}, signal receive set=term peer=ibus-daemon, dbus receive bus=session diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index f671ce6e9..78e7883cb 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -29,7 +29,7 @@ profile cups-browsed @{exec_path} { dbus receive bus=system path=/ interface=org.freedesktop.Avahi.Server member=StateChanged - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 7d4febb1f..1ff219bbe 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -65,8 +65,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { signal receive set=int peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.UDisks2 - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @{exec_path} mr, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c958bd2cd..52e9e32ef 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -41,8 +41,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" dbus send bus=session path=/org/freedesktop/portal/documents interface=org.freedesktop.portal.Documents diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 804020b7b..fab642571 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -50,12 +50,12 @@ profile pulseaudio @{exec_path} { dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} interface=org.freedesktop.Avahi.ServiceResolver member=Found - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member=ItemRemove - peer=(name=:*, label=avahi-daemon), + peer=(name=:*, label="@{p_avahi_daemon}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager @@ -65,7 +65,7 @@ profile pulseaudio @{exec_path} { dbus send bus=system path=/Client@{int}/ServiceResolver@{int} interface=org.freedesktop.Avahi.ServiceResolver member={Found,Free} - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 931b47509..0f6f9abeb 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,7 +13,7 @@ profile upower @{exec_path} { include include - #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd + #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}" @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 00e277f1f..12c82aea3 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -48,7 +48,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member=ReleaseControl - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index e35d165a2..435d055fa 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -34,8 +34,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.gnome.DisplayManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 1a05892b6..a5dac16fa 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -49,13 +49,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system, - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon - #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={*Session,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index c81e591cf..235c0ce9e 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -32,7 +32,7 @@ profile gnome-calendar @{exec_path} { #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1f0b6239e..1007d55e2 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -45,18 +45,18 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control - #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label=fprintd - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd - #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware index af44afbec..706c16e87 100644 --- a/apparmor.d/groups/gnome/gnome-firmware +++ b/apparmor.d/groups/gnome/gnome-firmware @@ -20,8 +20,8 @@ profile gnome-firmware @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index c62175c85..37b3b7892 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -33,7 +33,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 027a1ab96..dc9b6812e 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -32,7 +32,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index bfd695959..6c781e204 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -83,11 +83,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { # Talk with gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding @@ -103,11 +103,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=RegisterAuthenticationAgent - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent interface=org.freedesktop.PolicyKit1.AuthenticationAgent member=BeginAuthentication - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager interface=org.freedesktop.NetworkManager.AgentManager diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 92cf3fa0a..2fe22305b 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -28,7 +28,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color - #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 9dec92df4..b8da39a4d 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -24,10 +24,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Housekeeping - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Subscribe + peer=(name=org.freedesktop.systemd1), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 1ae8e2ada..2a2ea034f 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -38,7 +38,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=:*, label=systemd-logind), + peer=(name=:*, label="@{p_systemd_logind}"), dbus send bus=session path=/ interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 0d09a0e9c..a330b76ce 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -43,7 +43,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=:*, label=upowerd), + peer=(name=:*, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index e5489c2b4..4fece3366 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -36,12 +36,7 @@ profile gsd-xsettings @{exec_path} { dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources - peer=(name=:*, label=accounts-daemon), - - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=GetId - peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + peer=(name=:*, label="@{p_accounts_daemon}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 4ee0d9268..6f783627e 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -21,6 +21,11 @@ profile loupe @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=@{p_systemd_hostnamed}), + @{exec_path} mr, @{bin}/bwrap rCx -> bwrap, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index b4111d6d0..396f256cc 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -58,7 +58,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-logind), + peer=(name=:*, label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 008b6bd31..85257c89d 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -46,7 +46,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher @@ -60,12 +60,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=bluetoothd), + peer=(name=:*, label="@{p_bluetoothd}"), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index f593db162..8b4d53b1c 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -16,7 +16,7 @@ profile networkd-dispatcher @{exec_path} { dbus receive bus=system path=/org/freedesktop/network1{,/link/*} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-networkd), + peer=(name=:*, label="@{p_systemd_networkd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index e663c299e..5799ced5b 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -35,12 +35,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2 - peer=(name=:*, label=polkitd), + peer=(name=:*, label="@{p_polkitd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 0481af5de..1add6c1c4 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -55,7 +55,7 @@ profile snapd @{exec_path} { dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager member={SetWallMessage,ScheduleShutdown} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index fe5a6f1cd..4b99aafd6 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -56,7 +56,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} - peer=(name=org.freedesktop.login1, label=systemd-logind), + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl index aaae97d64..3a78c531e 100644 --- a/apparmor.d/groups/systemd/homectl +++ b/apparmor.d/groups/systemd/homectl @@ -19,7 +19,7 @@ profile homectl @{exec_path} { signal send peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index dcbe9a46f..6b29e260d 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -15,7 +15,7 @@ profile hostnamectl @{exec_path} { capability net_admin, - #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed + #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index b49065fd7..f9a3625ef 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -16,7 +16,7 @@ profile localectl @{exec_path} { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.locale1 label=systemd-localed + #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index c65bb4edd..f516d16db 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -20,7 +20,7 @@ profile loginctl @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 0163f2258..5b4b3e6b5 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -26,7 +26,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system, - #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" dbus send bus=system path=/org/freedesktop/network1{,/**} interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 5c436f6c1..1ef3404d9 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -15,7 +15,7 @@ profile resolvectl @{exec_path} { signal send set=cont peer=child-pager, - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 2be38e6ba..ae475ff48 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -14,7 +14,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal receive set=term peer=packagekitd, + signal receive set=term peer=@{p_packagekitd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 3d6c3a4b7..df1e74048 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -42,7 +42,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=SetHostname - peer=(name=org.freedesktop.hostname1, label=systemd-hostnamed), + peer=(name=org.freedesktop.hostname1, label="@{p_systemd_hostnamed}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index b603b2411..2ac7f09fb 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -22,7 +22,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet6 stream, unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync, - unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none), + unix (send, receive) type=dgram addr=none peer=(label=@{p_sd}, addr=none), #aa:dbus own bus=system name=org.freedesktop.timesync1 diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index bbd4b7438..30d30b295 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -20,7 +20,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { signal receive set=(term cont winch) peer=*//systemctl, signal receive set=(term cont winch) peer=deb-systemd-invoke, signal receive set=(term cont winch) peer=default, - signal receive set=(term cont winch) peer=logrotate, + signal receive set=(term cont winch) peer=@{p_logrotate}, signal receive set=(term cont winch) peer=makepkg//sudo, signal receive set=(term cont winch) peer=role_*, signal receive set=(term cont winch) peer=rpm, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index 73f097a94..e3581be31 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -24,7 +24,7 @@ profile chsh @{exec_path} { network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 6968be40e..6227f4fc5 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -34,7 +34,7 @@ profile login @{exec_path} flags=(attach_disconnected) { ptrace read, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index b7b087309..e07c91f3d 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -30,7 +30,7 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label="@{p_gsd_media_keys}" #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 6dffac5a6..3c9b0a3a9 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -27,7 +27,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ + #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/ @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 7fa668a71..5173c50d8 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -34,7 +34,7 @@ profile qemu-ga @{exec_path} { unix type=stream addr=@@{udbus}/bus/shutdown/system, - #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" include if exists } diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index ec1eff79c..6868ae87a 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -8,10 +8,10 @@ # All variables that refer to a profile name should be prefixed with `p_` # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user` -@{p_systemd}=unconfined -@{p_systemd_executor}=unconfined +@{p_sd}=unconfined +@{p_sdu}=unconfined @{p_systemd_user}=unconfined -@{p_systemd_user_executor}=unconfined +@{p_systemd}=unconfined # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility From 217448d09a5259492a143f99808bc79213d75eaf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 01:18:11 +0200 Subject: [PATCH 166/798] doc: improve documentation on the use of some special abstraction. --- apparmor.d/abstractions/attached/base | 3 ++- apparmor.d/abstractions/attached/consoles | 3 ++- apparmor.d/abstractions/bus/own-accessibility | 3 ++- apparmor.d/abstractions/bus/own-session | 3 ++- apparmor.d/abstractions/bus/own-system | 3 ++- 5 files changed, 10 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 6a7486cf8..4c35d915d 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, it is automatically included in profiles when it is required. + # Do not use it manually, It automatically replaces the base abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. abi , diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles index dd2275a03..f306c2273 100644 --- a/apparmor.d/abstractions/attached/consoles +++ b/apparmor.d/abstractions/attached/consoles @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no - # Do not use it manually, it is automatically included in profiles when it is required. + # Do not use it manually, It automatically replaces the consoles abstraction in a + # profile with the attach_disconnected flag set and the re-attached path enabled. abi , diff --git a/apparmor.d/abstractions/bus/own-accessibility b/apparmor.d/abstractions/bus/own-accessibility index 94968258c..cd8e42e52 100644 --- a/apparmor.d/abstractions/bus/own-accessibility +++ b/apparmor.d/abstractions/bus/own-accessibility @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus diff --git a/apparmor.d/abstractions/bus/own-session b/apparmor.d/abstractions/bus/own-session index 8186f34cb..91515adb0 100644 --- a/apparmor.d/abstractions/bus/own-session +++ b/apparmor.d/abstractions/bus/own-session @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus diff --git a/apparmor.d/abstractions/bus/own-system b/apparmor.d/abstractions/bus/own-system index f2ee3219c..d48931f4f 100644 --- a/apparmor.d/abstractions/bus/own-system +++ b/apparmor.d/abstractions/bus/own-system @@ -3,7 +3,8 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Do not use it manually, it is automatically included in a profile when it is required. +# Do not use it manually, It is automatically included in a profile by the +# `aa:dbus own` directive. # Allow owning a name on DBus public bus From 4ffbf84a0094e6c51933070b27a5c58628ec2ea4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:20:37 +0200 Subject: [PATCH 167/798] feat(fsp): remove the default profiles. --- apparmor.d/groups/_full/bwrap | 56 ------------ apparmor.d/groups/_full/bwrap-app | 36 -------- apparmor.d/groups/_full/default | 122 --------------------------- apparmor.d/groups/_full/default-sudo | 42 --------- dists/flags/main.flags | 4 - 5 files changed, 260 deletions(-) delete mode 100644 apparmor.d/groups/_full/bwrap delete mode 100644 apparmor.d/groups/_full/bwrap-app delete mode 100644 apparmor.d/groups/_full/default delete mode 100644 apparmor.d/groups/_full/default-sudo diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap deleted file mode 100644 index 0a4b9efdf..000000000 --- a/apparmor.d/groups/_full/bwrap +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for bwrap. - -abi , - -include - -@{exec_path} = @{bin}/bwrap -profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - capability sys_resource, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - signal (receive) set=(kill), - - @{bin}/** rm, - @{lib}/** rm, - /opt/*/** rm, - /usr/share/*/* rm, - - @{bin}/** Px -> bwrap//&bwrap-app, - @{bin}/xdg-dbus-proxy Px -> bwrap//&xdg-dbus-proxy, - # @{lib}/** Px -> bwrap//&bwrap-app, - /opt/*/** Px -> bwrap//&bwrap-app, - /usr/share/*/* Px -> bwrap//&bwrap-app, - - /usr/.ref rk, - - /bindfile@{rand6} rw, - - owner /var/cache/ w, - - owner @{run}/ld-so-cache-dir/* rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app deleted file mode 100644 index b6d45478a..000000000 --- a/apparmor.d/groups/_full/bwrap-app +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for user sandboxed application - -abi , - -include - -profile bwrap-app flags=(attach_disconnected,mediate_deleted) { - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace peer=bwrap//&bwrap-app, - - signal peer=bwrap//&bwrap-app, - - @{bin}/** rmix, - @{lib}/** rmix, - /opt/*/** rmix, - /usr/share/*/* rmix, - - owner /var/cache/ w, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default deleted file mode 100644 index acdfc0bff..000000000 --- a/apparmor.d/groups/_full/default +++ /dev/null @@ -1,122 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Default profile for unconfined programs - -abi , - -include - -@{exec_path} = /** -profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { - include - include - include - include - include - include - include - include - include - include - include - include - include - - capability dac_override, - capability dac_read_search, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - - signal receive set=hup, - - @{bin}/bwrap rPx -> bwrap, - @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse, - @{bin}/pulseaudio rPx -> systemd//&pulseaudio, - @{bin}/su rPx -> default-sudo, - @{bin}/sudo rPx -> default-sudo, - @{bin}/systemctl rix, - @{coreutils_path} rix, - @{shells_path} rix, - - @{pager_path} rPx -> child-pager, - -# @{open_path} rPx -> child-open, - - audit @{bin}/** Pix, - audit @{lib}/** Pix, - audit /opt/*/** Pix, - audit /usr/share/*/* Pix, - - @{bin}/{,**} r, - @{lib}/{,**} r, - /usr/share/** r, - - /etc/xdg/** r, - - # Full access to user's data - / r, - /*/ r, - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/** rwl, - owner @{HOME}/{,**} rwlk, - owner @{run}/user/@{uid}/{,**} rw, - owner @{tmp}/{,**} rwk, - owner @{run}/user/@{uid}/{,**} rwlk, - - @{run}/motd.dynamic.new rw, - - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/bus/pci/devices/ r, - @{sys}/class/ r, - @{sys}/class/drm/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/class/power_supply/ r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/seccomp/actions_avail r, - @{PROC}/zoneinfo r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/gid_map w, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/mem r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/environ r, - owner @{PROC}/@{pids}/task/ r, - - /dev/ r, - /dev/ptmx rwk, - /dev/tty rwk, - owner /dev/tty@{int} rw, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo deleted file mode 100644 index 609191970..000000000 --- a/apparmor.d/groups/_full/default-sudo +++ /dev/null @@ -1,42 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -profile default-sudo { - include - include - - capability chown, - capability mknod, - capability sys_ptrace, - - network inet dgram, - network inet6 dgram, - - ptrace (read), - - @{bin}/su mr, - - @{bin}/** Px, - @{lib}/** Px, - /opt/*/** Px, - - /var/db/sudo/lectured/ r, - /var/lib/extrausers/shadow r, - /var/lib/sudo/lectured/ r, - owner /var/db/sudo/lectured/@{uid} rw, - owner /var/lib/sudo/lectured/* rw, - - owner @{HOME}/.sudo_as_admin_successful rw, - - @{run}/ r, - @{run}/systemd/sessions/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e27c76bc2..a73fee129 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -1,10 +1,6 @@ # Common profile flags definition for all distributions # File format: one profile by line using the format: ' ' -bwrap attach_disconnected,mediate_deleted,complain -bwrap-app attach_disconnected,mediate_deleted,complain -default attach_disconnected,mediate_deleted,complain -default-sudo attach_disconnected,complain systemd attach_disconnected,mediate_deleted,complain systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain From 8f3f3816edd40839b0832cc67546b08eae09314e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:31:35 +0200 Subject: [PATCH 168/798] feat(fsp): systemd drop in files: configure stacked profile It comes as a replacement of old and unsecure config that was disabling the nnp flag. The new solution is: 1. Safe 2. Scalable as hundred of profile could be configured this way --- systemd/full/system/ModemManager.service | 2 +- systemd/full/system/archlinux-keyring-wkd-sync.service | 2 +- systemd/full/system/dbus-org.freedesktop.hostname1.service | 2 +- systemd/full/system/dbus-org.freedesktop.import1.service | 2 +- systemd/full/system/dbus-org.freedesktop.locale1.service | 2 +- systemd/full/system/dbus-org.freedesktop.login1.service | 2 +- systemd/full/system/dbus-org.freedesktop.machine1.service | 2 +- systemd/full/system/dbus-org.freedesktop.timedate1.service | 2 +- systemd/full/system/e2scrub@.service | 2 +- systemd/full/system/e2scrub_reap.service | 2 +- systemd/full/system/fprintd.service | 2 +- systemd/full/system/fwupd-refresh.service | 4 +--- systemd/full/system/geoclue.service | 6 +----- systemd/full/system/irqbalance.service | 2 +- systemd/full/system/nm-priv-helper.service | 2 +- systemd/full/system/polkit.service | 2 +- systemd/full/system/rngd.service | 2 +- systemd/full/system/systemd-homed.service | 2 +- systemd/full/system/systemd-hostnamed.service | 2 +- systemd/full/system/systemd-journald.service | 3 +-- systemd/full/system/systemd-journald@.service | 3 +-- systemd/full/system/systemd-localed.service | 2 +- systemd/full/system/systemd-logind.service | 3 +-- systemd/full/system/systemd-machined.service | 2 +- systemd/full/system/systemd-networkd.service | 2 +- systemd/full/system/systemd-resolved.service | 2 +- systemd/full/system/systemd-timedated.service | 2 +- systemd/full/system/systemd-userdbd.service | 2 +- systemd/full/system/upower.service | 2 +- 29 files changed, 29 insertions(+), 38 deletions(-) diff --git a/systemd/full/system/ModemManager.service b/systemd/full/system/ModemManager.service index 03d352890..2d1593f19 100644 --- a/systemd/full/system/ModemManager.service +++ b/systemd/full/system/ModemManager.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&ModemManager diff --git a/systemd/full/system/archlinux-keyring-wkd-sync.service b/systemd/full/system/archlinux-keyring-wkd-sync.service index 03d352890..b88768556 100644 --- a/systemd/full/system/archlinux-keyring-wkd-sync.service +++ b/systemd/full/system/archlinux-keyring-wkd-sync.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&archlinux-keyring-wkd-sync diff --git a/systemd/full/system/dbus-org.freedesktop.hostname1.service b/systemd/full/system/dbus-org.freedesktop.hostname1.service index 03d352890..6d078aea9 100644 --- a/systemd/full/system/dbus-org.freedesktop.hostname1.service +++ b/systemd/full/system/dbus-org.freedesktop.hostname1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-hostnamed \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.import1.service b/systemd/full/system/dbus-org.freedesktop.import1.service index 03d352890..0ab519541 100644 --- a/systemd/full/system/dbus-org.freedesktop.import1.service +++ b/systemd/full/system/dbus-org.freedesktop.import1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-importd \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.locale1.service b/systemd/full/system/dbus-org.freedesktop.locale1.service index 03d352890..276595080 100644 --- a/systemd/full/system/dbus-org.freedesktop.locale1.service +++ b/systemd/full/system/dbus-org.freedesktop.locale1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-localed \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.login1.service b/systemd/full/system/dbus-org.freedesktop.login1.service index 03d352890..c5728915c 100644 --- a/systemd/full/system/dbus-org.freedesktop.login1.service +++ b/systemd/full/system/dbus-org.freedesktop.login1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-logind \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.machine1.service b/systemd/full/system/dbus-org.freedesktop.machine1.service index 03d352890..315b1b230 100644 --- a/systemd/full/system/dbus-org.freedesktop.machine1.service +++ b/systemd/full/system/dbus-org.freedesktop.machine1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-machined \ No newline at end of file diff --git a/systemd/full/system/dbus-org.freedesktop.timedate1.service b/systemd/full/system/dbus-org.freedesktop.timedate1.service index 03d352890..ab04c5a45 100644 --- a/systemd/full/system/dbus-org.freedesktop.timedate1.service +++ b/systemd/full/system/dbus-org.freedesktop.timedate1.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-timedated \ No newline at end of file diff --git a/systemd/full/system/e2scrub@.service b/systemd/full/system/e2scrub@.service index 03d352890..7340b7610 100644 --- a/systemd/full/system/e2scrub@.service +++ b/systemd/full/system/e2scrub@.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&e2scrub \ No newline at end of file diff --git a/systemd/full/system/e2scrub_reap.service b/systemd/full/system/e2scrub_reap.service index 03d352890..b903d2f0a 100644 --- a/systemd/full/system/e2scrub_reap.service +++ b/systemd/full/system/e2scrub_reap.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&e2scrub_all \ No newline at end of file diff --git a/systemd/full/system/fprintd.service b/systemd/full/system/fprintd.service index 03d352890..5f1f063fa 100644 --- a/systemd/full/system/fprintd.service +++ b/systemd/full/system/fprintd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&fprintd \ No newline at end of file diff --git a/systemd/full/system/fwupd-refresh.service b/systemd/full/system/fwupd-refresh.service index fa215b3f0..acd28a5a4 100644 --- a/systemd/full/system/fwupd-refresh.service +++ b/systemd/full/system/fwupd-refresh.service @@ -1,4 +1,2 @@ [Service] -ProtectKernelModules=no -RestrictRealtime=no -ProtectKernelModules=no +AppArmorProfile=&fwupdmgr \ No newline at end of file diff --git a/systemd/full/system/geoclue.service b/systemd/full/system/geoclue.service index 4ba897659..2c10e32f5 100644 --- a/systemd/full/system/geoclue.service +++ b/systemd/full/system/geoclue.service @@ -1,6 +1,2 @@ [Service] -NoNewPrivileges=no -MemoryDenyWriteExecute=no -ProtectKernelTunables=no -ProtectKernelModules=no -RestrictRealtime=no +AppArmorProfile=&geoclue \ No newline at end of file diff --git a/systemd/full/system/irqbalance.service b/systemd/full/system/irqbalance.service index 03d352890..eab67fa44 100644 --- a/systemd/full/system/irqbalance.service +++ b/systemd/full/system/irqbalance.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&irqbalance \ No newline at end of file diff --git a/systemd/full/system/nm-priv-helper.service b/systemd/full/system/nm-priv-helper.service index 03d352890..53f99edd0 100644 --- a/systemd/full/system/nm-priv-helper.service +++ b/systemd/full/system/nm-priv-helper.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&nm-priv-helper diff --git a/systemd/full/system/polkit.service b/systemd/full/system/polkit.service index 03d352890..b21a28baa 100644 --- a/systemd/full/system/polkit.service +++ b/systemd/full/system/polkit.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&polkitd diff --git a/systemd/full/system/rngd.service b/systemd/full/system/rngd.service index 03d352890..c52a85d0c 100644 --- a/systemd/full/system/rngd.service +++ b/systemd/full/system/rngd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&rngd diff --git a/systemd/full/system/systemd-homed.service b/systemd/full/system/systemd-homed.service index 03d352890..65d4ae62e 100644 --- a/systemd/full/system/systemd-homed.service +++ b/systemd/full/system/systemd-homed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-homed diff --git a/systemd/full/system/systemd-hostnamed.service b/systemd/full/system/systemd-hostnamed.service index 03d352890..6d078aea9 100644 --- a/systemd/full/system/systemd-hostnamed.service +++ b/systemd/full/system/systemd-hostnamed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-hostnamed \ No newline at end of file diff --git a/systemd/full/system/systemd-journald.service b/systemd/full/system/systemd-journald.service index 0316a67c8..48f5a0156 100644 --- a/systemd/full/system/systemd-journald.service +++ b/systemd/full/system/systemd-journald.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-journald \ No newline at end of file diff --git a/systemd/full/system/systemd-journald@.service b/systemd/full/system/systemd-journald@.service index 0316a67c8..48f5a0156 100644 --- a/systemd/full/system/systemd-journald@.service +++ b/systemd/full/system/systemd-journald@.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-journald \ No newline at end of file diff --git a/systemd/full/system/systemd-localed.service b/systemd/full/system/systemd-localed.service index 03d352890..276595080 100644 --- a/systemd/full/system/systemd-localed.service +++ b/systemd/full/system/systemd-localed.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-localed \ No newline at end of file diff --git a/systemd/full/system/systemd-logind.service b/systemd/full/system/systemd-logind.service index 0316a67c8..c5728915c 100644 --- a/systemd/full/system/systemd-logind.service +++ b/systemd/full/system/systemd-logind.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no -ProtectClock=no \ No newline at end of file +AppArmorProfile=&systemd-logind \ No newline at end of file diff --git a/systemd/full/system/systemd-machined.service b/systemd/full/system/systemd-machined.service index 03d352890..315b1b230 100644 --- a/systemd/full/system/systemd-machined.service +++ b/systemd/full/system/systemd-machined.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-machined \ No newline at end of file diff --git a/systemd/full/system/systemd-networkd.service b/systemd/full/system/systemd-networkd.service index 03d352890..3f4b60849 100644 --- a/systemd/full/system/systemd-networkd.service +++ b/systemd/full/system/systemd-networkd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-networkd diff --git a/systemd/full/system/systemd-resolved.service b/systemd/full/system/systemd-resolved.service index 03d352890..fd36871e4 100644 --- a/systemd/full/system/systemd-resolved.service +++ b/systemd/full/system/systemd-resolved.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-resolved diff --git a/systemd/full/system/systemd-timedated.service b/systemd/full/system/systemd-timedated.service index 03d352890..78dd0193d 100644 --- a/systemd/full/system/systemd-timedated.service +++ b/systemd/full/system/systemd-timedated.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-timedated diff --git a/systemd/full/system/systemd-userdbd.service b/systemd/full/system/systemd-userdbd.service index 03d352890..d3771658d 100644 --- a/systemd/full/system/systemd-userdbd.service +++ b/systemd/full/system/systemd-userdbd.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&systemd-userdbd diff --git a/systemd/full/system/upower.service b/systemd/full/system/upower.service index 03d352890..082e8f0fa 100644 --- a/systemd/full/system/upower.service +++ b/systemd/full/system/upower.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&upowerd From 77d2f923b0d5a33dad1d190ea6e04836d3df3577 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:45:10 +0200 Subject: [PATCH 169/798] feat(profile): pacman: allow landlock to restrict itself See https://docs.kernel.org/userspace-api/landlock.html#c.sys_landlock_restrict_self fix #750 --- apparmor.d/groups/pacman/pacman | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 6af9bae96..def1f2a28 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -27,6 +27,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability setfcap, capability setgid, capability setuid, + capability sys_admin, capability sys_chroot, capability sys_ptrace, capability sys_resource, From a08c99dcb77b2df4fdee96de3b4fc6c6ab63b9fb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:47:49 +0200 Subject: [PATCH 170/798] feat(abs): console: add non owner access to /dev/tty@{u8}. Follow recent addition in attached/consoles fix #751 --- apparmor.d/abstractions/consoles.d/complete | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 apparmor.d/abstractions/consoles.d/complete diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete new file mode 100644 index 000000000..b8b7ad90f --- /dev/null +++ b/apparmor.d/abstractions/consoles.d/complete @@ -0,0 +1,8 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # There are the common ways to refer to consoles + /dev/tty@{u8} rw, + +# vim:syntax=apparmor From d5002a67740e10096cb3a126b2c467e55459e895 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:52:39 +0200 Subject: [PATCH 171/798] fix(profile): fwupd fix #752 --- apparmor.d/profiles-a-f/fwupd | 4 +++- apparmor.d/profiles-a-f/fwupdmgr | 3 +++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 71addde64..a07bb4dba 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -50,6 +50,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, + /usr/share/libdrm/*.ids /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, @@ -80,6 +81,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/**/ r, @{sys}/devices/** r, + @{sys}/**/uevent r, @{sys}/firmware/acpi/** r, @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @@ -87,9 +89,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, + @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/kernel/security/lockdown r, @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r, - @{sys}/**/uevent r, @{sys}/power/mem_sleep r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 6dffac5a6..b0a651315 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -34,6 +34,9 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { @{bin}/dbus-launch Cx -> bus, @{bin}/pkttyagent Px, + /usr/share/terminfo/** r, + + /etc/inputrc r, /etc/machine-id r, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, From 7243c18ce2ffd4de6b66c2c390752f079b6e718d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 26 May 2025 23:54:56 +0200 Subject: [PATCH 172/798] fix(build): conversion from abi4 to abi3. --- pkg/prebuild/builder/abi.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 818edbb76..2e2911f4b 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -14,6 +14,7 @@ var ( `abi/4.0`, `abi/3.0`, ` userns,`, ` # userns,`, ` mqueue`, ` # mqueue`, + ` deny mqueue`, ` # deny mqueue`, }) ) From 0886c7bc853de38724ebbbccad21832f2bbd4600 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 27 May 2025 00:29:21 +0200 Subject: [PATCH 173/798] fix: rule compilation. --- apparmor.d/profiles-a-f/fwupd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index a07bb4dba..5fb948234 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -50,7 +50,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, - /usr/share/libdrm/*.ids + /usr/share/libdrm/*.ids r, /usr/share/mime/mime.cache r, /etc/fwupd/{,**} rw, From 11f3529530aa1710de623c8bb3214637a0047985 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 27 May 2025 00:29:35 +0200 Subject: [PATCH 174/798] ci: ensure failing compiling the profile fail the job. --- .github/workflows/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 8d738eac7..4baa4a776 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -54,8 +54,10 @@ jobs: - name: Reload AppArmor run: | - sudo systemctl restart apparmor.service || true - sudo journalctl -xeu apparmor.service + if ! sudo systemctl restart apparmor.service; then + sudo journalctl -xeu apparmor.service + exit 1 + fi - name: Show AppArmor log and rules run: | From bf22a7786c39d3b56b87095bfd4479769b88ec1a Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Tue, 27 May 2025 11:44:26 +0000 Subject: [PATCH 175/798] Broken login: Update systemd-logind Today I was not able to log into my Arch Linux system. After chrooting into the system, performing aa-log and adding the rule to systemd-logind the problem was fixed. --- apparmor.d/groups/systemd/systemd-logind | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 39192e7e1..64081f326 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -139,6 +139,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, + /dev/tty@{int} rw, owner /dev/shm/{,**/} rw, include if exists From 47bafeb67bacc6abb89eb74f9a7044cfdfae0cd4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 15:06:52 +0200 Subject: [PATCH 176/798] feat(fsp): rewrite the systemd profile. --- apparmor.d/groups/_full/systemd | 259 ++++++++++++-------------------- 1 file changed, 92 insertions(+), 167 deletions(-) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index e1a9918e1..eec9b33d9 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -11,24 +11,47 @@ # Distributions and other programs can add rules in the usr/systemd.d directory -# TODO: rework this to get a controlled environment: (cf security model) +# Overall architecture of the systemd profiles: +# systemd # PID 1, entrypoint, requires "Early policy" +# ├── systemd # To restart itself +# ├── systemd-generators-* # Systemd system and environment generators +# └── sd # Internal service starter and config handler, handles all services +# ├── Px or px, # Any service with profile +# ├── Px -> # Any service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked service as defined in the unit file (see systemd/full/systemd) +# ├── sd-mount # Handles all mounts from services +# ├── sd//systemctl # Internal system systemctl +# └── systemd-user # Profile for 'systemd --user' +# ├── systemd-user # To restart itself +# ├── systemd-user-generators-* # Systemd user and environment generators +# └── sdu # Handles all user services +# ├── Px or px, # Any user service with profile +# ├── Px -> # Any user service without profile defined in the unit file (see systemd/full/systemd) +# ├── &* # Stacked user service as defined in the unit file (see systemd/full/systemd) +# └── sdu//systemctl # Internal user systemctl + +# Advantages: +# - Differentiate systemd (PID 1) and `system --user` +# - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles. +# - Allow the executor profiles to handled stacked profiles. +# - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`. +# - Dedicated `sd-mount` profile for most mount from the unit services. + + +# TODO: rework this to get a controlled environment: # - No global allow anymore: in high security environments, we must manage the list # of program/service that can be started by systemd and ensure that they are all # listed and confined. Programs not listed will not be able to start. # - Outside common systemd service, the list may have to be automatically # generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec` -# - Stop disabling nnp flags in systemd dropin files. -# - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo) -# need they own profile, profile name configured as a dropin unit file. -# - When this is done: the fallback profile as root will not be needed. abi , include +@{exec_path} = @{lib}/systemd/systemd profile systemd flags=(attach_disconnected,mediate_deleted) { include - include include include include @@ -43,16 +66,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { capability dac_read_search, capability fowner, capability fsetid, - capability mknod, + capability kill, capability net_admin, + capability net_bind_service, capability perfmon, - capability setfcap, - capability setgid, capability setpcap, - capability setuid, capability sys_admin, - capability sys_chroot, - capability sys_nice, + capability sys_boot, capability sys_ptrace, capability sys_resource, capability sys_tty_config, @@ -62,164 +82,82 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { network inet6 dgram, network inet6 stream, network netlink raw, + network vsock stream, mount fstype=autofs systemd-1 -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=autofs systemd-1 -> /efi/, - mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, - mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, - mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, - mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, - mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, - mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, - mount fstype=proc options=(rw nosuid nodev noexec) proc -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=sysfs options=(rw nosuid nodev noexec) sysfs -> @{run}/systemd/namespace-@{rand6}/, - mount fstype=tmpfs tmpfs -> /dev/shm/, + mount fstype=autofs systemd-1 -> @{efi}/, mount fstype=tmpfs tmpfs -> /tmp/, - mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime) tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/, - mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/, - mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/, - mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, - - mount /dev/** -> /boot/{,efi/}, - mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, - mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**, - mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/, - mount options=(rw move) -> @{sys}/fs/fuse/connections/, - mount options=(rw move) -> @{sys}/kernel/config/, - mount options=(rw move) -> @{sys}/kernel/debug/, - mount options=(rw move) -> @{sys}/kernel/tracing/, - mount options=(rw move) -> /dev/hugepages/, - mount options=(rw move) -> /dev/mqueue/, - mount options=(rw move) -> /efi/, - mount options=(rw move) -> /tmp/, - mount options=(rw move) @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/mount-rootfs/{,**}, - mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, - mount options=(rw rshared) -> /, + mount options=(rw rslave) -> /, - mount options=(rw rslave) -> /dev/, - mount options=(rw slave) -> @{run}/systemd/incoming/, remount @{HOME}/{,**}, remount @{HOMEDIRS}/, remount @{MOUNTDIRS}/, remount @{MOUNTS}/{,**}, - remount @{run}/systemd/mount-rootfs/{,**}, - remount @{run}/systemd/unit-root/{,**}, - remount /, remount /snap/{,**}, - remount options=(ro bind) /boot/{,efi/}, - remount options=(ro noexec noatime bind) /var/snap/{,**}, - remount options=(ro nosuid bind) /dev/, - remount options=(ro nosuid nodev bind) /dev/hugepages/, - remount options=(ro nosuid nodev bind) /var/, - remount options=(ro nosuid nodev noexec bind) /boot/, - remount options=(ro nosuid nodev noexec bind) /dev/mqueue/, - remount options=(ro nosuid nodev noexec bind) /efi/, - remount options=(ro nosuid noexec bind) /dev/pts/, - - umount /, - umount /dev/shm/, - umount @{PROC}/sys/fs/binfmt_misc/, - umount @{run}/systemd/mount-rootfs/{,**}, - umount @{run}/systemd/namespace-@{rand6}/{,**}, - umount @{run}/systemd/unit-root/{,**}, + remount options=(ro bind nodev noexec nosuid) /dev/mqueue/, + remount options=(ro bind nodev nosuid) /dev/hugepages/, + remount options=(ro bind noexec nosuid) /dev/pts/, + remount options=(ro bind nosuid) /dev/, + remount options=(ro bind) @{efi}/, + remount options=(ro bind) /, - pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, - pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, + umount @{PROC}/sys/fs/binfmt_misc/, + umount @{run}/credentials/*/, mqueue (read getattr) type=posix /, - change_profile, - - signal receive set=(rtmin+23) peer=plymouthd, - signal receive set=(term hup cont), signal send, ptrace (read, readby), - unix send type=dgram, - - unix receive type=dgram peer=(label=systemd-timesyncd), - unix (send, receive, connect) type=stream peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd), + unix type=dgram, + unix type=stream, #aa:dbus own bus=system name=org.freedesktop.systemd1 - # For stacked profiles - #aa:dbus own bus=system name=org.freedesktop.network1 - #aa:dbus own bus=system name=org.freedesktop.oom1 - #aa:dbus own bus=system name=org.freedesktop.resolve1 - #aa:dbus own bus=system name=org.freedesktop.timesync1 - - @{bin}/** Px, - @{sbin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /etc/init.d/* Px, - /etc/update-motd.d/* Px, - /usr/share/*/** Px, - - # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor ix, - - # Systemd user: systemd --user - @{lib}/systemd/systemd px -> systemd-user, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Unit services - @{bin}/mount ix, - @{bin}/kill ix, - - # Shell based systemd unit services - # TODO: create unit profile for all of them - @{sbin}/ldconfig Px -> systemd-service, - @{bin}/mandb Px -> systemd-service, - @{bin}/savelog Px -> systemd-service, - @{coreutils_path} Px -> systemd-service, - @{sh_path} Px -> systemd-service, - - # Systemd profiles that need be stacked - #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd - @{lib}/systemd/systemd-networkd px -> systemd//&systemd-networkd, - @{lib}/systemd/systemd-oomd px -> systemd//&systemd-oomd, - @{lib}/systemd/systemd-resolved px -> systemd//&systemd-resolved, - @{lib}/systemd/systemd-timesyncd px -> systemd//&systemd-timesyncd, - - @{lib}/ r, - / r, - /*/ r, - /boot/efi/ r, - /snap/*/@{int}/ r, - /var/cache/*/ r, - /var/lib/*/ r, - /var/tmp/ r, + @{exec_path} mrix, + @{sh_path} mr, + + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sd, + + # Systemd system generators. Profiles must exist + @{lib}/netplan/generate mPx, + @{lib}/systemd/system-environment-generators/* mPx, + @{lib}/systemd/system-generators/* mPx, @{etc_ro}/environment r, @{etc_ro}/environment.d/{,**} r, - /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, - /etc/credstore.encrypted/{,**} r, - /etc/credstore/{,**} r, /etc/default/{,**} r, - /etc/machine-id r, /etc/modules-load.d/{,**} r, /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, + /etc/systemd/system/** w, /etc/udev/hwdb.d/{,**} r, - /etc/systemd/system/multi-user.target.wants/{,*} w, - /var/log/dmesg rw, - /var/lib/systemd/{,**} rw, - owner /var/tmp/systemd-private-*/{,**} rw, + #aa:only pacman + # It is unclear why this is needed here and not in sd + /etc/pacman.d/gnupg/S.dirmngr w, + /etc/pacman.d/gnupg/S.gpg-agent w, + /etc/pacman.d/gnupg/S.gpg-agent.browser w, + /etc/pacman.d/gnupg/S.gpg-agent.extra w, + /etc/pacman.d/gnupg/S.gpg-agent.ssh w, + /etc/pacman.d/gnupg/S.keyboxd w, - /tmp/namespace-dev-@{rand6}/{,**} rw, - /tmp/systemd-private-*/{,**} rw, + @{efi}/ r, + /snap/*/@{int}/ r, + + /tmp/ r, + /var/tmp/ r, + owner /tmp/systemd-private-*/{,**} rw, + owner /var/tmp/systemd-private-*/{,**} rw, - @{att}/@{run}/systemd/journal/socket r, @{att}/@{run}/systemd/journal/dev-log r, + @{att}/@{run}/systemd/journal/socket r, + @{att}/@{run}/systemd/notify r, @{run}/ rw, @{run}/* rw, @@ -228,10 +166,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{run}/credentials/{,**} rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, - @{run}/udev/data/+module:configfs r, @{run}/udev/data/+module:fuse r, @{run}/udev/data/c4:@{int} r, # For TTY devices @@ -242,37 +176,28 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, + @{sys}/**/uevent r, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/power_supply/ r, - @{sys}/class/sound/ r, - @{sys}/devices/@{pci}/** r, - @{sys}/devices/**/net/** r, - @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/fuse/connections/ r, @{sys}/fs/pstore/ r, @{sys}/kernel/**/ r, - @{sys}/module/**/uevent r, @{sys}/module/apparmor/parameters/enabled r, + @{sys}/module/vt/parameters/default_utf8 r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/coredump_filter r, - @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map rw, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/setgroups rw, @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/uid_map rw, @{PROC}/cmdline r, @{PROC}/devices r, @{PROC}/pressure/* r, @@ -280,32 +205,32 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/fs/binfmt_misc/ r, @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/* r, - @{PROC}/sysvipc/{shm,sem,msg} r, - owner @{PROC}/@{pid}/limits r, - owner @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sysvipc/msg r, + @{PROC}/sysvipc/sem r, + @{PROC}/sysvipc/shm r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/1/coredump_filter r, + owner @{PROC}/1/fdinfo/@{int} r, + owner @{PROC}/1/gid_map r, + owner @{PROC}/1/oom_score_adj rw, + owner @{PROC}/1/setgroups r, + owner @{PROC}/1/uid_map r, /dev/autofs r, + /dev/dri/card@{int} rw, /dev/input/ r, /dev/kmsg w, + /dev/tty rw, /dev/tty@{int} rw, owner /dev/console rwk, - owner /dev/dri/card@{int} rw, owner /dev/hugepages/ rw, - owner /dev/initctl rw, owner /dev/input/event@{int} rw, owner /dev/mqueue/ rw, owner /dev/rfkill rw, - owner /dev/shm/ rw, + owner /dev/shm/ r, owner /dev/ttyS@{int} rwk, - profile systemctl { - include - include - - include if exists - include if exists - } - include if exists include if exists } From 3dc8a74ec09ceb8f18c6a69e7d6b61f8b40f81f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 15:16:26 +0200 Subject: [PATCH 177/798] feat(fsp): rewrite the systemd-user profile. --- apparmor.d/groups/_full/systemd-user | 85 ++++++---------------------- 1 file changed, 17 insertions(+), 68 deletions(-) diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index b0b3272a1..3b0d01709 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -11,8 +11,6 @@ # Distributions and other programs can add rules in the usr/systemd-user.d directory -# TODO: rework this to get a controlled environment. cf comments in systemd profile. - abi , include @@ -27,76 +25,46 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { network netlink raw, - signal send set=(term, cont, kill), - signal receive set=hup peer=@{p_systemd}, + signal send, + + ptrace read, - ptrace read peer=@{p_systemd}, + unix type=dgram peer=(label=@{p_sdu}), unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system, unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 - @{exec_path} mr, - - @{bin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /opt/*/** Px, - /usr/share/*/** Px, - - # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) - @{lib}/systemd/systemd-executor ix, - - # Unit services using systemctl - @{bin}/systemctl Cx -> systemctl, - - # Shell based ystemd unit services - @{coreutils_path} Px -> systemd-user-service, - @{sh_path} Px -> systemd-user-service, - - # Dbus needs to be started without environment scrubbing - @{bin}/dbus-broker px -> dbus-session, - @{bin}/dbus-broker-launch px -> dbus-session, - @{bin}/dbus-daemon px -> dbus-session, - @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, + @{exec_path} mrix, - # Audio profiles need to be stacked - #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber - @{bin}/pipewire Px -> systemd-user//&pipewire, - @{bin}/pipewire-media-session Px -> systemd-user//&pipewire-media-session, - @{bin}/pipewire-pulse Px -> systemd-user//&pipewire-pulse, - @{bin}/pulseaudio Px -> systemd-user//&pulseaudio, - @{bin}/wireplumber Px -> systemd-user//&wireplumber, + # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor mPx -> sdu, - /usr/ r, - /usr/share/defaults/**.conf r, + # Systemd user generators. Profiles must exist + @{lib}/systemd/user-environment-generators/* Px, + @{lib}/systemd/user-generators/* Px, + @{etc_ro}/environment r, /etc/systemd/user.conf r, /etc/systemd/user.conf.d/{,**} r, /etc/systemd/user/{,**} r, - / r, - - owner @{HOME}/.local/ w, - owner @{user_config_dirs}/systemd/user/{,**} rw, - @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/ rw, owner @{run}/user/@{uid}/** rwkl, @{run}/mount/utab r, @{run}/systemd/notify w, + @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, @{run}/udev/data/+module:configfs r, @{run}/udev/data/+module:fuse r, - @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/n@{int} r, @{run}/udev/tags/systemd/ r, @@ -108,14 +76,11 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r, - @{sys}/module/apparmor/parameters/enabled r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/stat r, - @{PROC}/1/environ r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/stat r, @{PROC}/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, @@ -124,20 +89,14 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, - owner @{PROC}/@{pid}/coredump_filter r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/uid_map r, owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/oom_score_adj rw, - - /dev/kmsg w, - /dev/tty rw, deny capability bpf, deny capability dac_override, @@ -149,16 +108,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { deny capability sys_boot, deny capability sys_resource, - profile systemctl { - include - include - - deny capability net_admin, - - include if exists - include if exists - } - include if exists include if exists } From dd2187552bf671f0075ae269e14d52bd0f75718e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:35:28 +0200 Subject: [PATCH 178/798] feat(fsp): remove the now deprecated generic system service profiles. --- apparmor.d/groups/_full/systemd-service | 77 -------------------- apparmor.d/groups/_full/systemd-user-service | 23 ------ dists/flags/main.flags | 1 - 3 files changed, 101 deletions(-) delete mode 100644 apparmor.d/groups/_full/systemd-service delete mode 100644 apparmor.d/groups/_full/systemd-user-service diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service deleted file mode 100644 index a53193cc5..000000000 --- a/apparmor.d/groups/_full/systemd-service +++ /dev/null @@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for generic systemd unit services. Only used by tiny systemd services -# that start a shell or use context specific programs. - -# It does not specify an attachment path because it is intended to be used only -# via "Px -> systemd-service" exec transitions from the systemd profile. - -abi , - -include - -profile systemd-service flags=(attach_disconnected) { - include - include - include - - capability dac_read_search, - capability chown, - capability fsetid, - - @{sbin}/ldconfig rix, - @{bin}/savelog rix, - @{bin}/systemctl rix, - @{bin}/gzip rix, - @{coreutils_path} rix, - @{sh_path} rmix, - - # ifup@.service - @{bin}/ifup rPx, - - # shadow.service - @{sbin}/pwck rPx, - @{sbin}/grpck rPx, - - @{bin}/grub-editenv rPx, - @{bin}/ibus-daemon rPx, - - @{bin}/* r, - @{lib}/ r, - - /var/cache/ldconfig/{,**} rw, - - / r, - - /boot/grub/grubenv rw, - /boot/grub/ w, - - /var/spool/cron/atjobs/ r, - - /var/log/ r, - /var/log/dmesg rw, - /var/log/dmesg.* rwl -> /var/log/dmesg, - - # man-db.service - /usr/{,local/}share/man/{,**} r, - /etc/manpath.config r, - /var/cache/man/{,**} rwk, - - # snapd.system-shutdown.service - @{run}/initramfs/shutdown rw, - @{run}/initramfs/ rw, - - # cockpit.socket - @{run}/cockpit/@{rand8} rw, - @{run}/cockpit/motd w, - - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service deleted file mode 100644 index 0cb9efa49..000000000 --- a/apparmor.d/groups/_full/systemd-user-service +++ /dev/null @@ -1,23 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Profile for generic systemd unit services. Only used by tiny systemd services -# that start a shell or use context specific programs. - -# It does not specify an attachment path because it is intended to be used only -# via "Px -> systemd-user-service" exec transitions from the systemd-user profile. - -abi , - -include - -profile systemd-user-service flags=(attach_disconnected) { - include - include - - include if exists - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index a73fee129..5a6c7c526 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -2,7 +2,6 @@ # File format: one profile by line using the format: ' ' systemd attach_disconnected,mediate_deleted,complain -systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain akonadi_akonotes_resource complain From 5940f0117b85538f3f91840a58a7583dbcc579bc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:37:56 +0200 Subject: [PATCH 179/798] feat(fsp): add the new sdu profile as service and stacked profile manager for user. --- apparmor.d/groups/_full/sdu | 124 ++++++++++++++++++++++++++++++++++++ 1 file changed, 124 insertions(+) create mode 100644 apparmor.d/groups/_full/sdu diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu new file mode 100644 index 000000000..5ceb669f0 --- /dev/null +++ b/apparmor.d/groups/_full/sdu @@ -0,0 +1,124 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd-user profile. + +# sdu is a profile for SystemD-executor run as User, it is used to run all services +# files and to encapsulate stacked services profiles (hence the short name). +# It aims at reducing the size of the systemd-user profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sdu.d directory + +abi , + +include + +@{exec_path} = @{bin}/systemd-executor +profile sdu flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + + network netlink raw, + + change_profile, + + ptrace read, + + unix type=dgram peer=(label=@{p_systemd_user}), + + dbus bus=session, + + @{exec_path} mr, + + @{bin}/** mPx, + @{sbin}/** mPx, + @{lib}/** Px, + /etc/cron.*/* Px, + /opt/*/** Px, + /usr/share/*/** Px, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Shell based user unit services + @{sh_path} Cx -> shell, + + # Dbus needs to be started without environment scrubbing + @{bin}/dbus-broker px -> dbus-session, + @{bin}/dbus-broker-launch px -> dbus-session, + @{bin}/dbus-daemon px -> dbus-session, + @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, + + / r, + @{bin}/* r, + @{sbin}/* r, + /usr/share/** r, + + owner @{desktop_local_dirs}/ w, + owner @{desktop_local_dirs}/state/ w, + owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + + owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, + owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, + owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, + owner @{run}/user/@{uid}/pulse/pid rw, + + owner @{user_state_dirs}/wireplumber/ r, + owner @{user_state_dirs}/wireplumber/stream-properties rw, + owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw, + + @{run}/systemd/users/@{uid} r, + @{run}/systemd/users/@{int} r, + + @{run}/udev/data/c116:@{int} r, # for ALSA + + @{sys}/bus/ r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/sound/seq/uevent r, + @{sys}/devices/virtual/sound/timer/uevent r, + + @{sys}/module/apparmor/parameters/enabled r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, + + @{PROC}/pressure/* r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/attr/apparmor/exec w, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_score_adj rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + profile shell flags=(attach_disconnected,mediate_deleted,complain) { + include + + @{sh_path} mr, + @{bin}/systemctl Px -> sdu//systemctl, + + include if exists + } + + profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + audit capability net_admin, + + owner @{run}/user/@{uid}/systemd/private rw, + + include if exists + include if exists + } + + include if exists + include if exists +} + +# vim:syntax=apparmor From 9125686973a11c2a297d16621ec2859a061bf8bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:44:00 +0200 Subject: [PATCH 180/798] feat(fsp): add the new sdu profile as service and stacked profile manager for system. --- apparmor.d/groups/_full/sd | 246 +++++++++++++++++++++++++++++++++++++ 1 file changed, 246 insertions(+) create mode 100644 apparmor.d/groups/_full/sd diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd new file mode 100644 index 000000000..974bc3544 --- /dev/null +++ b/apparmor.d/groups/_full/sd @@ -0,0 +1,246 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd is a profile for SystemD-executor run as root, it is used to run all services +# files and to encapsulate stacked services profiles (hence the short name). +# It aims at reducing the size of the systemd profile. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd.d directory + +abi , + +include + +@{exec_path} = @{bin}/systemd-executor +profile sd flags=(attach_disconnected,mediate_deleted) { + include + include + include + include + include + include + include + include + + userns, + + capability audit_control, + capability audit_write, + capability bpf, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability kill, + capability linux_immutable, + capability mknod, + capability net_admin, + capability net_raw, + capability perfmon, + capability setfcap, + capability setgid, + capability setpcap, + capability setuid, + capability sys_admin, + capability sys_nice, + capability sys_ptrace, + capability sys_rawio, + capability sys_resource, + capability sys_time, + capability sys_tty_config, + capability syslog, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 raw, + network inet6 stream, + network netlink raw, + network packet dgram, + network packet raw, + network qipcrtr dgram, + + mount -> @{run}/systemd/mount-rootfs/{,**}, + mount -> @{run}/systemd/namespace-@{rand6}/{,**}, + mount options=(rw move) /dev/shm/ -> @{run}/credentials/*/, + mount options=(rw rshared) -> /, + mount options=(rw rslave) -> /, + mount options=(rw rslave) -> /dev/, + mount options=(rw slave) -> @{run}/systemd/incoming/, + mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow) tmpfs -> /dev/shm/, + mount fstype=tmpfs options=(rw nodev strictatime) tmpfs -> @{run}/systemd/unit-private-tmp/, + + remount /dev/shm/, + remount @{run}/systemd/mount-rootfs/{,**}, + + umount /, + umount /dev/shm/, + umount @{run}/systemd/mount-rootfs/{,**}, + + pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, + + change_profile, + + mqueue (read getattr) type=posix /, + + signal peer=sd//&*, + signal receive peer=@{p_systemd}, + signal send, + + ptrace read, + + unix type=dgram peer=(label=@{p_systemd}), + unix type=dgram peer=(label=systemd-timesyncd), + unix type=stream, + + dbus bus=system, + + @{exec_path} mr, + + @{bin}/** mPx, + @{sbin}/** mPx, + @{lib}/** Px, + /etc/cron.*/* Px, + /etc/init.d/* Px, + /etc/update-motd.d/* Px, + /usr/share/*/** Px, + + # Systemd user: systemd --user + @{lib}/systemd/systemd px -> systemd-user, + + # Mount operations from services and systemd + @{bin}/mount Px -> sd-mount, + @{bin}/umount Px -> sd-umount, + + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + + # Unit services + @{bin}/kill Cx -> kill, + + # Used by very basic services, ideally should be replaced by a unit profiles + @{sh_path} ix, + @{bin}/false ix, + @{bin}/true ix, + + # Required due to stacked profiles + @{bin}/grpck ix, + @{bin}/gzip ix, + @{bin}/install ix, + @{bin}/pwck ix, + @{bin}/readlink ix, + @{lib}/colord-sane ix, + @{lib}/systemd/systemd-nsresourcework ix, + @{lib}/systemd/systemd-userwork ix, + + / r, + @{att}/ r, + @{bin}/{,**} r, + @{lib}/{,**} r, + @{sbin}/{,*} r, + /usr/share/** r, + /etc/** rk, + /home/ r, + + @{efi}/ r, + @{efi}/** rw, + + @{att}/var/lib/systemd/*/ r, + + /var/cache/*/ rw, + /var/cache/*/** rwk, + /var/lib/*/ rw, + /var/lib/*/** rwk, + /var/lib/systemd/*/ r, + /var/log/** rw, + /var/log/journal/** rwl -> /var/log/journal/**, + + @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{user_share_dirs}/icc/edid-@{hex32}.icc r, + + @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, + @{att}/@{run}/systemd/notify rw, + @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, + @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, + + @{run}/ rw, + @{run}/* rw, + @{run}/*/ rw, + @{run}/*/* rw, + @{run}/systemd/{,**} rw, + owner @{run}/*/** rw, + + @{run}/udev/**/ r, + @{run}/udev/data/* r, + + @{sys}/** r, + @{sys}/fs/bpf/systemd/{,**} w, + @{sys}/firmware/efi/efivars/** w, + @{sys}/fs/cgroup/{,**} w, + + @{PROC}/@{pid}/attr/apparmor/exec w, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map w, + @{PROC}/@{pid}/limits r, + @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/oom_score_adj rw, + @{PROC}/@{pid}/sessionid r, + @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/setgroups w, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/uid_map r, + @{PROC}/@{pid}/uid_map w, + @{PROC}/cmdline r, + @{PROC}/interrupts r, + @{PROC}/irq/@{int}/node r, + @{PROC}/irq/@{int}/smp_affinity r, + @{PROC}/kmsg r, + @{PROC}/modules r, + @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sys/** r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sysvipc/* r, + @{PROC}/version_signature r, + + /dev/** rwk, + + profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + include + include + + include if exists + include if exists + } + + profile kill flags=(attach_disconnected,mediate_deleted,complain) { + include + + signal send, + + @{bin}/kill mr, + + include if exists + } + + include if exists + include if exists +} + +# vim:syntax=apparmor From a194f28c21f15ee0ffd693eb5612ce198bcc75ab Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 22:59:02 +0200 Subject: [PATCH 181/798] feat(fsp): add sd-mount. --- apparmor.d/groups/_full/sd-mount | 71 ++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 apparmor.d/groups/_full/sd-mount diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount new file mode 100644 index 000000000..7f7dede60 --- /dev/null +++ b/apparmor.d/groups/_full/sd-mount @@ -0,0 +1,71 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd-mount is a subprofile of sd responsible to handle mounting operation. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd-mount.d directory + +abi , + +include + +@{exec_path} = @{bin}/mount +profile sd-mount flags=(complain) { + include + include + + capability dac_read_search, + capability sys_admin, + + mount -> @{efi}/, + mount -> @{HOME}/{,**}, + mount -> @{HOMEDIRS}/, + mount -> @{MOUNTDIRS}/, + mount -> @{MOUNTS}/{,**}, + mount fstype=binfmt_misc options=(rw nodev noexec nosuid) binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/, + mount fstype=configfs options=(rw nodev noexec nosuid) configfs -> @{sys}/kernel/config/, + mount fstype=debugfs options=(rw nodev noexec nosuid) debugfs -> @{sys}/kernel/debug/, + mount fstype=fusectl options=(rw nodev noexec nosuid) fusectl -> @{sys}/fs/fuse/connections/, + mount fstype=hugetlbfs options=(rw nosuid nodev) hugetlbfs -> /dev/hugepages/, + mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, + mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/, + mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/, + mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, + mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, + + mount options=(rw move) -> @{efi}, + mount options=(rw move) -> @{HOME}/{,**}, + mount options=(rw move) -> @{HOMEDIRS}/, + mount options=(rw move) -> @{MOUNTDIRS}/, + mount options=(rw move) -> @{MOUNTS}/{,**}, + mount options=(rw move) -> @{sys}/fs/fuse/connections/, + mount options=(rw move) -> @{sys}/kernel/config/, + mount options=(rw move) -> @{sys}/kernel/debug/, + mount options=(rw move) -> @{sys}/kernel/tracing/, + mount options=(rw move) -> /dev/hugepages/, + mount options=(rw move) -> /dev/mqueue/, + mount options=(rw move) -> /tmp/, + + @{exec_path} mr, + + /var/lib/snapd/snaps/*.snap r, + + @{run}/ r, + owner @{run}/mount/ rw, + owner @{run}/mount/utab{,.*} rwk, + + @{PROC}/@{pid}/mountinfo r, + + /dev/loop-control rw, + + include if exists + include if exists +} + +# vim:syntax=apparmor From 8ff829542d4fea4e9366e7ed03a387637eb24c95 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:13:04 +0200 Subject: [PATCH 182/798] feat(profile): add profile for some named minimal systemd service. --- .../cloud-init-hotplugd.service | 22 +++++++ .../systemd-service/debug-shell.service | 19 ++++++ .../groups/systemd-service/dmesg.service | 62 +++++++++++++++++++ .../systemd-service/grub-common.service | 28 +++++++++ .../groups/systemd-service/ldconfig.service | 23 +++++++ .../groups/systemd-service/man-db.service | 39 ++++++++++++ .../systemd-service/secureboot-db.service | 27 ++++++++ .../groups/systemd-service/shadow.service | 23 +++++++ .../snapd.system-shutdown.service | 28 +++++++++ .../system-update-cleanup.service | 22 +++++++ .../systemd-service/usb_modeswitch.service | 17 +++++ 11 files changed, 310 insertions(+) create mode 100644 apparmor.d/groups/systemd-service/cloud-init-hotplugd.service create mode 100644 apparmor.d/groups/systemd-service/debug-shell.service create mode 100644 apparmor.d/groups/systemd-service/dmesg.service create mode 100644 apparmor.d/groups/systemd-service/grub-common.service create mode 100644 apparmor.d/groups/systemd-service/ldconfig.service create mode 100644 apparmor.d/groups/systemd-service/man-db.service create mode 100644 apparmor.d/groups/systemd-service/secureboot-db.service create mode 100644 apparmor.d/groups/systemd-service/shadow.service create mode 100644 apparmor.d/groups/systemd-service/snapd.system-shutdown.service create mode 100644 apparmor.d/groups/systemd-service/system-update-cleanup.service create mode 100644 apparmor.d/groups/systemd-service/usb_modeswitch.service diff --git a/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service new file mode 100644 index 000000000..1b585c0cc --- /dev/null +++ b/apparmor.d/groups/systemd-service/cloud-init-hotplugd.service @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /bin/bash -c 'read args <&3; echo "args=$args"; \ +# exec /usr/bin/cloud-init devel hotplug-hook $args; \ +# exit 0' + +abi , + +include + +profile cloud-init-hotplugd.service { + include + + @{sh_path} ix, + @{bin}/cloud-init Px, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/debug-shell.service b/apparmor.d/groups/systemd-service/debug-shell.service new file mode 100644 index 000000000..9f8e235cf --- /dev/null +++ b/apparmor.d/groups/systemd-service/debug-shell.service @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=/usr/bin/bash + +abi , + +include + +profile debug-shell.service { + include + + all, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service new file mode 100644 index 000000000..4c67f680a --- /dev/null +++ b/apparmor.d/groups/systemd-service/dmesg.service @@ -0,0 +1,62 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg +# ExecStart=/bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname +# ExecStartPost=/bin/chgrp adm /var/log/dmesg +# ExecStartPost=/bin/chmod 0640 /var/log/dmesg + +abi , + +include + +profile dmesg.service flags=(attach_disconnected) { + include + include + + capability chown, + capability fsetid, + + ptrace read peer=@{p_systemd}, + + @{sh_path} r, + @{bin}/basename ix, + @{bin}/chgrp rix, + @{bin}/chmod rix, + @{bin}/chown ix, + @{bin}/date ix, + @{bin}/dirname ix, + @{bin}/gzip ix, + @{bin}/gzip ix, + @{bin}/journalctl r, + @{bin}/ln ix, + @{bin}/mv ix, + @{bin}/rm ix, + @{bin}/savelog rix, + @{bin}/touch ix, + + /etc/machine-id r, + + /var/log/ r, + /var/log/dmesg rw, + /var/log/dmesg.* rwl -> /var/log/dmesg, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* rw, + + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service new file mode 100644 index 000000000..4abd74fb1 --- /dev/null +++ b/apparmor.d/groups/systemd-service/grub-common.service @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=/bin/sh -c '[ -s /boot/grub/grubenv ] || rm -f /boot/grub/grubenv; mkdir -p /boot/grub' +# ExecStart=grub-editenv /boot/grub/grubenv unset recordfail +# ExecStartPost=/bin/sh -c 'if grub-editenv /boot/grub/grubenv list | grep -q initrdless_boot_fallback_triggered=1; then echo "grub: GRUB_FORCE_PARTUUID set, initrdless boot paniced, fallback triggered."; fi' + +abi , + +include + +profile grub-common.service { + include + + @{sh_path} rix, + @{bin}/grep ix, + @{bin}/grub-editenv rix, + @{bin}/mkdir ix, + @{bin}/rm ix, + + /boot/grub/ w, + /boot/grub/grubenv rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/ldconfig.service b/apparmor.d/groups/systemd-service/ldconfig.service new file mode 100644 index 000000000..f7d193e9e --- /dev/null +++ b/apparmor.d/groups/systemd-service/ldconfig.service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /sbin/ldconfig -X + +abi , + +include + +profile ldconfig.service { + include + + @{lib}/ r, + @{sbin}/ldconfig r, + + /var/cache/ldconfig/aux-cache rw, + /var/cache/ldconfig/aux-cache~ rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service new file mode 100644 index 000000000..24b34fc25 --- /dev/null +++ b/apparmor.d/groups/systemd-service/man-db.service @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man +# ExecStart=/usr/bin/mandb --quiet + +abi , + +include + +profile man-db.service flags=(attach_disconnected) { + include + include + + @{bin}/install ix, + @{bin}/mandb r, + + /usr/{,local/}share/man/{,**} r, + + /etc/man_db.conf r, + /etc/manpath.config r, + + /usr/share/man/{,**} r, + /usr/local/man/{,**} r, + /usr/local/share/man/{,**} r, + + /usr/{,share/}man/{,**} r, + /usr/local/{,share/}man/{,**} r, + + /usr/share/**/man/man@{u8}/*.@{int}.gz r, + + owner /var/cache/man/ rw, + owner /var/cache/man/** rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/secureboot-db.service b/apparmor.d/groups/systemd-service/secureboot-db.service new file mode 100644 index 000000000..a951747be --- /dev/null +++ b/apparmor.d/groups/systemd-service/secureboot-db.service @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStartPre=-/usr/bin/chattr -i /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f +# ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose + +abi , + +include + +profile secureboot-db.service flags=(complain) { + include + + @{bin}/chattr ix, + @{bin}/sbkeysync PUx, + + @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, + @{sys}/firmware/efi/efivars/db-@{uuid} rw, + @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/shadow.service b/apparmor.d/groups/systemd-service/shadow.service new file mode 100644 index 000000000..95f780b89 --- /dev/null +++ b/apparmor.d/groups/systemd-service/shadow.service @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile shadow.service flags=(attach_disconnected) { + include + include + + @{sh_path} rix, + @{sbin}/grpck Px -> &grpck, + @{sbin}/pwck Px -> &pwck, + + /etc/machine-id r, + /etc/shadow r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service new file mode 100644 index 000000000..e8939006e --- /dev/null +++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# /bin/mount /run -o remount,exec +# /bin/mkdir -p /run/initramfs +# /bin/cp /usr/lib/snapd/system-shutdown /run/initramfs/shutdown + +abi , + +include + +profile snapd.system-shutdown.service { + include + + audit @{bin}/cp ix, + audit @{bin}/mkdir ix, + audit @{bin}/mount ix, + + @{lib}/snapd/system-shutdown r, + + @{run}/initramfs/ rw, + @{run}/initramfs/shutdown rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/system-update-cleanup.service b/apparmor.d/groups/systemd-service/system-update-cleanup.service new file mode 100644 index 000000000..4166cb76c --- /dev/null +++ b/apparmor.d/groups/systemd-service/system-update-cleanup.service @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# ExecStart=rm -fv /system-update /etc/system-update + +abi , + +include + +profile system-update-cleanup.service { + include + + @{bin}/rm ix, + + /etc/system-update w, + /system-update w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-service/usb_modeswitch.service b/apparmor.d/groups/systemd-service/usb_modeswitch.service new file mode 100644 index 000000000..00a62c933 --- /dev/null +++ b/apparmor.d/groups/systemd-service/usb_modeswitch.service @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile usb_modeswitch.service { + include + + @{sbin}/usb_modeswitch_dispatcher ix, + + include if exists +} + +# vim:syntax=apparmor From 1aa0142a6aa0b31732fdf286fea14e3600b2f76e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:20:32 +0200 Subject: [PATCH 183/798] feat(fsp): add/update systemd drop in files with AppArmorProfile set to the target profile. --- systemd/full/system/apport-coredump-hook@.service | 2 ++ systemd/full/system/apt-news.service | 2 ++ systemd/full/system/bluetooth.service | 2 +- systemd/full/system/cloud-init-hotplugd.service | 2 ++ systemd/full/system/colord.service | 2 ++ systemd/full/system/debug-shell.service | 2 ++ systemd/full/system/dmesg.service | 2 ++ systemd/full/system/fwupd.service | 2 ++ systemd/full/system/grub-common.service | 2 ++ systemd/full/system/ldconfig.service | 2 ++ systemd/full/system/logrotate.service | 2 ++ systemd/full/system/low-memory-monitor.service | 3 --- systemd/full/system/man-db.service | 2 ++ systemd/full/system/paccache.service | 2 -- systemd/full/system/passim.service | 2 -- systemd/full/system/pcscd.service | 2 ++ systemd/full/system/power-profiles-daemon.service | 2 ++ systemd/full/system/reflector.service | 2 -- systemd/full/system/rsyslog.service | 2 ++ systemd/full/system/secureboot-db.service | 2 ++ systemd/full/system/shadow.service | 3 +-- systemd/full/system/snapd.system-shutdown.service | 2 ++ systemd/full/system/system-update-cleanup.service | 2 ++ systemd/full/system/systemd-coredump@.service | 2 ++ systemd/full/system/systemd-initctl.service | 2 ++ systemd/full/system/systemd-journal-remote.service | 2 ++ systemd/full/system/systemd-nsresourced.service | 2 ++ systemd/full/system/systemd-oomd.service | 2 ++ systemd/full/system/systemd-rfkill.service | 2 ++ systemd/full/system/systemd-timesyncd.service | 2 ++ systemd/full/system/usb_modeswitch@.service | 2 ++ 31 files changed, 52 insertions(+), 12 deletions(-) create mode 100644 systemd/full/system/apport-coredump-hook@.service create mode 100644 systemd/full/system/apt-news.service create mode 100644 systemd/full/system/cloud-init-hotplugd.service create mode 100644 systemd/full/system/colord.service create mode 100644 systemd/full/system/debug-shell.service create mode 100644 systemd/full/system/dmesg.service create mode 100644 systemd/full/system/fwupd.service create mode 100644 systemd/full/system/grub-common.service create mode 100644 systemd/full/system/ldconfig.service create mode 100644 systemd/full/system/logrotate.service delete mode 100644 systemd/full/system/low-memory-monitor.service create mode 100644 systemd/full/system/man-db.service delete mode 100644 systemd/full/system/paccache.service delete mode 100644 systemd/full/system/passim.service create mode 100644 systemd/full/system/pcscd.service create mode 100644 systemd/full/system/power-profiles-daemon.service delete mode 100644 systemd/full/system/reflector.service create mode 100644 systemd/full/system/rsyslog.service create mode 100644 systemd/full/system/secureboot-db.service create mode 100644 systemd/full/system/snapd.system-shutdown.service create mode 100644 systemd/full/system/system-update-cleanup.service create mode 100644 systemd/full/system/systemd-coredump@.service create mode 100644 systemd/full/system/systemd-initctl.service create mode 100644 systemd/full/system/systemd-journal-remote.service create mode 100644 systemd/full/system/systemd-nsresourced.service create mode 100644 systemd/full/system/systemd-oomd.service create mode 100644 systemd/full/system/systemd-rfkill.service create mode 100644 systemd/full/system/systemd-timesyncd.service create mode 100644 systemd/full/system/usb_modeswitch@.service diff --git a/systemd/full/system/apport-coredump-hook@.service b/systemd/full/system/apport-coredump-hook@.service new file mode 100644 index 000000000..73bbc99d8 --- /dev/null +++ b/systemd/full/system/apport-coredump-hook@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&apport \ No newline at end of file diff --git a/systemd/full/system/apt-news.service b/systemd/full/system/apt-news.service new file mode 100644 index 000000000..d7bf885dd --- /dev/null +++ b/systemd/full/system/apt-news.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&apt_news diff --git a/systemd/full/system/bluetooth.service b/systemd/full/system/bluetooth.service index 03d352890..5cccff422 100644 --- a/systemd/full/system/bluetooth.service +++ b/systemd/full/system/bluetooth.service @@ -1,2 +1,2 @@ [Service] -NoNewPrivileges=no \ No newline at end of file +AppArmorProfile=&bluetoothd \ No newline at end of file diff --git a/systemd/full/system/cloud-init-hotplugd.service b/systemd/full/system/cloud-init-hotplugd.service new file mode 100644 index 000000000..a2a121fc3 --- /dev/null +++ b/systemd/full/system/cloud-init-hotplugd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&cloud-init-hotplugd.service diff --git a/systemd/full/system/colord.service b/systemd/full/system/colord.service new file mode 100644 index 000000000..9a64fbc26 --- /dev/null +++ b/systemd/full/system/colord.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&colord diff --git a/systemd/full/system/debug-shell.service b/systemd/full/system/debug-shell.service new file mode 100644 index 000000000..f895f7941 --- /dev/null +++ b/systemd/full/system/debug-shell.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=debug-shell.service \ No newline at end of file diff --git a/systemd/full/system/dmesg.service b/systemd/full/system/dmesg.service new file mode 100644 index 000000000..d4647117b --- /dev/null +++ b/systemd/full/system/dmesg.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=dmesg.service \ No newline at end of file diff --git a/systemd/full/system/fwupd.service b/systemd/full/system/fwupd.service new file mode 100644 index 000000000..5054a73d6 --- /dev/null +++ b/systemd/full/system/fwupd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&fwupd \ No newline at end of file diff --git a/systemd/full/system/grub-common.service b/systemd/full/system/grub-common.service new file mode 100644 index 000000000..8520aea76 --- /dev/null +++ b/systemd/full/system/grub-common.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=grub-common.service \ No newline at end of file diff --git a/systemd/full/system/ldconfig.service b/systemd/full/system/ldconfig.service new file mode 100644 index 000000000..1b2a9c287 --- /dev/null +++ b/systemd/full/system/ldconfig.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=ldconfig.service \ No newline at end of file diff --git a/systemd/full/system/logrotate.service b/systemd/full/system/logrotate.service new file mode 100644 index 000000000..bc984e025 --- /dev/null +++ b/systemd/full/system/logrotate.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&logrotate \ No newline at end of file diff --git a/systemd/full/system/low-memory-monitor.service b/systemd/full/system/low-memory-monitor.service deleted file mode 100644 index dabf76f3a..000000000 --- a/systemd/full/system/low-memory-monitor.service +++ /dev/null @@ -1,3 +0,0 @@ -[Service] -NoNewPrivileges=no - diff --git a/systemd/full/system/man-db.service b/systemd/full/system/man-db.service new file mode 100644 index 000000000..d3a78dd80 --- /dev/null +++ b/systemd/full/system/man-db.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=man-db.service \ No newline at end of file diff --git a/systemd/full/system/paccache.service b/systemd/full/system/paccache.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/paccache.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/passim.service b/systemd/full/system/passim.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/passim.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/pcscd.service b/systemd/full/system/pcscd.service new file mode 100644 index 000000000..8d39f3f26 --- /dev/null +++ b/systemd/full/system/pcscd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pcscd diff --git a/systemd/full/system/power-profiles-daemon.service b/systemd/full/system/power-profiles-daemon.service new file mode 100644 index 000000000..45c5ed93b --- /dev/null +++ b/systemd/full/system/power-profiles-daemon.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&power-profiles-daemon \ No newline at end of file diff --git a/systemd/full/system/reflector.service b/systemd/full/system/reflector.service deleted file mode 100644 index 03d352890..000000000 --- a/systemd/full/system/reflector.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -NoNewPrivileges=no \ No newline at end of file diff --git a/systemd/full/system/rsyslog.service b/systemd/full/system/rsyslog.service new file mode 100644 index 000000000..6b49a73f0 --- /dev/null +++ b/systemd/full/system/rsyslog.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&rsyslogd diff --git a/systemd/full/system/secureboot-db.service b/systemd/full/system/secureboot-db.service new file mode 100644 index 000000000..722781b8a --- /dev/null +++ b/systemd/full/system/secureboot-db.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=secureboot-db.service diff --git a/systemd/full/system/shadow.service b/systemd/full/system/shadow.service index dabf76f3a..52d2f644c 100644 --- a/systemd/full/system/shadow.service +++ b/systemd/full/system/shadow.service @@ -1,3 +1,2 @@ [Service] -NoNewPrivileges=no - +AppArmorProfile=&shadow.service diff --git a/systemd/full/system/snapd.system-shutdown.service b/systemd/full/system/snapd.system-shutdown.service new file mode 100644 index 000000000..7953d522a --- /dev/null +++ b/systemd/full/system/snapd.system-shutdown.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=snapd.system-shutdown.service \ No newline at end of file diff --git a/systemd/full/system/system-update-cleanup.service b/systemd/full/system/system-update-cleanup.service new file mode 100644 index 000000000..24c914f77 --- /dev/null +++ b/systemd/full/system/system-update-cleanup.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=system-update-cleanup.service \ No newline at end of file diff --git a/systemd/full/system/systemd-coredump@.service b/systemd/full/system/systemd-coredump@.service new file mode 100644 index 000000000..d13624709 --- /dev/null +++ b/systemd/full/system/systemd-coredump@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-coredump diff --git a/systemd/full/system/systemd-initctl.service b/systemd/full/system/systemd-initctl.service new file mode 100644 index 000000000..e44c8767f --- /dev/null +++ b/systemd/full/system/systemd-initctl.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-initctl \ No newline at end of file diff --git a/systemd/full/system/systemd-journal-remote.service b/systemd/full/system/systemd-journal-remote.service new file mode 100644 index 000000000..e08cf75a9 --- /dev/null +++ b/systemd/full/system/systemd-journal-remote.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-journal-remote \ No newline at end of file diff --git a/systemd/full/system/systemd-nsresourced.service b/systemd/full/system/systemd-nsresourced.service new file mode 100644 index 000000000..2dc668b80 --- /dev/null +++ b/systemd/full/system/systemd-nsresourced.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-nsresourced diff --git a/systemd/full/system/systemd-oomd.service b/systemd/full/system/systemd-oomd.service new file mode 100644 index 000000000..c384626ee --- /dev/null +++ b/systemd/full/system/systemd-oomd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-oomd diff --git a/systemd/full/system/systemd-rfkill.service b/systemd/full/system/systemd-rfkill.service new file mode 100644 index 000000000..4abf222d5 --- /dev/null +++ b/systemd/full/system/systemd-rfkill.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-rfkill diff --git a/systemd/full/system/systemd-timesyncd.service b/systemd/full/system/systemd-timesyncd.service new file mode 100644 index 000000000..0cd6fefbf --- /dev/null +++ b/systemd/full/system/systemd-timesyncd.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&systemd-timesyncd diff --git a/systemd/full/system/usb_modeswitch@.service b/systemd/full/system/usb_modeswitch@.service new file mode 100644 index 000000000..0eca1db25 --- /dev/null +++ b/systemd/full/system/usb_modeswitch@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=usb_modeswitch.service \ No newline at end of file From d5a65ba8319d63faa358abfc55c51e5fd77bc3f3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:26:18 +0200 Subject: [PATCH 184/798] feat(profile): add a few small profile needed by fsp. --- apparmor.d/profiles-a-f/e2scrub | 18 ++++++++++++++++ .../open-iscsi-net-interface-handler | 19 +++++++++++++++++ apparmor.d/profiles-s-z/u-d-c-print-pci-ids | 19 +++++++++++++++++ .../udev-bridge-network-interface | 21 +++++++++++++++++++ 4 files changed, 77 insertions(+) create mode 100644 apparmor.d/profiles-a-f/e2scrub create mode 100644 apparmor.d/profiles-m-r/open-iscsi-net-interface-handler create mode 100644 apparmor.d/profiles-s-z/u-d-c-print-pci-ids create mode 100644 apparmor.d/profiles-s-z/udev-bridge-network-interface diff --git a/apparmor.d/profiles-a-f/e2scrub b/apparmor.d/profiles-a-f/e2scrub new file mode 100644 index 000000000..2e7e88487 --- /dev/null +++ b/apparmor.d/profiles-a-f/e2scrub @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/e2scrub +profile e2scrub @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler new file mode 100644 index 000000000..2593b78ac --- /dev/null +++ b/apparmor.d/profiles-m-r/open-iscsi-net-interface-handler @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/open-iscsi/net-interface-handler +profile open-iscsi-net-interface-handler @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + @{sh_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/u-d-c-print-pci-ids b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids new file mode 100644 index 000000000..2ae7f66ef --- /dev/null +++ b/apparmor.d/profiles-s-z/u-d-c-print-pci-ids @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/u-d-c-print-pci-ids +profile u-d-c-print-pci-ids @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/udev-bridge-network-interface b/apparmor.d/profiles-s-z/udev-bridge-network-interface new file mode 100644 index 000000000..7e3ba52f9 --- /dev/null +++ b/apparmor.d/profiles-s-z/udev-bridge-network-interface @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/udev/bridge-network-interface +profile udev-bridge-network-interface @{exec_path} { + include + + @{exec_path} mr, + @{sh_path} r, + + /etc/default/bridge-utils r, + + include if exists +} + +# vim:syntax=apparmor From 3984cf8accfaf48badb6f6ad9916a392bde499d5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:27:55 +0200 Subject: [PATCH 185/798] feat(profile): initial profile for pollinate. --- apparmor.d/profiles-m-r/pollinate | 48 +++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/profiles-m-r/pollinate diff --git a/apparmor.d/profiles-m-r/pollinate b/apparmor.d/profiles-m-r/pollinate new file mode 100644 index 000000000..5a10cc9e2 --- /dev/null +++ b/apparmor.d/profiles-m-r/pollinate @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pollinate +profile pollinate @{exec_path} { + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/curl rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/dpkg-query rpx, + @{bin}/hostname rix, + @{bin}/logger rix, + @{bin}/systemd-detect-virt rPx, + @{bin}/xxd rix, + + /etc/cloud/build.info r, + /etc/default/pollinate r, + /etc/lsb-release r, + /etc/pollinate/{,**} r, + + owner /var/cache/pollinate/seeded w, + + owner /tmp/pollinate.@{rand12}/{,**} rw, + + @{PROC}/uptime r, + + /dev/urandom w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 5a6c7c526..2736540a8 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -266,6 +266,7 @@ plymouth complain plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted +pollinate complain ptyxis complain ptyxis-agent complain pycompile complain From 7f684ee5ddd420231cf92381e3e86b9f52468456 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:29:52 +0200 Subject: [PATCH 186/798] feat(profile): integrate fsp with apt and ubuntu. --- apparmor.d/groups/apt/apt-methods-http | 5 +++-- apparmor.d/groups/apt/dpkg-script-apparmor | 1 + apparmor.d/groups/apt/dpkg-script-systemd | 3 +++ apparmor.d/groups/apt/dpkg-scripts | 3 +++ apparmor.d/groups/apt/unattended-upgrade | 2 ++ apparmor.d/groups/ubuntu/cron-ubuntu-fan | 8 +------- apparmor.d/groups/ubuntu/update-notifier-crash | 9 +++++++++ 7 files changed, 22 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 0b375c8f8..7fb3a2cc4 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/apt/methods/http{,s} -profile apt-methods-http @{exec_path} { +profile apt-methods-http @{exec_path} flags=(attach_disconnected) { include include include @@ -23,10 +23,11 @@ profile apt-methods-http @{exec_path} { network inet6 stream, network netlink raw, + signal receive peer=@{p_apt_news}, + signal receive peer=@{p_packagekitd}, signal receive peer=apt-get, signal receive peer=apt, signal receive peer=aptitude, - signal receive peer=@{p_packagekitd}, signal receive peer=role_*, signal receive peer=synaptic, signal receive peer=ubuntu-advantage, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 73b14390a..e9a03f282 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -30,6 +30,7 @@ profile dpkg-script-apparmor @{exec_path} { /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, /var/lib/dpkg/info/*.list r, + /var/lib/dpkg/info/format r, /var/lib/dpkg/status r, /var/lib/dpkg/triggers/File r, /var/lib/dpkg/triggers/Unincorp r, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 4acafd139..8ca92515c 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -32,6 +32,9 @@ profile dpkg-script-systemd @{exec_path} { /etc/systemd/system/*.wants/ rw, /etc/systemd/system/*.wants/* rw, + /etc/pam.d/sed@{rand6} rw, + /etc/pam.d/common-password rw, + /var/lib/systemd/{,*} rw, /var/log/journal/ rw, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 4fb4d04c4..3102b23bb 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -47,6 +47,7 @@ profile dpkg-scripts @{exec_path} { @{sbin}/update-rc.d Cx -> rc, # Maintainer scripts can legitimately start/restart anything + # PU is only used as a safety fallback. @{bin}/** PUx, @{sbin}/** PUx, @{lib}/** PUx, @@ -75,6 +76,8 @@ profile dpkg-scripts @{exec_path} { include include + capability dac_read_search, + dbus send bus=system path=/ interface=org.freedesktop.DBus member=ReloadConfig diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 95b8b2760..c2d94e25a 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -30,6 +30,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_nice, + network inet dgram, + network inet6 dgram, network netlink raw, signal send peer=apt-methods-http, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 8f5952d9b..3ca55909d 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -15,20 +15,14 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/fanctl rix, - @{bin}/flock rix, + @{sbin}/fanctl rPx, @{bin}/grep rix, - @{bin}/id rix, @{sbin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, - @{bin}/touch rix, /etc/network/fan r, - @{run}/ubuntu-fan/ rw, - @{run}/ubuntu-fan/.lock rwk, - include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index b3cbf7f07..3ad03eb05 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -12,8 +12,17 @@ profile update-notifier-crash @{exec_path} { @{exec_path} mr, + @{bin}/systemctl Cx -> systemctl, + /usr/share/apport/apport-checkreports Px, + profile systemctl { + include + include + + include if exists + } + include if exists } From 38c6e35a1b0e5af40b06a50484e4b95a86f45581 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:33:37 +0200 Subject: [PATCH 187/798] feat(profile): add some ubuntu specific profiles. --- apparmor.d/groups/ubuntu/apt_news | 39 +++++++++++++++++++++++++ apparmor.d/groups/ubuntu/fanctl | 33 +++++++++++++++++++++ apparmor.d/groups/ubuntu/ubuntu-fan-net | 24 +++++++++++++++ dists/flags/ubuntu.flags | 3 ++ 4 files changed, 99 insertions(+) create mode 100644 apparmor.d/groups/ubuntu/apt_news create mode 100644 apparmor.d/groups/ubuntu/fanctl create mode 100644 apparmor.d/groups/ubuntu/ubuntu-fan-net diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news new file mode 100644 index 000000000..faf15dfbe --- /dev/null +++ b/apparmor.d/groups/ubuntu/apt_news @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/lib/ubuntu-advantage/apt_news.py +profile apt_news @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability chown, + capability kill, + capability setgid, + capability setuid, + + signal send set=int peer=apt-methods-*, + + @{exec_path} mr, + + @{lib}/apt/methods/* Px, + + /etc/ubuntu-advantage/uaclient.conf r, + + @{run}/ubuntu-advantage/ rw, + @{run}/ubuntu-advantage/apt-news/{,**} rw, + + owner @{run}/ubuntu-advantage/apt-news/** rw, + + @{PROC}/@{pid}/fd/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl new file mode 100644 index 000000000..ef278da63 --- /dev/null +++ b/apparmor.d/groups/ubuntu/fanctl @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/fanctl +profile fanctl @{exec_path} flags=(attach_disconnected) { + include + + network netlink raw, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/flock ix, + @{bin}/id ix, + @{bin}/touch ix, + @{bin}/mkdir ix, + @{bin}/ip ix, + @{bin}/sed ix, + + /etc/network/fan r, + + @{run}/ubuntu-fan/ rw, + @{run}/ubuntu-fan/.lock rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net new file mode 100644 index 000000000..f9d7c01f5 --- /dev/null +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/ubuntu-fan/fan-net +profile ubuntu-fan-net @{exec_path} { + include + + @{exec_path} mr, + + @{sh_path} mr, + @{bin}/{m,g,}awk ix, + @{bin}/grep ix, + @{bin}/networkctl Px, + @{sbin}/fanctl Px, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index a6d6bcc85..7339702a2 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -1,12 +1,14 @@ apport attach_disconnected,complain apport-checkreports complain apport-gtk complain +apt_news attach_disconnected,complain apt-esm-hook complain apt-esm-json-hook complain apt-helper complain check-new-release-gtk complain do-release-upgrade complain dpkg-genbuildinfo complain +fanctl attach_disconnected,complain hwe-support-status complain list-oem-metapackages complain livepatch-notification complain @@ -18,6 +20,7 @@ software-properties-gtk complain ubuntu-advantage complain ubuntu-advantage-notification complain ubuntu-distro-info complain +ubuntu-fan-net attach_disconnected,complain ubuntu-report complain update-manager attach_disconnected,complain update-motd-fsck-at-reboot complain From 28d9d48de457eb5d2db6a065d1341386479bc27f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:39:35 +0200 Subject: [PATCH 188/798] feat(profile): small update to systemd profiles. --- apparmor.d/groups/systemd/bootctl | 27 ++++++++----------- apparmor.d/groups/systemd/homectl | 2 +- .../systemd/systemd-generator-ds-identify | 4 +-- apparmor.d/groups/systemd/systemd-logind | 2 +- .../systemd/systemd-networkd-wait-online | 2 +- apparmor.d/groups/systemd/systemd-nsresourced | 7 +++-- 6 files changed, 21 insertions(+), 23 deletions(-) diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 9508cfcf2..f7d001c70 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/bootctl -profile bootctl @{exec_path} flags=(attach_disconnected) { +profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -17,27 +17,22 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, - signal (send) peer=child-pager, + signal send peer=child-pager, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, @{exec_path} mr, @{pager_path} rPx -> child-pager, @{efi}/ r, - @{efi}/EFI/{,**} r, - @{efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw, - @{efi}/EFI/BOOT/BOOTX64.EFI w, - @{efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw, - @{efi}/EFI/systemd/systemd-boot*.efi w, - @{efi}/loader/.#bootctlrandom-seed@{hex} rw, - @{efi}/loader/.#entries.srel* w, - @{efi}/loader/{,**} r, - @{efi}/loader/entries.srel w, - @{efi}/loader/random-seed w, - - /etc/kernel/entry-token r, + @{efi}/@{hex32}/ rw, + @{efi}/EFI/{,**} rwl, + @{efi}/loader/ rw, + @{efi}/loader/** rwl -> @{efi}/loader/#@{int}, + + /etc/kernel/.#entry-token@{hex16} rw, + /etc/kernel/entry-token rw, /etc/machine-id r, /etc/machine-info r, @@ -63,7 +58,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, - @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/groups/systemd/homectl b/apparmor.d/groups/systemd/homectl index 3a78c531e..3c962e309 100644 --- a/apparmor.d/groups/systemd/homectl +++ b/apparmor.d/groups/systemd/homectl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homectl -profile homectl @{exec_path} { +profile homectl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index 346e7d94e..ba6141d86 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -12,16 +12,16 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { include include - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @{sh_path} rix, - @{sbin}/blkid rPx, @{bin}/grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, + @{sbin}/blkid rPx, /etc/cloud/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 39192e7e1..b1869b16b 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -30,7 +30,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { mqueue getattr type=posix /, mqueue r type=posix /, - unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system, + unix bind type=stream addr=@@{udbus}/bus/systemd-logind/system, #aa:dbus own bus=system name=org.freedesktop.login1 diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index 0d5e40730..c36b5af39 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-networkd-wait-online -profile systemd-networkd-wait-online @{exec_path} flags=(complain) { +profile systemd-networkd-wait-online @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced index d1beae428..97dcb3b05 100644 --- a/apparmor.d/groups/systemd/systemd-nsresourced +++ b/apparmor.d/groups/systemd/systemd-nsresourced @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-nsresourced -profile systemd-nsresourced @{exec_path} { +profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) { include include @@ -19,7 +19,7 @@ profile systemd-nsresourced @{exec_path} { @{exec_path} mr, - @{lib}/systemd/systemd-nsresourcework Px -> systemd-nsresourced//&systemd-nsresourcework, + @{lib}/systemd/systemd-nsresourcework ix, # no new privs @{run}/systemd/nsresource/ rw, @{run}/systemd/nsresource/** rw, @@ -32,6 +32,9 @@ profile systemd-nsresourced @{exec_path} { @{sys}/kernel/btf/vmlinux r, @{sys}/kernel/security/lsm r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + include if exists } From 581a55c7269cccd518baf9f65c5078edecaffcb4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:40:49 +0200 Subject: [PATCH 189/798] feat(profile): update systemd-homework/homed as they get stacked. --- apparmor.d/groups/systemd/systemd-homed | 20 ++++++-- apparmor.d/groups/systemd/systemd-homework | 58 +++++++++++++++++++++- 2 files changed, 73 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index a89cd90f8..c53be3a35 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -14,6 +14,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { include include + userns, + capability chown, capability dac_override, capability dac_read_search, @@ -24,6 +26,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { capability setpcap, capability setuid, capability sys_admin, + capability sys_ptrace, capability sys_resource, network inet dgram, @@ -32,16 +35,24 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, - mount options=(rw, rslave) -> @{run}/, - mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/, + mount -> @{run}/systemd/user-home-mount/, + mount options=(rw private) -> @{run}/systemd/user-home-mount/, + mount options=(rw rslave) -> @{run}/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system, #aa:dbus own bus=system name=org.freedesktop.home1 + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd @{exec_path} mr, - @{lib}/systemd/systemd-homework rPx -> systemd-homed//&systemd-homework, + @{lib}/systemd/systemd-homework rPx -> &systemd-homework, @{sbin}/mkfs.btrfs rPx, @{sbin}/mkfs.fat rPx, @{sbin}/mke2fs rPx, @@ -74,9 +85,12 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, @{PROC}/pressure/* r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/uid_map w, /dev/loop-control rwk, diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index f0fe98a16..b81c196f8 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework @@ -7,14 +7,68 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-homework -profile systemd-homework @{exec_path} { +profile systemd-homework @{exec_path} flags=(attach_disconnected) { include - include include + include + include + + userns, + + capability chown, + capability fowner, + capability fsetid, + capability setfcap, + capability setgid, + capability setuid, + capability sys_admin, + capability sys_resource, + + network netlink raw, + + mount options=(rw rslave) -> @{run}/, + mount -> @{run}/systemd/user-home-mount/, + + umount @{run}/systemd/user-home-mount/, + + signal (send receive) set=kill peer=systemd-homed//&systemd-homework, + + ptrace read peer=systemd-homed//&systemd-homework, @{exec_path} mr, + @{sbin}/mkfs.btrfs rPx, + @{sbin}/mkfs.fat rPx, + @{sbin}/mke2fs rPx, + /etc/machine-id r, + /etc/skel/{,**} r, + + /var/cache/systemd/home/{,**} rw, + + @{HOMEDIRS}/ r, + @{HOMEDIRS}/.#homework@{user}.* rw, + @{HOMEDIRS}/@{user}.home rw, + + @{run}/ r, + @{run}/cryptsetup/ r, + @{run}/cryptsetup/* rwk, + @{run}/systemd/user-home-mount/ rw, + @{run}/systemd/user-home-mount/@{user}/{,**} rw, + + @{sys}/fs/ r, + + @{PROC}/devices r, + @{PROC}/swaps r, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/gid_map w, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/uid_map w, + + /dev/loop-control rwk, + /dev/loop@{int} rw, + /dev/mapper/control rw, include if exists } From 9325dd5ca0cb1f37bda1d2abd90333cacb2d9958 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:43:19 +0200 Subject: [PATCH 190/798] feat(profile): revisit systemd-udevd and ensure most program get transitionned confined. --- apparmor.d/groups/systemd/systemd-udevd | 66 ++++++++++++++----------- 1 file changed, 36 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 3861056b8..9c993e0d5 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -37,44 +37,45 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{sh_path} rix, - @{coreutils_path} rix, - @{pager_path} rPx -> child-pager, - @{bin}/*-print-pci-ids rix, - @{sbin}/alsactl rPUx, - @{bin}/ddcutil rPx, - @{sbin}/dmsetup rPx, - @{sbin}/ethtool rix, - @{sbin}/issue-generator rPx, - @{sbin}/kdump-config rPUx, - @{bin}/kmod rPx, - @{bin}/logger rix, - @{bin}/ls rix, - @{sbin}/lvm rPx, - @{bin}/mknod rix, - @{sbin}/multipath rPx, - @{bin}/nfsrahead rix, - @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, - @{bin}/setfacl rix, - @{bin}/sg_inq rix, - @{bin}/snap rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-run rix, - @{bin}/unshare rix, - @{bin}/vmmouse_detect rPUx, + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/logger rix, + @{bin}/ls rix, + @{bin}/mknod rix, + @{bin}/nfsrahead rix, + @{bin}/setfacl rix, + @{bin}/sg_inq rix, + @{bin}/systemd-run rix, # TODO: rCx -> run, + @{bin}/unshare rix, + @{sbin}/ethtool rix, + + @{bin}/ddcutil rPx, + @{bin}/kmod rCx -> kmod, + @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, + @{bin}/snap rPx, + @{bin}/systemctl rCx -> systemctl, + @{bin}/vmmouse_detect rPx, + @{pager_path} rPx -> child-pager, + @{sbin}/alsactl rPx, + @{sbin}/dmsetup rPx, + @{sbin}/issue-generator rPx, + @{sbin}/kdump-config rPx, + @{sbin}/lvm rPx, + @{sbin}/multipath rPx, + @{sbin}/u-d-c-print-pci-ids rPx, @{lib}/crda/* rPUx, @{lib}/gdm-runtime-config rPx, @{lib}/nfsrahead rPUx, - @{lib}/open-iscsi/net-interface-handler rPUx, + @{lib}/open-iscsi/net-interface-handler rPx, @{lib}/pm-utils/power.d/* rPUx, @{lib}/snapd/snap-device-helper rPx, @{lib}/systemd/systemd-* rPx, @{lib}/udev/* rPUx, /usr/share/hplip/config_usb_printer.py rPUx, - /etc/console-setup/*.sh rPUx, - /etc/network/cloud-ifupdown-helper rPUx, + /etc/console-setup/*.sh rPUx, + /etc/network/cloud-ifupdown-helper rPUx, /etc/default/* r, /etc/machine-id r, @@ -120,6 +121,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { /dev/ rw, /dev/** rwk, + profile kmod flags=(attach_disconnected,complain) { + include + include + + include if exists + } + profile systemctl flags=(attach_disconnected,complain) { include include @@ -127,8 +135,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, - # / r, - include if exists } From 32a9806219898f6c5a25b7efb3a15320ff7af24a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:52:40 +0200 Subject: [PATCH 191/798] feat(fsp): update systemd user drop in files with AppArmorProfile set to the target profile. --- systemd/full/user/filter-chain.service | 2 ++ systemd/full/user/pipewire-media-session.service | 5 ----- systemd/full/user/pipewire-pulse.service | 2 ++ systemd/full/user/pipewire.service | 2 ++ systemd/full/user/wireplumber.service | 2 ++ systemd/full/user/wireplumber@.service | 2 ++ 6 files changed, 10 insertions(+), 5 deletions(-) create mode 100644 systemd/full/user/filter-chain.service delete mode 100644 systemd/full/user/pipewire-media-session.service create mode 100644 systemd/full/user/pipewire-pulse.service create mode 100644 systemd/full/user/pipewire.service create mode 100644 systemd/full/user/wireplumber.service create mode 100644 systemd/full/user/wireplumber@.service diff --git a/systemd/full/user/filter-chain.service b/systemd/full/user/filter-chain.service new file mode 100644 index 000000000..4dd212f51 --- /dev/null +++ b/systemd/full/user/filter-chain.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire \ No newline at end of file diff --git a/systemd/full/user/pipewire-media-session.service b/systemd/full/user/pipewire-media-session.service deleted file mode 100644 index c392e82fe..000000000 --- a/systemd/full/user/pipewire-media-session.service +++ /dev/null @@ -1,5 +0,0 @@ -[Service] -NoNewPrivileges=no -MemoryDenyWriteExecute=no -LockPersonality=no -RestrictNamespaces=no diff --git a/systemd/full/user/pipewire-pulse.service b/systemd/full/user/pipewire-pulse.service new file mode 100644 index 000000000..1d35a493e --- /dev/null +++ b/systemd/full/user/pipewire-pulse.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire-pulse \ No newline at end of file diff --git a/systemd/full/user/pipewire.service b/systemd/full/user/pipewire.service new file mode 100644 index 000000000..4dd212f51 --- /dev/null +++ b/systemd/full/user/pipewire.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&pipewire \ No newline at end of file diff --git a/systemd/full/user/wireplumber.service b/systemd/full/user/wireplumber.service new file mode 100644 index 000000000..c47175f40 --- /dev/null +++ b/systemd/full/user/wireplumber.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&wireplumber \ No newline at end of file diff --git a/systemd/full/user/wireplumber@.service b/systemd/full/user/wireplumber@.service new file mode 100644 index 000000000..c47175f40 --- /dev/null +++ b/systemd/full/user/wireplumber@.service @@ -0,0 +1,2 @@ +[Service] +AppArmorProfile=&wireplumber \ No newline at end of file From 60b91279162036a7d1a55df72d40977387fe1336 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 May 2025 23:53:47 +0200 Subject: [PATCH 192/798] feat(profile): update pipewire profiles. --- apparmor.d/groups/freedesktop/pipewire-pulse | 8 +++++++- apparmor.d/groups/freedesktop/pulseaudio | 6 +++--- apparmor.d/groups/freedesktop/wireplumber | 4 ++++ 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index 530fa97db..fddbe02f7 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -11,15 +11,18 @@ include profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include + include + include include capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @{bin}/pactl rix, + @{bin}/pipewire mr, /usr/share/pipewire/{,**} r, @@ -38,6 +41,9 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/module/apparmor/parameters/enabled r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index fab642571..05e4c3ec2 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -82,9 +82,9 @@ profile pulseaudio @{exec_path} { owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{desktop_config_dirs}/dconf/user r, - owner @{desktop_config_dirs}/pulse/{,**} rw, - owner @{desktop_config_dirs}/pulse/cookie k, + owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_config_dirs}/pulse/{,**} rw, + owner @{desktop_config_dirs}/pulse/cookie k, owner @{HOME}/.pulse/{,**} rw, owner @{user_config_dirs}/ w, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index aa6928298..0925bad91 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -75,6 +75,10 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/1/cgroup r, + @{PROC}/1/cmdline r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, From d9cfef3e5d5a0bc035383e82d4cc69a9a25c0435 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:03:11 +0200 Subject: [PATCH 193/798] refractor(profile): move systemd generators to their own group --- .../{systemd => systemd-generators}/systemd-generator-bless-boot | 0 .../{systemd => systemd-generators}/systemd-generator-cloud-init | 0 .../{systemd => systemd-generators}/systemd-generator-cryptsetup | 0 .../{systemd => systemd-generators}/systemd-generator-debug | 0 .../{systemd => systemd-generators}/systemd-generator-ds-identify | 0 .../systemd-generator-environment-arch | 0 .../systemd-generator-environment-flatpak | 0 .../systemd-generator-friendly-recovery | 0 .../{systemd => systemd-generators}/systemd-generator-fstab | 0 .../{systemd => systemd-generators}/systemd-generator-getty | 0 .../{systemd => systemd-generators}/systemd-generator-gpt-auto | 0 .../systemd-generator-hibernate-resume | 0 .../systemd-generator-integritysetup | 0 .../{systemd => systemd-generators}/systemd-generator-ostree | 0 .../{systemd => systemd-generators}/systemd-generator-rc-local | 0 .../groups/{systemd => systemd-generators}/systemd-generator-run | 0 .../{systemd => systemd-generators}/systemd-generator-snapd | 0 .../{systemd => systemd-generators}/systemd-generator-sshd-socket | 0 .../systemd-generator-system-update | 0 .../groups/{systemd => systemd-generators}/systemd-generator-sysv | 0 .../systemd-generator-user-autostart | 0 .../systemd-generator-user-environment | 0 .../{systemd => systemd-generators}/systemd-generator-veritysetup | 0 23 files changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-bless-boot (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-cloud-init (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-cryptsetup (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-debug (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-ds-identify (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-environment-arch (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-environment-flatpak (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-friendly-recovery (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-fstab (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-getty (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-gpt-auto (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-hibernate-resume (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-integritysetup (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-ostree (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-rc-local (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-run (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-snapd (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-sshd-socket (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-system-update (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-sysv (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-user-autostart (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-user-environment (100%) rename apparmor.d/groups/{systemd => systemd-generators}/systemd-generator-veritysetup (100%) diff --git a/apparmor.d/groups/systemd/systemd-generator-bless-boot b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-bless-boot rename to apparmor.d/groups/systemd-generators/systemd-generator-bless-boot diff --git a/apparmor.d/groups/systemd/systemd-generator-cloud-init b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-cloud-init rename to apparmor.d/groups/systemd-generators/systemd-generator-cloud-init diff --git a/apparmor.d/groups/systemd/systemd-generator-cryptsetup b/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-cryptsetup rename to apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup diff --git a/apparmor.d/groups/systemd/systemd-generator-debug b/apparmor.d/groups/systemd-generators/systemd-generator-debug similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-debug rename to apparmor.d/groups/systemd-generators/systemd-generator-debug diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-ds-identify rename to apparmor.d/groups/systemd-generators/systemd-generator-ds-identify diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-arch b/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-environment-arch rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-arch diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-environment-flatpak rename to apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak diff --git a/apparmor.d/groups/systemd/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-friendly-recovery rename to apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-fstab rename to apparmor.d/groups/systemd-generators/systemd-generator-fstab diff --git a/apparmor.d/groups/systemd/systemd-generator-getty b/apparmor.d/groups/systemd-generators/systemd-generator-getty similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-getty rename to apparmor.d/groups/systemd-generators/systemd-generator-getty diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-gpt-auto rename to apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto diff --git a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-hibernate-resume rename to apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume diff --git a/apparmor.d/groups/systemd/systemd-generator-integritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-integritysetup rename to apparmor.d/groups/systemd-generators/systemd-generator-integritysetup diff --git a/apparmor.d/groups/systemd/systemd-generator-ostree b/apparmor.d/groups/systemd-generators/systemd-generator-ostree similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-ostree rename to apparmor.d/groups/systemd-generators/systemd-generator-ostree diff --git a/apparmor.d/groups/systemd/systemd-generator-rc-local b/apparmor.d/groups/systemd-generators/systemd-generator-rc-local similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-rc-local rename to apparmor.d/groups/systemd-generators/systemd-generator-rc-local diff --git a/apparmor.d/groups/systemd/systemd-generator-run b/apparmor.d/groups/systemd-generators/systemd-generator-run similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-run rename to apparmor.d/groups/systemd-generators/systemd-generator-run diff --git a/apparmor.d/groups/systemd/systemd-generator-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-snapd similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-snapd rename to apparmor.d/groups/systemd-generators/systemd-generator-snapd diff --git a/apparmor.d/groups/systemd/systemd-generator-sshd-socket b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-sshd-socket rename to apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket diff --git a/apparmor.d/groups/systemd/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-system-update rename to apparmor.d/groups/systemd-generators/systemd-generator-system-update diff --git a/apparmor.d/groups/systemd/systemd-generator-sysv b/apparmor.d/groups/systemd-generators/systemd-generator-sysv similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-sysv rename to apparmor.d/groups/systemd-generators/systemd-generator-sysv diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-user-autostart rename to apparmor.d/groups/systemd-generators/systemd-generator-user-autostart diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-user-environment rename to apparmor.d/groups/systemd-generators/systemd-generator-user-environment diff --git a/apparmor.d/groups/systemd/systemd-generator-veritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup similarity index 100% rename from apparmor.d/groups/systemd/systemd-generator-veritysetup rename to apparmor.d/groups/systemd-generators/systemd-generator-veritysetup From 3d76c98c4b65355203da9ffc4d1693b174d79163 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:05:34 +0200 Subject: [PATCH 194/798] feat(profile): add more systemd-generator profiles. --- .../systemd-generator-environment-snapd | 18 +++++++ .../systemd-generator-import | 31 ++++++++++++ .../systemd-generator-openvpn | 27 +++++++++++ .../systemd-generators/systemd-generator-ssh | 48 +++++++++++++++++++ .../systemd-generators/systemd-generator-tpm2 | 30 ++++++++++++ dists/flags/main.flags | 9 +++- 6 files changed, 161 insertions(+), 2 deletions(-) create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-import create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-openvpn create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-ssh create mode 100644 apparmor.d/groups/systemd-generators/systemd-generator-tpm2 diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd new file mode 100644 index 000000000..b18bd6bd5 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-environment-generators/snapd-env-generator +profile systemd-generator-environment-snapd @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import new file mode 100644 index 000000000..36ff4e5ff --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-import @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-import-generator +profile systemd-generator-import @{exec_path} flags=(attach_disconnected) { + include + + capability sys_ptrace, + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + / r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn new file mode 100644 index 000000000..780c63d56 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/openvpn-generator +profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) { + include + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/ls ix, + @{bin}/mkdir ix, + + /etc/default/openvpn r, + /etc/openvpn/ r, + + @{run}/systemd/generator/openvpn.service.wants/{,**} w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh new file mode 100644 index 000000000..efb56468e --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-ssh-generator +profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { + include + + capability net_admin, + + network vsock stream, + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{sbin}/sshd r, + + @{run}/ r, + @{run}/systemd/ r, + @{run}/systemd/generator/ r, + @{run}/systemd/generator/sockets.target.wants/ rw, + @{run}/systemd/generator/sockets.target.wants/*.socket w, + @{run}/systemd/generator/sshd-*.service w, + @{run}/systemd/generator/sshd-*.socket rw, + @{run}/systemd/system/ r, + @{run}/systemd/transient/ r, + + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + /dev/vsock r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 new file mode 100644 index 000000000..4d601d0f9 --- /dev/null +++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/system-generators/systemd-tpm2-generator +profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { + include + + ptrace read peer=@{p_systemd}, + + @{exec_path} mr, + + @{sys}/class/tpmrm/ r, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + + /dev/kmsg w, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2736540a8..6a030fe63 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -329,19 +329,24 @@ systemd-generator-debug attach_disconnected,complain systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain +systemd-generator-environment-snapd attach_disconnected,complain systemd-generator-friendly-recover attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain systemd-generator-hibernate-resume attach_disconnected,complain +systemd-generator-import attach_disconnected,complain systemd-generator-integritysetup attach_disconnected,complain +systemd-generator-openvpn attach_disconnected,complain systemd-generator-ostree attach_disconnected,complain systemd-generator-rc-local attach_disconnected,complain systemd-generator-run attach_disconnected,complain systemd-generator-snapd attach_disconnected,complain +systemd-generator-ssh attach_disconnected,complain systemd-generator-sshd-socket attach_disconnected,complain systemd-generator-system-update attach_disconnected,complain systemd-generator-sysv attach_disconnected,complain +systemd-generator-tpm2 attach_disconnected,complain systemd-generator-user-autostart attach_disconnected,complain systemd-generator-user-environment attach_disconnected,complain systemd-generator-veritysetup attach_disconnected,complain @@ -350,8 +355,8 @@ systemd-homework complain systemd-inhibit attach_disconnected,complain systemd-journald attach_disconnected,mediate_deleted systemd-mount complain -systemd-network-generator complain -systemd-nsresourced complain +systemd-network-generator attach_disconnected,complain +systemd-nsresourced attach_disconnected,complain systemd-nsresourcework complain systemd-portabled complain systemd-resolve complain From 89a17146103cadf12e83543d1f5cc3504fcca2b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:14:54 +0200 Subject: [PATCH 195/798] fix(profile): a few linting fixes. --- apparmor.d/groups/_full/sd | 4 ++-- apparmor.d/groups/_full/sd-mount | 2 +- apparmor.d/groups/_full/sdu | 2 +- apparmor.d/groups/ubuntu/fanctl | 2 +- apparmor.d/groups/ubuntu/update-notifier-crash | 2 +- apparmor.d/profiles-s-z/wsdd | 2 +- tests/sbin.list | 1 - 7 files changed, 7 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 974bc3544..106e36817 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -131,10 +131,10 @@ profile sd flags=(attach_disconnected,mediate_deleted) { @{bin}/true ix, # Required due to stacked profiles - @{bin}/grpck ix, + @{sbin}/grpck ix, @{bin}/gzip ix, @{bin}/install ix, - @{bin}/pwck ix, + @{sbin}/pwck ix, @{bin}/readlink ix, @{lib}/colord-sane ix, @{lib}/systemd/systemd-nsresourcework ix, diff --git a/apparmor.d/groups/_full/sd-mount b/apparmor.d/groups/_full/sd-mount index 7f7dede60..1572a8f6d 100644 --- a/apparmor.d/groups/_full/sd-mount +++ b/apparmor.d/groups/_full/sd-mount @@ -36,7 +36,7 @@ profile sd-mount flags=(complain) { mount fstype=mqueue options=(rw nodev noexec nosuid) -> /dev/mqueue/, mount fstype=squashfs options=(ro nodev) /dev/loop@{int} -> /snap/*/@{int}/, mount fstype=tmpfs options=(rw nodev noexec nosuid) tmpfs -> @{run}/lock/, - mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, + mount fstype=tmpfs options=(rw nodev nosuid strictatime) tmpfs -> /tmp/, mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/, mount options=(rw move) -> @{efi}, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 5ceb669f0..411a8c3ad 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -98,7 +98,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { profile shell flags=(attach_disconnected,mediate_deleted,complain) { include - + @{sh_path} mr, @{bin}/systemctl Px -> sdu//systemctl, diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl index ef278da63..deee33daf 100644 --- a/apparmor.d/groups/ubuntu/fanctl +++ b/apparmor.d/groups/ubuntu/fanctl @@ -19,7 +19,7 @@ profile fanctl @{exec_path} flags=(attach_disconnected) { @{bin}/id ix, @{bin}/touch ix, @{bin}/mkdir ix, - @{bin}/ip ix, + @{sbin}/ip ix, @{bin}/sed ix, /etc/network/fan r, diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index 3ad03eb05..dee094aa1 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -19,7 +19,7 @@ profile update-notifier-crash @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 7aa812f79..20575b2a8 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/wsdd +@{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 805ab8bf1..676bc4d56 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -1016,7 +1016,6 @@ wpa_supplicant wqlat-bpfcc writeback.bt wrmsr -wsdd xfs_admin xfs_bmap xfs_copy From e771ef77b8c9343f29a07c32c7d3955620a12169 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 00:18:39 +0200 Subject: [PATCH 196/798] tests(packer): update base images content. --- .../cloud-init/archlinux-gnome.user-data.yml | 35 +-------- tests/cloud-init/archlinux-kde.user-data.yml | 37 +--------- tests/cloud-init/archlinux.yml | 72 ++++++++++++++++--- tests/cloud-init/debian.yml | 32 +++++++++ tests/cloud-init/debian13-gnome.user-data.yml | 9 +++ tests/cloud-init/ubuntu.yml | 39 +++++++++- 6 files changed, 145 insertions(+), 79 deletions(-) create mode 100644 tests/cloud-init/debian13-gnome.user-data.yml diff --git a/tests/cloud-init/archlinux-gnome.user-data.yml b/tests/cloud-init/archlinux-gnome.user-data.yml index c292993c1..d33f685b6 100644 --- a/tests/cloud-init/archlinux-gnome.user-data.yml +++ b/tests/cloud-init/archlinux-gnome.user-data.yml @@ -1,39 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - gnome - - gnome-extra - - seahorse - - alacarte +packages: *gnome-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux-kde.user-data.yml b/tests/cloud-init/archlinux-kde.user-data.yml index c89b3a25c..cb4c4d3b0 100644 --- a/tests/cloud-init/archlinux-kde.user-data.yml +++ b/tests/cloud-init/archlinux-kde.user-data.yml @@ -1,41 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - plasma-meta - - sddm - - ark - - dolphin - - konsole - - okular +packages: *kde-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml index d860f1a1e..5299efda0 100644 --- a/tests/cloud-init/archlinux.yml +++ b/tests/cloud-init/archlinux.yml @@ -1,37 +1,93 @@ #cloud-config -# Core packages for Archlinux core-packages: &core-packages - # Install core packages - apparmor - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 - qemu-guest-agent - rng-tools - spice-vdagent + - vim + - wget - # Install usefull core packages +gnome-packages: &gnome-packages + # Core packages for Archlinux + - apparmor + - base-devel - bash-completion + - docker - git - htop + - just - man - pass - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent - vim - wget -# Core desktop packages for Archlinux -desktop-packages: &desktop-packages - # Install basic services + # Desktop packages for Archlinux - networkmanager - cups - cups-pdf - system-config-printer - - # Install Applications + - chromium - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - alacarte + - gnome + - gnome-extra + - ptyxis + - seahorse + +kde-packages: &kde-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer - chromium + - firefox + - spice-vdagent - terminator + # Install Graphical Interface + - plasma-meta + - sddm + - ark + - dolphin + - konsole + - okular + # Enable AppArmor in kernel parameters grub-enable-apparmor: &grub-enable-apparmor path: /etc/default/grub diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml index cead162a4..ea3012ad2 100644 --- a/tests/cloud-init/debian.yml +++ b/tests/cloud-init/debian.yml @@ -3,45 +3,77 @@ # Core packages for Debian core-packages: &core-packages - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim gnome-packages: &desktop-packages # Core packages for Debian - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Gnome packages for Debian - spice-vdagent - task-gnome-desktop - terminator + - loupe + - ptyxis kde-packages: &kubuntu-packages # Core packages for Debian - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # KDE packages for Debian diff --git a/tests/cloud-init/debian13-gnome.user-data.yml b/tests/cloud-init/debian13-gnome.user-data.yml new file mode 100644 index 000000000..0d5adfe17 --- /dev/null +++ b/tests/cloud-init/debian13-gnome.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *gnome-packages + +runcmd: *debian13-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml index ba640e3af..14db33251 100644 --- a/tests/cloud-init/ubuntu.yml +++ b/tests/cloud-init/ubuntu.yml @@ -1,50 +1,81 @@ #cloud-config -# Core packages for Ubuntu core-packages: &core-packages - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim desktop-packages: &desktop-packages # Core packages for Ubuntu - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Desktop packages for Ubuntu - spice-vdagent - terminator - ubuntu-desktop + - loupe + - ptyxis kubuntu-packages: &kubuntu-packages # Core packages for Ubuntu - apparmor-profiles + - apparmor-utils - auditd - build-essential - config-package-dev - debhelper - devscripts + - docker.io - golang-go - htop + - just + - libpam-apparmor + - lintian - qemu-guest-agent - rsync + - systemd-container + - systemd-coredump + - systemd-homed + - systemd-oomd + - unattended-upgrades - vim # Desktop packages for Ubuntu @@ -74,3 +105,9 @@ desktop-runcmd: &desktop-runcmd # Finally, remove things only installed as dependencies of other things # we have already removed. - apt-get -y autoremove + + # Ensure systemd-networkd is disabled + - systemctl disable systemd-networkd-wait-online.service + + # Ensure auditd is enabled + - systemctl enable systemd-journald-audit.socket From d9e6e686e0186d94fab9a9fdecc7d2c48255d3d7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 May 2025 01:44:09 +0200 Subject: [PATCH 197/798] build: ignore all rule in abi3. --- pkg/prebuild/builder/abi.go | 1 + 1 file changed, 1 insertion(+) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 818edbb76..5fba837d5 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -14,6 +14,7 @@ var ( `abi/4.0`, `abi/3.0`, ` userns,`, ` # userns,`, ` mqueue`, ` # mqueue`, + ` all`, ` # all`, }) ) From 2282128cbddc1017740071b8058c54bf7868e90c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:43:57 +0200 Subject: [PATCH 198/798] feat(fsp): setup RBAC mapping in auth enabled profiles. --- apparmor.d/groups/ssh/sshd | 15 ++++++++------- apparmor.d/groups/utils/chfn | 1 + apparmor.d/groups/utils/chsh | 1 + apparmor.d/groups/utils/login | 3 ++- apparmor.d/groups/utils/su | 5 +++-- apparmor.d/mappings/sudo/base | 30 ++++++++++++++++++++++++++++++ 6 files changed, 45 insertions(+), 10 deletions(-) create mode 100644 apparmor.d/mappings/sudo/base diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 4b99aafd6..cc12a9eec 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -25,6 +25,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, @@ -60,13 +61,13 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/@{shells} rUx, - @{bin}/false rix, - @{sbin}/nologin rPx, - @{bin}/passwd rPx, - @{lib}/{openssh,ssh}/sftp-server rPx, - @{lib}/{openssh,ssh}/sshd-auth rPx, - @{lib}/{openssh,ssh}/sshd-session rix, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/false ix, + @{sbin}/nologin Px, + @{bin}/passwd Px, + @{lib}/{openssh,ssh}/sftp-server Px, + @{lib}/{openssh,ssh}/sshd-auth Px, + @{lib}/{openssh,ssh}/sshd-session ix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/utils/chfn b/apparmor.d/groups/utils/chfn index 45b50c7ad..824d92bf4 100644 --- a/apparmor.d/groups/utils/chfn +++ b/apparmor.d/groups/utils/chfn @@ -15,6 +15,7 @@ profile chfn @{exec_path} { include include include + include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index e3581be31..a630a7733 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -15,6 +15,7 @@ profile chsh @{exec_path} { include include include + include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index 6227f4fc5..c35001498 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -14,6 +14,7 @@ profile login @{exec_path} flags=(attach_disconnected) { include include include + include #aa:only RBAC capability audit_write, capability chown, @@ -38,7 +39,7 @@ profile login @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{shells_path} rUx, + @{shells_path} Ux, #aa:exclude RBAC @{etc_ro}/environment r, @{etc_ro}/security/group.conf r, diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 81e299d23..c4e83ddfa 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -12,6 +12,7 @@ profile su @{exec_path} { include include include + include #aa:only RBAC capability chown, # pseudo-terminal @@ -21,8 +22,8 @@ profile su @{exec_path} { @{exec_path} mr, - @{bin}/@{shells} rUx, - @{sbin}/nologin rPx, + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{sbin}/nologin Px, @{etc_ro}/default/su r, /etc/default/locale r, diff --git a/apparmor.d/mappings/sudo/base b/apparmor.d/mappings/sudo/base new file mode 100644 index 000000000..95e395501 --- /dev/null +++ b/apparmor.d/mappings/sudo/base @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# It is used by su/sudo to run pre login scripts (as root) such as the motd. +# After the login, Apparmor libpam will transition to the roles defined in +# other files under + + @{shells_path} rCx -> shell, + + profile shell flags=(attach_disconnected) { + include + include + include + + @{shells_path} rix, + @{bin}/env rix, + @{bin}/run-parts rix, #aa:only apt + + #aa:only apt + /etc/update-motd.d/ r, + /etc/update-motd.d/* rPx, + /usr/share/landscape/landscape-sysinfo.wrapper rPx, + + @{run}/motd.dynamic.new rw, #aa:only apt + + include if exists + } + +# vim:syntax=apparmor From 6c6e1c3456fce34164cf54189dc23080db02b54c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:49:16 +0200 Subject: [PATCH 199/798] feat(profile): minor fsp related improvment. --- apparmor.d/groups/freedesktop/colord | 5 +++-- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/network/tailscaled | 2 +- .../groups/systemd-service/snapd.system-shutdown.service | 6 +++--- apparmor.d/groups/ubuntu/fanctl | 2 +- apparmor.d/profiles-g-l/ischroot | 2 +- 6 files changed, 10 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 031ba0605..ee2cdf42e 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -23,6 +23,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.ColorManager @{exec_path} mrix, + @{lib}/colord-sane ix, /etc/machine-id r, /etc/sane.d/{,**} r, @@ -44,8 +45,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/ r, owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - @{att}/@{desktop_share_dirs}/icc/edid-*.icc r, - @{att}/@{user_share_dirs}/icc/edid-*.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index c4c24efc9..de8643100 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -56,7 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/umount rPx, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/zfs rPx, @{bin}/zpool rPx, /etc/grub.d/{,**} rix, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index fa6cd8ddd..bb877ec1a 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -31,7 +31,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { ptrace (read), - #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" @{exec_path} mr, diff --git a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service index e8939006e..ce819a791 100644 --- a/apparmor.d/groups/systemd-service/snapd.system-shutdown.service +++ b/apparmor.d/groups/systemd-service/snapd.system-shutdown.service @@ -13,9 +13,9 @@ include profile snapd.system-shutdown.service { include - audit @{bin}/cp ix, - audit @{bin}/mkdir ix, - audit @{bin}/mount ix, + @{bin}/cp ix, + @{bin}/mkdir ix, + @{bin}/mount ix, @{lib}/snapd/system-shutdown r, diff --git a/apparmor.d/groups/ubuntu/fanctl b/apparmor.d/groups/ubuntu/fanctl index deee33daf..ef278da63 100644 --- a/apparmor.d/groups/ubuntu/fanctl +++ b/apparmor.d/groups/ubuntu/fanctl @@ -19,7 +19,7 @@ profile fanctl @{exec_path} flags=(attach_disconnected) { @{bin}/id ix, @{bin}/touch ix, @{bin}/mkdir ix, - @{sbin}/ip ix, + @{bin}/ip ix, @{bin}/sed ix, /etc/network/fan r, diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot index c5b848bab..4e087343a 100644 --- a/apparmor.d/profiles-g-l/ischroot +++ b/apparmor.d/profiles-g-l/ischroot @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/ischroot -profile ischroot @{exec_path} { +profile ischroot @{exec_path} flags=(attach_disconnected) { include include From d76bc0b3be0cd9452083ed253d9cb46def7a5541 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:50:20 +0200 Subject: [PATCH 200/798] feat(profile): add initial profile for systemd-initctl. --- apparmor.d/groups/systemd/systemd-initctl | 27 +++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 28 insertions(+) create mode 100644 apparmor.d/groups/systemd/systemd-initctl diff --git a/apparmor.d/groups/systemd/systemd-initctl b/apparmor.d/groups/systemd/systemd-initctl new file mode 100644 index 000000000..05f32a7f6 --- /dev/null +++ b/apparmor.d/groups/systemd/systemd-initctl @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/systemd/systemd-initctl +profile systemd-initctl @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability net_admin, + + unix type=stream addr=@@{udbus}/bus/systemd-initctl/, + + @{exec_path} mr, + + @{run}/initctl rw, + @{run}/systemd/notify rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6a030fe63..e73dd4cd5 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -353,6 +353,7 @@ systemd-generator-veritysetup attach_disconnected,complain systemd-homed attach_disconnected,complain systemd-homework complain systemd-inhibit attach_disconnected,complain +systemd-initctl attach_disconnected,complain systemd-journald attach_disconnected,mediate_deleted systemd-mount complain systemd-network-generator attach_disconnected,complain From af82a9caa6358a64d0037761a40e286d6018f283 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 31 May 2025 13:52:42 +0200 Subject: [PATCH 201/798] feat(profile): add profiles for whoopsie. --- apparmor.d/profiles-s-z/whoopsie | 31 ++++++++++++++++++ apparmor.d/profiles-s-z/whoopsie-preferences | 34 ++++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 67 insertions(+) create mode 100644 apparmor.d/profiles-s-z/whoopsie create mode 100644 apparmor.d/profiles-s-z/whoopsie-preferences diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie new file mode 100644 index 000000000..16a0e5a5e --- /dev/null +++ b/apparmor.d/profiles-s-z/whoopsie @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whoopsie +profile whoopsie @{exec_path} { + include + include + + capability setgid, + capability setuid, + + @{exec_path} mr, + + /var/crash/ r, + + /var/lib/whoopsie/ rw, + /var/lib/whoopsie/whoopsie-id rw, + /var/lib/whoopsie/whoopsie-id.@{rand6} rw, + + owner @{run}/lock/whoopsie/ rw, + owner @{run}/lock/whoopsie/lock rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/whoopsie-preferences b/apparmor.d/profiles-s-z/whoopsie-preferences new file mode 100644 index 000000000..3b720d0da --- /dev/null +++ b/apparmor.d/profiles-s-z/whoopsie-preferences @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whoopsie-preferences +profile whoopsie-preferences @{exec_path} { + include + include + include + + #aa:dbus own bus=system name=com.ubuntu.WhoopsiePreferences + + @{exec_path} mr, + + @{bin}/systemctl Cx -> systemctl, + + /etc/whoopsie w, + /etc/whoopsie.@{rand6} rw, + + profile systemctl { + include + include + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e73dd4cd5..77ea8761f 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -404,6 +404,8 @@ waybar attach_disconnected,complain wechat attach_disconnected,complain wechat-appimage attach_disconnected,complain wg-quick complain +whoopsie complain +whoopsie-preferences complain wsdd complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain From 8452eb44f18e96aa9de83c74e0902aabdcad336d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 15:48:38 +0200 Subject: [PATCH 202/798] feat(abs): minor improvement & cosmetic. --- apparmor.d/abstractions/app/kmod | 2 +- apparmor.d/abstractions/app/pager | 2 +- apparmor.d/abstractions/app/sudo | 4 +++- apparmor.d/abstractions/base.d/complete | 6 ++++-- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 2 +- apparmor.d/abstractions/consoles.d/complete | 7 +++++++ apparmor.d/abstractions/freedesktop.org.d/complete | 2 +- apparmor.d/abstractions/gnome.d/complete | 2 +- apparmor.d/abstractions/vulkan.d/complete | 1 + apparmor.d/abstractions/webkit | 2 +- apparmor.d/abstractions/zsh | 1 + 11 files changed, 22 insertions(+), 9 deletions(-) create mode 100644 apparmor.d/abstractions/consoles.d/complete diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 86bb7d78a..6c889bd60 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -7,9 +7,9 @@ include + @{bin}/kmod mr, @{sbin}/depmod mr, @{sbin}/insmod mr, - @{bin}/kmod mr, @{sbin}/lsmod mr, @{sbin}/modinfo mr, @{sbin}/modprobe mr, diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager index 3be45b4dd..1557b78ef 100644 --- a/apparmor.d/abstractions/app/pager +++ b/apparmor.d/abstractions/app/pager @@ -12,7 +12,7 @@ capability dac_override, capability dac_read_search, - signal (receive) set=(stop, cont, term, kill), + signal receive set=(stop, cont, term, kill), @{bin}/ r, @{pager_path} mrix, diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 1286b1571..1c47490cd 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -3,7 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no -# Minimal set of rules for sudo. Interactive sudo need more rules. +# Minimal set of rules for sudo. abi , @@ -24,6 +24,8 @@ network netlink raw, # PAM + unix type=stream addr=@@{udbus}/bus/sudo/system, + #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index 06b413342..ecfe09bb5 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -3,14 +3,16 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, + # Allow to receive some signals from new well-known profiles signal (receive) peer=btop, signal (receive) peer=htop, signal (receive) peer=sudo, signal (receive) peer=top, signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(cont,term) peer=@{p_systemd_user}, - signal (receive) set=(cont,term) peer=@{p_systemd}, signal (receive) set=(hup term) peer=login, signal (receive) set=(hup) peer=xinit, signal (receive) set=(term,kill) peer=gnome-shell, diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index 38e05f48c..b002d6fa4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -9,7 +9,7 @@ dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + peer=(name=org.freedesktop.Avahi), dbus send bus=system path=/ interface=org.freedesktop.Avahi.Server diff --git a/apparmor.d/abstractions/consoles.d/complete b/apparmor.d/abstractions/consoles.d/complete new file mode 100644 index 000000000..ce7bb73ba --- /dev/null +++ b/apparmor.d/abstractions/consoles.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + /dev/tty@{u8} rw, + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 4724c694a..220883c29 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -16,7 +16,7 @@ /opt/*/**.{desktop,png} r, /etc/gnome/defaults.list r, - /etc/xfce4/defaults.list r, + /etc/xfce4/defaults.list r, /var/lib/snapd/desktop/applications/{,**} r, /var/lib/snapd/desktop/icons/{,**} r, diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 71e76f9da..3dece8578 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -6,7 +6,7 @@ dbus receive bus=session interface=org.freedesktop.DBus.Introspectable - member=Introspect + member=Introspect peer=(name=@{busname}, label=gnome-shell), /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, diff --git a/apparmor.d/abstractions/vulkan.d/complete b/apparmor.d/abstractions/vulkan.d/complete index 8e5b68c08..67f83516e 100644 --- a/apparmor.d/abstractions/vulkan.d/complete +++ b/apparmor.d/abstractions/vulkan.d/complete @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only /etc/glvnd/egl_vendor.d/{,*.json} r, diff --git a/apparmor.d/abstractions/webkit b/apparmor.d/abstractions/webkit index 9481d4fec..c9a275250 100644 --- a/apparmor.d/abstractions/webkit +++ b/apparmor.d/abstractions/webkit @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Minimal set of rules for webkit UI. +# Minimal set of rules for webkit GTK UI. abi , diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index ff90849c0..02eacfb62 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -12,6 +12,7 @@ /usr/local/share/zsh/{,**} r, /usr/share/oh-my-zsh/{,**} r, + /usr/share/zsh-theme-*/{,**} r, /usr/share/zsh/{,**} r, /etc/zsh/* r, From 86202b0fbf9502671d5e053da7d55699127501c5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 15:53:37 +0200 Subject: [PATCH 203/798] feat(fsp): small fsp improvement. --- apparmor.d/groups/_full/sd | 21 ++++++++++++++++++++- apparmor.d/groups/_full/systemd | 1 + apparmor.d/groups/_full/systemd-user | 1 + apparmor.d/groups/flatpak/flatpak-app | 2 +- 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 106e36817..44b3a9b7d 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -18,7 +18,7 @@ abi , include @{exec_path} = @{bin}/systemd-executor -profile sd flags=(attach_disconnected,mediate_deleted) { +profile sd flags=(attach_disconnected,mediate_deleted,complain) { include include include @@ -42,6 +42,7 @@ profile sd flags=(attach_disconnected,mediate_deleted) { capability linux_immutable, capability mknod, capability net_admin, + capability net_bind_service, capability net_raw, capability perfmon, capability setfcap, @@ -57,6 +58,8 @@ profile sd flags=(attach_disconnected,mediate_deleted) { capability sys_tty_config, capability syslog, + network alg seqpacket, + network bluetooth, network inet dgram, network inet stream, network inet6 dgram, @@ -84,6 +87,22 @@ profile sd flags=(attach_disconnected,mediate_deleted) { umount /dev/shm/, umount @{run}/systemd/mount-rootfs/{,**}, + # mount tmpfs -> @{run}/lock/, + # mount tmpfs -> @{sys}/fs/cgroup/, + # mount cgroup -> @{sys}/fs/cgroup/systemd/, + # audit mount /dev/** -> /boot/{,efi/}, + # audit mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, + # audit mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, + + # audit remount @{run}/systemd/unit-root/{,**}, + # audit remount options=(ro noexec noatime bind) /var/snap/{,**}, + # audit remount options=(ro nosuid nodev bind) /var/, + # audit remount options=(ro nosuid nodev noexec bind) /boot/, + + # audit umount @{PROC}/sys/fs/binfmt_misc/, + # audit umount @{run}/systemd/namespace-@{rand6}/{,**}, + # audit umount @{run}/systemd/unit-root/{,**}, + pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, change_profile, diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index eec9b33d9..b7c12c6bd 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -219,6 +219,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /dev/autofs r, /dev/dri/card@{int} rw, + /dev/initctl w, /dev/input/ r, /dev/kmsg w, /dev/tty rw, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 3b0d01709..ed531c58b 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -91,6 +91,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/threads-max r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index bb824c7cb..a816e58b8 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { @{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//>k-update-icon-cache, @{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database, - @{sbin}/update-mime-database rPx -> flatpak-app//&update-mime-database, + @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database, @{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy, @{lib}/kf5/kioslave5 rPx, From eb84df319d1fb40226623307f423af8f553d9816 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 16:00:38 +0200 Subject: [PATCH 204/798] feat(profile): update gnome profiles. --- .../freedesktop/xdg-desktop-portal-gnome | 16 ++++++++-- .../groups/freedesktop/xdg-desktop-portal-gtk | 5 --- .../freedesktop/xdg-user-dirs-gtk-update | 4 +-- apparmor.d/groups/gnome/gjs-console | 7 +++-- apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-control-center | 4 +++ .../groups/gnome/gnome-extension-gsconnect | 3 +- apparmor.d/groups/gnome/gnome-session-binary | 2 ++ apparmor.d/groups/gnome/gnome-shell | 31 ++++++++++--------- apparmor.d/groups/gnome/gsd-color | 4 +-- apparmor.d/groups/gnome/gsd-xsettings | 6 +++- apparmor.d/groups/gnome/loupe | 11 ++++++- apparmor.d/groups/gnome/nautilus | 10 +++++- apparmor.d/groups/gnome/ptyxis | 2 ++ apparmor.d/groups/gnome/ptyxis-agent | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 13 ++++---- apparmor.d/groups/gvfs/gvfsd-network | 12 ++----- 17 files changed, 83 insertions(+), 50 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ac321fd07..1355aa22b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include - include + include include include include @@ -17,6 +17,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -27,8 +28,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { network unix stream, - signal (receive) set=term peer=gdm, - signal (receive) set=(hup term) peer=gdm-session-worker, + signal receive set=term peer=gdm, + signal receive set=(hup term) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal @@ -40,6 +41,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), + dbus send bus=session path=/org/gtk/Notifications + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*, label=gnome-shell), + @{exec_path} mr, / r, @@ -63,12 +69,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, + owner @{tmp}/gtkprint_ppd_@{rand6} rw, + owner @{tmp}/gtkprint@{rand6} r, + owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index b77ad03d7..fc11b0700 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -47,11 +47,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mr, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 224bc2337..641862965 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,9 +9,9 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include + include + include include - include - include include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 012ca7ee0..fdaa4e825 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -14,12 +14,13 @@ include @{exec_path} = @{bin}/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include - include + include include include include include include + include include include include @@ -28,7 +29,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { network netlink raw, - signal (receive) set=(term hup) peer=gdm*, + unix type=stream peer=(label=gnome-shell), + + signal receive set=(term hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.Notifications #aa:dbus own bus=session name=org.gnome.ScreenSaver diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 7ee0f835e..a43168866 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} { /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1007d55e2..2f9077d19 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -39,8 +39,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.bluez.obex.Agent1 #aa:dbus talk bus=session name=org.bluez.obex label=obexd + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index ee9c147b6..104d95fb3 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -65,9 +65,10 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index dc9b6812e..8b0ea6307 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -60,6 +60,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, /usr/share/gnome-session/sessions/*.session r, + /usr/share/gnome-shell/extensions/ r, /usr/share/gnome-shell/extensions/*/metadata.json r, /usr/share/gnome/autostart/{,*.desktop} r, @@ -69,6 +70,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, + owner @{gdm_config_dirs}/user-dirs.dirs r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 6c781e204..1099f254d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -56,11 +56,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink raw, network unix stream, - ptrace (read), - ptrace (readby) peer=pipewire, + ptrace read, + ptrace readby peer=pipewire, - signal (receive) set=(term, hup) peer=gdm*, - signal (send), + signal receive set=(term, hup) peer=gdm*, + signal send, unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), @@ -185,8 +185,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/gnome-shell/extensions/*/** rPUx, /opt/**/share/icons/{,**} r, - /snap/*/@{uid}/**.png r, - /usr/share/**.{png,jpg,svg} r, + /snap/*/@{uid}/**.@{image_ext} r, + /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, @@ -241,25 +241,28 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, - owner @{HOME}/.mozilla/native-messaging-hosts/ r, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw, - owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw, + owner @{HOME}/.mozilla/native-messaging-hosts/ rw, + owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, - owner @{HOME}/.var/app/**.{png,jpg,svg} r, + owner @{HOME}/.var/app/**.@{image_ext} r, owner @{HOME}/.var/app/**/ r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, - owner @{user_games_dirs}/**.{png,jpg,svg} r, - owner @{user_music_dirs}/**.{png,jpg,svg} r, + owner @{user_games_dirs}/**.@{image_ext} r, + owner @{user_music_dirs}/**.@{image_ext} r, owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/ rw, + owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{user_config_dirs}/background r, owner @{user_config_dirs}/ibus/ w, owner @{user_config_dirs}/monitors.xml{,~} rwl, owner @{user_config_dirs}/tiling-assistant/{,**} rw, owner @{user_share_dirs}/backgrounds/{,**} rw, + owner @{user_share_dirs}/dbus-1/services/ r, + owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, @@ -267,9 +270,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, + owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w, - owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw, - owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 2fe22305b..56445aeac 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -45,10 +45,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-*.icc rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw, owner @{user_share_dirs}/icc/ rw, - owner @{user_share_dirs}/icc/edid-*.icc rw, + owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, include if exists } diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 4fece3366..abf30bc40 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -17,6 +17,7 @@ profile gsd-xsettings @{exec_path} { include include include + include include include include @@ -33,16 +34,19 @@ profile gsd-xsettings @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources peer=(name=:*, label="@{p_accounts_daemon}"), @{exec_path} mr, + @{sh_path} mr, @{bin}/cat rix, @{bin}/sed rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/busctl rPx, @{bin}/pactl rPx, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 6f783627e..d89d4d6f9 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,14 +9,20 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include include + include include include include + unix type=stream peer=(label=loupe//bwrap), + signal send set=kill peer=loupe//bwrap, #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @@ -37,7 +43,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/glycin/{,**} rw, - @{run}/mount/utab r, + @{run}/mount/utab r, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -56,6 +63,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include + unix type=stream peer=(label=loupe), + signal receive set=kill peer=loupe, @{bin}/bwrap mr, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 60bbfb344..ebf975673 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -28,13 +28,21 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { mqueue r type=posix /, + unix type=stream peer=(label=gnome-shell), + #aa:dbus own bus=session name=org.freedesktop.FileManager1 #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell - #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + dbus send bus=session path=/org/gnome/Mutter/ServiceChannel + interface=org.gnome.Mutter.ServiceChannel + member=OpenWaylandServiceConnection + peer=(name=@{busname}, label=gnome-shell), dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 2f7dee368..a6f7e5b63 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -28,6 +28,8 @@ profile ptyxis @{exec_path} { owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, + owner /tmp/#@{int} w, + /dev/ptmx rw, include if exists diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 239993f21..ce60a26c3 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -24,7 +24,7 @@ profile ptyxis-agent @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cmdline r, /dev/ptmx rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index fd9b5a22d..9af8be00a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -13,14 +13,10 @@ profile gvfsd-dnssd @{exec_path} { include include include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=:*, label=gvfsd-network), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable @@ -32,6 +28,11 @@ profile gvfsd-dnssd @{exec_path} { member=Spawned peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member={MountLocation,LookupMount,RegisterMount} + peer=(name="@{busname}", label=gvfsd), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index adda9b958..cd64d81ad 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,6 +11,8 @@ include profile gvfsd-network @{exec_path} { include include + include + include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @@ -30,16 +32,6 @@ profile gvfsd-network @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label=gvfsd-dnssd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label=gnome-control-center), - @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, From 55e4b27c2b4b43488edb7b155fd3e5efd0733a18 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 16:02:20 +0200 Subject: [PATCH 205/798] feat(tunable): add the archive_path variable. --- apparmor.d/profiles-a-f/atool | 6 +++--- apparmor.d/profiles-a-f/file-roller | 14 +------------- apparmor.d/profiles-s-z/unmkinitramfs | 6 +----- apparmor.d/profiles-s-z/xarchiver | 13 +------------ apparmor.d/tunables/multiarch.d/paths | 3 +++ apparmor.d/tunables/multiarch.d/programs | 3 +++ 6 files changed, 12 insertions(+), 33 deletions(-) diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 99cb0fed6..2782aacc0 100644 --- a/apparmor.d/profiles-a-f/atool +++ b/apparmor.d/profiles-a-f/atool @@ -19,9 +19,9 @@ profile atool @{exec_path} { @{bin}/7z rix, @{bin}/arc rix, @{bin}/arj rix, + @{bin}/bzip rix, @{bin}/bzip2 rix, @{bin}/bzip2 rix, - @{bin}/bzip rix, @{bin}/compress rix, @{bin}/cpio rix, @{bin}/gunzip rix, @@ -30,16 +30,15 @@ profile atool @{exec_path} { @{bin}/jar rix, @{bin}/lha rix, @{bin}/lrunzip rix, + @{bin}/lrz rix, @{bin}/lrzcat rix, @{bin}/lrzip rix, - @{bin}/lrz rix, @{bin}/lrztar rix, @{bin}/lrzuntar rix, @{bin}/lzip rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/lzop rix, - @{lib}/p7zip/7z rix, @{bin}/rar rix, @{bin}/tar rix, @{bin}/unace rix, @@ -48,6 +47,7 @@ profile atool @{exec_path} { @{bin}/unzip rix, @{bin}/xz rix, @{bin}/zip rix, + @{lib}/p7zip/7z rix, /etc/atool.conf r, owner @{HOME}/.atoolrc r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 24610cd8c..e7bfafaac 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -26,19 +26,7 @@ profile file-roller @{exec_path} { @{bin}/rm rix, # Archivers - @{bin}/7z rix, - @{bin}/7zz rix, - @{bin}/ar rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/tar rix, - @{bin}/unrar-nonfree rix, - @{bin}/unzip rix, - @{bin}/xz rix, - @{bin}/zip rix, - @{bin}/zstd rix, - @{lib}/p7zip/7z rix, + @{archive_path} rix, # Full access to user's data @{MOUNTS}/** rw, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 6b5607ed1..3ee530970 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -18,22 +18,18 @@ profile unmkinitramfs @{exec_path} { @{exec_path} r, @{sh_path} rix, + @{archive_path} rix, @{bin}/{,e}grep rix, - @{bin}/bzip2 rix, @{bin}/cat rix, - @{bin}/cpio rix, @{bin}/dd rix, @{bin}/getopt rix, - @{bin}/gzip rix, @{bin}/lz4cat rix, @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/rm rix, - @{bin}/xz rix, @{bin}/xzcat rix, - @{bin}/zstd rix, /boot/ r, owner /boot/initrd.img-* r, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 003770008..f38a69224 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -28,18 +28,7 @@ profile xarchiver @{exec_path} { @{bin}/cp rix, # Archivers - @{bin}/7z rix, - @{lib}/p7zip/7z rix, - @{bin}/unrar-nonfree rix, - @{bin}/zip rix, - @{bin}/unzip rix, - @{bin}/tar rix, - @{bin}/xz rix, - @{bin}/bzip2 rix, - @{bin}/cpio rix, - @{bin}/gzip rix, - @{bin}/zstd rix, - # For deb packages + @{archive_path} rix, @{bin}/{,@{multiarch}-}ar rix, @{open_path} rPx -> child-open, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 059f337fd..cca544370 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -72,4 +72,7 @@ # Backup @{backup_path} = @{bin}/@{backup_names} @{lib}/deja-dup/deja-dup-monitor +# Archives +@{archive_path} = @{bin}/@{archive_names} @{lib}/p7zip/7z + # vim:syntax=apparmor diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index cddb1a7d2..a7cbaf831 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -96,4 +96,7 @@ # Backup @{backup_names} = deja-dup borg +# Archives +@{archive_names} = 7z 7zz ar bzip2 cpio gzip lzip rar tar unrar-nonfree unzip xz zip zstd + # vim:syntax=apparmor From 71a473712c15ee71fe39ce021577b052fea2528f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 23:58:02 +0200 Subject: [PATCH 206/798] tests: rewrite and expand the profile check to more files. Rewrite: Speed up the checking by not using grep anymore and only using bash, also make it parallel Revisit the way result are shown. Expand: Also scan for mapping files and abstaction completion. Adapt the scan accordingly. --- tests/check.sh | 382 +++++++++++++++++++++++++++++++++---------------- 1 file changed, 261 insertions(+), 121 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 02ae71812..25c82e3d1 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # Usage: make check @@ -8,101 +8,250 @@ set -eu -o pipefail -readonly APPARMORD="apparmor.d" -readonly HEADERS=( - "# apparmor.d - Full set of apparmor profiles" - "# Copyright (C) " - "# SPDX-License-Identifier: GPL-2.0-only" -) - -_die() { - echo -e "\033[1;31m ✗ Error: \033[0m$*" - exit 1 +RES=$(mktemp) +echo "false" >"$RES" +MAX_JOBS=$(nproc) +declare WITH_CHECK +readonly MAX_JOBS APPARMORD="apparmor.d" +readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" +_msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } +_warn() { + local type="$1" file="$2" + shift 2 + printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" +} +_err() { + local type="$1" file="$2" + shift 2 + printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" + echo "true" >"$RES" } -_ensure_header() { - local file="$1" - for header in "${HEADERS[@]}"; do - if ! grep -q "^$header" "$file"; then - _die "$file does not contain '$header'" +_in_array() { + local item needle="$1" + shift + for item in "$@"; do + if [[ "${item}" == "${needle}" ]]; then + return 0 fi done + return 1 +} + +_is_enabled() { + _in_array "$1" "${WITH_CHECK[@]}" } -_ensure_indentation() { +_wait() { + local -n job=$1 + job=$((job + 1)) + if ((job >= MAX_JOBS)); then + wait -n + job=$((job - 1)) + fi +} + +_check() { local file="$1" - local in_profile=false - local first_line_after_profile=true local line_number=0 while IFS= read -r line; do line_number=$((line_number + 1)) - if [[ "$line" =~ $'\t' ]]; then - _die "$file:$line_number: tabs are not allowed." + # Guidelines check + _check_abi + _check_include + _check_profile + _check_subprofiles + + # Style check + if [[ $line_number -lt 10 ]]; then + _check_header fi + _check_tabs + _check_trailing + _check_indentation + _check_vim + + done <"$file" - if [[ "$line" =~ ^profile ]]; then - in_profile=true - first_line_after_profile=true + # Results + _res_abi + _res_include + _res_profile + _res_subprofiles + _res_header + _res_vim +} - elif [[ "$line" =~ [[:space:]]+$ ]]; then - _die "$file:$line_number: line has trailing whitespace." +# Guidelines check: https://apparmor.pujol.io/development/guidelines/ - elif $in_profile; then - if $first_line_after_profile; then - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} - if ((num_spaces != 2)); then - _die "$file: profile must have a two-space indentation." - fi - first_line_after_profile=false - - else - local leading_spaces="${line%%[! ]*}" - local num_spaces=${#leading_spaces} - - if ((num_spaces % 2 != 0)); then - ok=false - for offset in 5 11; do - num_spaces=$((num_spaces - offset)) - if ((num_spaces < 0)); then - break - fi - if ((num_spaces % 2 == 0)); then - ok=true - break - fi - done - - if ! $ok; then - _die "$file:$line_number: invalid indentation." +RES_ABI=false +readonly ABI_SYNTAX='abi ,' +_check_abi() { + _is_enabled abi || return 0 + if [[ "$line" =~ ^' '*"$ABI_SYNTAX" ]]; then + RES_ABI=true + fi +} +_res_abi() { + _is_enabled abi || return 0 + if ! $RES_ABI; then + _err guideline "$file" "missing 'abi ,'" + fi +} + +RES_INCLUDE=false +_check_include() { + _is_enabled include || return 0 + if [[ "$line" =~ ^.*"${include}"$ ]]; then + RES_INCLUDE=true + fi +} +_res_include() { + _is_enabled include || return 0 + if ! $RES_INCLUDE; then + _err guideline "$file" "missing '$include'" + fi +} + +RES_PROFILE=false +_check_profile() { + _is_enabled profile || return 0 + if [[ "$line" =~ ^"profile $name" ]]; then + RES_PROFILE=true + fi +} +_res_profile() { + _is_enabled profile || return 0 + if ! $RES_PROFILE; then + _err guideline "$file" "missing profile name: 'profile $name'" + fi +} + +# Style check + +readonly HEADERS=( + "# apparmor.d - Full set of apparmor profiles" + "# Copyright (C) " + "# SPDX-License-Identifier: GPL-2.0-only" +) +_RES_HEADER=(false false false) +_check_header() { + _is_enabled header || return 0 + for idx in "${!HEADERS[@]}"; do + if [[ "$line" == "${HEADERS[$idx]}"* ]]; then + _RES_HEADER[idx]=true + break + fi + done +} +_res_header() { + _is_enabled header || return 0 + for idx in "${!_RES_HEADER[@]}"; do + if ${_RES_HEADER[$idx]}; then + continue + fi + _err style "$file" "missing header: '${HEADERS[$idx]}'" + done +} + +_check_tabs() { + _is_enabled tabs || return 0 + if [[ "$line" =~ $'\t' ]]; then + _err style "$file:$line_number" "tabs are not allowed" + fi +} + +_check_trailing() { + _is_enabled trailing || return 0 + if [[ "$line" =~ [[:space:]]+$ ]]; then + _err style "$file:$line_number" "line has trailing whitespace" + fi +} + +_CHECK_IN_PROFILE=false +_CHECK_FIRST_LINE_AFTER_PROFILE=true +_check_indentation() { + _is_enabled indentation || return 0 + if [[ "$line" =~ ^profile ]]; then + _CHECK_IN_PROFILE=true + _CHECK_FIRST_LINE_AFTER_PROFILE=true + + elif $_CHECK_IN_PROFILE; then + if $_CHECK_FIRST_LINE_AFTER_PROFILE; then + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + if ((num_spaces != 2)); then + _err style "$file:$line_number" "profile must have a two-space indentation" + fi + _CHECK_FIRST_LINE_AFTER_PROFILE=false + + else + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + + if ((num_spaces % 2 != 0)); then + ok=false + for offset in 5 11; do + num_spaces=$((num_spaces - offset)) + if ((num_spaces < 0)); then + break + fi + if ((num_spaces % 2 == 0)); then + ok=true + break fi + done + + if ! $ok; then + _err style "$file:$line_number" "invalid indentation" fi fi fi - done <"$file" + fi } -_ensure_include() { - local file="$1" - local include="$2" - if ! grep -q "^ *${include}$" "$file"; then - _die "$file does not contain '$include'" +_CHEK_IN_SUBPROFILE=false +declare -A _RES_SUBPROFILES +_check_subprofiles() { + _is_enabled subprofiles || return 0 + if [[ "$line" =~ ^(' ')+'profile '(.*)' {' ]]; then + indentation="${BASH_REMATCH[1]}" + subprofile="${BASH_REMATCH[2]}" + subprofile="${subprofile%% *}" + include="${indentation}include if exists " + _RES_SUBPROFILES["$subprofile"]="$name//$subprofile does not contain '$include'" + _CHEK_IN_SUBPROFILE=true + elif $_CHEK_IN_SUBPROFILE; then + if [[ "$line" == *"$include" ]]; then + _RES_SUBPROFILES["$subprofile"]=true + + fi fi } +_res_subprofiles() { + _is_enabled subprofiles || return 0 + for msg in "${_RES_SUBPROFILES[@]}"; do + if [[ $msg == true ]]; then + continue + fi + _err guideline "$file" "$msg" + done +} -_ensure_abi() { - local file="$1" - if ! grep -q "^ *abi ," "$file"; then - _die "$file does not contain 'abi ,'" +readonly VIM_SYNTAX="# vim:syntax=apparmor" +RES_VIM=false +_check_vim() { + _is_enabled vim || return 0 + if [[ "$line" =~ ^"$VIM_SYNTAX" ]]; then + RES_VIM=true fi } - -_ensure_vim() { - local file="$1" - if ! grep -q "^# vim:syntax=apparmor" "$file"; then - _die "$file does not contain '# vim:syntax=apparmor'" +_res_vim() { + _is_enabled vim || return 0 + if ! $RES_VIM; then + _err style "$file" "missing vim syntax: '$VIM_SYNTAX'" fi } @@ -117,69 +266,60 @@ check_sbin() { } check_profiles() { - echo -e "\033[1m â‹… \033[0mChecking if all profiles contain:" - echo " - apparmor.d header & license" - echo " - Check indentation: 2 spaces" - echo " - Check for trailing whitespaces" - echo " - 'abi ,'" - echo " - 'profile '" - echo " - 'include if exists '" - echo " - include if exists local for subprofiles" - echo " - vim:syntax=apparmor" - directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*") - # shellcheck disable=SC2068 - for dir in ${directories[@]}; do - for file in $(find "$dir" -maxdepth 1 -type f); do - case "$file" in */README.md) continue ;; esac + _msg "Checking profiles" + mapfile -t files < <( + find "$APPARMORD" \( -path "$APPARMORD/abstractions" -o -path "$APPARMORD/local" -o -path "$APPARMORD/tunables" -o -path "$APPARMORD/mappings" \) \ + -prune -o -type f -print + ) + jobs=0 + WITH_CHECK=(abi include profile header tabs trailing indentation subprofiles vim) + for file in "${files[@]}"; do + ( name="$(basename "$file")" name="${name/.apparmor.d/}" include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - if ! grep -q "^profile $name" "$file"; then - _die "$name does not contain 'profile $name'" - fi - mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}') - for subprofile in "${subrofiles[@]}"; do - include="include if exists " - if ! grep -q "^ *${include}$" "$file"; then - _die "$name: $name//$subprofile does not contain '$include'" - fi - done - done + _check "$file" + ) & + _wait jobs done + wait } check_abstractions() { - echo -e "\033[1m â‹… \033[0mChecking if all abstractions contain:" - echo " - apparmor.d header & license" - echo " - Check indentation: 2 spaces" - echo " - Check for trailing whitespaces" - echo " - 'abi ,'" - echo " - 'include if exists '" - echo " - vim:syntax=apparmor" - directories=( - "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/" - "$APPARMORD/abstractions/attached/" - "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/" - ) - for dir in "${directories[@]}"; do - for file in $(find "$dir" -maxdepth 1 -type f); do + _msg "Checking abstractions" + mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") + jobs=0 + WITH_CHECK=(abi include header tabs trailing indentation vim) + for file in "${files[@]}"; do + ( name="$(basename "$file")" - root="${dir/${APPARMORD}\/abstractions\//}" - include="include if exists " - _ensure_header "$file" - _ensure_indentation "$file" - _ensure_include "$file" "$include" - _ensure_abi "$file" - _ensure_vim "$file" - done + absdir="${file/${APPARMORD}\//}" + include="include if exists <${absdir}.d>" + _check "$file" + ) & + _wait jobs done + wait + + mapfile -t files < <( + find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" + find "$APPARMORD/mappings" -type f + ) + # shellcheck disable=SC2034 + jobs=0 + WITH_CHECK=(header tabs trailing indentation vim) + for file in "${files[@]}"; do + _check "$file" & + _wait jobs + done + wait } check_sbin check_profiles check_abstractions + +FAIL=$(cat "$RES") +if [[ "$FAIL" == "true" ]]; then + exit 1 +fi From fff0df39ba61e862e7d62897b0126e0c2eb91835 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Jun 2025 23:59:14 +0200 Subject: [PATCH 207/798] tests: add more check for sbin path Also look for path that should not use sbin. --- tests/check.sh | 40 +++++++++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 25c82e3d1..09a2e105b 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -256,13 +256,39 @@ _res_vim() { } check_sbin() { - echo -e "\033[1m â‹… \033[0mEnsuring '@{sbin}' is used in all profiles:" - while IFS= read -r name; do - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d) - for file in "${files[@]}"; do - _die "$file contains '@{bin}/$name' instead of '@{sbin}/$name'" - done - done Date: Mon, 2 Jun 2025 20:41:20 +0200 Subject: [PATCH 208/798] test: add some security checks. --- tests/check.sh | 81 ++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 78 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 09a2e105b..59463246e 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -12,7 +12,7 @@ RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) declare WITH_CHECK -readonly MAX_JOBS APPARMORD="apparmor.d" +readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { @@ -58,6 +58,12 @@ _check() { while IFS= read -r line; do line_number=$((line_number + 1)) + # Rules checks + _check_abstractions + _check_directory_mark + _check_equivalent + _check_too_wide + # Guidelines check _check_abi _check_include @@ -84,13 +90,82 @@ _check() { _res_vim } +# Rules checks: security, compatibility and rule issues + +readonly ABS="abstractions" +readonly ABS_DANGEROUS=(dbus-session dbus-system dbus-accessibility user-tmp) +declare -A ABS_DEPRECATED=( + ["nameservice"]="nameservice-strict" + ["bash"]="shell" + ["X"]="X-strict" + ["dbus-accessibility-strict"]="bus-accessibility" + ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" + ["dbus-session-strict"]="bus-session" + ["dbus-system-strict"]="bus-system" +) +_check_abstractions() { + _is_enabled abstractions || return 0 + + local absname + for absname in "${ABS_DANGEROUS[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err security "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" + fi + done + for absname in "${!ABS_DEPRECATED[@]}"; do + if [[ "$line" == *"<$ABS/$absname>"* ]]; then + _err security "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" + fi + done +} + +readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') +_check_directory_mark() { + _is_enabled directory_mark || return 0 + for pattern in "${DIRECTORIES[@]}"; do + if [[ "$line" == *"$pattern"* ]]; then + [[ "$line" == *'='* ]] && continue + if [[ ! "$line" == *"$pattern/"* ]]; then + _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" + fi + fi + done +} + +declare -A EQUIVALENTS=( + ["awk"]="{m,g,}awk" + ["grep"]="{,e}grep" + ["which"]="which{,.debianutils}" +) +_check_equivalent() { + _is_enabled equivalent || return 0 + local prgmname + for prgmname in "${!EQUIVALENTS[@]}"; do + if [[ "$line" == *"/$prgmname"* ]]; then + if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then + _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" + fi + fi + done +} + +readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') +_check_too_wide() { + _is_enabled too_wide || return 0 + for pattern in "${TOOWIDE[@]}"; do + if [[ "$line" == *" $pattern "* ]]; then + _err security "$file:$line_number" "rule too wide: '$pattern'" + fi + done +} + # Guidelines check: https://apparmor.pujol.io/development/guidelines/ RES_ABI=false readonly ABI_SYNTAX='abi ,' _check_abi() { _is_enabled abi || return 0 - if [[ "$line" =~ ^' '*"$ABI_SYNTAX" ]]; then + if [[ "$line" == *"$ABI_SYNTAX" ]]; then RES_ABI=true fi } @@ -104,7 +179,7 @@ _res_abi() { RES_INCLUDE=false _check_include() { _is_enabled include || return 0 - if [[ "$line" =~ ^.*"${include}"$ ]]; then + if [[ "$line" == *"${include}"* ]]; then RES_INCLUDE=true fi } From c8f2a435f877367866fa811d4d897238c0d6108b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 2 Jun 2025 23:59:41 +0200 Subject: [PATCH 209/798] tests: remove symbolic link from sbin. --- tests/sbin.list | 288 +++++------------------------------------------- 1 file changed, 30 insertions(+), 258 deletions(-) diff --git a/tests/sbin.list b/tests/sbin.list index 676bc4d56..d2b5c44bc 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -21,7 +21,6 @@ acpid acpidump add-shell addgnupghome -addgroup addpart adduser agetty @@ -31,24 +30,15 @@ alsa-info.sh alsa-init alsabat-test alsactl -alternatives anacron +apache2 apparmor_parser apparmor_status applygnupgdefaults aptd argdist-bpfcc -arp arpd -arptables -arptables-nft -arptables-nft-restore -arptables-nft-save -arptables-restore -arptables-save -arptables-translate aspell-autobuildhash -atd audisp-af_unix audisp-filter audisp-syslog @@ -90,26 +80,18 @@ blockdev blogctl blogd blogger -bluetoothd bpflist-bpfcc bpftool brctl bridge -brltty brltty-setup btrfs btrfs-convert +btrfs-find-root btrfs-image -btrfsck btrfsdist-bpfcc btrfsslower-bpfcc btrfstune -cache_check -cache_dump -cache_metadata_size -cache_repair -cache_restore -cache_writeback cachestat-bpfcc cachetop-bpfcc capable-bpfcc @@ -120,7 +102,6 @@ cgdisk chat chcpu check_mail_queue -check-bios-nx checkproc chgpasswd chkstat-polkit @@ -135,7 +116,6 @@ coldreboot compactsnoop-bpfcc complain config.postfix -cpgr cppw cpudist-bpfcc cpuunclaimed-bpfcc @@ -153,17 +133,13 @@ cryptdisks_start cryptdisks_stop cryptsetup ctrlaltdel -ctstat cups-browsed cups-genppd.5.3 cups-genppdupdate cupsaccept cupsctl cupsd -cupsdisable -cupsenable cupsfilter -cupsreject dbslower-bpfcc dbstat-bpfcc dcb @@ -173,14 +149,9 @@ dcstat-bpfcc ddns-confgen deadlock-bpfcc debugfs -debugfs.reiserfs -debugreiserfs decode -defrag.f2fs -delgroup delpart deluser -depmod devlink dhcpcd dirtop-bpfcc @@ -192,7 +163,6 @@ dmfilemapd dmidecode dmraid dmsetup -dmstats dnsmasq dosfsck dosfslabel @@ -213,34 +183,37 @@ e2undo e4crypt e4defrag eapol_test -ebtables -ebtables-nft -ebtables-nft-restore -ebtables-nft-save -ebtables-restore -ebtables-save -ebtables-translate ec_access efibootdump efibootmgr enforce -era_check -era_dump -era_invalidate -era_restore ethtool eventlogadm -exec execsnoop-bpfcc execsnoop.bt exfat2img exfatlabel +exicyclog +exigrep +exim_checkaccess +exim_convert4r4 +exim_dbmbuild +exim_dumpdb +exim_fixdb +exim_id_update +exim_lock +exim_msgdate +exim_tidydb +exim4 +eximstats +exinext +exipick +exiqgrep +exiqsumm exitsnoop-bpfcc +exiwhat ext4dist-bpfcc ext4slower-bpfcc -f2fs_io -f2fscrypt -f2fslabel f2fsslower-bpfcc faillock fanatic @@ -251,7 +224,6 @@ fatresize fbtest fdformat fdisk -fibmap.f2fs filefrag filegone-bpfcc filelife-bpfcc @@ -270,7 +242,6 @@ fsck.exfat fsck.ext2 fsck.ext3 fsck.ext4 -fsck.f2fs fsck.fat fsck.minix fsck.msdos @@ -295,7 +266,6 @@ gethostlatency-bpfcc gethostlatency.bt getpcaps getsysinfo -getty getweb gnome-menus-blacklist gpart @@ -308,7 +278,6 @@ groupmod grpck grpconv grpunconv -grub-bios-setup grub-install grub-macbless grub-mkconfig @@ -328,62 +297,30 @@ grub2-reboot grub2-set-default grub2-sparc64-setup grub2-switch-to-blscfg -halt hardirqs-bpfcc -hc-ifscan hdparm hwclock hwinfo iconvconfig -ifconfig ifrename ifstat import-openSUSE-build-key -init inject-bpfcc inputattach -insmod install_acx100_firmware install_intersil_firmware install-sgmlcatalog installkernel integritysetup invoke-rc.d -ip -ip6tables -ip6tables-apply -ip6tables-legacy ip6tables-legacy-batch -ip6tables-legacy-restore -ip6tables-legacy-save -ip6tables-nft -ip6tables-nft-restore -ip6tables-nft-save -ip6tables-restore -ip6tables-restore-translate -ip6tables-save -ip6tables-translate -ipmaddr ipp-usb ippevepcl ippeveprinter ippeveps ipset -ipset-translate -iptables iptables-apply -iptables-legacy iptables-legacy-batch -iptables-legacy-restore -iptables-legacy-save -iptables-nft -iptables-nft-restore -iptables-nft-save -iptables-restore -iptables-restore-translate -iptables-save -iptables-translate -iptunnel irqbalance irqbalance-ui isadump @@ -397,8 +334,6 @@ isosize ispell-autobuildhash isserial issue-generator -iucode_tool -iucode-tool iw iwconfig iwevent @@ -427,7 +362,6 @@ killsnoop.bt klockstat-bpfcc klogd kpartx -kvm-ok kvmexit-bpfcc ldattach ldconfig @@ -449,29 +383,11 @@ lpadmin lpc lpinfo lpmove -lsmod -lspcmcia luksformat -lvchange -lvconvert -lvcreate -lvdisplay -lvextend lvm lvm_import_vdo -lvmconfig -lvmdevices -lvmdiskscan lvmdump lvmpolld -lvmsadc -lvmsar -lvreduce -lvremove -lvrename -lvresize -lvs -lvscan lwepgen lxc lxd @@ -484,7 +400,6 @@ mdflush-bpfcc mdflush.bt mdmon memleak-bpfcc -mii-tool mk_isdnhwdb mkdict mkdosfs @@ -500,10 +415,6 @@ mkfs.ext4 mkfs.f2fs mkfs.fat mkfs.minix -mkfs.msdos -mkfs.ntfs -mkfs.reiserfs -mkfs.vfat mkfs.xfs mkhomedir_helper mkill @@ -515,8 +426,6 @@ mkreiserfs mksubvolume mkswap ModemManager -modinfo -modprobe mount.cifs mount.ddi mount.fuse @@ -533,12 +442,9 @@ mpathpersist multipath multipathc multipathd -mysqld mysqld_qslower-bpfcc -nameif naptime.bt needrestart -netplan netqtop-bpfcc NetworkManager newusers @@ -574,7 +480,6 @@ opensnoop.bt openvpn overlayroot-chroot ownership -packer pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -583,13 +488,11 @@ pam_timestamp_check pam-auth-update pam-config paperconfig -parse.f2fs parted partprobe partx pbl pccardctl -pcilmr pcscd pdata_tools perlcalls-bpfcc @@ -598,11 +501,9 @@ perlstat-bpfcc phpcalls-bpfcc phpflow-bpfcc phpstat-bpfcc -pidofproc pidpersec-bpfcc pidpersec.bt pivot_root -plipconfig pluginviewer plymouth-set-default-theme plymouthd @@ -618,7 +519,7 @@ postmap postmulti postqueue postsuper -poweroff +posttls-finger ppchcalls-bpfcc pppd pppdump @@ -627,15 +528,6 @@ pppstats pptp pptpsetup profile-bpfcc -pvchange -pvck -pvcreate -pvdisplay -pvmove -pvremove -pvresize -pvs -pvscan pwck pwconv pwhistory_helper @@ -647,108 +539,30 @@ pythongc-bpfcc pythonstat-bpfcc qemu-ga qmqp-source -rarp -rcapparmor -rcauditd -rcautofs -rcavahi-daemon -rcavahi-dnsconfd -rcblk-availability -rcbolt -rcbtrfsmaintenance-refresh -rcca-certificates -rcchrony-wait -rcchronyd -rccolord -rccron -rccups -rccups-browsed -rccups-lpd -rcdbus -rcdisplay-manager -rcdm-event -rcdnsmasq -rcfancontrol +qshape rcfirewalld -rcflatpak-system-helper -rcfstrim -rcfwupd -rcfwupd-offline-update -rcfwupd-refresh -rcgpm -rcirqbalance -rcissue-add-ssh-keys -rcissue-generator -rckexec-load -rclm_sensors -rclogrotate -rclvm2-lvmpolld -rclvm2-monitor -rcmariadb -rcmcelog -rcmdmonitor -rcModemManager -rcmultipathd -rcmysql -rcnetwork -rcnfs-client -rcnmb rcopenvpn -rcostree-prepare-root -rcostree-remount -rcpackagekit -rcpackagekit-offline-update rcpcscd -rcpkcs11_eventmgr -rcpostfix -rcrng-tools -rcrpcbind -rcrsyncd -rcrtkit-daemon -rcsddm -rcsmartd -rcsmb -rcsnmpd -rcsnmptrapd -rcspeech-dispatcherd -rcspice-vdagentd -rcsshd -rctuned -rcudisks2 -rcupower -rcusbmuxd -rcwpa_supplicant -rcwsdd rcxdm rcxvnc rdma rdmaucma-bpfcc -rdmsr readahead-bpfcc readprofile -reboot -refresh_initrd +realm regdbdump -reiserfsck -reiserfstune remove-default-ispell remove-default-wordlist remove-shell request-key reset-trace-bpfcc -resize_reiserfs -resize.f2fs resize2fs resizepart -resolvconf rfkill -rmmod -rmt rmt-tar rndc rndc-confgen rngd -route routel rpc.gssd rpc.idmapd @@ -757,7 +571,6 @@ rpc.svcgssd rpcbind rpcctl rpcdebug -rpcinfo rpmconfigcheck rsyncd rsyslogd @@ -765,14 +578,12 @@ rtacct rtcwake rtkitctl rtmon -rtstat rubycalls-bpfcc rubyflow-bpfcc rubygc-bpfcc rubyobjnew-bpfcc rubystat-bpfcc runc -runlevel runqlat-bpfcc runqlat.bt runqlen-bpfcc @@ -792,8 +603,6 @@ sensors-detect service set_polkit_default_privs setcap -setconsole -setpci setuids.bt setup-nsssysinit.sh setvesablank @@ -805,12 +614,9 @@ shim-install shmsnoop-bpfcc showconsole showmount -shutdown skdump sktest slabratetop-bpfcc -slattach -sload.f2fs sm-notify smart_agetty smartctl @@ -828,12 +634,12 @@ spice-vdagentd ss sshd sshd-gen-keys-start +sshd.hmac ssllatency.bt sslsniff-bpfcc sslsnoop.bt sssd stackcount-bpfcc -start_daemon start-statd start-stop-daemon startproc @@ -855,6 +661,7 @@ sysconf_addword syscount-bpfcc syscount.bt sysctl +syslog2eximlog sysusers2shadow tarcat tc @@ -881,33 +688,20 @@ tcpsynbl-bpfcc tcpsynbl.bt tcptop-bpfcc tcptracer-bpfcc -tcptraceroute tcptraceroute.db -telinit thermald -thin_check -thin_delta -thin_dump -thin_ls -thin_metadata_size -thin_repair -thin_restore -thin_rmap -thin_trim threadsnoop-bpfcc threadsnoop.bt tipc tlp tplist-bpfcc trace-bpfcc -traceroute tsig-keygen ttysnoop-bpfcc tune.exfat tune2fs tuned tuned-adm -tunefs.reiserfs tunelp u-d-c-print-pci-ids ucalls @@ -923,21 +717,21 @@ unix_chkpwd unix_update unix2_chkpwd uobjnew -update-bootloader +update-alternatives update-ca-certificates update-catalog update-cracklib -update-default-aspell update-default-ispell update-default-wordlist update-dictcommon-aspell update-dictcommon-hunspell +update-exim4.conf +update-exim4.conf.template update-fonts-alias update-fonts-dir update-fonts-scale update-grub update-grub-gfxpayload -update-grub2 update-gsfontmap update-icon-caches update-ieee-data @@ -973,30 +767,10 @@ vfscount-bpfcc vfscount.bt vfsstat-bpfcc vfsstat.bt -vgcfgbackup -vgcfgrestore -vgchange -vgck -vgconvert -vgcreate -vgdisplay -vgexport -vgextend -vgimport -vgimportclone -vgimportdevices -vgmerge -vgmknodes -vgreduce -vgremove -vgrename -vgs -vgscan -vgsplit vhangup -vigr vipw virt-what +virt-what-cvm virtiostat-bpfcc virtlockd virtlogd @@ -1015,7 +789,6 @@ wpa_passphrase wpa_supplicant wqlat-bpfcc writeback.bt -wrmsr xfs_admin xfs_bmap xfs_copy @@ -1032,6 +805,7 @@ xfs_metadump xfs_mkfile xfs_ncheck xfs_property +xfs_protofile xfs_quota xfs_repair xfs_rtcp @@ -1043,9 +817,7 @@ xfsdist.bt xfsslower-bpfcc xkbctrl xtables-legacy-multi -xtables-monitor xtables-nft-multi -yast yast2 zdump zerofree From 6ed873aad375bea4734ec5321049e597aec02c32 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Jun 2025 00:35:43 +0200 Subject: [PATCH 210/798] feat(profile): update sbin list and ensure the profiles use the good variable (sbin or bin). --- apparmor.d/abstractions/app/kmod | 6 ------ apparmor.d/groups/apt/apt-listchanges | 2 +- apparmor.d/groups/apt/debsecan | 2 +- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/cron/anacron | 2 +- apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/cron/cron-apt | 4 ++-- apparmor.d/groups/cron/cron-exim4-base | 6 +++--- apparmor.d/groups/cron/crontab | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/filesystem/btrfs-find-root | 2 +- apparmor.d/groups/firewall/firewalld | 4 ++-- apparmor.d/groups/grub/grub-bios-setup | 2 +- apparmor.d/groups/grub/update-grub | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/network/iwctl | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/network/openvpn | 6 +++--- apparmor.d/groups/network/tailscale | 2 +- apparmor.d/groups/network/tailscaled | 2 +- apparmor.d/groups/network/wg-quick | 2 +- apparmor.d/groups/pacman/mkinitcpio | 5 +---- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 1 - apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/virt/cockpit-bridge | 2 +- apparmor.d/groups/virt/cockpit-update-motd | 2 +- apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-a-f/acpi-powerbtn | 1 - apparmor.d/profiles-a-f/adduser | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/atd | 4 ++-- apparmor.d/profiles-a-f/check-bios-nx | 2 +- apparmor.d/profiles-a-f/claws-mail | 2 +- apparmor.d/profiles-a-f/deluser | 4 ++-- apparmor.d/profiles-a-f/dhclient-script | 2 +- apparmor.d/profiles-a-f/exim4 | 2 +- apparmor.d/profiles-a-f/fail2ban-server | 2 +- apparmor.d/profiles-g-l/ifup | 2 +- apparmor.d/profiles-g-l/inxi | 4 ++-- apparmor.d/profiles-g-l/ip | 2 +- apparmor.d/profiles-g-l/ipcalc | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/initramfs-scripts | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-s-z/setpci | 2 +- apparmor.d/profiles-s-z/syncthing | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 2 +- apparmor.d/profiles-s-z/wpa-action | 2 +- tests/sbin.list | 16 ++++++++++++++++ 54 files changed, 75 insertions(+), 70 deletions(-) diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index 6c889bd60..b6beeb7f6 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -8,12 +8,6 @@ include @{bin}/kmod mr, - @{sbin}/depmod mr, - @{sbin}/insmod mr, - @{sbin}/lsmod mr, - @{sbin}/modinfo mr, - @{sbin}/modprobe mr, - @{sbin}/rmmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 936d15d42..0ee42f5a4 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -30,7 +30,7 @@ profile apt-listchanges @{exec_path} { @{pager_path} Cx -> pager, @{bin}/dpkg Px -> child-dpkg, - @{bin}/exim4 Px, # Send results using email + @{sbin}/exim4 Px, # Send results using email /usr/share/apt-listchanges/{,**} r, diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index c9448c7fb..c67b1dfb5 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -27,7 +27,7 @@ profile debsecan @{exec_path} { @{sh_path} rix, # Send results using email - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /etc/apt/apt.conf.d/{,*} r, /etc/apt/apt.conf r, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index dbd02ff6c..ab230a43b 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -40,7 +40,7 @@ profile reportbug @{exec_path} { @{bin}/stty rix, /usr/share/reportbug/handle_bugscript rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/apt-cache rPx, @{bin}/debconf-show rPx, @{bin}/debsums rPx, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 1322108d4..3756c1d03 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -17,7 +17,7 @@ profile anacron @{exec_path} { @{sh_path} rix, @{bin}/run-parts rCx -> run-parts, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, / r, /etc/anacrontab r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index eba78ac82..e91f9b419 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -28,7 +28,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{bin}/ionice rix, @{bin}/nice rix, @{bin}/run-parts rCx -> run-parts, diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 81e5761d7..0d5d5a081 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/cron-apt +@{exec_path} = @{bin}/cron-apt profile cron-apt @{exec_path} { include include @@ -46,7 +46,7 @@ profile cron-apt @{exec_path} { @{bin}/apt-get rPx, @{bin}/apt-file rPx, @{bin}/aptitude{,-curses} rPx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, /usr/share/cron-apt/{,*} r, diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base index 2970f8d42..784dfae19 100644 --- a/apparmor.d/groups/cron/cron-exim4-base +++ b/apparmor.d/groups/cron/cron-exim4-base @@ -34,10 +34,10 @@ profile cron-exim4-base @{exec_path} { @{bin}/hostname rix, @{bin}/xargs rix, @{bin}/find rix, - @{bin}/eximstats rix, + @{sbin}/eximstats rix, - @{bin}/exim4 rPx, - @{bin}/exim_tidydb rix, + @{sbin}/exim4 rPx, + @{sbin}/exim_tidydb rix, @{sbin}/start-stop-daemon rix, @{sbin}/runuser rix, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 156d5e820..d240454f5 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/crontab +@{exec_path} = @{bin}/crontab profile crontab @{exec_path} { include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 91dd32f51..6eeeaa414 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, - @{sbin}/ippfind rix, + @{bin}/ippfind rix, @{bin}/mktemp rix, @{bin}/printenv rix, @{python_path} rix, diff --git a/apparmor.d/groups/filesystem/btrfs-find-root b/apparmor.d/groups/filesystem/btrfs-find-root index eef4b6823..cec2bbb61 100644 --- a/apparmor.d/groups/filesystem/btrfs-find-root +++ b/apparmor.d/groups/filesystem/btrfs-find-root @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/btrfs-find-root +@{exec_path} = @{sbin}/btrfs-find-root profile btrfs-find-root @{exec_path} { include include diff --git a/apparmor.d/groups/firewall/firewalld b/apparmor.d/groups/firewall/firewalld index 01f853c26..57a0baa20 100644 --- a/apparmor.d/groups/firewall/firewalld +++ b/apparmor.d/groups/firewall/firewalld @@ -35,8 +35,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { @{bin}/alts ix, @{bin}/false ix, @{bin}/kmod Cx -> kmod, - @{sbin}/ebtables-legacy ix, - @{sbin}/ebtables-legacy-restore ix, + @{bin}/ebtables-legacy ix, + @{bin}/ebtables-legacy-restore ix, @{sbin}/ipset ix, @{sbin}/xtables-legacy-multi ix, @{sbin}/xtables-nft-multi mix, diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup index 9ccd02275..b0d606701 100644 --- a/apparmor.d/groups/grub/grub-bios-setup +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/grub-bios-setup +@{exec_path} = @{bin}/grub-bios-setup profile grub-bios-setup @{exec_path} { include include diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub index ff17c160a..d4460a3cf 100644 --- a/apparmor.d/groups/grub/update-grub +++ b/apparmor.d/groups/grub/update-grub @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/update-grub{2,} +@{exec_path} = @{sbin}/update-grub profile update-grub @{exec_path} { include include diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 0ae174b09..b5cceee95 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -37,7 +37,7 @@ profile sddm-xsession @{exec_path} { @{bin}/sed rix, @{bin}/stat rix, @{bin}/tail rix, - @{sbin}/tcsh rix, + @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, @{bin}/which{,.*} rix, diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index eddcaedf7..0b5bd090e 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/iwctl +@{exec_path} = @{bin}/iwctl profile iwctl @{exec_path} { include diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index ecd23ce53..6c4c41e6c 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -33,7 +33,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/ip rix, + @{bin}/ip rix, "/opt/Mullvad VPN/resources/openvpn" rix, "/opt/Mullvad VPN/resources/*.so*" mr, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index f4fcfa50d..6431ee98a 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -61,7 +61,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/openvpn/*.{pid,status} rw, @{run}/systemd/journal/dev-log r, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/systemd-ask-password rPx, @{lib}/nm-openvpn-service-openvpn-helper rPx, /etc/openvpn/force-user-traffic-via-vpn.sh rCx -> force-user-traffic-via-vpn, @@ -83,7 +83,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/which rix, @{sbin}/xtables-nft-multi rix, @@ -110,7 +110,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/env rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/nft rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 096fe276c..4e5bba684 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -23,7 +23,7 @@ profile tailscale @{exec_path} { @{exec_path} mr, - @{sbin}/ip rPx, + @{bin}/ip rPx, owner @{run}/tailscale/tailscaled.sock rw, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index bb877ec1a..8162dff1e 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -35,7 +35,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/resolvectl rPx, @{sbin}/xtables-nft-multi rix, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index e8ece5c88..c89a12a47 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -21,7 +21,7 @@ profile wg-quick @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{sbin}/ip rPx, + @{bin}/ip rPx, @{bin}/mv rix, @{sbin}/nft rix, @{bin}/readlink rix, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 9eafb72a9..1f1fc66eb 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -42,10 +42,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/zcat rix, @{bin}/zstd rix, - @{bin}/{depmod,insmod} rPx, - @{bin}/{kmod,lsmod} rPx, - @{bin}/{modinfo,rmmod} rPx, - @{sbin}/modprobe rPx, + @{bin}/kmod rPx, @{bin}/plymouth rPx, @{sbin}/plymouth-set-default-theme rPx, @{bin}/sbctl rPx, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 6af9bae96..6cf3b824c 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -97,7 +97,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/update-ca-trust rPx, @{bin}/update-desktop-database rPx, @{sbin}/update-grub rPx, - @{sbin}/update-mime-database rPx, + @{bin}/update-mime-database rPx, @{bin}/vercmp rix, @{bin}/which rix, @{bin}/xmlcatalog rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index fe1bc5781..ce41d6ae8 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -16,7 +16,6 @@ profile pacman-hook-depmod @{exec_path} { @{bin}/basename rix, @{bin}/bash rix, - @{sbin}/depmod rPx, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 3ca55909d..9fd065db3 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -17,7 +17,7 @@ profile cron-ubuntu-fan @{exec_path} { @{sh_path} rix, @{sbin}/fanctl rPx, @{bin}/grep rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 575481de2..916279378 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -25,7 +25,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, @{bin}/grep rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, @{bin}/sleep rix, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 87ffb3f4a..b6111750b 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -38,7 +38,7 @@ profile cockpit-bridge @{exec_path} { @{bin}/cat ix, @{bin}/date ix, @{bin}/find ix, - @{sbin}/ip ix, + @{bin}/ip ix, @{python_path} ix, @{bin}/test ix, @{bin}/file ix, diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index d71eb9ec1..1de016aea 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -15,7 +15,7 @@ profile cockpit-update-motd @{exec_path} { @{sh_path} rix, @{bin}/hostname rix, - @{sbin}/ip rPx, + @{bin}/ip rPx, @{bin}/sed rix, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 94fa568a3..4d730602d 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -116,7 +116,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sbin}/virtlogd rPx, @{sh_path} rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/nft rix, @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index bf7daf85e..fd1d0af03 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -17,7 +17,6 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{bin}/pgrep rix, @{bin}/pinky rix, @{bin}/sed rix, - @{sbin}/shutdown rix, /etc/acpi/powerbtn.sh rix, @{bin}/dbus-send Cx -> bus, diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser index d971d22f3..039518b51 100644 --- a/apparmor.d/profiles-a-f/adduser +++ b/apparmor.d/profiles-a-f/adduser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/adduser @{sbin}/group +@{exec_path} = @{sbin}/adduser profile adduser @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 6999f5baf..c4741b09a 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index aa0a365fd..aea3cbf01 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/atd +@{exec_path} = @{bin}/atd profile atd @{exec_path} { include include @@ -28,7 +28,7 @@ profile atd @{exec_path} { @{sh_path} rix, @{sbin}/sendmail rPUx, - @{bin}/exim4 rPx, + @{sbin}/exim4 rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/ r, diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx index 965e0dc3a..c44b6eaa5 100644 --- a/apparmor.d/profiles-a-f/check-bios-nx +++ b/apparmor.d/profiles-a-f/check-bios-nx @@ -25,7 +25,7 @@ profile check-bios-nx @{exec_path} { @{bin}/kmod rCx -> kmod, - @{sbin}/rdmsr rPx, + @{sbin}/rdmsr rPx, owner @{PROC}/@{pid}/fd/@{int} rw, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index cecb0e22d..bb7dfd3b8 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -31,7 +31,7 @@ profile claws-mail @{exec_path} flags=(complain) { @{bin}/gpgconf rCx -> gpg, @{bin}/orage rPUx, - @{bin}/exim4 rPUx, + @{sbin}/exim4 rPUx, @{bin}/geany rPUx, /usr/share/publicsuffix/*.dafsa r, diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 1f5d6f0a7..3505126ad 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/deluser @{sbin}/delgroup +@{exec_path} = @{sbin}/deluser profile deluser @{exec_path} { include include @@ -20,7 +20,7 @@ profile deluser @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{sbin}/crontab rPx, + @{bin}/crontab rPx, @{bin}/gpasswd rPx, @{sbin}/groupdel rPx, @{bin}/mount rCx -> mount, diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index d5505ff86..9a7e77902 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -28,7 +28,7 @@ profile dhclient-script @{exec_path} { @{bin}/fold rix, @{bin}/head rix, @{bin}/hostname rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mv rix, diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 9aaccaa16..3af283014 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/exim4 +@{exec_path} = @{sbin}/exim4 profile exim4 @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 21d2a1cf8..629208bc6 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -21,7 +21,7 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{sbin}/xtables-nft-multi rix, - @{sbin}/iptables rix, + @{bin}/iptables rix, @{bin}/ r, @{python_path} r, diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 42169dd6d..3c641f8e1 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -19,7 +19,7 @@ profile ifup @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{sbin}/route rix, @{bin}/seq rix, @{bin}/sleep rix, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 38b2a17a2..e80875ca2 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -32,7 +32,7 @@ profile inxi @{exec_path} { @{lib}/llvm-[0-9]*/bin/clang rix, @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{sbin}/ip rCx -> ip, + @{bin}/ip rCx -> ip, @{bin}/kmod rCx -> kmod, @{bin}/systemctl rCx -> systemctl, @{bin}/udevadm rCx -> udevadm, @@ -115,7 +115,7 @@ profile inxi @{exec_path} { network netlink raw, - @{sbin}/ip mr, + @{bin}/ip mr, @{sys}/devices/@{pci}/net/*/{duplex,address,speed,operstate} r, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index 3495bcc80..bcb521c01 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ip +@{exec_path} = @{bin}/ip profile ip @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc index 628728846..c6dfa762a 100644 --- a/apparmor.d/profiles-g-l/ipcalc +++ b/apparmor.d/profiles-g-l/ipcalc @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/ipcalc +@{exec_path} = @{bin}/ipcalc profile ipcalc @{exec_path} { include include diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 2382ea062..133cf8ae7 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -38,7 +38,7 @@ profile kernel @{exec_path} { @{bin}/apt-config rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/systemd-detect-virt rPx, - @{bin}/update-alternatives rPx, + @{sbin}/update-alternatives rPx, @{sbin}/dkms rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index b4f3ac2f4..aeb125ef2 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -18,7 +18,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{sbin}/blkid Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 85437017b..485520ca0 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -20,7 +20,7 @@ profile initramfs-scripts @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox Px, /usr/share/mdadm/mkconf Px, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 8b8968464..cd2ddc0e6 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/modprobed-db +@{exec_path} = @{bin}/modprobed-db profile modprobed-db @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index b45dd3986..019e89e23 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/setpci +@{exec_path} = @{bin}/setpci profile setpci @{exec_path} flags=(complain) { include include diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 8b66b652f..6ff0fe7e9 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -23,7 +23,7 @@ profile syncthing @{exec_path} { @{exec_path} mrix, @{open_path} rPx -> child-open, - @{sbin}/ip rix, + @{bin}/ip rix, /usr/share/mime/{,**} r, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 8f08b74fa..68ddb97a5 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/update-alternatives +@{exec_path} = @{sbin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index d0fc54b7c..e23d4db43 100755 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -33,7 +33,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/xdg-user-dir rix, @{open_path} rpx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 6f4c120a0..023644eb0 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -38,7 +38,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir ix, @{bin}/gawk rix, @{bin}/lsblk rPx, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/xdg-user-dir rix, @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index b2cfe0091..b6764ba0e 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -24,7 +24,7 @@ profile wpa-action @{exec_path} { @{bin}/cat rix, @{bin}/date rix, @{bin}/ifup rix, - @{sbin}/ip rix, + @{bin}/ip rix, @{bin}/ln rix, @{bin}/logger rix, @{bin}/rm rix, diff --git a/tests/sbin.list b/tests/sbin.list index d2b5c44bc..15373846c 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -37,6 +37,7 @@ apparmor_status applygnupgdefaults aptd argdist-bpfcc +arp arpd aspell-autobuildhash audisp-af_unix @@ -64,6 +65,7 @@ biolatency.bt biolatpcts-bpfcc biopattern-bpfcc biosdecode +biosdecode biosnoop-bpfcc biosnoop.bt biostacks.bt @@ -102,6 +104,7 @@ cgdisk chat chcpu check_mail_queue +check-bios-nx checkproc chgpasswd chkstat-polkit @@ -161,6 +164,7 @@ dmevent_tool dmeventd dmfilemapd dmidecode +dmidecode dmraid dmsetup dnsmasq @@ -236,6 +240,7 @@ flushb fonts-config fsadm fsck +fsck. fsck.btrfs fsck.cramfs fsck.exfat @@ -302,6 +307,7 @@ hdparm hwclock hwinfo iconvconfig +ifconfig ifrename ifstat import-openSUSE-build-key @@ -334,6 +340,7 @@ isosize ispell-autobuildhash isserial issue-generator +iucode_tool iw iwconfig iwevent @@ -362,6 +369,7 @@ killsnoop.bt klockstat-bpfcc klogd kpartx +kvm-ok kvmexit-bpfcc ldattach ldconfig @@ -386,6 +394,7 @@ lpmove luksformat lvm lvm_import_vdo +lvmconfig lvmdump lvmpolld lwepgen @@ -405,6 +414,7 @@ mkdict mkdosfs mke2fs mkfs +mkfs. mkfs.bfs mkfs.btrfs mkfs.cramfs @@ -480,6 +490,7 @@ opensnoop.bt openvpn overlayroot-chroot ownership +ownership pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -547,6 +558,7 @@ rcxdm rcxvnc rdma rdmaucma-bpfcc +rdmsr readahead-bpfcc readprofile realm @@ -558,11 +570,13 @@ request-key reset-trace-bpfcc resize2fs resizepart +resolvconf rfkill rmt-tar rndc rndc-confgen rngd +route routel rpc.gssd rpc.idmapd @@ -778,6 +792,7 @@ visudo vmcore-dmesg vncsession vpddecode +vpddecode vpnc vpnc-disconnect wakeuptime-bpfcc @@ -789,6 +804,7 @@ wpa_passphrase wpa_supplicant wqlat-bpfcc writeback.bt +wrmsr xfs_admin xfs_bmap xfs_copy From f0355f36b9fd74725e086790db305de6c25edafa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Jun 2025 00:36:30 +0200 Subject: [PATCH 211/798] tests: show error line in sbin check. --- tests/check.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 59463246e..add9b0685 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -338,7 +338,7 @@ check_sbin() { jobs=0 for name in "${sbin[@]}"; do ( - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d) + mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d | cut -d: -f1,2) for file in "${files[@]}"; do _err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" done @@ -349,7 +349,7 @@ check_sbin() { local pattern='[[:alnum:]_.-]+' # Pattern for valid file names jobs=0 - mapfile -t files < <(grep --files-with-matches --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" apparmor.d) + mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{sbin}/$pattern([[:space:]]|$)" apparmor.d | cut -d: -f1,2) for file in "${files[@]}"; do ( while read -r match; do @@ -359,7 +359,7 @@ check_sbin() { _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" fi fi - done < <(grep --only-matching -E "@\{sbin\}/$pattern" "$file") + done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") ) & _wait jobs done From edcbaa1b94f511e4b3db9642718887dc98f93511 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:01:24 +0200 Subject: [PATCH 212/798] fix: add gpartedbin back to sbin.list. --- tests/sbin.list | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/sbin.list b/tests/sbin.list index 15373846c..a17f15448 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -275,6 +275,7 @@ getweb gnome-menus-blacklist gpart gparted +gpartedbin gpm groupadd groupdel From 65f96447530dccb2928b682d76c37cfb0164a76e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:37:59 +0200 Subject: [PATCH 213/798] fix: linter check. --- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- apparmor.d/groups/steam/steam | 4 ++-- apparmor.d/profiles-g-l/hw-probe | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 0064d682b..209971ac2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -34,7 +34,7 @@ profile gvfsd-wsdd @{exec_path} { @{exec_path} mr, @{bin}/env r, - @{sbin}/wsdd rPx, + @{bin}/wsdd rPx, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 11e863972..73c78f2ed 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -71,7 +71,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsof rix, - @{sbin}/lspci rCx -> lspci, + @{bin}/lspci rCx -> lspci, @{bin}/tar rix, @{bin}/which{,.debianutils} rix, @{bin}/xdg-icon-resource rPx, @@ -408,7 +408,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix receive type=stream, - @{sbin}/lspci mr, + @{bin}/lspci mr, owner @{HOME}/.steam/steam.pipe r, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index fc6b8775b..f518a18f0 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -65,7 +65,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, - @{sbin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, From a4737546f76fe1f4aaa65d2ad7d5663c3a317c5d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Jun 2025 23:58:24 +0200 Subject: [PATCH 214/798] tests: update sbin.list --- apparmor.d/profiles-g-l/haveged | 2 +- tests/sbin.list | 43 ++++++++++++++++++++++++++++++--- 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 910e9a2f0..5773a73fb 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -9,7 +9,7 @@ abi , include -@{exec_path} = @{bin}/haveged +@{exec_path} = @{sbin}/haveged profile haveged @{exec_path} { include diff --git a/tests/sbin.list b/tests/sbin.list index a17f15448..1adc90ee8 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -1,3 +1,5 @@ +a2enmod +a2query aa-audit aa-autodep aa-cleanprof @@ -32,6 +34,7 @@ alsabat-test alsactl anacron apache2 +apache2ctl apparmor_parser apparmor_status applygnupgdefaults @@ -65,7 +68,6 @@ biolatency.bt biolatpcts-bpfcc biopattern-bpfcc biosdecode -biosdecode biosnoop-bpfcc biosnoop.bt biostacks.bt @@ -103,6 +105,7 @@ cfdisk cgdisk chat chcpu +check_forensic check_mail_queue check-bios-nx checkproc @@ -164,7 +167,6 @@ dmevent_tool dmeventd dmfilemapd dmidecode -dmidecode dmraid dmsetup dnsmasq @@ -191,6 +193,8 @@ ec_access efibootdump efibootmgr enforce +ephemeral-disk-warning +escapesrc ethtool eventlogadm execsnoop-bpfcc @@ -264,8 +268,12 @@ g13-syshelp gdisk gdm gdm3 +genccode +gencmn genl +gennorm2 genprof +gensprep getcap gethostlatency-bpfcc gethostlatency.bt @@ -304,10 +312,19 @@ grub2-set-default grub2-sparc64-setup grub2-switch-to-blscfg hardirqs-bpfcc +haveged hdparm +httxt2dbm +hv_fcopy_daemon +hv_get_dhcp_info +hv_get_dns_info +hv_kvp_daemon +hv_set_ifconfig +hv_vss_daemon hwclock hwinfo iconvconfig +icupkg ifconfig ifrename ifstat @@ -321,6 +338,7 @@ installkernel integritysetup invoke-rc.d ip6tables-legacy-batch +ipmaddr ipp-usb ippevepcl ippeveprinter @@ -328,6 +346,7 @@ ippeveps ipset iptables-apply iptables-legacy-batch +iptunnel irqbalance irqbalance-ui isadump @@ -392,6 +411,7 @@ lpadmin lpc lpinfo lpmove +lsvmbus luksformat lvm lvm_import_vdo @@ -410,6 +430,7 @@ mdflush-bpfcc mdflush.bt mdmon memleak-bpfcc +mii-tool mk_isdnhwdb mkdict mkdosfs @@ -453,7 +474,9 @@ mpathpersist multipath multipathc multipathd +mysqld mysqld_qslower-bpfcc +nameif naptime.bt needrestart netqtop-bpfcc @@ -468,6 +491,7 @@ nfsiostat nfsslower-bpfcc nfsstat nft +nginx nmbd nodegc-bpfcc nodestat-bpfcc @@ -480,6 +504,7 @@ ntfscp ntfslabel ntfsresize ntfsundelete +nvme offcputime-bpfcc offwaketime-bpfcc on_ac_power @@ -491,7 +516,6 @@ opensnoop.bt openvpn overlayroot-chroot ownership -ownership pam_extrausers_chkpwd pam_extrausers_update pam_getenv @@ -510,12 +534,17 @@ pdata_tools perlcalls-bpfcc perlflow-bpfcc perlstat-bpfcc +pg_updatedicts +php-fpm8.3 phpcalls-bpfcc +phpenmod phpflow-bpfcc +phpquery phpstat-bpfcc pidpersec-bpfcc pidpersec.bt pivot_root +plipconfig pluginviewer plymouth-set-default-theme plymouthd @@ -552,6 +581,7 @@ pythonstat-bpfcc qemu-ga qmqp-source qshape +rarp rcfirewalld rcopenvpn rcpcscd @@ -632,6 +662,7 @@ showmount skdump sktest slabratetop-bpfcc +slattach sm-notify smart_agetty smartctl @@ -646,6 +677,7 @@ sofdsnoop-bpfcc softirqs-bpfcc solisten-bpfcc spice-vdagentd +split-logfile ss sshd sshd-gen-keys-start @@ -754,6 +786,7 @@ update-inetd update-info-dir update-initramfs update-java-alternatives +update-language update-locale update-mime update-passwd @@ -762,6 +795,9 @@ update-rc.d update-secureboot-policy update-shells update-smart-drivedb +update-texmf +update-texmf-config +update-tl-stacked-conffile update-xmlcatalog upgrade-from-grub-legacy usb_modeswitch @@ -793,7 +829,6 @@ visudo vmcore-dmesg vncsession vpddecode -vpddecode vpnc vpnc-disconnect wakeuptime-bpfcc From e3bd48bd758601e17cef0d6825268e4cad55ead8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Jun 2025 22:55:17 +0200 Subject: [PATCH 215/798] build: justfile: add group. --- Justfile | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 825097a1b..4021b0e5a 100644 --- a/Justfile +++ b/Justfile @@ -64,24 +64,34 @@ help: @just --list --unsorted @echo -e "\nSee https://apparmor.pujol.io/development/ for more information." +[group('build')] [doc('Build the go programs')] build: @go build -o {{build}}/ ./cmd/aa-log @go build -o {{build}}/ ./cmd/prebuild +[group('build')] [doc('Prebuild the profiles in enforced mode')] enforce: build @./{{build}}/prebuild +[group('build')] [doc('Prebuild the profiles in complain mode')] complain: build @./{{build}}/prebuild --complain +[group('build')] [doc('Prebuild the profiles in FSP mode')] fsp: build + @./{{build}}/prebuild --full + +[group('build')] +[doc('Prebuild the profiles in FSP mode (complain)')] +fsp-complain: build @./{{build}}/prebuild --complain --full -[doc('Install the profiles')] +[group('build')] +[doc('Install prebuild profiles')] install: #!/usr/bin/env bash set -eu -o pipefail @@ -108,26 +118,31 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done +[group('packages')] [doc('Build & install apparmor.d on Arch based systems')] pkg: @makepkg --syncdeps --install --cleanbuild --force --noconfirm +[group('packages')] [doc('Build & install apparmor.d on Debian based systems')] dpkg: @bash dists/build.sh dpkg @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb +[group('packages')] [doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm +[group('tests')] [doc('Run the unit tests')] tests: @go test ./cmd/... -v -cover -coverprofile=coverage.out @go test ./pkg/... -v -cover -coverprofile=coverage.out @go tool cover -func=coverage.out +[group('linter')] [doc('Run the linters')] lint: golangci-lint run @@ -138,18 +153,22 @@ lint: tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm +[group('linter')] [doc('Run style checks on the profiles')] check: @bash tests/check.sh +[group('docs')] [doc('Generate the man pages')] man: @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md +[group('docs')] [doc('Build the documentation')] docs: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict +[group('docs')] [doc('Serve the documentation')] serve: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve @@ -160,6 +179,7 @@ clean: debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ {{pkgdest}}/{{pkgname}}* {{build}} coverage.out +[group('packages')] [doc('Build the package in a clean OCI container')] package dist: #!/usr/bin/env bash @@ -175,6 +195,7 @@ package dist: fi bash dists/docker.sh $dist $version +[group('vm')] [doc('Build the VM image')] img dist flavor: (package dist) @mkdir -p {{base_dir}} @@ -192,6 +213,7 @@ img dist flavor: (package dist) -var output_dir={{output_dir}} \ tests/packer/ +[group('vm')] [doc('Create the machine')] create dist flavor: @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 @@ -211,33 +233,40 @@ create dist flavor: --sound model=ich9 \ --noautoconsole +[group('vm')] [doc('Start a machine')] up dist flavor: @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Stops the machine')] halt dist flavor: @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Reboot the machine')] reboot dist flavor: @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} +[group('vm')] [doc('Destroy the machine')] destroy dist flavor: @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 +[group('vm')] [doc('Connect to the machine')] ssh dist flavor: @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` +[group('vm')] [doc('List the machines')] list: @echo -e '\033[1m Id Distribution Flavor State\033[0m' @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' +[group('vm')] [doc('List the VM images')] images: #!/usr/bin/env bash @@ -254,6 +283,7 @@ images: } ' +[group('vm')] [doc('List the VM images that can be created')] available: #!/usr/bin/env bash @@ -270,6 +300,8 @@ available: } ' + +[group('tests')] [doc('Run the integration tests on the machine')] integration dist flavor: @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ @@ -280,12 +312,13 @@ integration dist flavor: @bats --recursive --timing --print-output-on-failure Projects/integration/ - +[group('internal')] get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' +[group('internal')] get_osinfo dist: #!/usr/bin/env python3 osinfo = { From 3291d9a370f5972f67ba5d524f90312f7fbd49eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Jun 2025 22:56:18 +0200 Subject: [PATCH 216/798] fix: use mappings/sudo in su. --- apparmor.d/groups/utils/su | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index c4e83ddfa..866da3d6a 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -12,7 +12,7 @@ profile su @{exec_path} { include include include - include #aa:only RBAC + include #aa:only RBAC capability chown, # pseudo-terminal From cdd45bcd608545b4d84ca7826c5cf69e73883b39 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 11 Jun 2025 17:53:27 +0200 Subject: [PATCH 217/798] add xkeyboard-config-2 ressources --- apparmor.d/abstractions/desktop | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 73e533992..e44377ea3 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -77,6 +77,7 @@ /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, + /usr/share/xkeyboard-config-2/{,**} r, include if exists From c947fe6c6cb2a9cf4102f9f951d875c0af33039c Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 12 Jun 2025 10:48:53 +0200 Subject: [PATCH 218/798] complete xkeyboard-config-2 permissions --- apparmor.d/abstractions/X-strict | 1 + apparmor.d/abstractions/desktop | 1 - apparmor.d/groups/systemd/systemd-localed | 1 + apparmor.d/groups/ubuntu/software-properties-gtk | 1 + 4 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index d3e2cef4f..9330d2223 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -12,6 +12,7 @@ /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions + /usr/share/xkeyboard-config-2/{,**} r, /etc/X11/cursors/{,**} r, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index e44377ea3..73e533992 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -77,7 +77,6 @@ /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/xkeyboard-config-2/{,**} r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 3befcd92a..75d382c40 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -23,6 +23,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /usr/share/kbd/keymaps/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/.#locale.conf@{hex16} rw, /etc/.#vconsole.conf* rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index d5762a84e..64c83f5c8 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -45,6 +45,7 @@ profile software-properties-gtk @{exec_path} { /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, /usr/share/software-properties/gtkbuilder/* r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/apport/blacklist.d/{,*} r, /etc/default/apport r, From 5216cbdcdefc716848bbf762ea5de92a41c52ce2 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 12 Jun 2025 10:54:00 +0200 Subject: [PATCH 219/798] add more xkeyboard-config-2 ressources --- apparmor.d/abstractions/desktop | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 73e533992..f53627fcc 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -27,6 +27,7 @@ /usr/{local/,}share/ r, /usr/{local/,}share/glib-@{version}/schemas/** r, /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + /usr/share/xkeyboard-config-2/{,**} r, /etc/gnome/* r, /etc/xdg/{,*-}mimeapps.list r, From 1f7e019500a87027fd03f89e148e52b71946e4c0 Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 12 Jun 2025 16:23:05 +0200 Subject: [PATCH 220/798] clean desktop abstraction --- apparmor.d/abstractions/desktop | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index f53627fcc..73e533992 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -27,7 +27,6 @@ /usr/{local/,}share/ r, /usr/{local/,}share/glib-@{version}/schemas/** r, /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, - /usr/share/xkeyboard-config-2/{,**} r, /etc/gnome/* r, /etc/xdg/{,*-}mimeapps.list r, From 8118bf3d23052e3319c73c29f36e376212ccb8b2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 21:48:07 +0200 Subject: [PATCH 221/798] fix: pinentry gtk need access to its cmdline. fix #768 --- apparmor.d/profiles-m-r/pinentry-gtk | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/apparmor.d/profiles-m-r/pinentry-gtk b/apparmor.d/profiles-m-r/pinentry-gtk index a0244956d..d07a64a5a 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk +++ b/apparmor.d/profiles-m-r/pinentry-gtk @@ -11,16 +11,12 @@ include profile pinentry-gtk @{exec_path} { include include - include - include include - include + include @{exec_path} mr, - /usr/share/gtk-@{int}.@{int}/{,**} r, - - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, + @{PROC}/@{pid}/cmdline r, owner /dev/tty@{int} r, From 4cb6de3d2d440f08766a0dc1aa23df220a913418 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 21:50:22 +0200 Subject: [PATCH 222/798] fix(profile): ufw: allow kmod. fix #765 --- apparmor.d/groups/firewall/ufw | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index b7f133641..3b931fb2b 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -32,11 +32,13 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{python_path} rix, @{bin}/ r, @{bin}/cat rix, + @{bin}/echo rix, @{bin}/env r, + @{bin}/kmod rCx -> kmod, + @{lib}/ufw/ufw-init rix, @{sbin}/sysctl rix, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, - @{lib}/ufw/ufw-init rix, /etc/default/ufw rw, /etc/ufw/ rw, @@ -56,6 +58,18 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/** rw, @{PROC}/sys/kernel/modprobe r, + profile kmod flags=(attach_disconnected) { + include + include + + capability sys_module, + + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + + include if exists + } + include if exists } From d3aa4ae4a12c6a1be645282aacf829be39f8e564 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:01:08 +0200 Subject: [PATCH 223/798] fix(abs): ensure generic app can run widevine. fix #764 --- apparmor.d/abstractions/common/app | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 99da31590..efb3c838b 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -54,7 +54,7 @@ @{MOUNTS}/** rwl, owner @{HOME}/ r, owner @{HOME}/.var/app/** rmix, - owner @{HOME}/** rwlk -> @{HOME}/**, + owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, owner @{user_games_dirs}/** rmix, @@ -122,6 +122,7 @@ owner @{PROC}/@{pid}/fd/@{int} rw, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/io r, + owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mounts r, From 110f4ea40e7d806790952b2a7451a14f1e70e734 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:01:40 +0200 Subject: [PATCH 224/798] feat(abs): mesa: add /var/cache as fallback location. --- apparmor.d/abstractions/mesa.d/complete | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index a19166367..1d718c0b1 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -2,6 +2,20 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + # Fallback location when @{user_cache_dirs} is not available + /var/cache/mesa_shader_cache_db/ rw, + /var/cache/mesa_shader_cache_db/index rw, + /var/cache/mesa_shader_cache_db/marker rw, + /var/cache/mesa_shader_cache_db/part@{int}/ rw, + /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, + /var/cache/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, + /var/cache/mesa_shader_cache/ rw, + /var/cache/mesa_shader_cache/@{hex2}/ rw, + /var/cache/mesa_shader_cache/@{hex2}/@{hex38} rw, + /var/cache/mesa_shader_cache/@{hex2}/@{hex38}.tmp rwk, + /var/cache/mesa_shader_cache/index rw, + /var/cache/mesa_shader_cache/marker rw, + # Extra Mesa rules for desktop environments owner @{desktop_cache_dirs}/ w, owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw, From 2941334b7ccca275cd7dbd409709d452069bd19f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:04:55 +0200 Subject: [PATCH 225/798] fix(profile): brave flag & stacked helper. fix #763 --- apparmor.d/groups/browsers/brave | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index cc3d18b58..0decb0d4b 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -14,11 +14,13 @@ include @{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{exec_path} = @{lib_dirs}/@{name} -profile brave @{exec_path} { +profile brave @{exec_path} flags=(attach_disconnected) { include include - unix (send, receive) type=stream peer=(label=brave-crashpad-handler), + unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), + + signal receive peer=brave//&brave-crashpad-handler, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.brave path=/org/mpris/MediaPlayer2 From 07007f93c4a5a81de933485a931db7377440f949 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:06:55 +0200 Subject: [PATCH 226/798] fix(fsp): ignore not yet used mappings. --- apparmor.d/groups/utils/chfn | 1 - apparmor.d/groups/utils/chsh | 1 - 2 files changed, 2 deletions(-) diff --git a/apparmor.d/groups/utils/chfn b/apparmor.d/groups/utils/chfn index 824d92bf4..45b50c7ad 100644 --- a/apparmor.d/groups/utils/chfn +++ b/apparmor.d/groups/utils/chfn @@ -15,7 +15,6 @@ profile chfn @{exec_path} { include include include - include #aa:only RBAC capability audit_write, capability chown, diff --git a/apparmor.d/groups/utils/chsh b/apparmor.d/groups/utils/chsh index a630a7733..e3581be31 100644 --- a/apparmor.d/groups/utils/chsh +++ b/apparmor.d/groups/utils/chsh @@ -15,7 +15,6 @@ profile chsh @{exec_path} { include include include - include #aa:only RBAC capability audit_write, capability chown, From 5ae1cc854da90f275ea6144d60a587e98bec461b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:20:13 +0200 Subject: [PATCH 227/798] fix(profile): pacman: add integration witn limine. fix #756 --- apparmor.d/groups/pacman/pacman | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 14753416f..e72c62667 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -81,6 +81,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/killall rix, @{sbin}/ldconfig rix, @{sbin}/locale-gen rPx, + @{bin}/limine-install rPUx, @{bin}/mkinitcpio rPx, @{sbin}/needrestart rPx, @{bin}/pacdiff rPx, From b88cf164ec5c3b8764068911f93cb240c7c19620 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:38:37 +0200 Subject: [PATCH 228/798] feat(profile): gnome-shell: allow some basic tools needed by some extensions. fix #705 --- apparmor.d/groups/gnome/gnome-shell | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1099f254d..b97d6d568 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -170,6 +170,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/gjs-console rPx, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, + @{bin}/sensors rPx, @{bin}/tecla rPx, @{bin}/Xwayland rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @@ -386,8 +387,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} mr, - @{bin}/pmap rix, - @{bin}/grep rix, + @{bin}/cat rix, + @{bin}/grep rix, + @{bin}/kmod rPx -> gnome-shell//lsmod, + @{bin}/pmap rix, @{sys}/devices/system/node/ r, @@ -400,6 +403,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } + profile lsmod flags=(attach_disconnected,mediate_deleted) { + include + include + + @{sys}/module/{,**} r, + + include if exists + } + profile pkexec { include include From 8fa7c49a6512c3e3a3b6171f64159273e894f9b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:42:11 +0200 Subject: [PATCH 229/798] feat(profile): add firefox crashhelper --- apparmor.d/abstractions/app/firefox | 1 + .../groups/browsers/firefox-crashhelper | 26 +++++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100644 apparmor.d/groups/browsers/firefox-crashhelper diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 73cb82070..1ea0c3b86 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -58,6 +58,7 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, + @{lib_dirs}/crashhelper rPx, @{lib_dirs}/crashreporter rPx, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper new file mode 100644 index 000000000..55443a330 --- /dev/null +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = firefox{,.sh,-esr,-bin} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ + +@{exec_path} = @{lib_dirs}/crashhelper +profile firefox-crashhelper @{exec_path} { + include + + @{exec_path} mr, + + owner "@{config_dirs}/firefox/Crash Reports/" rw, + owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw, + + include if exists +} + +# vim:syntax=apparmor From 011de3c301600addf6cc9ab763f61b378302c0f8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:48:16 +0200 Subject: [PATCH 230/798] feat(profile): flatpak: ensure remote can be added/removed. see #690 --- apparmor.d/groups/flatpak/flatpak | 2 ++ apparmor.d/groups/flatpak/flatpak-system-helper | 6 +++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 52e9e32ef..c34ae962f 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -96,6 +96,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{tmp}/#@{int} rw, owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw, + owner @{tmp}/remote-summary-sig.@{rand6} rw, + owner @{tmp}/remote-summary.@{rand6} rw, owner /dev/shm/flatpak*/{,**} rw, @{run}/.userns r, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index dfaa920ac..1381a1483 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -40,7 +40,7 @@ profile flatpak-system-helper @{exec_path} { /etc/flatpak/{,**} r, /etc/machine-id r, - /usr/share/flatpak/remotes.d/ r, + /usr/share/flatpak/remotes.d/{,**} r, /usr/share/flatpak/triggers/ r, /usr/share/mime/mime.cache r, @@ -51,8 +51,8 @@ profile flatpak-system-helper @{exec_path} { owner /{var/,}tmp/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - /tmp/remote-summary-sig.@{rand6} r, - /tmp/remote-summary.@{rand6} r, + @{tmp}/remote-summary-sig.@{rand6} r, + @{tmp}/remote-summary.@{rand6} r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, From 34f9a53a3bb8e4ab7a20127631765960ef012f29 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 22:53:36 +0200 Subject: [PATCH 231/798] ci: start dropping ci tests on ubuntu 22.04. --- .github/workflows/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 4baa4a776..cac8fce43 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -23,8 +23,6 @@ jobs: mode: default - os: ubuntu-24.04 mode: full-system-policy - - os: ubuntu-22.04 - mode: default steps: - name: Check out repository code uses: actions/checkout@v4 From eeebcf91f3b374d2ac83fd40b9c5e7d2bace1cdf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:05:50 +0200 Subject: [PATCH 232/798] feat(abs): add base-strict. For now, it is only a restructuring of the base abstraction with awareness of the apparmor.d architecture. --- apparmor.d/abstractions/base-strict | 131 ++++++++++++++++++++++ apparmor.d/abstractions/crypto.d/complete | 8 ++ apparmor.d/abstractions/glibc | 41 +++++++ apparmor.d/abstractions/ld | 23 ++++ apparmor.d/abstractions/locale | 26 +++++ 5 files changed, 229 insertions(+) create mode 100644 apparmor.d/abstractions/base-strict create mode 100644 apparmor.d/abstractions/glibc create mode 100644 apparmor.d/abstractions/ld create mode 100644 apparmor.d/abstractions/locale diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict new file mode 100644 index 000000000..0f4382bfe --- /dev/null +++ b/apparmor.d/abstractions/base-strict @@ -0,0 +1,131 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + # Do not use it manually, It automatically replaces the base abstraction in + # profiles when the re-attached mode is enabled. + + # For now, it is only a restructuring of the base abstraction with awareness + # of the apparmor.d architecture. + + abi , + + include + include + include + include + + # Allow us to signal ourselves + signal peer=@{profile_name}, + + # Checking for PID existence is quite common so add it by default for now + signal (receive, send) set=exists, + + #aa:exclude RBAC + # Allow unconfined processes to send us signals by default + signal receive peer=unconfined, + + # Systemd: allow to receive any signal from the systemd profiles stack + signal receive peer=@{p_systemd}, + signal receive peer=@{p_systemd_user}, + + # Htop like programs can send any signal to any process + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor, + + # Allow to receive termination signal from manager such as sudo, login, shutdown or systemd + signal receive peer=su, + signal receive peer=sudo, + signal receive set=(cont,term,kill,stop) peer=gnome-shell, + signal receive set=(cont,term,kill,stop) peer=login, + signal receive set=(cont,term,kill,stop) peer=openbox, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(cont,term,kill,stop) peer=xinit, + + # Allow other processes to read our /proc entries, futexes, perf tracing and + # kcmp for now (they will need 'read' in the first place). Administrators can + # override with: + # deny ptrace readby ... + ptrace readby, + + # Allow other processes to trace us by default (they will need 'trace' in + # the first place). Administrators can override with: + # deny ptrace tracedby ... + ptrace tracedby, + + # Allow us to ptrace read ourselves + ptrace read peer=@{profile_name}, + + # Allow us to create and use abstract and anonymous sockets + unix peer=(label=@{profile_name}), + + # Allow unconfined processes to us via unix sockets + unix receive peer=(label=unconfined), + + # Allow communication to children profiles + signal peer=@{profile_name}//*, + unix type=stream peer=(label=@{profile_name}//*), + + # Allow us to create abstract and anonymous sockets + unix create, + + # Allow us to getattr, getopt, setop and shutdown on unix sockets + unix (getattr, getopt, setopt, shutdown), + + # Allow all programs to use common libraries + @{lib}/** r, + @{lib}/**.so* m, + @{lib}/@{multiarch}/**.so* m, + @{lib}/@{multiarch}/** r, + + # Some applications will display license information + /usr/share/common-licenses/** r, + + # Allow access to the uuidd daemon (this daemon is a thin wrapper around + # time and getrandom()/{,u}random and, when available, runs under an + # unprivilged, dedicated user). + @{run}/uuidd/request r, + + # Transparent hugepage support + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + # Systemd's equivalent of /dev/log + @{run}/systemd/journal/dev-log w, + + # Systemd native journal API (see sd_journal_print(4)) + @{run}/systemd/journal/socket w, + + # Nested containers and anything using systemd-cat need this. 'r' shouldn't + # be required but applications fail without it. journald doesn't leak + # anything when reading so this is ok. + @{run}/systemd/journal/stdout rw, + + # Allow determining the highest valid capability of the running kernel + @{PROC}/sys/kernel/cap_last_cap r, + + # Controls how core dump files are named + @{PROC}/sys/kernel/core_pattern r, + + # Sometimes used to determine kernel/user interfaces to use + @{PROC}/sys/kernel/version r, + + # Harmless and frequently used + /dev/null rw, + /dev/random r, + /dev/urandom r, + /dev/zero rw, + + # The __canary_death_handler function writes a time-stamped log + # message to /dev/log for logging by syslogd. So, /dev/log, timezones, + # and localisations of date should be available EVERYWHERE, so + # StackGuard, FormatGuard, etc., alerts can be properly logged. + /dev/log w, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/crypto.d/complete b/apparmor.d/abstractions/crypto.d/complete index a163af66d..8fb84d261 100644 --- a/apparmor.d/abstractions/crypto.d/complete +++ b/apparmor.d/abstractions/crypto.d/complete @@ -4,7 +4,15 @@ include + # FIPS-140-2 versions of some crypto libraries need to access their + # associated integrity verification file, or they will abort. + @{lib}/.lib*.so*.hmac r, + @{lib}/@{multiarch}/.lib*.so*.hmac r, + @{etc_ro}/gnutls/config r, @{etc_ro}/gnutls/pkcs11.conf r, + # Used to determine if Linux is running in FIPS mode + @{PROC}/sys/crypto/fips_enabled r, + # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc new file mode 100644 index 000000000..aa6e14416 --- /dev/null +++ b/apparmor.d/abstractions/glibc @@ -0,0 +1,41 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Used by Glibc when binding to ephemeral ports + @{etc_ro}/bindresvport.blacklist r, + + # Depending on which Glibc routine uses this file, base may not be the + # best place -- but many profiles require it, and it is quite harmless. + @{PROC}/sys/kernel/ngroups_max r, + + # Glibc's sysconf(3) routine to determine free memory, etc + @{sys}/devices/system/cpu/ r, + @{sys}/devices/system/cpu/online r, + @{sys}/devices/system/cpu/possible r, + @{PROC}/cpuinfo r, + @{PROC}/meminfo r, + @{PROC}/stat r, + + # Glibc's *printf protections read the maps file + @{PROC}/@{pid}/auxv r, + @{PROC}/@{pid}/maps r, + @{PROC}/@{pid}/status r, + + # Glibc statvfs + @{PROC}/filesystems r, + + # Glibc malloc (man 5 proc) + @{PROC}/sys/vm/overcommit_memory r, + + # Recent glibc uses /dev/full in preference to /dev/null for programs + # that don't have open fds at exec() + /dev/full rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/ld b/apparmor.d/abstractions/ld new file mode 100644 index 000000000..21ac745e2 --- /dev/null +++ b/apparmor.d/abstractions/ld @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # ld.so.cache and ld are used to load shared libraries. + # As such, they can be used everywhere + + abi , + + /opt/*-linux-uclibc/lib/ld-uClibc*so* mr, + + @{etc_ro}/ld.so.cache mr, + @{etc_ro}/ld.so.conf r, + @{etc_ro}/ld.so.conf.d/ r, + @{etc_ro}/ld.so.conf.d/*.conf r, + @{etc_ro}/ld.so.preload r, + @{etc_ro}/ld-musl-*.path r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/locale b/apparmor.d/abstractions/locale new file mode 100644 index 000000000..873c303f5 --- /dev/null +++ b/apparmor.d/abstractions/locale @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2002-2009 Novell/SUSE +# Copyright (C) 2009-2011 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{etc_ro}/locale.alias r, + @{etc_ro}/locale.conf r, + @{etc_ro}/locale/** r, + @{etc_ro}/localtime r, + @{etc_rw}/localtime r, + + /usr/share/**/locale/** r, + /usr/share/locale-bundle/** r, + /usr/share/locale-langpack/** r, + /usr/share/locale/ r, + /usr/share/locale/** r, + /usr/share/X11/locale/** r, + /usr/share/zoneinfo{,-icu}/ r, + /usr/share/zoneinfo{,-icu}/** r, + + include if exists + +# vim:syntax=apparmor From 7dd860f2770ea0f7668e891ac7c59e2dc4808cee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:15:07 +0200 Subject: [PATCH 233/798] feat(profile): minor update & cosmetic. --- apparmor.d/abstractions/app/firefox | 4 +++- apparmor.d/abstractions/common/game | 4 ++-- apparmor.d/groups/apparmor/aa-log | 2 -- apparmor.d/groups/apparmor/aa-status | 4 ++-- apparmor.d/groups/bluetooth/bluetoothd | 3 ++- apparmor.d/groups/bluetooth/obexd | 2 ++ apparmor.d/groups/gnome/evolution-calendar-factory | 4 ++-- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/gnome/gsd-color | 2 +- .../groups/gnome/org.gnome.NautilusPreviewer | 1 + apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/kde/ksmserver-logout-greeter | 1 - apparmor.d/groups/ssh/sshd | 8 +++++--- .../systemd-generators/systemd-generator-ssh | 4 ++++ .../systemd-generators/systemd-generator-tpm2 | 1 + apparmor.d/groups/systemd/systemd-localed | 1 + apparmor.d/groups/utils/lspci | 4 ---- apparmor.d/profiles-a-f/fwupd | 1 + apparmor.d/profiles-g-l/haveged | 7 +++---- apparmor.d/profiles-g-l/linuxqq | 2 +- apparmor.d/profiles-m-r/mandb | 8 ++++---- apparmor.d/profiles-m-r/mimetype | 1 - apparmor.d/profiles-m-r/needrestart-notify | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 3 ++- apparmor.d/profiles-m-r/pcscd | 14 +++++++------- 25 files changed, 47 insertions(+), 40 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 1ea0c3b86..d988f608c 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -26,7 +26,7 @@ include include include - include + include include include include @@ -126,6 +126,8 @@ @{sys}/devices/**/uevent r, @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_sku r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 3b4a982f1..6b97b014c 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -6,9 +6,9 @@ # wine, proton, game launchers should use this abstraction. # This abstraction uses the following tunables: -# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories +# - @{XDG_GAMESSTUDIO_DIR}/ for game studio and game engines specific directories # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") -# - @{user_games_dirs} for user specific game directories (eg: steam storage dir) +# - @{user_games_dirs}/ for user specific game directories (eg: steam storage dir) abi , diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 03352e8bf..1a3e0aeff 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -21,8 +21,6 @@ profile aa-log @{exec_path} { /var/log/audit/* r, /var/log/syslog* r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /dev/tty@{int} rw, profile journalctl { diff --git a/apparmor.d/groups/apparmor/aa-status b/apparmor.d/groups/apparmor/aa-status index 17de74439..9badb78c1 100644 --- a/apparmor.d/groups/apparmor/aa-status +++ b/apparmor.d/groups/apparmor/aa-status @@ -22,8 +22,8 @@ profile aa-status @{exec_path} { @{sys}/module/apparmor/parameters/enabled r, @{PROC}/ r, - @{PROC}/@{pids}/attr/apparmor/current r, - @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 8ca699aaf..aa84eebd9 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -45,7 +45,8 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 5c1a7633e..efb5f42e4 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -31,6 +31,8 @@ profile obexd @{exec_path} { owner @{HOME}/bluetooth/* rw, + @{run}/systemd/users/@{uid} r, + include if exists } diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 25f8ecc7f..fba734ad4 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -71,8 +71,8 @@ profile evolution-calendar-factory @{exec_path} { owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, owner @{user_share_dirs}/evolution/calendar/{,**} rwk, - owner @{user_share_dirs}/evolution/tasks/system/ w, - owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw, + owner @{user_share_dirs}/evolution/memos/system/{,**} rw, + owner @{user_share_dirs}/evolution/tasks/system/{,**} rw, owner @{user_share_dirs}/gvfs-metadata/{,*} r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 4063fc473..40b8bc9b5 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -42,7 +42,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/locale rix, @{bin}/lscpu rPx, - @{bin}/lspci rPx, + @{bin}/lspci rPx, @{bin}/xrandr rPx, @{lib}/gnome-initial-setup-goa-helper rix, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 56445aeac..1b12a68cd 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -45,7 +45,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index db440bf4c..f084e7b12 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -39,6 +39,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index de8643100..87c3d4104 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/grub-mkconfig +@{exec_path} = @{sbin}/grub-mkconfig @{sbin}/grub2-mkconfig profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 01fe51783..67e56c3c6 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -53,7 +53,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/dev/i915/perf_stream_paranoid r, owner @{PROC}/@{pid}/exe r, - owner @{PROC}/@{pid}/status r, include if exists } diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index cc12a9eec..a514e7c99 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -29,8 +29,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { capability audit_write, capability chown, - capability dac_read_search, capability dac_override, + capability dac_read_search, capability fowner, capability kill, capability net_bind_service, @@ -50,9 +50,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(hup) peer=@{p_systemd}, + unix type=stream peer=(label=sshd-session), + + signal receive set=hup peer=@{p_systemd}, - ptrace (read,trace) peer=@{p_systemd}, + ptrace (read trace) peer=@{p_systemd}, dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh index efb56468e..0f6aa11d9 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ssh +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh @@ -30,8 +30,12 @@ profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/firmware/dmi/entries/*/raw r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 index 4d601d0f9..ee5d924cc 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 +++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 @@ -15,6 +15,7 @@ profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sys}/class/tpmrm/ r, + @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 75d382c40..104a141ce 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -21,6 +21,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /usr/share/kbd/keymaps/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index b390346bb..0ae22a03a 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -13,12 +13,8 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include - capability sys_admin, - @{exec_path} mr, - /app/lib/libzypak-preload-host*.so rm, - /usr/share/hwdata/pci.ids r, /usr/share/misc/pci.ids r, /usr/share/misc/pci.ids.gz r, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 5fb948234..961b55c97 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -52,6 +52,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/hwdata/* r, /usr/share/libdrm/*.ids r, /usr/share/mime/mime.cache r, + /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, /etc/lsb-release r, diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 5773a73fb..527629202 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -20,10 +20,9 @@ profile haveged @{exec_path} { @{sys}/devices/system/cpu/cpu@{int}/cache/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/kernel/random/poolsize r, - @{PROC}/sys/kernel/random/write_wakeup_threshold w, - owner @{PROC}/@{pid}/status r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/random/poolsize r, + @{PROC}/sys/kernel/random/write_wakeup_threshold w, /dev/random w, diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 3f3134400..dd653bd61 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -29,7 +29,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} r, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{lib_dirs}/chrome_crashpad_handler ix, @{lib_dirs}/resources/app/{,**} m, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index 4826337d0..cd825471d 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/mandb -profile mandb @{exec_path} flags=(complain) { +profile mandb @{exec_path} { include include include @@ -20,9 +20,6 @@ profile mandb @{exec_path} flags=(complain) { /etc/man_db.conf r, /etc/manpath.config r, - /var/cache/man/ r, - /var/cache/man/** rwk, - /usr/share/man/{,**} r, /usr/local/man/{,**} r, /usr/local/share/man/{,**} r, @@ -32,6 +29,9 @@ profile mandb @{exec_path} flags=(complain) { /usr/share/**/man/man@{u8}/*.@{int}.gz r, + owner /var/cache/man/ rw, + owner /var/cache/man/** rwk, + owner @{user_share_dirs}/man/** rwk, include if exists diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index d6823da9b..cf8431c7a 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -13,7 +13,6 @@ profile mimetype @{exec_path} { include @{exec_path} r, - /usr/bin/perl r, /usr/share/mime/**.xml r, /usr/share/mime/globs r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify index 41fa96c4c..9b3525fa5 100644 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -13,7 +13,7 @@ profile needrestart-notify @{exec_path} { capability dac_read_search, capability sys_ptrace, - ptrace read peer=unconfined, + ptrace read, @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 90cc6a4ba..947fb2f4e 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -14,8 +14,9 @@ profile pam-auth-update @{exec_path} flags=(complain) { @{exec_path} mrix, - @{bin}/md5sum ix, @{bin}/cp ix, + @{bin}/md5sum ix, + @{bin}/stty ix, /usr/share/pam{,-configs}/{,*} r, diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 67e0ee74e..d5bcc4293 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -16,13 +16,13 @@ profile pcscd @{exec_path} { network netlink raw, - ptrace (read) peer=@{p_systemd_user}, - ptrace (read) peer=gsd-smartcard, - ptrace (read) peer=keepassxc, - ptrace (read) peer=pkcs11-register, - ptrace (read) peer=rngd, - ptrace (read) peer=scdaemon, - ptrace (read) peer=veracrypt, + ptrace read peer=@{p_systemd_user}, + ptrace read peer=gsd-smartcard, + ptrace read peer=keepassxc, + ptrace read peer=pkcs11-register, + ptrace read peer=rngd, + ptrace read peer=scdaemon, + ptrace read peer=veracrypt, @{exec_path} mr, From 1118d2ffc5bdde1def44447be76715d55f10bd5a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:17:45 +0200 Subject: [PATCH 234/798] build: use the base-strict abstraction automatically. --- apparmor.d/abstractions/attached/base | 6 +++--- pkg/prebuild/builder/attach.go | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 4c35d915d..e394c5b99 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -8,14 +8,14 @@ abi , - include + include @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, @{att}/@{run}/systemd/journal/stdout rw, - deny /apparmor/.null rw, - deny @{att}/apparmor/.null rw, + /apparmor/.null rw, + @{att}/apparmor/.null rw, include if exists diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index f7f0c9bed..aeafcbf7d 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -49,6 +49,10 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { } else { insert = "@{att} = /\n" + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) } return strings.Replace(profile, origin, insert+origin, 1), nil From 390a8b1b011dbb335c1054ea5124a02423925da2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:20:03 +0200 Subject: [PATCH 235/798] build: add the fsp-debug build command. --- Justfile | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 4021b0e5a..109cfed3b 100644 --- a/Justfile +++ b/Justfile @@ -90,6 +90,11 @@ fsp: build fsp-complain: build @./{{build}}/prebuild --complain --full +[group('build')] +[doc('Prebuild the profiles in FSP mode (debug)')] +fsp-debug: build + @./{{build}}/prebuild --complain --full --debug + [group('build')] [doc('Install prebuild profiles')] install: @@ -312,13 +317,13 @@ integration dist flavor: @bats --recursive --timing --print-output-on-failure Projects/integration/ -[group('internal')] +[private] get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' -[group('internal')] +[private] get_osinfo dist: #!/usr/bin/env python3 osinfo = { From d01b7ce7d6e0a701e59c9eb3adf780cefb7935b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:42:30 +0200 Subject: [PATCH 236/798] chore: cleanup linter issue. --- apparmor.d/abstractions/base-strict | 2 +- pkg/aa/apparmor_test.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 0f4382bfe..818a4937f 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -8,7 +8,7 @@ # Do not use it manually, It automatically replaces the base abstraction in # profiles when the re-attached mode is enabled. - # For now, it is only a restructuring of the base abstraction with awareness + # For now, it is only a restructuring of the base abstraction with awareness # of the apparmor.d architecture. abi , diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 71be0ba0a..172cfc2b5 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -223,11 +223,11 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { &Include{IfExists: true, IsMagic: true, Path: "local/aa-status"}, &Capability{Names: []string{"dac_read_search"}}, &File{Path: "@{exec_path}", Access: []string{"m", "r"}}, - &File{Path: "@{PROC}/@{pids}/attr/apparmor/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pid}/attr/apparmor/current", Access: []string{"r"}}, &File{Path: "@{PROC}/", Access: []string{"r"}}, &File{Path: "@{sys}/module/apparmor/parameters/enabled", Access: []string{"r"}}, &File{Path: "@{sys}/kernel/security/apparmor/profiles", Access: []string{"r"}}, - &File{Path: "@{PROC}/@{pids}/attr/current", Access: []string{"r"}}, + &File{Path: "@{PROC}/@{pid}/attr/current", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/consoles"}, &File{Owner: true, Path: "@{PROC}/@{pid}/mounts", Access: []string{"r"}}, &Include{IsMagic: true, Path: "abstractions/base"}, From fc45e5ee66b7b9b2c3d0c15fd095991b591a2313 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Jun 2025 00:18:39 +0200 Subject: [PATCH 237/798] feat(fsp): add initial sd-umount. --- apparmor.d/groups/_full/sd-umount | 34 +++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 apparmor.d/groups/_full/sd-umount diff --git a/apparmor.d/groups/_full/sd-umount b/apparmor.d/groups/_full/sd-umount new file mode 100644 index 000000000..e5d67f0a9 --- /dev/null +++ b/apparmor.d/groups/_full/sd-umount @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Part of the systemd (as PID 1) profile. + +# sd-umount is a subprofile of sd responsible to handle unmounting operation. + +# Only use this profile with a fully configured system. Otherwise it **WILL** +# break your computer. See https://apparmor.pujol.io/full-system-policy/. + +# Distributions and other programs can add rules in the usr/sd-umount.d directory + +abi , + +include + +@{exec_path} = @{bin}/umount +profile sd-umount flags=(complain) { + include + + capability sys_admin, + + umount @{efi}, + + @{exec_path} mr, + + @{PROC}/@{pid}/mountinfo r, + + include if exists + include if exists +} + +# vim:syntax=apparmor From 0478e62f56d238d82e873b4174645597249ade77 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Jun 2025 00:19:43 +0200 Subject: [PATCH 238/798] feat(fsp): sd/sdu: improve integration with stacked profiles. --- apparmor.d/groups/_full/sd | 5 +++-- apparmor.d/groups/_full/sdu | 16 ++++++++++++++-- 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 44b3a9b7d..48172638e 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -165,6 +165,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{lib}/{,**} r, @{sbin}/{,*} r, /usr/share/** r, + /etc/*/ w, /etc/** rk, /home/ r, @@ -181,8 +182,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { /var/log/** rw, /var/log/journal/** rwl -> /var/log/journal/**, - @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, @{att}/@{run}/systemd/io.systemd.ManagedOOM rw, @{att}/@{run}/systemd/notify rw, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 411a8c3ad..c9338fd22 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -24,6 +24,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include include + include network netlink raw, @@ -71,16 +72,27 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, owner @{run}/user/@{uid}/pulse/pid rw, - owner @{user_state_dirs}/wireplumber/ r, + owner @{user_state_dirs}/wireplumber/ rw, owner @{user_state_dirs}/wireplumber/stream-properties rw, owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw, @{run}/systemd/users/@{uid} r, @{run}/systemd/users/@{int} r, - @{run}/udev/data/c116:@{int} r, # for ALSA + @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) + @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, + @{sys}/bus/media/devices/ r, + @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, + @{sys}/devices/**/device:*/{,**/}path r, + @{sys}/devices/**/sound/**/pcm_class r, + @{sys}/devices/**/sound/**/uevent r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/sound/seq/uevent r, From e7f25571d0865cd08bceac7c4e5bba845a8805a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Jun 2025 00:22:34 +0200 Subject: [PATCH 239/798] chore(profile): rename netplan.script to netplan. --- apparmor.d/groups/network/{netplan.script => netplan} | 8 ++++---- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- dists/flags/main.flags | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) rename apparmor.d/groups/network/{netplan.script => netplan} (81%) diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan similarity index 81% rename from apparmor.d/groups/network/netplan.script rename to apparmor.d/groups/network/netplan index 094726865..5855131a8 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan @@ -7,7 +7,7 @@ abi , include @{exec_path} = /usr/share/netplan/netplan.script -profile netplan.script @{exec_path} flags=(attach_disconnected) { +profile netplan @{exec_path} flags=(attach_disconnected) { include include include @@ -33,7 +33,7 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { @{run}/udev/rules.d/90-netplan.rules rw, @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw, - include if exists + include if exists } profile systemctl { @@ -42,10 +42,10 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) { capability net_admin, - include if exists + include if exists } - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 916279378..840e33cdd 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -38,7 +38,7 @@ profile subiquity-console-conf @{exec_path} { @{sbin}/sshd rPx, @{bin}/snap rPUx, /usr/lib/snapd/snap-recovery-chooser rPUx, - /usr/share/netplan/netplan.script rPUx, # TODO: rPx, + /usr/share/netplan/netplan.script rPx, /usr/share/subiquity/{,**} r, /usr/share/subiquity/console-conf-tui rix, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 77ea8761f..71670d4d7 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -240,7 +240,7 @@ multipathd complain needrestart-hook complain needrestart-notify complain needrestart-restart complain -netplan.script attach_disconnected,complain +netplan attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain nm-online complain From 0e4cc45a5b19e7503f51914cda745da46732b449 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 20:03:53 +0200 Subject: [PATCH 240/798] tests: simplify sbin check. --- tests/check.sh | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index add9b0685..b1783bf8e 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -353,11 +353,9 @@ check_sbin() { for file in "${files[@]}"; do ( while read -r match; do - if [[ $match =~ (@\{sbin\}/($pattern)) ]]; then - name="${BASH_REMATCH[2]}" - if ! _in_array "$name" "${sbin[@]}"; then - _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" - fi + name="${match/\@\{sbin\}\//}" + if ! _in_array "$name" "${sbin[@]}"; then + _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" fi done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") ) & From d2dbf771cc7fb08235b8305afb967053c25a38cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:07:17 +0200 Subject: [PATCH 241/798] feat(profiles): ensure we use {,e}grep instead of grep. --- apparmor.d/groups/apt/apt-systemd-daily | 2 +- apparmor.d/groups/apt/dpkg-script-apparmor | 2 +- apparmor.d/groups/browsers/torbrowser-launcher | 2 +- apparmor.d/groups/browsers/torbrowser-start | 2 +- apparmor.d/groups/cron/cron-ntp | 2 +- apparmor.d/groups/cron/cron-popularity-contest | 2 +- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/filesystem/lvmpolld | 2 +- apparmor.d/groups/freedesktop/plymouth-set-default-theme | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-session | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/startplasma | 2 +- apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/pacman/aurpublish | 2 +- apparmor.d/groups/pacman/pacman-key | 2 +- apparmor.d/groups/ssh/ssh-agent-launch | 2 +- .../groups/systemd-generators/systemd-generator-ds-identify | 2 +- apparmor.d/groups/systemd-service/grub-common.service | 2 +- apparmor.d/groups/systemd/systemd-sleep-grub | 2 +- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/ubuntu/ubuntu-fan-net | 2 +- apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot | 2 +- apparmor.d/groups/whonix/anondate | 2 +- apparmor.d/groups/whonix/pam-info | 2 +- apparmor.d/groups/whonix/rads | 2 +- apparmor.d/groups/whonix/sdwdate | 2 +- apparmor.d/groups/whonix/systemcheck-canary | 2 +- apparmor.d/groups/whonix/torbrowser-wrapper | 2 +- apparmor.d/profiles-a-f/blkdeactivate | 2 +- apparmor.d/profiles-a-f/ddcutil | 2 +- apparmor.d/profiles-a-f/finalrd | 2 +- apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/install-catalog | 2 +- apparmor.d/profiles-g-l/kdump-config | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo.wrapper | 2 +- apparmor.d/profiles-g-l/language-validate | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-g-l/logrotate | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version | 2 +- apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-s-z/secure-time-sync | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/syncoid | 2 +- apparmor.d/profiles-s-z/sysstat-sa | 2 +- apparmor.d/profiles-s-z/tlp | 2 +- apparmor.d/profiles-s-z/ucfr | 2 +- apparmor.d/profiles-s-z/update-cracklib | 2 +- apparmor.d/profiles-s-z/veracrypt | 2 +- apparmor.d/profiles-s-z/whatis | 2 +- apparmor.d/profiles-s-z/zed | 2 +- 55 files changed, 55 insertions(+), 55 deletions(-) diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 08e1400b2..bd2f7fbb0 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -25,7 +25,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/env rix, @{bin}/find rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/ls rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index e9a03f282..122e4541e 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -13,7 +13,7 @@ profile dpkg-script-apparmor @{exec_path} { @{exec_path} mrix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/deb-systemd-helper Px, @{bin}/deb-systemd-invoke Px, diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher index 0f6273107..4969a14c3 100644 --- a/apparmor.d/groups/browsers/torbrowser-launcher +++ b/apparmor.d/groups/browsers/torbrowser-launcher @@ -32,7 +32,7 @@ profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} Cx -> gpg, @{bin}/gpgconf Cx -> gpg, @{bin}/gpgsm Cx -> gpg, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/sed ix, @{bin}/tail ix, diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start index 58bb31ac8..ce6a3678c 100644 --- a/apparmor.d/groups/browsers/torbrowser-start +++ b/apparmor.d/groups/browsers/torbrowser-start @@ -22,7 +22,7 @@ profile torbrowser-start @{exec_path} { @{bin}/expr ix, @{bin}/file ix, @{bin}/getconf ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/ln ix, @{bin}/mkdir ix, diff --git a/apparmor.d/groups/cron/cron-ntp b/apparmor.d/groups/cron/cron-ntp index 17ab7f745..7221cc6e1 100644 --- a/apparmor.d/groups/cron/cron-ntp +++ b/apparmor.d/groups/cron/cron-ntp @@ -14,7 +14,7 @@ profile cron-ntp @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/sed rix, include if exists diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index 63a664096..fa6e9874f 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -18,7 +18,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/cat rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 6eeeaa414..b3658b738 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -50,7 +50,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cp rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gs rix, @{bin}/gsc rix, @{bin}/hostname rix, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 052180a99..d110fb83b 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -25,7 +25,7 @@ profile xdm-xsession @{exec_path} { @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, diff --git a/apparmor.d/groups/filesystem/lvmpolld b/apparmor.d/groups/filesystem/lvmpolld index 4168ad4fe..cce01b0d0 100644 --- a/apparmor.d/groups/filesystem/lvmpolld +++ b/apparmor.d/groups/filesystem/lvmpolld @@ -13,7 +13,7 @@ profile lvmpolld @{exec_path} { include @{exec_path} rm, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/umount rPx, @{run}/lvmpolld.pid rwk, diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme index b9b2cfd45..da13572e5 100644 --- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme +++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme @@ -15,7 +15,7 @@ profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/plymouth rPx, /usr/share/plymouth/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 2f9077d19..85b3268dd 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -67,7 +67,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{bin}/@{shells} rUx, @{bin}/gcm-viewer rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, @{bin}/sed rix, @{bin}/tecla rPx, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index e0ff334db..1f29958d1 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -20,7 +20,7 @@ profile gnome-session @{exec_path} { @{bin}/find rix, @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/head rix, @{bin}/id rix, @{bin}/locale rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b97d6d568..e977af95e 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -388,7 +388,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} mr, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kmod rPx -> gnome-shell//lsmod, @{bin}/pmap rix, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index ebb150ed2..45c382855 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -24,7 +24,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sh_path} rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kcminit rPx, @{bin}/sed rix, @{bin}/uname rPx, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index b69d7fdb9..004b89d57 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -21,7 +21,7 @@ profile startplasma @{exec_path} { @{sh_path} rix, @{bin}/env rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kapplymousetheme rPUx, @{bin}/kdeinit5_shutdown rPUx, @{bin}/ksplashqml rPUx, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 87207e2b7..87a418153 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -42,7 +42,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/chronyc rPUx, @{bin}/date rix, @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rix, @{sbin}/invoke-rc.d rCx -> invoke-rc, @{bin}/logger rix, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index a7a7bf225..df9af9fef 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -30,7 +30,7 @@ profile aurpublish @{exec_path} { @{bin}/gettext rix, @{bin}/git rPx, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/makepkg rix, @{bin}/mkdir rix, @{bin}/mktemp rix, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 287bc026a..025d87b29 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -22,7 +22,7 @@ profile pacman-key @{exec_path} { @{bin}/chmod rix, @{bin}/gettext rix, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ngettext rix, @{bin}/pacman-conf rPx, @{bin}/touch rix, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index c9f0c6373..86bd0866f 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -15,7 +15,7 @@ profile ssh-agent-launch @{exec_path} { @{sh_path} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/getopt rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ssh-agent rPx, /etc/X11/Xsession.options r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify index ba6141d86..daa877efe 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ds-identify @@ -17,7 +17,7 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/systemd-detect-virt rPx, @{bin}/tr rix, @{bin}/uname rix, diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service index 4abd74fb1..f8cf34f25 100644 --- a/apparmor.d/groups/systemd-service/grub-common.service +++ b/apparmor.d/groups/systemd-service/grub-common.service @@ -14,7 +14,7 @@ profile grub-common.service { include @{sh_path} rix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/grub-editenv rix, @{bin}/mkdir ix, @{bin}/rm ix, diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub b/apparmor.d/groups/systemd/systemd-sleep-grub index b2b42bf44..38be5772f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-grub +++ b/apparmor.d/groups/systemd/systemd-sleep-grub @@ -14,7 +14,7 @@ profile systemd-sleep-grub @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/uname rix, /etc/sysconfig/bootloader r, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index 9fd065db3..a80a4f729 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -16,7 +16,7 @@ profile cron-ubuntu-fan @{exec_path} { @{sh_path} rix, @{sbin}/fanctl rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 840e33cdd..dc67817ed 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -24,7 +24,7 @@ profile subiquity-console-conf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ip rix, @{bin}/mkdir rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net index f9d7c01f5..74fe83551 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-fan-net +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net @@ -14,7 +14,7 @@ profile ubuntu-fan-net @{exec_path} { @{sh_path} mr, @{bin}/{m,g,}awk ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/networkctl Px, @{sbin}/fanctl Px, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 0573f38bf..c244f2902 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -18,7 +18,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{bin}/cat rix, @{bin}/cut rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rix, @{bin}/mount rCx -> mount, @{bin}/stat rix, diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate index 27e4eb594..325535cce 100644 --- a/apparmor.d/groups/whonix/anondate +++ b/apparmor.d/groups/whonix/anondate @@ -19,7 +19,7 @@ profile anondate @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/minimum-unixtime-show rix, @{bin}/rm rix, @{bin}/systemd-cat rix, diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info index 1cc3e7668..23ab3aeb4 100644 --- a/apparmor.d/groups/whonix/pam-info +++ b/apparmor.d/groups/whonix/pam-info @@ -15,7 +15,7 @@ profile pam-info @{exec_path} { @{sh_path} rix, @{sbin}/faillock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/str_replace rix, @{bin}/wc rix, @{bin}/whoami rix, diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index e76570b34..10f30b50b 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -20,7 +20,7 @@ profile rads @{exec_path} { @{bin}/chvt rix, @{bin}/free rix, @{bin}/gawk rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mkdir rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index d34f8087c..dbe561ab6 100644 --- a/apparmor.d/groups/whonix/sdwdate +++ b/apparmor.d/groups/whonix/sdwdate @@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{lib}/helper-scripts/* rix, @{bin}/url_to_unixtime rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{lib}/helper-scripts/ r, @{lib}/sdwdate/ r, diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary index 4130d9cd9..17bedc43b 100644 --- a/apparmor.d/groups/whonix/systemcheck-canary +++ b/apparmor.d/groups/whonix/systemcheck-canary @@ -14,7 +14,7 @@ profile systemcheck-canary @{exec_path} { @{exec_path} mr, @{bin}/sleep rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/whoami rix, @{bin}/cat rix, @{bin}/date rix, diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index fc20ad0fb..c86d91099 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper @@ -20,7 +20,7 @@ profile torbrowser-wrapper @{exec_path} { @{bin}/basename ix, @{bin}/cp ix, @{bin}/dirname ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/mkdir ix, @{bin}/mktemp ix, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index d56782267..83806e753 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -16,7 +16,7 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{sh_path} rix, @{sbin}/dmsetup rPUx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/touch rix, @{bin}/lsblk rPx, @{sbin}/lvm rPx, diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index c752dcbb8..7c353bf65 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -21,7 +21,7 @@ profile ddcutil @{exec_path} { @{bin}/find rix, @{bin}/sed rix, @{bin}/xargs rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, / r, diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index d8f2f819e..b22730a27 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -24,7 +24,7 @@ profile finalrd @{exec_path} { @{bin}/dirname ix, @{bin}/env ix, @{bin}/find ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/ln ix, @{bin}/mkdir ix, @{bin}/mount ix, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 795c92f00..779dd8e67 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -17,7 +17,7 @@ profile gpu-manager @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, /usr/lib/modprobe.d/{,**} r, diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog index b1a56c41d..6a26d4dea 100644 --- a/apparmor.d/profiles-g-l/install-catalog +++ b/apparmor.d/profiles-g-l/install-catalog @@ -16,7 +16,7 @@ profile install-catalog @{exec_path} { @{sh_path} rix, @{bin}/basename rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index 2b3516202..f8b75f742 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -25,7 +25,7 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { @{bin}/file ix, @{bin}/find ix, @{bin}/flock ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/hexdump ix, @{bin}/ln ix, @{bin}/logger ix, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index aeac3e6a1..056b2d83c 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -25,7 +25,7 @@ profile landscape-sysinfo.wrapper @{exec_path} { @{bin}/cut rix, @{bin}/date rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/landscape-sysinfo rPx, / r, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index bf999b79e..80f914fab 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -15,7 +15,7 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/locale rix, /usr/share/locale-langpack/{,*} r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 191ac5782..8cc8a65e1 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -43,7 +43,7 @@ profile libreoffice @{exec_path} { @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/ls rix, @{bin}/paperconf rix, @{bin}/sed rix, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 8d3dc2171..0dee9ed6a 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -30,7 +30,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cat rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{sbin}/invoke-rc.d rix, @{bin}/kill rix, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index cd2ddc0e6..013143152 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -19,7 +19,7 @@ profile modprobed-db @{exec_path} { @{bin}/cut rix, @{bin}/gawk rix, @{bin}/getent rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/logname rix, @{bin}/md5sum rix, @{bin}/rm rix, diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index e5ee2fd8f..4474c1bfc 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -15,7 +15,7 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{sh_path} rix, @{bin}/bzip2 rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/lzop rix, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 5ae5df7e6..d13099bc3 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -24,7 +24,7 @@ profile pass @{exec_path} { @{bin}/env r, @{bin}/find ix, @{bin}/getopt ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/head ix, @{bin}/mkdir ix, @{bin}/mktemp ix, diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync index 51016373d..9c3f6d9df 100644 --- a/apparmor.d/profiles-s-z/secure-time-sync +++ b/apparmor.d/profiles-s-z/secure-time-sync @@ -23,7 +23,7 @@ profile secure-time-sync @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/curl rix, @{bin}/date rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/id rPx, @{bin}/sed rix, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 1a0bd0ea9..dfd488a48 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -28,7 +28,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{sh_path} mr, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index 821a3fd63..e275fb764 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -15,7 +15,7 @@ profile syncoid @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/mbuffer rix, @{bin}/perl rix, @{bin}/ps rPx, diff --git a/apparmor.d/profiles-s-z/sysstat-sa b/apparmor.d/profiles-s-z/sysstat-sa index 37f5e3ca1..9dcc199bc 100644 --- a/apparmor.d/profiles-s-z/sysstat-sa +++ b/apparmor.d/profiles-s-z/sysstat-sa @@ -17,7 +17,7 @@ profile sysstat-sa @{exec_path} { @{sh_path} rix, @{bin}/date ix, @{bin}/find ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/rm ix, @{bin}/sar.sysstat ix, @{bin}/xargs ix, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index c01edd9ec..9faea6e3e 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -32,7 +32,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/cp rix, @{sbin}/ethtool rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{sbin}/hdparm rPx, @{bin}/head rix, @{bin}/id rPx, diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr index b38f8aae4..add5c5b64 100644 --- a/apparmor.d/profiles-s-z/ucfr +++ b/apparmor.d/profiles-s-z/ucfr @@ -16,7 +16,7 @@ profile ucfr @{exec_path} { @{bin}/basename ix, @{bin}/{m,g,}awk ix, @{bin}/getopt ix, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/readlink ix, @{bin}/sed ix, diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index b7f00b263..8f848b0ad 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -21,7 +21,7 @@ profile update-cracklib @{exec_path} { @{bin}/env rix, @{bin}/file rix, @{bin}/find rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gzip rix, @{bin}/install rix, @{bin}/install rix, diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt index 1e5417b15..b9b92a721 100644 --- a/apparmor.d/profiles-s-z/veracrypt +++ b/apparmor.d/profiles-s-z/veracrypt @@ -30,7 +30,7 @@ profile veracrypt @{exec_path} { @{sh_path} rix, @{open_path} rPx -> child-open-help, @{sbin}/dmsetup rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/kmod rix, @{sbin}/ldconfig rix, @{sbin}/losetup rCx -> losetup, diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis index 43fa8ff09..3febd0b0b 100644 --- a/apparmor.d/profiles-s-z/whatis +++ b/apparmor.d/profiles-s-z/whatis @@ -13,7 +13,7 @@ profile whatis @{exec_path} { include @{exec_path} mr, - @{bin}/grep rix, + @{bin}/{,e}grep rix, /usr/{,**/}man/{,**/}{,whatis} r, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index bb160a5e5..b131897d4 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -23,7 +23,7 @@ profile zed @{exec_path} { @{bin}/diff rix, @{bin}/expr rix, @{bin}/flock rix, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/hostname rix, @{bin}/logger rix, @{bin}/ls rix, From be62e5186f739b2316fc8ac2c22c3a5be37ad163 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:16:16 +0200 Subject: [PATCH 242/798] feat(profiles): ensure we use which{,.debianutils} instead of which. --- apparmor.d/abstractions/app/editor | 2 +- apparmor.d/groups/apt/apt-systemd-daily | 2 +- apparmor.d/groups/apt/aptitude-create-state-bundle | 2 +- apparmor.d/groups/browsers/brave-wrapper | 2 +- apparmor.d/groups/browsers/chrome-wrapper | 2 +- apparmor.d/groups/browsers/msedge-wrapper | 2 +- apparmor.d/groups/cron/cron-apt-compat | 2 +- apparmor.d/groups/cron/cron-apt-xapian-index | 3 +-- apparmor.d/groups/cron/cron-aptitude | 2 +- apparmor.d/groups/cron/cron-mlocate | 2 +- apparmor.d/groups/cron/cron-plocate | 2 +- apparmor.d/groups/cron/cron-popularity-contest | 2 +- apparmor.d/groups/display-manager/x11-xsession | 2 +- apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/network/openvpn | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/profiles-a-f/anyremote | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 2 +- apparmor.d/profiles-a-f/claws-mail | 2 +- apparmor.d/profiles-g-l/ganyremote | 2 +- apparmor.d/profiles-g-l/gsmartcontrol-root | 2 +- apparmor.d/profiles-g-l/kanyremote | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-m-r/mumble-overlay | 2 +- apparmor.d/profiles-m-r/openbox | 2 +- apparmor.d/profiles-m-r/os-prober | 2 +- apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-m-r/pokemmo | 2 +- apparmor.d/profiles-m-r/protonmail-bridge-core | 2 +- apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/update-pciids | 2 +- apparmor.d/profiles-s-z/uupdate | 2 +- apparmor.d/profiles-s-z/xinit | 2 +- 35 files changed, 35 insertions(+), 36 deletions(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index f62e36339..2bd14077b 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -13,7 +13,7 @@ @{bin}/nvim mrix, @{bin}/sensible-editor mr, @{bin}/vim{,.*} mrix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index bd2f7fbb0..4f0d4e36b 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} { @{bin}/touch rix, @{bin}/uniq rix, @{bin}/wc rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/xargs rix, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index 59f7a54f6..a2f5e2050 100644 --- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tar rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper index 7001da3fe..b4f70689c 100644 --- a/apparmor.d/groups/browsers/brave-wrapper +++ b/apparmor.d/groups/browsers/brave-wrapper @@ -23,7 +23,7 @@ profile brave-wrapper @{exec_path} { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib_dirs}/brave rPx, diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper index 0a97d4052..709eb79a1 100644 --- a/apparmor.d/groups/browsers/chrome-wrapper +++ b/apparmor.d/groups/browsers/chrome-wrapper @@ -22,7 +22,7 @@ profile chrome-wrapper @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib_dirs}/chrome rPx, diff --git a/apparmor.d/groups/browsers/msedge-wrapper b/apparmor.d/groups/browsers/msedge-wrapper index 3da31e332..8268db2e1 100644 --- a/apparmor.d/groups/browsers/msedge-wrapper +++ b/apparmor.d/groups/browsers/msedge-wrapper @@ -22,7 +22,7 @@ profile msedge-wrapper @{exec_path} flags=(attach_disconnected) { @{bin}/mkdir rix, @{bin}/readlink rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib_dirs}/msedge rPx, diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat index 1778d4b7e..fcf5e4430 100644 --- a/apparmor.d/groups/cron/cron-apt-compat +++ b/apparmor.d/groups/cron/cron-apt-compat @@ -22,7 +22,7 @@ profile cron-apt-compat @{exec_path} { @{bin}/dd rix, @{bin}/cksum rix, @{bin}/cut rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/sleep rix, include if exists diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index index 83eb22428..15f93efec 100644 --- a/apparmor.d/groups/cron/cron-apt-xapian-index +++ b/apparmor.d/groups/cron/cron-apt-xapian-index @@ -14,9 +14,8 @@ profile cron-apt-xapian-index @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/{,e}grep rix, - @{bin}/nice rix, @{bin}/ionice rix, diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude index a471b2844..82b33e8ab 100644 --- a/apparmor.d/groups/cron/cron-aptitude +++ b/apparmor.d/groups/cron/cron-aptitude @@ -17,7 +17,7 @@ profile cron-aptitude @{exec_path} { @{bin}/cp rix, @{bin}/date rix, @{bin}/basename rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/dirname rix, @{bin}/rm rix, @{bin}/mv rix, diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate index ec9690938..f91956bcd 100644 --- a/apparmor.d/groups/cron/cron-mlocate +++ b/apparmor.d/groups/cron/cron-mlocate @@ -15,7 +15,7 @@ profile cron-mlocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate index 0604eba3a..7f52d1a14 100644 --- a/apparmor.d/groups/cron/cron-plocate +++ b/apparmor.d/groups/cron/cron-plocate @@ -15,7 +15,7 @@ profile cron-plocate @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/true rix, @{bin}/flock rix, @{bin}/nocache rix, diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index fa6e9874f..44d3a546f 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -74,7 +74,7 @@ profile cron-popularity-contest @{exec_path} { @{bin}/mv rix, @{bin}/rm rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{sh_path} rix, /var/log/ r, diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession index 4eb916aab..361a30b26 100644 --- a/apparmor.d/groups/display-manager/x11-xsession +++ b/apparmor.d/groups/display-manager/x11-xsession @@ -34,7 +34,7 @@ profile x11-xsession @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 9804ddcb0..03e77816c 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -35,7 +35,7 @@ profile gdm-xsession @{exec_path} { @{bin}/tr rix, @{bin}/truncate rix, @{bin}/tty rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index b5cceee95..f27f3dc3c 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -40,7 +40,7 @@ profile sddm-xsession @{exec_path} { @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which{,.*} rix, + @{bin}/which{,.debianutils} rix, @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 6431ee98a..a6ff1a939 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -84,7 +84,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/cut rix, @{bin}/ip rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{sbin}/xtables-nft-multi rix, /etc/iproute2/rt_tables r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index e72c62667..e9f3bf807 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -101,7 +101,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{sbin}/update-grub rPx, @{bin}/update-mime-database rPx, @{bin}/vercmp rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index bb5cd329c..5a4e130a0 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -52,7 +52,7 @@ profile apport-gtk @{exec_path} { @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index 6af2cd38d..43ecdb0cd 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -41,7 +41,7 @@ profile anyremote @{exec_path} { @{bin}/tail rix, @{bin}/tr rix, @{bin}/wc rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/convert-im6.q16 rCx -> imagemagic, @{bin}/killall rCx -> killall, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 43edd3233..a10df8394 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -20,7 +20,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { @{bin}/gzip rix, @{bin}/precat rix, @{bin}/prezip-bin rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/zcat rix, @{bin}/dpkg-trigger rPx, diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index bb7dfd3b8..263bb5794 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -24,7 +24,7 @@ profile claws-mail @{exec_path} flags=(complain) { @{exec_path} mr, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote index b2dc7b92d..727bf8cdf 100644 --- a/apparmor.d/profiles-g-l/ganyremote +++ b/apparmor.d/profiles-g-l/ganyremote @@ -30,7 +30,7 @@ profile ganyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 515d2234c..4fdb1084b 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -15,7 +15,7 @@ profile gsmartcontrol-root @{exec_path} { @{exec_path} r, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/pkexec rCx -> pkexec, diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote index 10e085799..91eb37c58 100644 --- a/apparmor.d/profiles-g-l/kanyremote +++ b/apparmor.d/profiles-g-l/kanyremote @@ -31,7 +31,7 @@ profile kanyremote @{exec_path} { @{bin}/{,e}grep rix, @{bin}/cut rix, @{bin}/id rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{m,g,}awk rix, @{bin}/head rix, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 133cf8ae7..6bc2c8961 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -33,7 +33,7 @@ profile kernel @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/apt-config rPx, @{bin}/dpkg rPx -> child-dpkg, diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay index c077f3836..86792860c 100644 --- a/apparmor.d/profiles-m-r/mumble-overlay +++ b/apparmor.d/profiles-m-r/mumble-overlay @@ -16,7 +16,7 @@ profile mumble-overlay @{exec_path} { @{sh_path} rix, @{bin}/file rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/glxgears rPx, diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index e4e8a36e2..899290792 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -58,7 +58,7 @@ profile openbox @{exec_path} { @{lib}/@{multiarch}/openbox-xdg-autostart rix, @{sh_path} rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, # Apps allowed to run @{bin}/* rPUx, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 162c0b743..da853aa9a 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -51,7 +51,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/uname rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{lib}/newns rix, @{lib}/os-prober/* rix, @{lib}/os-probes/{,**} rix, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index d13099bc3..096f0316a 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -40,7 +40,7 @@ profile pass @{exec_path} { @{bin}/tr ix, @{bin}/tree ix, @{bin}/tty ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} ix, @{bin}/git Cx -> git, @{bin}/gpg{2,} Cx -> gpg, diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo index 111b157c5..324b08f17 100644 --- a/apparmor.d/profiles-m-r/pokemmo +++ b/apparmor.d/profiles-m-r/pokemmo @@ -37,7 +37,7 @@ profile pokemmo @{exec_path} flags=(attach_disconnected) { @{bin}/java ix, @{bin}/perl ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} ix, @{lib}/jvm/java-@{int}-openjdk/bin/java ix, # Installer diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index ee7adab75..45c6766e3 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -72,7 +72,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { @{bin}/tail rix, @{bin}/tree rix, @{bin}/tty rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, owner @{user_passwordstore_dirs}/ r, owner @{user_passwordstore_dirs}/.gpg-id r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 0a7b992b6..3c3374d85 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -33,7 +33,7 @@ profile ucf @{exec_path} { @{bin}/seq rix, @{bin}/stat rix, @{bin}/tr rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/dpkg-query rpx, @{bin}/dpkg-divert rPx, diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index bba603690..901dae9a0 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -24,7 +24,7 @@ profile update-pciids @{exec_path} { @{bin}/chmod rix, @{bin}/echo rix, @{bin}/cat rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/bunzip2 rix, @{bin}/bzip2 rix, @{bin}/gzip rix, diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index eb26a4967..88a6cd406 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -18,7 +18,7 @@ profile uupdate @{exec_path} flags=(complain) { @{sh_path} rix, @{bin}/basename rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, @{bin}/tr rix, @{bin}/{,e}grep rix, @{bin}/getopt rix, diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 61151a7db..9abc02350 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -35,7 +35,7 @@ profile xinit @{exec_path} { @{bin}/tail rix, @{bin}/tempfile rix, @{bin}/touch rix, - @{bin}/which rix, + @{bin}/which{,.debianutils} rix, /etc/X11/xinit/xinitrc rix, /etc/X11/xinit/xserverrc rix, From 27907e5a17e3720e6b369ea62256eb7d36551b92 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:27:34 +0200 Subject: [PATCH 243/798] feat(profiles): ensure we use {m,g,}awk instead of awk. --- apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/whonix/rads | 2 +- apparmor.d/profiles-g-l/kernel-postinst-kdump | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-s-z/tomb | 3 +-- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 2 +- 7 files changed, 7 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 87a418153..029a5e39a 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -41,7 +41,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{bin}/chown rix, @{bin}/chronyc rPUx, @{bin}/date rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/{,e}grep rix, @{bin}/id rix, @{sbin}/invoke-rc.d rCx -> invoke-rc, diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads index 10f30b50b..8bdeb2c13 100644 --- a/apparmor.d/groups/whonix/rads +++ b/apparmor.d/groups/whonix/rads @@ -19,7 +19,7 @@ profile rads @{exec_path} { @{bin}/cat rix, @{bin}/chvt rix, @{bin}/free rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/{,e}grep rix, @{bin}/mkdir rix, @{bin}/rm rix, diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 91af3a842..e1358ec29 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -14,7 +14,7 @@ profile kernel-postinst-kdump @{exec_path} { @{bin}/du rix, @{bin}/find rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sync rix, diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 013143152..90bf73cf3 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -17,7 +17,7 @@ profile modprobed-db @{exec_path} { @{bin}/cat rix, @{bin}/cp rix, @{bin}/cut rix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/getent rix, @{bin}/{,e}grep rix, @{bin}/logname rix, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 508ac6eff..93e29bcfa 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -27,7 +27,7 @@ profile tomb @{exec_path} { @{exec_path} mr, @{bin}/{,e,f}grep rix, - @{bin}/awk rix, + @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/chmod rix, @@ -41,7 +41,6 @@ profile tomb @{exec_path} { @{bin}/env rix, @{bin}/file rix, @{bin}/findmnt rix, - @{bin}/gawk rix, @{bin}/getent rix, @{bin}/gettext rix, @{bin}/hostname rix, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index e23d4db43..b7ad3a2e8 100755 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -31,7 +31,7 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{lib_dirs}/crashpad_handler ix, @{bin}/mkdir ix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/lsblk rPx, @{bin}/ip rix, @{bin}/xdg-user-dir rix, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 023644eb0..55155f2b8 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -36,7 +36,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/wechat-appimage.AppImage ix, /tmp/.mount_wechat??????/AppRun ix, @{bin}/mkdir ix, - @{bin}/gawk rix, + @{bin}/{m,g,}awk rix, @{bin}/lsblk rPx, @{bin}/ip rix, @{bin}/xdg-user-dir rix, From 033a7475e08db25afacdeca23f8aab1786d7d70a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:35:13 +0200 Subject: [PATCH 244/798] tests: enforce equivalent tests. --- tests/check.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index b1783bf8e..801e81114 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -134,6 +134,7 @@ _check_directory_mark() { declare -A EQUIVALENTS=( ["awk"]="{m,g,}awk" + ["gawk"]="{m,g,}awk" ["grep"]="{,e}grep" ["which"]="which{,.debianutils}" ) @@ -371,7 +372,10 @@ check_profiles() { -prune -o -type f -print ) jobs=0 - WITH_CHECK=(abi include profile header tabs trailing indentation subprofiles vim) + WITH_CHECK=( + equivalent + abi include profile header tabs trailing indentation subprofiles vim + ) for file in "${files[@]}"; do ( name="$(basename "$file")" @@ -388,7 +392,10 @@ check_abstractions() { _msg "Checking abstractions" mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") jobs=0 - WITH_CHECK=(abi include header tabs trailing indentation vim) + WITH_CHECK=( + equivalent + abi include header tabs trailing indentation vim + ) for file in "${files[@]}"; do ( name="$(basename "$file")" @@ -406,7 +413,10 @@ check_abstractions() { ) # shellcheck disable=SC2034 jobs=0 - WITH_CHECK=(header tabs trailing indentation vim) + WITH_CHECK=( + equivalent + header tabs trailing indentation vim + ) for file in "${files[@]}"; do _check "$file" & _wait jobs From f29041576e234e3d4873da2434d4fd3298c2b01d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Jun 2025 23:55:20 +0200 Subject: [PATCH 245/798] feat(profile): move away from old or too wide abstractions. --- .../groups/browsers/opera-crashreporter | 2 +- apparmor.d/groups/filesystem/udiskie | 10 ++--- apparmor.d/groups/hyprland/hyprpm | 1 - apparmor.d/groups/network/nm-dhcp-helper | 2 +- apparmor.d/groups/usb/usbguard-applet-qt | 18 +++----- apparmor.d/groups/virt/libvirtd | 3 +- apparmor.d/profiles-a-f/atftpd | 8 +++- apparmor.d/profiles-a-f/dhclient-script | 8 +++- apparmor.d/profiles-a-f/dumpcap | 8 ++-- apparmor.d/profiles-a-f/ffplay | 3 +- apparmor.d/profiles-a-f/fritzing | 44 ++++++++----------- apparmor.d/profiles-g-l/light-locker | 12 ++--- apparmor.d/profiles-m-r/mkvtoolnix-gui | 10 ++--- apparmor.d/profiles-m-r/netstat | 8 +++- apparmor.d/profiles-m-r/pcb-gtk | 8 +--- apparmor.d/profiles-s-z/sing-box | 1 - apparmor.d/profiles-s-z/tftp | 8 +++- apparmor.d/profiles-s-z/vsftpd | 8 +++- apparmor.d/profiles-s-z/youtube-dl | 4 +- 19 files changed, 82 insertions(+), 84 deletions(-) diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index 01661215a..eb67ede59 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -17,7 +17,7 @@ profile opera-crashreporter @{exec_path} { include include include - include + include include ptrace (trace, read) peer=opera, diff --git a/apparmor.d/groups/filesystem/udiskie b/apparmor.d/groups/filesystem/udiskie index a6a2e2ad3..53b726c23 100644 --- a/apparmor.d/groups/filesystem/udiskie +++ b/apparmor.d/groups/filesystem/udiskie @@ -11,16 +11,12 @@ include profile udiskie @{exec_path} { include include - include - include + include include - include - include + include include - include include - include - include + include @{exec_path} r, @{python_path} r, diff --git a/apparmor.d/groups/hyprland/hyprpm b/apparmor.d/groups/hyprland/hyprpm index 3a5878808..149128b1e 100644 --- a/apparmor.d/groups/hyprland/hyprpm +++ b/apparmor.d/groups/hyprland/hyprpm @@ -11,7 +11,6 @@ profile hyprpm @{exec_path} { include include include - include network inet dgram, network inet stream, diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper index 5e93bdbf5..3e232154e 100644 --- a/apparmor.d/groups/network/nm-dhcp-helper +++ b/apparmor.d/groups/network/nm-dhcp-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/{,NetworkManager/}nm-dhcp-helper profile nm-dhcp-helper @{exec_path} { include - include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/usb/usbguard-applet-qt b/apparmor.d/groups/usb/usbguard-applet-qt index a76398dd9..558b9093c 100644 --- a/apparmor.d/groups/usb/usbguard-applet-qt +++ b/apparmor.d/groups/usb/usbguard-applet-qt @@ -10,22 +10,21 @@ include @{exec_path} = @{bin}/usbguard-applet-qt profile usbguard-applet-qt @{exec_path} { include - include - include - include + include + include include - include include - include - include - include include + include # Needed? ptrace (read), @{exec_path} mr, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + owner @{user_config_dirs}/USBGuard/ rw, owner @{user_config_dirs}/USBGuard/* rwkl -> @{user_config_dirs}/USBGuard/#@{int}, @@ -37,11 +36,6 @@ profile usbguard-applet-qt @{exec_path} { owner @{PROC}/@{pid}/cmdline r, - /usr/share/hwdata/pnp.ids r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - include if exists } diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 4d730602d..844af4443 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -17,8 +17,9 @@ include @{exec_path} = @{sbin}/libvirtd profile libvirtd @{exec_path} flags=(attach_disconnected) { include + include + include include - include include include include diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd index dc7f2bf36..2444bd128 100644 --- a/apparmor.d/profiles-a-f/atftpd +++ b/apparmor.d/profiles-a-f/atftpd @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/atftpd profile atftpd @{exec_path} { include - include + include # For libwrap (TCP Wrapper) support include @@ -18,6 +18,12 @@ profile atftpd @{exec_path} { capability setgid, capability setuid, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # FTP dirs (add "w" if you need write permissions and hence upload files) diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 9a7e77902..3967512b8 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -10,13 +10,19 @@ include @{exec_path} = @{bin}/dhclient-script profile dhclient-script @{exec_path} { include - include + include include capability net_admin, capability sys_admin, audit capability sys_module, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, @{sh_path} mrix, diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap index 634aebd02..a1050aa94 100644 --- a/apparmor.d/profiles-a-f/dumpcap +++ b/apparmor.d/profiles-a-f/dumpcap @@ -10,16 +10,14 @@ include @{exec_path} = @{bin}/dumpcap profile dumpcap @{exec_path} { include + include + include include - include - include # To capture packekts capability net_raw, capability net_admin, - signal (receive) peer=wireshark, - network inet dgram, network inet6 dgram, network netlink raw, @@ -27,6 +25,8 @@ profile dumpcap @{exec_path} { network packet raw, network bluetooth raw, + signal (receive) peer=wireshark, + dbus (eavesdrop) bus=session, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index a4dec5d34..4152ed49a 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -11,10 +11,9 @@ include profile ffplay @{exec_path} { include include - include + include include include - include network inet stream, network inet6 stream, diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index 18b990bbc..c57323c6a 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing @@ -10,16 +10,13 @@ include @{exec_path} = @{bin}/fritzing{,.real} profile fritzing @{exec_path} { include - include - include - include + include + include include - include - include include - include - include + include include + include network inet dgram, network inet6 dgram, @@ -30,26 +27,25 @@ profile fritzing @{exec_path} { @{exec_path} mrix, + /usr/share/fritzing/{,**} r, + /usr/share/hwdata/pnp.ids r, + + /etc/debian_version r, + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/Fritzing/ rw, owner @{user_config_dirs}/Fritzing/** rwkl -> @{user_config_dirs}/Fritzing/**, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/ rw, owner @{HOME}/@{XDG_DOCUMENTS_DIR}/Fritzing/** rw, - /usr/share/fritzing/{,**} r, - - /usr/share/hwdata/pnp.ids r, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, + owner @{run}/lock/LCK..ttyACM[0-9]* rwk, - /etc/debian_version r, + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* @{sys}/bus/ r, @{sys}/class/ r, @@ -57,15 +53,13 @@ profile fritzing @{exec_path} { @{sys}/devices/**/tty*/uevent r, @{sys}/devices/**/tty/**/uevent r, - @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c166:@{int} r, # for /dev/ttyACM[0-9]* + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/ttyS@{int} rw, /dev/ttyACM@{int} rw, - owner @{run}/lock/LCK..ttyACM[0-9]* rwk, - include if exists } diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker index 8d2fcdcc8..60189d911 100644 --- a/apparmor.d/profiles-g-l/light-locker +++ b/apparmor.d/profiles-g-l/light-locker @@ -11,19 +11,12 @@ include profile light-locker @{exec_path} { include include - include - include - include + include include - include include - include @{exec_path} mr, - @{PROC}/1/cgroup r, - owner @{PROC}/@{pid}/cgroup r, - # when locking the screen and switching/closing sessions @{run}/systemd/sessions/* r, @@ -33,6 +26,9 @@ profile light-locker @{exec_path} { @{sys}/devices/@{pci}/subsystem_vendor r, @{sys}/devices/@{pci}/subsystem_device r, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui index 835e1a391..4e0ace19a 100644 --- a/apparmor.d/profiles-m-r/mkvtoolnix-gui +++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui @@ -10,19 +10,15 @@ include @{exec_path} = @{bin}/mkvtoolnix-gui profile mkvtoolnix-gui @{exec_path} { include - include + include include - include - include - include - include + include include - include include include + include include include - include signal (send) set=(term, kill) peer=mkvmerge, diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat index e19884997..a23a095e9 100644 --- a/apparmor.d/profiles-m-r/netstat +++ b/apparmor.d/profiles-m-r/netstat @@ -13,12 +13,18 @@ include profile netstat @{exec_path} { include include - include + include capability dac_read_search, capability sys_ptrace, capability syslog, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + ptrace (trace,read), @{exec_path} rmix, diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index e736299fa..2f057f2a7 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -10,13 +10,9 @@ include @{exec_path} = @{bin}/pcb-gtk profile pcb-gtk @{exec_path} { include - include - include - include + include include - include - include - include + include include include diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box index 9f395735e..1890510ae 100644 --- a/apparmor.d/profiles-s-z/sing-box +++ b/apparmor.d/profiles-s-z/sing-box @@ -12,7 +12,6 @@ include profile sing-box @{exec_path} { include include - include capability net_bind_service, diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp index 33f6fe6dc..bb0a1c37b 100644 --- a/apparmor.d/profiles-s-z/tftp +++ b/apparmor.d/profiles-s-z/tftp @@ -10,9 +10,15 @@ include @{exec_path} = @{bin}/tftp profile tftp @{exec_path} { include - include + include include + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, include if exists diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index 2b6af3561..8fe33af50 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd @@ -12,7 +12,7 @@ profile vsftpd @{exec_path} { include include include - include + include include # To be able to listen on ports < 1024 @@ -41,6 +41,12 @@ profile vsftpd @{exec_path} { capability dac_read_search, # If session_support=YES, vsftpd will also try and update utmp and wtmp + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + @{exec_path} mr, # To validate allowed users shells diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 381e878fa..d0b1c1988 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -13,13 +13,11 @@ profile youtube-dl @{exec_path} { include include include - include - include + include include include include include - include network inet dgram, network inet6 dgram, From 3ffff07f3fb386e980d9bb7bc763824bef2e6c5e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 20 Jun 2025 00:00:48 +0200 Subject: [PATCH 246/798] tests: enforce abstractions test. --- apparmor.d/profiles-m-r/rsyslogd | 14 +++++--------- tests/check.sh | 10 +++++----- 2 files changed, 10 insertions(+), 14 deletions(-) diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 599fac88f..80d75a928 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -7,15 +7,10 @@ abi , include -# Debugging the syslogger can be difficult if it can't write to the file -# that the kernel is logging denials to. In these cases, you can do the -# following: -# watch -n 1 'dmesg | tail -5' - @{exec_path} = @{sbin}/rsyslogd profile rsyslogd @{exec_path} { include - include + include capability chown, # For creating new log files and changing their owner/group capability net_admin, # For remote logs @@ -24,18 +19,19 @@ profile rsyslogd @{exec_path} { capability sys_nice, capability syslog, + network inet dgram, + network inet6 dgram, + signal receive set=hup peer=@{p_systemd}, @{exec_path} mr, + @{sh_path} mr, @{lib}/@{multiarch}/rsyslog/*.so mr, /etc/rsyslog.conf r, /etc/rsyslog.d/{,**} r, - /etc/CA/*.crt r, - /etc/CA/*.key r, - /var/log/** rw, /var/spool/rsyslog/ r, /var/spool/rsyslog/** rw, diff --git a/tests/check.sh b/tests/check.sh index 801e81114..28adc7710 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -93,7 +93,7 @@ _check() { # Rules checks: security, compatibility and rule issues readonly ABS="abstractions" -readonly ABS_DANGEROUS=(dbus-session dbus-system dbus-accessibility user-tmp) +readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) declare -A ABS_DEPRECATED=( ["nameservice"]="nameservice-strict" ["bash"]="shell" @@ -142,7 +142,7 @@ _check_equivalent() { _is_enabled equivalent || return 0 local prgmname for prgmname in "${!EQUIVALENTS[@]}"; do - if [[ "$line" == *"/$prgmname"* ]]; then + if [[ "$line" == *"/$prgmname "* ]]; then if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" fi @@ -373,7 +373,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - equivalent + abstractions equivalent abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -393,7 +393,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") jobs=0 WITH_CHECK=( - equivalent + abstractions equivalent abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -414,7 +414,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - equivalent + abstractions equivalent header tabs trailing indentation vim ) for file in "${files[@]}"; do From bb6ca01718dad6cd91055c8d2c825143d00ca2f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:36:23 +0200 Subject: [PATCH 247/798] feat(profile): ufw: integrate ufw-init in ufw, use sysctl in subprofile. --- apparmor.d/groups/firewall/ufw | 22 ++++++++++++++++++---- apparmor.d/groups/firewall/ufw-init | 21 +++++++++++++++++++-- 2 files changed, 37 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/firewall/ufw b/apparmor.d/groups/firewall/ufw index 3b931fb2b..39517ee6c 100644 --- a/apparmor.d/groups/firewall/ufw +++ b/apparmor.d/groups/firewall/ufw @@ -30,13 +30,12 @@ profile ufw @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{python_path} rix, - @{bin}/ r, + @{sbin}/ r, @{bin}/cat rix, - @{bin}/echo rix, @{bin}/env r, @{bin}/kmod rCx -> kmod, - @{lib}/ufw/ufw-init rix, - @{sbin}/sysctl rix, + @{lib}/ufw/ufw-init rPx, + @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, @@ -70,6 +69,21 @@ profile ufw @{exec_path} flags=(attach_disconnected) { include if exists } + profile sysctl { + include + include + + capability net_admin, + + @{sbin}/sysctl mr, + + /etc/ufw/sysctl.conf r, + + @{PROC}/sys/net/ipv{4,6}/** rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index 5c0521790..aae80b87d 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -11,6 +11,7 @@ profile ufw-init @{exec_path} { include include + capability dac_read_search, capability net_admin, network inet dgram, @@ -22,7 +23,8 @@ profile ufw-init @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{sbin}/sysctl rix, + @{bin}/echo rix, + @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, @@ -30,7 +32,22 @@ profile ufw-init @{exec_path} { /etc/ufw/* r, @{PROC}/@{pid}/net/ip_tables_names r, - @{PROC}/sys/net/ipv{4,6}/** rw, + # @{PROC}/sys/net/ipv{4,6}/** rw, + + profile sysctl { + include + include + + capability net_admin, + + @{sbin}/sysctl mr, + + /etc/ufw/sysctl.conf r, + + @{PROC}/sys/net/ipv{4,6}/** rw, + + include if exists + } include if exists } From ea45cec24d5cbf9c66feb859740b802cf46ececf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:43:02 +0200 Subject: [PATCH 248/798] feat(fsp): improve fsp profiles. --- apparmor.d/groups/_full/sd | 24 ++++++------------------ apparmor.d/groups/_full/sdu | 2 ++ apparmor.d/groups/_full/systemd | 5 ++++- apparmor.d/groups/_full/systemd-user | 2 +- 4 files changed, 13 insertions(+), 20 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 48172638e..da14cabf3 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -86,22 +86,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { umount /, umount /dev/shm/, umount @{run}/systemd/mount-rootfs/{,**}, - - # mount tmpfs -> @{run}/lock/, - # mount tmpfs -> @{sys}/fs/cgroup/, - # mount cgroup -> @{sys}/fs/cgroup/systemd/, - # audit mount /dev/** -> /boot/{,efi/}, - # audit mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**, - # audit mount options=(rw rbind) -> @{run}/systemd/unit-root/{,**}, - - # audit remount @{run}/systemd/unit-root/{,**}, - # audit remount options=(ro noexec noatime bind) /var/snap/{,**}, - # audit remount options=(ro nosuid nodev bind) /var/, - # audit remount options=(ro nosuid nodev noexec bind) /boot/, - - # audit umount @{PROC}/sys/fs/binfmt_misc/, - # audit umount @{run}/systemd/namespace-@{rand6}/{,**}, - # audit umount @{run}/systemd/unit-root/{,**}, + umount @{run}/systemd/namespace-@{rand6}/{,**}, pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, @@ -150,20 +135,22 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{bin}/true ix, # Required due to stacked profiles - @{sbin}/grpck ix, + @{bin}/find ix, @{bin}/gzip ix, @{bin}/install ix, - @{sbin}/pwck ix, @{bin}/readlink ix, @{lib}/colord-sane ix, @{lib}/systemd/systemd-nsresourcework ix, @{lib}/systemd/systemd-userwork ix, + @{sbin}/grpck ix, + @{sbin}/pwck ix, / r, @{att}/ r, @{bin}/{,**} r, @{lib}/{,**} r, @{sbin}/{,*} r, + /usr/local/{,**} r, /usr/share/** r, /etc/*/ w, /etc/** rk, @@ -179,6 +166,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { /var/lib/*/ rw, /var/lib/*/** rwk, /var/lib/systemd/*/ r, + /var/log/ r, /var/log/** rw, /var/log/journal/** rwl -> /var/log/journal/**, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index c9338fd22..80d8c1fb9 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -108,6 +108,8 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny capability net_admin, + profile shell flags=(attach_disconnected,mediate_deleted,complain) { include diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index b7c12c6bd..184084fed 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -50,7 +50,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd -profile systemd flags=(attach_disconnected,mediate_deleted) { +profile systemd flags=(attach_disconnected,mediate_deleted,complain) { include include include @@ -129,9 +129,11 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/environment r, @{etc_ro}/environment.d/{,**} r, + /etc/acpi/events/{,**} r, /etc/binfmt.d/{,**} r, /etc/conf.d/{,**} r, /etc/default/{,**} r, + /etc/machine-id r, /etc/modules-load.d/{,**} r, /etc/networkd-dispatcher/{,**} r, /etc/systemd/{,**} r, @@ -186,6 +188,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/console/active r, + @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/fuse/connections/ r, @{sys}/fs/pstore/ r, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index ed531c58b..a5bb4d926 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -16,7 +16,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd -profile systemd-user flags=(attach_disconnected,mediate_deleted) { +profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { include include include From cd619d280a5ba23537114e74ed8fa4c294e00559 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:44:43 +0200 Subject: [PATCH 249/798] feat(profile): update apt profiles. --- apparmor.d/groups/apt/apt-methods-http | 3 ++- apparmor.d/groups/apt/dpkg-script-systemd | 5 +++++ apparmor.d/groups/apt/dpkg-scripts | 11 +++++++++++ apparmor.d/groups/apt/dpkg-statoverride | 1 + apparmor.d/groups/apt/unattended-upgrade | 2 +- 5 files changed, 20 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 7fb3a2cc4..61be160dc 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -71,7 +71,8 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { owner @{tmp}/aptitude-root.*/aptitude-download-* rw, owner @{tmp}/apt-changelog-*/*.changelog rw, - @{run}/ubuntu-advantage/aptnews.json rw, + @{run}/ubuntu-advantage/aptnews.json rw, + owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 8ca92515c..722e72c53 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -42,8 +42,13 @@ profile dpkg-script-systemd @{exec_path} { include include + capability dac_read_search, + @{bin}/dpkg mr, + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,*} r, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 3102b23bb..e16d25bf2 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -58,7 +58,12 @@ profile dpkg-scripts @{exec_path} { / r, /*/ r, @{bin}/ r, + @{bin}/* w, @{lib}/ r, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + /etc/ r, /etc/** rw, /usr/share/*/{,**} rw, @@ -71,6 +76,8 @@ profile dpkg-scripts @{exec_path} { /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, + @{PROC}/@{pid}/fd/ r, + profile bus { include include @@ -104,6 +111,10 @@ profile dpkg-scripts @{exec_path} { @{bin}/systemd-tty-ask-password-agent Px, @{pager_path} Px -> child-pager, + /etc/machine-id r, + + /var/lib/systemd/catalog/database r, + /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, /{run,var}/log/journal/@{hex32}/system.journal* r, diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride index 34d6412c1..d2e02f613 100644 --- a/apparmor.d/groups/apt/dpkg-statoverride +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/dpkg-statoverride profile dpkg-statoverride @{exec_path} flags=(complain) { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index c2d94e25a..fa6929f35 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -101,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/crash/*.crash w, /var/lib/apt/periodic/unattended-upgrades-stamp w, - /var/lib/dpkg/info/ r, + /var/lib/dpkg/info/{,*} r, /var/lib/dpkg/lock rwk, /var/lib/dpkg/lock-frontend rwk, /var/lib/dpkg/updates/ r, From 5eb08f8de57803664d700b7d05fa7023f6b499b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:47:49 +0200 Subject: [PATCH 250/798] feat(profile): improve pacman profiles. --- apparmor.d/groups/pacman/pacman-hook-code | 6 +++--- apparmor.d/groups/pacman/pacman-key | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 2496d7a9b..ee23781f4 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/share/code-{features,marketplace}/patch.py +@{exec_path} = /usr/share/code-{features,marketplace}{,-insiders}/patch.py profile pacman-hook-code @{exec_path} { include include @@ -20,8 +20,8 @@ profile pacman-hook-code @{exec_path} { @{lib}/code/product.json rw, - /usr/share/code-{features,marketplace}/{,*} r, - /usr/share/code-{features,marketplace}/cache.json rw, + /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, + /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, include if exists } diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 025d87b29..a5cee6fa9 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -21,10 +21,10 @@ profile pacman-key @{exec_path} { @{bin}/bash rix, @{bin}/chmod rix, @{bin}/gettext rix, - @{bin}/gpg{,2} rCx -> gpg, + @{bin}/gpg{,2} rCx -> &gpg, @{bin}/{,e}grep rix, @{bin}/ngettext rix, - @{bin}/pacman-conf rPx, + @{bin}/pacman-conf rPx -> &pacman-conf, @{bin}/touch rix, @{bin}/tput rix, @{bin}/vercmp rix, From 03d7ef55896e0d5b7bf5348000fbdcab26737490 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:52:22 +0200 Subject: [PATCH 251/798] feat(profile): add profile for sshd session. It is only a first draft as recent update in sshd, split sshd in multiple binaries, it will allow us to also split the confinement in multiple profile. --- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/ssh/sshd-session | 85 ++++++++++++++++++++++++++++++ 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/ssh/sshd-session diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index a514e7c99..75438c957 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -69,7 +69,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{bin}/passwd Px, @{lib}/{openssh,ssh}/sftp-server Px, @{lib}/{openssh,ssh}/sshd-auth Px, - @{lib}/{openssh,ssh}/sshd-session ix, + @{lib}/{openssh,ssh}/sshd-session Px, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session new file mode 100644 index 000000000..e74696334 --- /dev/null +++ b/apparmor.d/groups/ssh/sshd-session @@ -0,0 +1,85 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/{openssh,ssh}/sshd-session +profile sshd-session @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include #aa:only RBAC + + capability audit_write, + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability kill, + capability setgid, + capability setuid, + capability sys_chroot, + capability sys_resource, + + # sshd doesn't require net_admin. libpam-systemd tries to + # use it if available to set the send/receive buffers size, + # but will fall back to a non-privileged version if it fails. + deny capability net_admin, + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + unix type=stream peer=(label=sshd), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} + peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + + @{exec_path} mr, + + @{bin}/@{shells} Ux, #aa:exclude RBAC + @{lib}/{openssh,ssh}/sshd-auth Px, + + @{etc_rw}/motd r, + @{etc_rw}/motd.d/{,**} r, + /etc/machine-id r, + /etc/motd r, + + /var/lib/lastlog/ r, + /var/lib/lastlog/lastlog2.db rwk, + /var/lib/lastlog/lastlog2.db-journal rw, + + /var/lib/wtmpdb/ w, + + owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + + owner @{user_cache_dirs}/{,motd*} rw, + + @{att}/@{run}/systemd/sessions/@{int}.ref w, + + @{run}/motd.d/{,*} r, + @{run}/motd.dynamic rw, + @{run}/motd.dynamic.new rw, + + @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid rw, + owner @{PROC}/@{pid}/uid_map r, + + /dev/ptmx rw, + + include if exists +} + +# vim:syntax=apparmor From 226cb23073efb628f344c5c1985a543564671ee0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:53:26 +0200 Subject: [PATCH 252/798] feat(profile): small improvement to steam. --- apparmor.d/groups/steam/steam | 4 ++++ apparmor.d/groups/steam/steamerrorreporter | 2 -- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 73c78f2ed..151a3e161 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -109,6 +109,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, + @{runtime_dirs}/pressure-vessel/@{bin}/pv-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, @{runtime_dirs}/run{,.sh} rix, @@ -370,6 +371,8 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { /dev/hidraw@{int} rw, /dev/tty rw, + @{att}/dev/dri/renderD128 rw, + include if exists } @@ -380,6 +383,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability dac_override, capability dac_read_search, + capability sys_ptrace, unix receive type=stream, diff --git a/apparmor.d/groups/steam/steamerrorreporter b/apparmor.d/groups/steam/steamerrorreporter index b4d5f3e68..d438c604d 100644 --- a/apparmor.d/groups/steam/steamerrorreporter +++ b/apparmor.d/groups/steam/steamerrorreporter @@ -34,8 +34,6 @@ profile steamerrorreporter @{exec_path} flags=(attach_disconnected) { owner @{tmp}/dumps/ r, owner @{tmp}/dumps/*_log.txt rw, - owner @{PROC}/@{pid}/status r, - include if exists } From 6735b8e5f8ffa64a43297a3ff1318ef49376d388 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:55:22 +0200 Subject: [PATCH 253/798] feat(profile): zram: move kmod to its own subprofile. --- apparmor.d/groups/systemd/zram-generator | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index d156d88a4..473848ef3 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -11,16 +11,13 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { include include - capability sys_module, - @{exec_path} mr, - @{bin}/kmod rix, + @{bin}/kmod rCx, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, /etc/systemd/zram-generator.conf r, - /etc/modprobe.d/{,**} r, owner @{run}/systemd/generator/{,*/}var-cache-makepkg.mount rw, owner @{run}/systemd/generator/dev-zram@{int}.swap rw, @@ -29,12 +26,18 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { @{sys}/block/zram@{int}/* rw, @{sys}/devices/virtual/block/zram@{int}/* rw, - @{sys}/module/compression r, @{PROC}/crypto r, owner /dev/pts/@{int} rw, + profile kmod { + include + include + + include if exists + } + include if exists } From 0483f476ed72c35993313a7edd4a9f3d2ddb9239 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 19:56:54 +0200 Subject: [PATCH 254/798] fix(profile): aa-enforce: ensure looking path in sbin is allowed. --- apparmor.d/groups/apparmor/aa-enforce | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index fcf7dc724..1743fd9d0 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -16,7 +16,7 @@ profile aa-enforce @{exec_path} { @{exec_path} mr, - @{bin}/ r, + @{sbin}/ r, @{sbin}/apparmor_parser rPx, /usr/share/terminfo/** r, From 24a9da865f9daddc28e73793c9a8a724f9105592 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:05:47 +0200 Subject: [PATCH 255/798] chore: update sbin.list --- apparmor.d/profiles-a-f/atd | 2 +- tests/sbin.list | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd index aea3cbf01..783d210fb 100644 --- a/apparmor.d/profiles-a-f/atd +++ b/apparmor.d/profiles-a-f/atd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/atd +@{exec_path} = @{sbin}/atd profile atd @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 1adc90ee8..1d0eb5b97 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -43,6 +43,7 @@ argdist-bpfcc arp arpd aspell-autobuildhash +atd audisp-af_unix audisp-filter audisp-syslog @@ -313,6 +314,7 @@ grub2-sparc64-setup grub2-switch-to-blscfg hardirqs-bpfcc haveged +hc-ifscan hdparm httxt2dbm hv_fcopy_daemon From e222816d32d5103399dac03651ac2ef222d72647 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:08:44 +0200 Subject: [PATCH 256/798] feat(profile): virt: move privileged actions to subprofle. --- apparmor.d/groups/virt/containerd | 6 ++-- apparmor.d/groups/virt/dockerd | 42 +++++++++++++++++++++++++-- apparmor.d/groups/virt/libvirtd | 9 +++++- apparmor.d/groups/virt/virt-aa-helper | 1 - 4 files changed, 49 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 598ec7ca9..95d332a45 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -87,10 +87,8 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{run}/nri/nri.sock rw, @{run}/systemd/notify w, - /tmp/cri-containerd.apparmor.d@{int} rwl, - /tmp/ctd-volume@{int}/{,**} rw, - owner @{tmp}/** rwkl, - owner /var/tmp/** rwkl, + /tmp/cri-containerd.apparmor.d@{int} rwl, + /tmp/ctd-volume@{int}/{,**} rw, @{sys}/fs/cgroup/kubepods/** r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index c4b39ff8c..abd6c90ec 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -70,11 +70,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{lib}/docker/docker-init rCx -> init, @{bin}/docker-proxy rPx, @{bin}/git rCx -> git, - @{bin}/kmod rPx, + @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @{sbin}/runc rUx, @{bin}/unpigz rix, - @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-nft-multi rCx -> nft, + @{sbin}/xtables-legacy-multi rCx -> nft, # Docker needs full access of the containers it manages. # TODO: should be in a sub profile started with pivot_root, not supported yet. @@ -128,13 +129,48 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/net/ip_tables_names r, owner @{PROC}/@{pid}/task/@{tid}/mountinfo r, owner @{PROC}/@{pid}/uid_map r, /dev/ r, /dev/**/ r, + profile nft flags=(attach_disconnected) { + include + + capability net_admin, + capability net_raw, + + network inet raw, + network inet6 raw, + network netlink raw, + + @{sbin}/xtables-nft-multi rix, + @{sbin}/xtables-legacy-multi rix, + @{bin}/kmod rPx -> dockerd//kmod, + + @{PROC}/@{pid}/net/ip{,6}_tables_names r, + @{PROC}/sys/kernel/modprobe r, + + @{run}/xtables.lock rwk, + + include if exists + } + + profile kmod { + include + include + + capability sys_module, + + @{run}/xtables.lock r, + + @{sys}/module/compression r, + @{sys}/module/*/initstate r, + + include if exists + } + profile init flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 844af4443..a0d636883 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -106,7 +106,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sbin}/dmidecode rPx, @{sbin}/dnsmasq rPx, - @{bin}/kmod rPx, + @{bin}/kmod rCx -> kmod, @{sbin}/lvm rPUx, @{bin}/mdevctl rPx, @{bin}/swtpm rPx, @@ -245,6 +245,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { audit deny @{sys}/kernel/security/apparmor/matching rwxl, audit deny @{sys}/kernel/security/apparmor/.* rwxl, + profile kmod { + include + include + + include if exists + } + profile qemu_bridge_helper { include diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index 81ec217b9..53afe6012 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -45,7 +45,6 @@ profile virt-aa-helper @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/psched r, deny @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/status r, # For gl enabled graphics /dev/dri/{,*} r, From f8250f7e0cc8e70fe679fac2374bad8690e24e09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:22:25 +0200 Subject: [PATCH 257/798] feat(profile): move kmod in subprofile. --- apparmor.d/profiles-g-l/hw-probe | 18 +++++++++++++----- apparmor.d/profiles-g-l/kernel | 13 ++++++++----- apparmor.d/profiles-g-l/kmod | 9 +-------- 3 files changed, 22 insertions(+), 18 deletions(-) diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index f518a18f0..3fbb9b0fd 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -61,7 +61,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sbin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, - @{bin}/kmod rix, + @{bin}/kmod rCx -> kmod, @{bin}/lsb_release rPx -> lsb_release, @{bin}/lsblk rPx, @{bin}/lscpu rPx, @@ -98,19 +98,27 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/* r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/* r, - @{sys}/module/*/ r, - @{sys}/module/*/{coresize,refcnt} r, - @{sys}/module/*/holders/ r, @{PROC}/bus/input/devices r, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/ioports r, - @{PROC}/modules r, @{PROC}/scsi/scsi r, /dev/{,**} r, + profile kmod { + include + include + + capability sys_module, + + @{sys}/module/compression r, + + include if exists + } + + profile pacman flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 6bc2c8961..d375a1bdd 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -13,8 +13,6 @@ profile kernel @{exec_path} { include include - capability sys_module, - @{exec_path} mr, @{sh_path} rix, @@ -24,7 +22,7 @@ profile kernel @{exec_path} { @{bin}/chmod rix, @{bin}/cut rix, @{bin}/dirname rix, - @{bin}/kmod rix, + @{bin}/kmod rCx -> kmod, @{bin}/mv rix, @{bin}/rm rix, @{bin}/rmdir rix, @@ -56,8 +54,6 @@ profile kernel @{exec_path} { /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, - /etc/modprobe.d/ r, - /etc/modprobe.d/*.conf r, @{run}/reboot-required w, @{run}/reboot-required.pkgs rw, @@ -65,6 +61,13 @@ profile kernel @{exec_path} { @{PROC}/devices r, @{PROC}/cmdline r, + profile kmod { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index ccc8d6913..a793bf707 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe} profile kmod @{exec_path} flags=(attach_disconnected) { include - include + include include capability dac_read_search, @@ -31,14 +31,10 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sbin}/sysctl rCx -> sysctl, @{bin}/true rix, - @{lib}/modprobe.d/{,*.conf} r, @{lib}/modules/*/modules.* rw, @{run}/modprobe.d/{,*.conf} r, - /etc/depmod.d/{,**} r, - /etc/modprobe.d/{,*.conf} r, - /tmp/**/*.ko{,.zst} r, /usr/src/*/*.ko r, /var/lib/dkms/**/module/*.ko r, @@ -66,9 +62,6 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{sys}/module/{,**} r, - @{PROC}/cmdline r, - @{PROC}/modules r, - /dev/tty@{int} rw, deny @{user_share_dirs}/gvfs-metadata/* r, From 0572688c592a181b4b35b7e29573302d3b3718b9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:27:06 +0200 Subject: [PATCH 258/798] feat(profile): small general upgrade. --- .../groups/systemd-service/dmesg.service | 1 + .../groups/systemd-service/man-db.service | 2 ++ apparmor.d/groups/ubuntu/esm_cache | 19 +++++++++++++++++++ apparmor.d/groups/ubuntu/update-manager | 6 +++--- apparmor.d/groups/usb/lsusb | 2 ++ apparmor.d/groups/whonix/sdwdate | 2 +- apparmor.d/profiles-a-f/e2scrub_all | 1 + apparmor.d/profiles-g-l/gitstatusd | 5 +++++ apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/hddtemp | 18 +++--------------- apparmor.d/profiles-g-l/ischroot | 2 ++ apparmor.d/profiles-g-l/landscape-sysinfo | 6 +++--- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-m-r/needrestart-notify | 2 +- apparmor.d/profiles-m-r/pycompile | 9 +++------ apparmor.d/profiles-m-r/rsyslogd | 7 ++++--- apparmor.d/profiles-s-z/update-initramfs | 3 +++ apparmor.d/profiles-s-z/whiptail | 2 ++ 18 files changed, 57 insertions(+), 34 deletions(-) create mode 100644 apparmor.d/groups/ubuntu/esm_cache diff --git a/apparmor.d/groups/systemd-service/dmesg.service b/apparmor.d/groups/systemd-service/dmesg.service index 4c67f680a..0a46f6ed9 100644 --- a/apparmor.d/groups/systemd-service/dmesg.service +++ b/apparmor.d/groups/systemd-service/dmesg.service @@ -17,6 +17,7 @@ profile dmesg.service flags=(attach_disconnected) { capability chown, capability fsetid, + capability sys_admin, ptrace read peer=@{p_systemd}, diff --git a/apparmor.d/groups/systemd-service/man-db.service b/apparmor.d/groups/systemd-service/man-db.service index 24b34fc25..c3bfa7c32 100644 --- a/apparmor.d/groups/systemd-service/man-db.service +++ b/apparmor.d/groups/systemd-service/man-db.service @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only # ExecStart=+/usr/bin/install -d -o man -g man -m 0755 /var/cache/man +# ExecStart=/usr/bin/find /var/cache/man -type f -name *.gz -atime +6 -delete # ExecStart=/usr/bin/mandb --quiet abi , @@ -13,6 +14,7 @@ profile man-db.service flags=(attach_disconnected) { include include + @{bin}/find ix, @{bin}/install ix, @{bin}/mandb r, diff --git a/apparmor.d/groups/ubuntu/esm_cache b/apparmor.d/groups/ubuntu/esm_cache new file mode 100644 index 000000000..2596d6c12 --- /dev/null +++ b/apparmor.d/groups/ubuntu/esm_cache @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py +profile esm_cache @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index e1636c6d5..0e0dcdb0b 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -51,9 +51,9 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{bin}/uname rix, @{lib}/apt/methods/http{,s} rPx, - @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, - @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} rw, + @{lib}/@{python_name}/dist-packages/UpdateManager/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/gi/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, + @{lib}/@{python_name}/dist-packages/uaclient/{,**/}__pycache__/*.cpython-@{int}.pyc.@{u64} rw, /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index f824343d6..b5a24940d 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -21,6 +21,8 @@ profile lsusb @{exec_path} { /etc/udev/hwdb.bin r, + /dev/bus/usb/@{int}/@{int} w, + include if exists } diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate index dbe561ab6..1e4850e7a 100644 --- a/apparmor.d/groups/whonix/sdwdate +++ b/apparmor.d/groups/whonix/sdwdate @@ -30,7 +30,7 @@ profile sdwdate @{exec_path} flags=(attach_disconnected) { @{bin}/touch rix, @{lib}/helper-scripts/* rix, @{bin}/url_to_unixtime rix, - @{bin}/{,e}grep rix, + @{bin}/{,e}grep rix, @{lib}/helper-scripts/ r, @{lib}/sdwdate/ r, diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index 0079053e0..e5d13f1de 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -12,6 +12,7 @@ profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include + capability setuid, capability sys_admin, capability sys_rawio, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index a62ce7fde..8901ade9c 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -9,6 +9,9 @@ include @{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*} profile gitstatusd @{exec_path} { include + include + + signal receive set=term peer=*//shell, @{exec_path} mr, @@ -18,6 +21,8 @@ profile gitstatusd @{exec_path} { owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, + owner @{tmp}/gitstatus.POWERLEVEL9K.*.fifo r, + # Silencer deny capability dac_read_search, deny capability dac_override, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 779dd8e67..719625dbd 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -16,7 +16,7 @@ profile gpu-manager @{exec_path} { @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp index e96a45237..55d2abb5d 100644 --- a/apparmor.d/profiles-g-l/hddtemp +++ b/apparmor.d/profiles-g-l/hddtemp @@ -10,32 +10,20 @@ include @{exec_path} = @{bin}/hddtemp profile hddtemp @{exec_path} { include + include + include - # To remove the following errors: - # /dev/sda: Permission denied + capability sys_admin, capability sys_rawio, - # There's the following error in strace: - # ioctl(3, HDIO_DRIVE_CMD, 0x7ffdfeafc074) = -1 EACCES (Permission denied) - # This should be covered by CAP_SYS_RAWIO instead. - # (see: https://www.kernel.org/doc/Documentation/ioctl/hdio.rst) - # It looks like hddtemp works just fine without it. - deny capability sys_admin, - network inet stream, network inet6 stream, @{exec_path} mr, - # Monitored hard drives - /dev/sd[a-z]* r, - # Database file that allows hddtemp to recognize supported drives /etc/hddtemp.db r, - # Needed when the hddtemp daemon is started in the TCP/IP mode - /etc/gai.conf r, - include if exists } diff --git a/apparmor.d/profiles-g-l/ischroot b/apparmor.d/profiles-g-l/ischroot index 4e087343a..8c18782f9 100644 --- a/apparmor.d/profiles-g-l/ischroot +++ b/apparmor.d/profiles-g-l/ischroot @@ -13,6 +13,8 @@ profile ischroot @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /var/lib/update-notifier/tmp.@{rand10} w, + @{PROC}/@{pid}/mountinfo r, include if exists diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 1c3c98d52..5eb5dac06 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -27,9 +27,9 @@ profile landscape-sysinfo @{exec_path} { @{bin}/who rix, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/ w, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc w, - @{lib}/@{python_name}/dist-packages/landscape/{,**/}__pycache__/**.pyc.@{u64} w, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, /var/log/landscape/{,**} rw, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 8cc8a65e1..b21642cf8 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -13,6 +13,7 @@ profile libreoffice @{exec_path} { include include include + include include include include @@ -109,7 +110,6 @@ profile libreoffice @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify index 9b3525fa5..82465ceb2 100644 --- a/apparmor.d/profiles-m-r/needrestart-notify +++ b/apparmor.d/profiles-m-r/needrestart-notify @@ -9,6 +9,7 @@ include @{exec_path} = @{etc_ro}/needrestart/notify.d/* profile needrestart-notify @{exec_path} { include + include capability dac_read_search, capability sys_ptrace, @@ -27,7 +28,6 @@ profile needrestart-notify @{exec_path} { /etc/needrestart/notify.conf r, @{PROC}/@{pid}/environ r, - @{PROC}/filesystems r, include if exists } diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index 984fcf03c..b684c3094 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -21,12 +21,9 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { @{bin}/dpkg rCx -> dpkg, - @{lib}/@{python_name}/dist-packages/__pycache__/ w, - @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc w, - @{lib}/@{python_name}/dist-packages/__pycache__/*.pyc.* w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/ w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc w, - @{lib}/@{python_name}/dist-packages/**/__pycache__/*.pyc.* w, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/*.pyc w, + @{lib}/@{python_name}/**/__pycache__/*.pyc.* w, /usr/share/python3/{,**} r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 80d75a928..ede981f58 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -12,11 +12,12 @@ profile rsyslogd @{exec_path} { include include - capability chown, # For creating new log files and changing their owner/group - capability net_admin, # For remote logs - capability setgid, # For downgrading privileges + capability dac_override, + capability dac_read_search, + capability setgid, capability setuid, capability sys_nice, + capability sys_tty_config, capability syslog, network inet dgram, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index f9e47cb52..472de3343 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -28,12 +28,15 @@ profile update-initramfs @{exec_path} { @{bin}/sha1sum rix, @{bin}/sync rix, @{bin}/uname rix, + @{bin}/run-parts rix, @{bin}/dpkg-trigger rPx, @{bin}/ischroot rPx, @{bin}/linux-version rPx, @{sbin}/mkinitramfs rPx, + /etc/initramfs/post-update.d/* rPUx, + /var/lib/initramfs-tools/* w, # For shell pwd diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index f0efad77b..a42a63312 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -18,6 +18,8 @@ profile whiptail @{exec_path} { /usr/share/terminfo/** r, + /etc/newt/palette.* r, + include if exists } From 4d201ea417f3b32bc7e276ef4548f1c128a68301 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:35:38 +0200 Subject: [PATCH 259/798] feat(profile): add lsb-release Use it instead of lsb_release. --- apparmor.d/abstractions/app/chromium | 5 ++- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/groups/apt/apt-listbugs | 2 +- apparmor.d/groups/apt/command-not-found | 2 +- apparmor.d/groups/apt/debconf-frontend | 2 +- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/grub/grub-probe | 2 +- apparmor.d/groups/kde/dolphin | 2 +- apparmor.d/groups/kde/drkonqi | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- .../groups/ubuntu/check-new-release-gtk | 2 +- apparmor.d/groups/ubuntu/do-release-upgrade | 2 +- apparmor.d/groups/ubuntu/hwe-support-status | 2 +- .../groups/ubuntu/software-properties-dbus | 2 +- .../groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- .../ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 2 +- .../profiles-a-f/check-support-status-hook | 2 +- apparmor.d/profiles-a-f/discord | 2 +- apparmor.d/profiles-a-f/dropbox | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/hw-probe | 2 +- apparmor.d/profiles-g-l/kodi | 2 +- apparmor.d/profiles-g-l/lsb-release | 40 +++++++++++++++++++ apparmor.d/profiles-m-r/mumble | 2 +- apparmor.d/profiles-m-r/murmurd | 2 +- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- 36 files changed, 77 insertions(+), 36 deletions(-) create mode 100644 apparmor.d/profiles-g-l/lsb-release diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 666387d0a..e555d3475 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -37,7 +37,7 @@ include include include - include + include include include include @@ -78,7 +78,7 @@ @{lib_dirs}/chrome-sandbox rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/xdg-desktop-menu rPx, @{bin}/xdg-email rPx, @{bin}/xdg-icon-resource rPx, @@ -202,6 +202,7 @@ owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index d988f608c..5e3bc15cb 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -65,7 +65,7 @@ @{lib_dirs}/plugin-container rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/@{name}/{,**} r, /usr/share/doc/{,**} r, diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs index 7ce8961b9..a60457ec8 100644 --- a/apparmor.d/groups/apt/apt-listbugs +++ b/apparmor.d/groups/apt/apt-listbugs @@ -53,7 +53,7 @@ profile apt-listbugs @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 35f8940ee..b42649d7c 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -22,7 +22,7 @@ profile command-not-found @{exec_path} { @{exec_path} r, @{python_path} r, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/snap rPx, @{lib}/ r, diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index a8f7057e7..4660755d6 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -21,7 +21,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{exec_path} r, @{bin}/hostname ix, - @{bin}/lsb_release Px -> lsb_release, + @{bin}/lsb_release Px, @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index ab230a43b..e58c9d8b3 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -47,7 +47,7 @@ profile reportbug @{exec_path} { @{bin}/dlocate rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-query rpx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{pager_path} rPx -> child-pager, @{bin}/systemctl rCx -> systemctl, @{lib}/firefox/firefox rPUx, # App allowed to open diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 651fac1ba..36e299a0c 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -47,7 +47,7 @@ profile synaptic @{exec_path} { @{bin}/dpkg rPx, @{sbin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/ps rPx, @{bin}/software-properties-gtk rPx, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index fa6929f35..0d4d2ee33 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -58,7 +58,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg-divert Px, @{bin}/etckeeper Px, @{bin}/ischroot Px, - @{bin}/lsb_release Px -> lsb_release, + @{bin}/lsb_release Px, @{sbin}/dpkg-preconfigure Px, @{sbin}/on_ac_power Px, @{sbin}/sendmail Px, diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index f044b0f44..6c45cac39 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -21,7 +21,7 @@ profile grub-install @{exec_path} flags=(complain) { @{sh_path} rix, @{sbin}/efibootmgr rix, @{bin}/kmod rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/udevadm rPx, /usr/share/grub/{,**} r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 87c3d4104..1b5d26125 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -39,7 +39,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/head rix, @{bin}/id rPx, @{bin}/ls rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/mktemp rix, @{bin}/mount rPx, @{bin}/mountpoint rix, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 6d0ec6a72..e1037c6b7 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -19,7 +19,7 @@ profile grub-probe @{exec_path} { @{exec_path} mr, /{usr/,}{local/,}{s,}bin/zpool rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{sbin}/lvm rPx, @{bin}/udevadm rPx, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 802ba0a96..eebade917 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -33,7 +33,7 @@ profile dolphin @{exec_path} { @{lib}/libheif/*.so* mr, @{bin}/ldd rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index fbadf053b..e04180ff4 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -24,7 +24,7 @@ profile drkonqi @{exec_path} { @{exec_path} mr, @{bin}/plasmashell r, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/drkonqi/{,**} r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 5a4e130a0..4940653a3 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -46,7 +46,7 @@ profile apport-gtk @{exec_path} { @{sbin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/md5sum rix, @{bin}/pkexec rCx -> pkexec, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index bdd2a0f54..65a19e0e0 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -30,7 +30,7 @@ profile check-new-release-gtk @{exec_path} { @{bin}/dpkg rPx, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib}/@{python_name}/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, @{lib}/@{python_name}/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w, diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index e7d6687d2..2d3eebbc2 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -27,7 +27,7 @@ profile do-release-upgrade @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/distro-info/*.csv r, /usr/share/ubuntu-release-upgrader/{,**} r, diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index 3b4280e33..d5ad6e06c 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -15,7 +15,7 @@ profile hwe-support-status @{exec_path} { @{exec_path} mr, @{bin}/dpkg rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/distro-info/{,**} r, diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index c4c795649..8d55ec0b7 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -30,7 +30,7 @@ profile software-properties-dbus @{exec_path} { @{python_path} rix, @{bin}/env rix, @{bin}/apt-key rPx, # Changing trusted keys - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /etc/apt/apt.conf.d/10periodic w, /etc/apt/sources.list{,.save} rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 64c83f5c8..bb31d8867 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -33,7 +33,7 @@ profile software-properties-gtk @{exec_path} { @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/ubuntu-advantage rPx, /usr/share/distro-info/*.csv r, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 0e0dcdb0b..d69e7a4c4 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -45,7 +45,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { @{bin}/dpkg rPx -> child-dpkg, @{bin}/hwe-support-status rPx, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/uname rix, diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index e6a3e7152..88967baf8 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -27,7 +27,7 @@ profile update-motd-updates-available @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/find rix, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index ea6318156..6c4dc4d77 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -35,7 +35,7 @@ profile update-notifier @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/ischroot rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index c4741b09a..b7a62fc82 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -90,7 +90,7 @@ profile adequate @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index a10df8394..e8a83892a 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -62,7 +62,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index 39f30c5fe..8101b3008 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -84,7 +84,7 @@ profile check-support-status-hook @{exec_path} { include include capability dac_read_search, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 53038a6d7..ddcd99add 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -31,7 +31,7 @@ profile discord @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index b4baf1d0c..15f86bcf5 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -39,7 +39,7 @@ profile dropbox @{exec_path} { @{bin}/{,@{multiarch}-}objdump rix, @{open_path} rPx -> child-open-strict, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, owner @{HOME}/ r, owner @{config_dirs}/ rw, diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 4463ac581..366c2aed6 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -38,7 +38,7 @@ profile filezilla @{exec_path} { @{bin}/fzsftp rPx, # When using SFTP protocol @{bin}/fzputtygen rPUx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/filezilla/{,**} r, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 97fad1f13..b63a9e5ed 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -46,7 +46,7 @@ profile hardinfo @{exec_path} { @{bin}/valgrind{,.bin} rix, @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 3fbb9b0fd..802cb85ae 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -62,7 +62,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, @{bin}/kmod rCx -> kmod, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 016dceae0..5b90dd3ef 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -34,7 +34,7 @@ profile kodi @{exec_path} { @{bin}/mv rix, @{bin}/uname rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /usr/share/kodi/{,**} r, /usr/share/publicsuffix/* r, diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release new file mode 100644 index 000000000..23bada3ec --- /dev/null +++ b/apparmor.d/profiles-g-l/lsb-release @@ -0,0 +1,40 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Note: named "lsb-release" to not conflict with upstreamed "lsb_release" that +# does attach @{bin}/lsb_release. + +abi , + +include + +@{exec_path} = @{bin}/lsb_release +profile lsb-release @{exec_path} flags=(attach_disconnected) { + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/cut rix, + @{bin}/find rix, + @{bin}/getopt rix, + @{bin}/head rix, + @{bin}/sed rix, + @{bin}/tr rix, + + #aa:only apt + @{bin}/dpkg-query px, + + /etc/ r, + /etc/*-release r, + /etc/lsb-release r, + /etc/lsb-release.d/{,*} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble index 48ed42d84..a85eb6790 100644 --- a/apparmor.d/profiles-m-r/mumble +++ b/apparmor.d/profiles-m-r/mumble @@ -30,7 +30,7 @@ profile mumble @{exec_path} { @{exec_path} mrix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{browsers_path} rPx, @{open_path} rPx -> child-open, diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index 9d7663ebb..2065dd814 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -29,7 +29,7 @@ profile murmurd @{exec_path} { @{exec_path} mr, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, /etc/mumble-server.ini r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 24e0c61dd..02bf3bc56 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -34,7 +34,7 @@ profile psi @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 1d3850ba5..a455df0e9 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -34,7 +34,7 @@ profile psi-plus @{exec_path} { @{bin}/aplay rCx -> aplay, @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{open_path} rPx -> child-open, @{lib}/firefox/firefox rPUx, From 43278aeda277619b5fe24252db8a9eea7dd8b02c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 20:36:52 +0200 Subject: [PATCH 260/798] feat(profile): rewrite the profile for hw-probe. --- apparmor.d/groups/utils/lsscsi | 24 ++++++++++++++ apparmor.d/profiles-g-l/hw-probe | 56 ++++++++++---------------------- 2 files changed, 41 insertions(+), 39 deletions(-) create mode 100644 apparmor.d/groups/utils/lsscsi diff --git a/apparmor.d/groups/utils/lsscsi b/apparmor.d/groups/utils/lsscsi new file mode 100644 index 000000000..f0e7b4df2 --- /dev/null +++ b/apparmor.d/groups/utils/lsscsi @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsscsi +profile lsscsi @{exec_path} { + include + include + + @{exec_path} mr, + + / r, + + /dev/ r, + /dev/** r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 802cb85ae..2b91fc612 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -11,7 +11,6 @@ include profile hw-probe @{exec_path} flags=(attach_disconnected) { include include - include capability sys_admin, @@ -37,28 +36,18 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, - @{sbin}/biosdecode rPx, @{bin}/cpuid rPx, @{bin}/cpupower rPx, @{bin}/curl rCx -> curl, @{bin}/df rPx, - @{sbin}/dkms rPx, @{bin}/dmesg rPx, - @{sbin}/dmidecode rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/edid-decode rPx, - @{sbin}/ethtool rCx -> netconfig, - @{sbin}/fdisk rPx, @{bin}/glxgears rPx, @{bin}/glxinfo rPx, @{bin}/hciconfig rPx, - @{sbin}/hdparm rPx, - @{sbin}/hwinfo rPx, @{bin}/i2cdetect rPx, - @{sbin}/ifconfig rCx -> netconfig, @{bin}/inxi rPx, - @{sbin}/iw rCx -> netconfig, - @{sbin}/iwconfig rCx -> netconfig, @{bin}/journalctl rCx -> journalctl, @{bin}/killall rCx -> killall, @{bin}/kmod rCx -> kmod, @@ -66,14 +55,13 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, + @{bin}/lsscsi rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, - @{sbin}/rfkill rPx, @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, - @{sbin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-analyze rPx, @{bin}/udevadm rCx -> udevadm, @@ -83,12 +71,20 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/xdpyinfo rPx, @{bin}/xinput rPx, @{bin}/xrandr rPx, + @{sbin}/biosdecode rPx, + @{sbin}/dkms rPx, + @{sbin}/dmidecode rPx, + @{sbin}/fdisk rPx, + @{sbin}/hdparm rPx, + @{sbin}/hwinfo rPx, + @{sbin}/rfkill rPx, + @{sbin}/smartctl rPx, /etc/modprobe.d/{,*.conf} r, owner @{HOME}/HW_PROBE/{,**} rw, - audit owner @{tmp}/*/ rw, + owner @{tmp}/@{rand10}/ rw, owner @{tmp}/*/cpu_perf rw, @{sys}/class/drm/ r, @@ -118,6 +114,13 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include if exists } + profile curl flags=(attach_disconnected) { + include + + @{bin}/curl mr, + + include if exists + } profile pacman flags=(attach_disconnected) { include @@ -199,31 +202,6 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include if exists } - profile netconfig flags=(attach_disconnected) { - include - - # Not needed - deny capability net_admin, - deny capability net_raw, - - network inet dgram, - network inet6 dgram, - network ipx dgram, - network ax25 dgram, - network appletalk dgram, - network netlink raw, - - @{sbin}/iw mr, - @{sbin}/ifconfig mr, - @{sbin}/iwconfig mr, - @{sbin}/ethtool mr, - - owner @{PROC}/@{pid}/net/if_inet6 r, - owner @{PROC}/@{pid}/net/dev r, - - include if exists - } - profile systemctl flags=(attach_disconnected) { include include From f443c71c7bb2db3f66440d9d230d994dacc3df4e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 21:05:53 +0200 Subject: [PATCH 261/798] tests: allow empty abstractions directory. --- tests/check.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 28adc7710..8b847db6f 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -390,7 +390,7 @@ check_profiles() { check_abstractions() { _msg "Checking abstractions" - mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*") + mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( abstractions equivalent @@ -408,8 +408,8 @@ check_abstractions() { wait mapfile -t files < <( - find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" - find "$APPARMORD/mappings" -type f + find "$APPARMORD/abstractions" -type f -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true + find "$APPARMORD/mappings" -type f 2>/dev/null || true ) # shellcheck disable=SC2034 jobs=0 From 1aee62f52cb02cbdb054c233a350f4f07d828e48 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 21:07:02 +0200 Subject: [PATCH 262/798] feat(abs): mappings: add support for role from the sshd-session profile. --- apparmor.d/abstractions/mapping/sshd | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/mapping/sshd b/apparmor.d/abstractions/mapping/sshd index 97f0b077e..0f7512710 100644 --- a/apparmor.d/abstractions/mapping/sshd +++ b/apparmor.d/abstractions/mapping/sshd @@ -15,6 +15,8 @@ capability audit_write, capability chown, capability dac_read_search, + capability fowner, + capability fsetid, capability kill, capability setgid, capability setuid, @@ -25,12 +27,14 @@ # but will fall back to a non-privileged version if it fails. deny capability net_admin, + network inet stream, network inet6 stream, network netlink raw, signal receive set=exists peer=@{p_systemd_journald}, signal receive set=hup peer=@{p_systemd}, + unix bind type=stream addr=@@{udbus}/bus/sshd-session/system, unix bind type=stream addr=@@{udbus}/bus/sshd/system, dbus send bus=system path=/org/freedesktop/login1 From 0366543c39cb495e7129aee373055133b2324823 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Jun 2025 21:09:37 +0200 Subject: [PATCH 263/798] feat(profile): add console-setup profiles. --- apparmor.d/profiles-a-f/console-setup-cached | 36 +++++++++++++++++++ .../profiles-a-f/console-setup-keyboard | 31 ++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 apparmor.d/profiles-a-f/console-setup-cached create mode 100644 apparmor.d/profiles-a-f/console-setup-keyboard diff --git a/apparmor.d/profiles-a-f/console-setup-cached b/apparmor.d/profiles-a-f/console-setup-cached new file mode 100644 index 000000000..332f05341 --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-cached @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /etc/console-setup/cached_setup_font.sh /etc/console-setup/cached_setup_terminal.sh +profile console-setup-cached @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/ls ix, + @{bin}/mkdir ix, + @{bin}/setfont ix, + + /usr/share/consolefonts/{,**} r, + + @{run}/console-setup/ w, + @{run}/console-setup/font-loaded w, + + /dev/ r, + /dev/tty rw, + /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/console-setup-keyboard b/apparmor.d/profiles-a-f/console-setup-keyboard new file mode 100644 index 000000000..1f4045e2e --- /dev/null +++ b/apparmor.d/profiles-a-f/console-setup-keyboard @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/console-setup/keyboard-setup.sh /etc/console-setup/cached_setup_keyboard.sh +profile console-setup-keyboard @{exec_path} { + include + include + + capability sys_tty_config, + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/gzip rix, + @{bin}/kbd_mode rix, + @{bin}/loadkeys rix, + + /etc/console-setup/{,**} r, + + /dev/tty@{int} rw, + /dev/tty rw, + + include if exists +} + +# vim:syntax=apparmor From 9cb74ff384fd8bcdeade0e7eb016fabf79321651 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 2 Jul 2025 23:22:12 +0200 Subject: [PATCH 264/798] feat(abs): general update --- apparmor.d/abstractions/app-open | 2 +- apparmor.d/abstractions/app/firefox | 3 ++- apparmor.d/abstractions/bus-session | 2 +- apparmor.d/abstractions/bus/org.freedesktop.NetworkManager | 7 ++++++- apparmor.d/abstractions/disks-read | 6 ++++++ 5 files changed, 16 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index c7d2a86c8..59724f019 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -39,7 +39,7 @@ @{bin}/extension-manager Px, @{bin}/filezilla Px, @{bin}/flameshot Px, - @{bin}/gimp{,3} Px, + @{bin}/gimp{,-3.0} Px, @{bin}/gnome-calculator Px, @{bin}/gnome-disk-image-mounter Px, @{bin}/gnome-disks Px, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 5e3bc15cb..1dd15f9d8 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -99,7 +99,8 @@ owner @{tmp}/@{name}/* rwk, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, - owner @{tmp}/remote-settings-startup-bundle- w, + owner @{tmp}/remote-settings-startup-bundle- rw, + owner @{tmp}/remote-settings-startup-bundle-.tmp rw, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, owner @{tmp}/tmp-*.xpi rw, diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index 38d39a489..a1226d8e7 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -6,7 +6,7 @@ unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session, - dbus send bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/org/freedesktop/{dbus,DBus} interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 0f188e05a..78f0de9de 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -8,7 +8,7 @@ dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects + member={GetManagedObjects,InterfacesRemoved} peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager @@ -51,6 +51,11 @@ member=Updated peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} + interface=org.freedesktop.NetworkManager.Connection.Active + member=StateChanged + peer=(name=@{busname}, label=NetworkManager), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 62e24b70d..e1bf31298 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -44,6 +44,12 @@ @{sys}/devices/virtual/block/loop@{int}/ r, @{sys}/devices/virtual/block/loop@{int}/** r, + # Xen PVH devices + @{sys}/devices/vbd-@{int}/block/** r, + + # Channel subsystem for IBM Z + @{sys}/devices/css@{int}/** r, + # LUKS/LVM (device-mapper) devices /dev/dm-@{int} rk, /dev/mapper/{,*} r, From f47babab8492b9b273da5e985f41cf2a1cddbba2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 15:21:01 +0200 Subject: [PATCH 265/798] fix(profile): pci slot adress. --- apparmor.d/abstractions/common/app | 1 + apparmor.d/groups/filesystem/udisksd | 1 + apparmor.d/profiles-s-z/zed | 1 + apparmor.d/profiles-s-z/zpool | 1 + 4 files changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index efb3c838b..a3fb2c5ef 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -78,6 +78,7 @@ @{sys}/bus/ r, @{sys}/bus/*/devices/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 1ff219bbe..ab3813973 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -121,6 +121,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/bus/scsi/devices/ r, @{sys}/class/ r, diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index b131897d4..893cead5b 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -46,6 +46,7 @@ profile zed @{exec_path} { owner @{tmp}/tmp.* rw, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{sys}/module/zfs/parameters/zfs_zevent_len_max rw, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 2cb997fd7..e6033d9d2 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -31,6 +31,7 @@ profile zpool @{exec_path} { @{sys}/module/zfs/** r, @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/bus/pci/slots/@{int}/address r, @{PROC}/@{pids}/mountinfo r, From e5b6d5dd19e03cb488f748c84b5acb22c7e191ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 15:21:50 +0200 Subject: [PATCH 266/798] feat(profile): update nvidia tools. --- apparmor.d/profiles-m-r/nvidia-settings | 18 +++++++++++++++--- apparmor.d/profiles-m-r/nvidia-smi | 1 + 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 9e5944bff..771bbb3b6 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/nvidia-settings -profile nvidia-settings @{exec_path} { +profile nvidia-settings @{exec_path} flags=(attach_disconnected) { include include include @@ -21,8 +21,20 @@ profile nvidia-settings @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, - - @{PROC}/devices r, + @{sys}/devices/system/node/ r, + @{sys}/devices/system/node/node@{int}/cpumap r, + + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 + /dev/nvidia-caps/ rw, + /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 143808f76..9ea391400 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -21,6 +21,7 @@ profile nvidia-smi @{exec_path} { @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, From 223f611dfcb92f9cae02e9965491f8580b01a0ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:53:15 +0200 Subject: [PATCH 267/798] feat(abs): nvidia: ensure cuda is supported, cleanup common local path. --- apparmor.d/abstractions/nvidia-strict | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index ebaced47f..6fe815773 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -6,18 +6,21 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, + /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr, + /usr/share/nvidia/nvidia-application-profiles-* r, /etc/nvidia/nvidia-application-profiles-* r, /etc/vdpau_wrapper.cfg r, - owner @{HOME}/.cache/nvidia/ w, - owner @{HOME}/.cache/nvidia/GLCache/ rw, - owner @{HOME}/.cache/nvidia/GLCache/** rwk, + owner @{HOME}/.nv/ w, owner @{HOME}/.nv/ComputeCache/ w, owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/nvidia-application-profiles-* r, + owner @{user_cache_dirs}/nvidia/ w, + owner @{user_cache_dirs}/nvidia/GLCache/ rw, + owner @{user_cache_dirs}/nvidia/GLCache/** rwk, @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, From 13680be0a6a0421bdc2a59ec03284b55debd57ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:53:53 +0200 Subject: [PATCH 268/798] feat(fsp): sdu: add consoles --- apparmor.d/groups/_full/sdu | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index 80d8c1fb9..f9c50b65f 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -23,6 +23,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include include + include include include @@ -108,6 +109,8 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/kmsg w, + deny capability net_admin, profile shell flags=(attach_disconnected,mediate_deleted,complain) { @@ -123,10 +126,10 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include - audit capability net_admin, - owner @{run}/user/@{uid}/systemd/private rw, + deny capability net_admin, + include if exists include if exists } From 3b040aa5ca46513bd7058882c6bcde4b3f5d85dc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:54:49 +0200 Subject: [PATCH 269/798] feat(profile): improve dpkg-scripts. --- apparmor.d/groups/apt/dpkg-scripts | 4 +++- apparmor.d/groups/apt/unattended-upgrade-shutdown | 4 ++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index e16d25bf2..d3994d0ec 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -11,6 +11,7 @@ profile dpkg-scripts @{exec_path} { include include include + include capability chown, capability dac_read_search, @@ -24,6 +25,7 @@ profile dpkg-scripts @{exec_path} { # Common program found in maintainer scripts @{sh_path} rix, @{coreutils_path} rix, + @{python_path} rix, @{bin}/run-parts rix, @{bin}/envsubst ix, @@ -51,8 +53,8 @@ profile dpkg-scripts @{exec_path} { @{bin}/** PUx, @{sbin}/** PUx, @{lib}/** PUx, + /etc/** PUx, /usr/share/** PUx, - /etc/init.d/* PUx, # Maintainer's scripts can update a lot of files / r, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index f36505e7a..1fb667fae 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -20,6 +20,10 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { @{bin}/ischroot Px, + @{lib}/@{python_name}/**/__pycache__/ w, + @{lib}/@{python_name}/**/__pycache__/**.pyc w, + @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + /usr/share/unattended-upgrades/{,*} r, owner /var/log/unattended-upgrades/*.log* rw, From f56163afb184d93df751f2ce571d90cd9b08ecbc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:56:24 +0200 Subject: [PATCH 270/798] feat(profile): ensure xdg portal can start any sandboxing tool. --- apparmor.d/groups/freedesktop/xdg-document-portal | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 91a203d3a..93cac619e 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -39,8 +39,9 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/flatpak rPUx, + @{bin}/flatpak rPx, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/snap rPx, / r, owner @{att}/ r, @@ -64,6 +65,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { profile fusermount flags=(attach_disconnected) { include + include include capability dac_read_search, From 4f2abda92f0cfd1c2b412a23582c4ac253954d73 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 21:58:20 +0200 Subject: [PATCH 271/798] feat(profile): improve gnome programs. --- apparmor.d/groups/gnome/epiphany-search-provider | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 3 +++ apparmor.d/groups/gnome/gnome-shell | 12 +++++++++--- apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/tracker-extract | 1 + 5 files changed, 15 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index e66450d09..2168382e0 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -29,6 +29,7 @@ profile epiphany-search-provider @{exec_path} { @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, owner @{user_cache_dirs}/epiphany/{,**} rwk, + owner @{user_config_dirs}/epiphany/{,**} rw, owner @{user_share_dirs}/epiphany/{,**} rwk, owner @{tmp}/ContentRuleList-@{rand6} rw, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 104d95fb3..7cb982ca7 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -16,6 +16,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include include include include @@ -29,6 +30,8 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index e977af95e..acae2d601 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -173,6 +173,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/sensors rPx, @{bin}/tecla rPx, @{bin}/Xwayland rPx, + @{bin}/nvidia-smi rPx, # FIXME; for extension only + @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper @@ -227,6 +229,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{gdm_cache_dirs}/libgweather/ r, + owner @{gdm_cache_dirs}/nvidia/GLCache/ rw, + owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk, owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/ibus/ rw, owner @{gdm_config_dirs}/ibus/bus/ rw, @@ -234,11 +238,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_config_dirs}/pulse/ rw, owner @{gdm_config_dirs}/pulse/client.conf r, owner @{gdm_config_dirs}/pulse/cookie rwk, + owner @{gdm_local_dirs}/ w, + owner @{gdm_share_dirs}/ w, owner @{gdm_share_dirs}/applications/{,**} r, owner @{gdm_share_dirs}/gnome-shell/{,**} rw, owner @{gdm_share_dirs}/icc/ rw, - owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw, + owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{HOME}/.face r, owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r, @@ -263,7 +269,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/backgrounds/{,**} rw, owner @{user_share_dirs}/dbus-1/services/ r, - owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw, + owner @{user_share_dirs}/dbus-1/services/org.gnome.Shell.*.service{,.@{rand6}} rw, owner @{user_share_dirs}/desktop-directories/{,**} r, owner @{user_share_dirs}/gnome-shell/{,**} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, @@ -271,7 +277,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, - owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w, + owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 22823753b..c399eadc7 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -15,6 +15,7 @@ profile gnome-text-editor @{exec_path} { include include + #aa:dbus own bus=session name=org.gnome.TextEditor #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 83bf18b9b..e8612f7b6 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -70,6 +70,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} r, From 705eb11510c0d692173368609b1a10f419337800 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:04:18 +0200 Subject: [PATCH 272/798] feat(profile): improve some dbus rules. --- apparmor.d/groups/bluetooth/bluetoothd | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 5 +++++ apparmor.d/groups/gvfs/gvfsd-http | 4 ++++ apparmor.d/groups/gvfs/gvfsd-trash | 6 +----- apparmor.d/groups/network/mullvad-gui | 3 +++ apparmor.d/groups/ssh/sshd | 5 +++++ apparmor.d/groups/virt/cockpit-wsinstance-factory | 3 +++ apparmor.d/profiles-s-z/virt-manager | 6 ++++++ 8 files changed, 28 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index aa84eebd9..e5443f505 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -32,7 +32,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved + member={InterfacesRemoved,InterfacesAdded} peer=(name=org.freedesktop.DBus), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 9af8be00a..6c61dbba4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -33,6 +33,11 @@ profile gvfsd-dnssd @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 2fe0a1e2b..92d6fbf64 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -24,6 +24,10 @@ profile gvfsd-http @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 9acfd6c86..e13f870c7 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,6 +11,7 @@ include profile gvfsd-trash @{exec_path} { include include + include include include include @@ -21,11 +22,6 @@ profile gvfsd-trash @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name="@{busname}", label="{gnome-shell,nautilus}"), - dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 6075f14b2..c36d34e3f 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -14,6 +14,9 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include + include + include + include include network inet stream, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 75438c957..2494dc2c2 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -61,6 +61,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) { member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + @{exec_path} mrix, @{bin}/@{shells} Ux, #aa:exclude RBAC diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory index b14a1e36f..99db4d614 100644 --- a/apparmor.d/groups/virt/cockpit-wsinstance-factory +++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory @@ -9,6 +9,9 @@ include @{exec_path} = @{lib}/cockpit/cockpit-wsinstance-factory profile cockpit-wsinstance-factory @{exec_path} { include + include + + unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, capability net_admin, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 7c0443dae..fa17f5b1b 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,6 +12,10 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include include include include @@ -28,6 +32,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.virt-manager.virt-manager + @{exec_path} rix, @{sh_path} rix, From bfc6c51821b87fdca893c54555bf5ca5a060528b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:08:28 +0200 Subject: [PATCH 273/798] feat(profile): update some core system profiles. --- apparmor.d/profiles-a-f/dkms | 4 ++-- apparmor.d/profiles-a-f/fprintd | 3 +-- apparmor.d/profiles-a-f/fwupd | 11 +++++++---- apparmor.d/profiles-g-l/hw-probe | 16 +++++++++++----- apparmor.d/profiles-g-l/hwinfo | 6 +++++- apparmor.d/profiles-g-l/i2cdetect | 5 +++++ apparmor.d/profiles-g-l/kernel | 6 ++++-- apparmor.d/profiles-g-l/kernel-install | 3 +++ apparmor.d/profiles-m-r/pycompile | 2 +- apparmor.d/profiles-s-z/sysstat-sadc | 4 +++- 10 files changed, 42 insertions(+), 18 deletions(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 0a01e5db5..a0d5b08f9 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -30,13 +30,14 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/bc rix, @{bin}/clang-@{version} rix, @{bin}/gcc rix, + @{bin}/g++ rix, @{bin}/getconf rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @{bin}/ld rix, @{bin}/ld.lld rix, @{bin}/llvm-objcopy rix, - @{bin}/lsb_release rPx -> lsb_release, + @{bin}/lsb_release rPx, @{bin}/make rix, @{bin}/objcopy rix, @{bin}/pahole rix, @@ -101,7 +102,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) { owner @{tmp}/sh-thd.* rw, owner @{tmp}/tmp.* rw, - @{PROC}/cpuinfo r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/vm/overcommit_memory r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 182d9013d..1d00dce88 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -32,8 +32,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, - @{sys}/devices/@{pci}/hidraw/hidraw@{int}/uevent r, - @{sys}/devices/virtual/**/hidraw/hidraw@{int}/uevent r, + @{sys}/devices/**/hidraw/hidraw@{int}/uevent r, include if exists } diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 961b55c97..cf5989227 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -62,12 +62,15 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /etc/machine-id r, /var/lib/dbus/machine-id r, - /boot/{,**} r, - /boot/EFI/*/.goutputstream-@{rand6} rw, - /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, - /boot/EFI/*/fwupdx@{int}.efi rw, + @{efi}/{,**} r, + @{efi}/EFI/*/.goutputstream-@{rand6} rw, + @{efi}/EFI/*/fw/fwupd-*.cap{,.*} rw, + @{efi}/EFI/*/fwupdx@{int}.efi rw, @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, + @{MOUNTDIRS}/*/{,@{efi}/} r, + @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, + /var/lib/flatpak/exports/share/mime/mime.cache r, /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 2b91fc612..739073201 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -33,6 +33,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/uname rix, + @{bin}/vulkaninfo rPUx, @{bin}/acpi rPx, @{bin}/amixer rPx, @{bin}/aplay rPx, @@ -55,7 +56,6 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/lsblk rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, - @{bin}/lsscsi rPx, @{bin}/lsusb rPx, @{bin}/memtester rPx, @{bin}/nmcli rPx, @@ -76,12 +76,15 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{sbin}/dmidecode rPx, @{sbin}/fdisk rPx, @{sbin}/hdparm rPx, + @{bin}/boltctl rPUx, @{sbin}/hwinfo rPx, @{sbin}/rfkill rPx, @{sbin}/smartctl rPx, /etc/modprobe.d/{,*.conf} r, + @{efi}/EFI/{,**} r, + owner @{HOME}/HW_PROBE/{,**} rw, owner @{tmp}/@{rand10}/ rw, @@ -107,9 +110,9 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { include include - capability sys_module, + capability syslog, - @{sys}/module/compression r, + @{sys}/module/{,**} r, include if exists } @@ -169,9 +172,12 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{run}/log/ rw, /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, /{run,var}/log/journal/@{hex32}/system.journal* r, - /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 4919d2fb2..314975208 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -28,6 +28,7 @@ profile hwinfo @{exec_path} { @{bin}/kmod rCx -> kmod, @{bin}/udevadm rCx -> udevadm, @{sbin}/acpidump rPUx, + @{bin}/lsscsi rPx, @{sbin}/dmraid rPUx, @@ -39,7 +40,7 @@ profile hwinfo @{exec_path} { @{sys}/bus/{,**/} r, @{sys}/class/*/ r, - @{sys}/devices/@{pci}/** r, + @{sys}/devices/@{pci}/{,**} r, @{sys}/devices/**/{modalias,uevent} r, @{sys}/devices/**/input/**/dev r, @{sys}/devices/virtual/net/*/{type,carrier,address} r, @@ -70,9 +71,12 @@ profile hwinfo @{exec_path} { include include + capability sys_module, + owner @{tmp}/hwinfo*.txt rw, @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/module/compression r, include if exists } diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect index 5ce4da0bb..f101c56e6 100644 --- a/apparmor.d/profiles-g-l/i2cdetect +++ b/apparmor.d/profiles-g-l/i2cdetect @@ -13,8 +13,13 @@ profile i2cdetect @{exec_path} { @{exec_path} mr, + @{sys}/class/i2c-dev/ r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + owner @{PROC}/@{pid}/mounts r, + /dev/i2c-@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index d375a1bdd..c3155ce75 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -34,13 +34,15 @@ profile kernel @{exec_path} { @{bin}/which{,.debianutils} rix, @{bin}/apt-config rPx, + @{bin}/bootctl rPx, @{bin}/dpkg rPx -> child-dpkg, + @{bin}/kernel-install rPx, @{bin}/systemd-detect-virt rPx, - @{sbin}/update-alternatives rPx, + @{lib}/dkms/dkms_autoinstaller rPx, @{sbin}/dkms rPx, + @{sbin}/update-alternatives rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, - @{lib}/dkms/dkms_autoinstaller rPx, @{lib}/modules/*/updates/ w, @{lib}/modules/*/updates/dkms/ w, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 614b81aeb..96d097417 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -41,6 +41,8 @@ profile kernel-install @{exec_path} { @{lib}/modules/*/modules.* w, + @{efi}/@{hex32}/** rw, + owner /boot/{vmlinuz,initrd.img}-* r, owner /boot/[a-f0-9]*/*/ rw, owner /boot/[a-f0-9]*/*/{linux,initrd} w, @@ -52,6 +54,7 @@ profile kernel-install @{exec_path} { owner @{tmp}/sh-thd.* rw, + @{PROC}/@{pid}/mountinfo r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index b684c3094..c308dcd91 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -11,7 +11,7 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { include include include - # include + include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index 9a4b5cebe..dfdd00524 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -24,8 +24,10 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-*/name r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/ r, + @{sys}/devices/@{pci}/hwmon/hwmon@{int}/name r, @{sys}/devices/@{pci}/net/*/duplex r, + @{sys}/devices/**/i2c-*/name r, @{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/speed r, @{sys}/devices/virtual/net/*/duplex r, From af8c66e9bf456a5770584bf03019548ee67d5020 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:14:25 +0200 Subject: [PATCH 274/798] feat(profile): upgrade cockpit profiles. --- apparmor.d/groups/virt/cockpit-certificate-helper | 1 + apparmor.d/groups/virt/cockpit-desktop | 2 ++ apparmor.d/groups/virt/cockpit-tls | 3 +++ apparmor.d/groups/virt/cockpit-ws | 4 +++- 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index ac9dd5f6f..303fd074c 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -21,6 +21,7 @@ profile cockpit-certificate-helper @{exec_path} { @{bin}/openssl rix, @{bin}/rm rix, @{bin}/sscg rix, + @{bin}/sync rix, @{bin}/tr rix, /etc/machine-id r, diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop index c2a7455ce..bb1ba03bf 100644 --- a/apparmor.d/groups/virt/cockpit-desktop +++ b/apparmor.d/groups/virt/cockpit-desktop @@ -10,6 +10,8 @@ include profile cockpit-desktop @{exec_path} { include + userns, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 0037b132c..7bf43ed4a 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -17,6 +17,9 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, + @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r, + @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, + owner @{run}/cockpit/tls/{,**} rw, include if exists diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index 7b0779119..8e3478072 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/cockpit/cockpit-ws -profile cockpit-ws @{exec_path} { +profile cockpit-ws @{exec_path} flags=(attach_disconnected) { include include include @@ -21,6 +21,8 @@ profile cockpit-ws @{exec_path} { /usr/share/pixmaps/{,**} r, /etc/cockpit/ws-certs.d/ r, + @{run}/cockpit/wsinstance/https@@{hex64}.sock r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, From c2740ffe241a13c85c53d7a8d99d4946b5509414 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Jul 2025 22:15:04 +0200 Subject: [PATCH 275/798] feat(profile): xwayland: add integration with desktop local paths. --- apparmor.d/groups/freedesktop/xwayland | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 03b418684..9b329e06a 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -29,6 +29,11 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { /usr/share/fonts/{,**} r, /usr/share/ghostscript/fonts/{,**} r, + / r, + + owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, + owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, + owner @{tmp}/server-@{int}.xkm rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, owner @{run}/user/@{uid}/server-@{int}.xkm rw, From 8042dd4a348fc3778c107d94a9ef1e70c11ec181 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:09:34 +0200 Subject: [PATCH 276/798] chore: replace make full by make fsp. --- Makefile | 8 ++++++-- docs/full-system-policy.md | 17 ++++++++--------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/Makefile b/Makefile index 8bc8757bc..854d39f16 100644 --- a/Makefile +++ b/Makefile @@ -22,8 +22,12 @@ build: enforce: build @./${BUILD}/prebuild -.PHONY: full -full: build +.PHONY: fsp +fsp: build + @./${BUILD}/prebuild --full + +.PHONY: fsp-complain +fsp-complain: build @./${BUILD}/prebuild --complain --full .PHONY: install diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index c747cb739..016ed8ada 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -27,7 +27,6 @@ Particularly: - Every system application will be **blocked** if they do not have a profile. - Any non-standard system app need to be explicitly profiled and allowed to run. For instance, if you want to use your own proxy or VPN software, you need to ensure it is correctly profiled and allowed to run in the `systemd` profile. - Desktop environment must be explicitly supported, your UI will not start otherwise. Again, it is a **feature**. -- FSP mode will run unknown user application into the `default` profile. It might be enough for your application. If not you have to make a profile for it. - In FSP mode, all sandbox managers **must** have a profile. Then user sandboxed applications (flatpak, snap, etc) will work as expected. - PID 1 is the last program that should be confined. It does not make sense to confine only PID. All other programs must be confined first. @@ -47,11 +46,11 @@ Optimize=compress-fast === ":material-arch: Archlinux" - In `PKGBUILD`, replace `make` by `make full`: + In `PKGBUILD`, replace `make` by `make fsp`: ```diff - make - + make full + + make fsp ``` Then, build the package with: `make pkg` @@ -62,7 +61,7 @@ Optimize=compress-fast ```make override_dh_auto_build: - make full + make fsp ``` Then, build the package with: `make dpkg` @@ -73,25 +72,25 @@ Optimize=compress-fast ```make override_dh_auto_build: - make full + make fsp ``` Then, build the package with: `make dpkg` === ":simple-suse: openSUSE" - In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build full` + In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build fsp` ```diff - %make_build - + %make_build full + + %make_build fsp ``` Then, build the package with: `make rpm` === ":material-home: Partial Install" - Use the `make full` command to build instead of `make` + Use the `make fsp` command to build instead of `make` ## Structure @@ -149,7 +148,7 @@ In addition to the `systemd` profiles, a full system policy needs to ensure that The main fallback profile (`default`) is not intended to be used by privileged program or service. Such programs **must** have they dedicated profile and would break otherwise. -Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). +Additionally, special user access can be setup using PAM rules set such as a random shell interactively opened (as user or as root). [apparmor-wiki]: https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy [full]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/_full From 6b5fad404bc8d979371d9efc7812c4e50d82bd25 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:19:35 +0200 Subject: [PATCH 277/798] feat(profile): add free --- apparmor.d/groups/procps/free | 19 +++++++++++++++++++ tests/integration/procps/free.bats | 18 ++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 apparmor.d/groups/procps/free create mode 100644 tests/integration/procps/free.bats diff --git a/apparmor.d/groups/procps/free b/apparmor.d/groups/procps/free new file mode 100644 index 000000000..56075ae1c --- /dev/null +++ b/apparmor.d/groups/procps/free @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/free +profile free @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/free.bats b/tests/integration/procps/free.bats new file mode 100644 index 000000000..dcc216bfa --- /dev/null +++ b/tests/integration/procps/free.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "free: Display system memory" { + free +} + +@test "free: Display memory in GB" { + free -g +} + +@test "free: Display memory in human-readable units" { + free -h +} From 771dd9b589e15c66038a28e1d469391f25a962bd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:22:26 +0200 Subject: [PATCH 278/798] feat(profile): add pidof --- apparmor.d/groups/procps/pidof | 18 ++++++++++++++++++ tests/integration/procps/pidof.bats | 19 +++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 apparmor.d/groups/procps/pidof create mode 100644 tests/integration/procps/pidof.bats diff --git a/apparmor.d/groups/procps/pidof b/apparmor.d/groups/procps/pidof new file mode 100644 index 000000000..3413eb6c3 --- /dev/null +++ b/apparmor.d/groups/procps/pidof @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pidof +profile pidof @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/pidof.bats b/tests/integration/procps/pidof.bats new file mode 100644 index 000000000..ec20cbe86 --- /dev/null +++ b/tests/integration/procps/pidof.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pidof: List all process IDs with given name" { + pidof systemd + pidof bash +} + +@test "pidof: List a single process ID with given name" { + pidof -s bash +} + +@test "pidof: List process IDs including scripts with given name" { + pidof -x bash +} From c85ed58fa98935d9d475496f02347a2319ce4992 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:30:21 +0200 Subject: [PATCH 279/798] feat(profile): add vmstat --- apparmor.d/groups/procps/vmstat | 27 +++++++++++++++++++++++++++ tests/integration/procps/vmstat.bats | 25 +++++++++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 apparmor.d/groups/procps/vmstat create mode 100644 tests/integration/procps/vmstat.bats diff --git a/apparmor.d/groups/procps/vmstat b/apparmor.d/groups/procps/vmstat new file mode 100644 index 000000000..1276222a2 --- /dev/null +++ b/apparmor.d/groups/procps/vmstat @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/vmstat +profile vmstat @{exec_path} { + include + include + + @{exec_path} mr, + + @{sys}/block/ r, + @{sys}/devices/system/node/ r, + + @{PROC}/diskstats r, + @{PROC}/slabinfo r, + @{PROC}/uptime r, + @{PROC}/vmstat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/vmstat.bats b/tests/integration/procps/vmstat.bats new file mode 100644 index 000000000..e5900a324 --- /dev/null +++ b/tests/integration/procps/vmstat.bats @@ -0,0 +1,25 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "vmstat: Display virtual memory statistics" { + vmstat + vmstat --active + vmstat --forks +} + +@test "vmstat: Display disk statistics" { + vmstat --disk + vmstat --disk-sum +} + +@test "vmstat: Display slabinfo" { + sudo vmstat --slabs +} + +@test "vmstat: Display reports every second for 3 times" { + vmstat 1 3 +} From e6939f4968d50bff639882e5bc34d81ea462ff4e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:37:07 +0200 Subject: [PATCH 280/798] feat(profile): add pgrep. --- apparmor.d/groups/procps/pgrep | 22 ++++++++++++++++++++++ tests/integration/procps/pgrep.bats | 19 +++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 apparmor.d/groups/procps/pgrep create mode 100644 tests/integration/procps/pgrep.bats diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep new file mode 100644 index 000000000..950aeb99e --- /dev/null +++ b/apparmor.d/groups/procps/pgrep @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pgrep +profile pgrep @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{PROC}/tty/drivers r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/procps/pgrep.bats b/tests/integration/procps/pgrep.bats new file mode 100644 index 000000000..9fd6b92f8 --- /dev/null +++ b/tests/integration/procps/pgrep.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pgrep: Return PIDs of any running processes with a matching command string" { + pgrep systemd +} + +@test "pgrep: Search for processes including their command-line options" { + pgrep --full 'systemd' +} + +@test "pgrep: Search for processes run by a specific user" { + pgrep --euid root systemd-udevd +} + From e30372b729467fdb4aeafd6be6c206354b4077d8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:52:29 +0200 Subject: [PATCH 281/798] ci: use fsp instead of full command. --- .github/workflows/main.yml | 2 +- .gitlab-ci.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index cac8fce43..973287e72 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -38,7 +38,7 @@ jobs: - name: Build the apparmor.d package run: | if [[ ${{ matrix.mode }} == full-system-policy ]]; then - echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + echo -e "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules fi if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then # Test with Re-attach disconnected path diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index f697637fa..8adab16ab 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -117,7 +117,7 @@ whonix: variables: DISTRIBUTION: whonix before_script: - - echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules + - echo "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules opensuse: stage: build From 277bd7f46aa43ad90ca8242cfb823e4ef3f68044 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Jul 2025 00:53:37 +0200 Subject: [PATCH 282/798] feat(profile): ensure gtk-query-immodule is not version dependent. --- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/profiles-g-l/gtk-query-immodules | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index e9f3bf807..ff43e2196 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -71,7 +71,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, @{sbin}/groupadd rPx, - @{bin}/gtk-query-immodules-{2,3}.0 rPx, + @{bin}/gtk-query-immodules-* rPx, @{bin}/gtk{,4}-update-icon-cache rPx, @{sbin}/iconvconfig rix, @{bin}/install-catalog rPx, diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index 509769698..e6d37db44 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* +@{exec_path} = @{bin}/gtk-query-immodules-* @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-* profile gtk-query-immodules @{exec_path} { include include From e6b044376f7ef7f2a6850bf0461927b5432eeb0c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:14:24 +0200 Subject: [PATCH 283/798] fix(profile): update archlinux-keyring requirements. fix #784 --- apparmor.d/groups/gpg/gpg | 5 ++--- apparmor.d/groups/pacman/pacman-key | 3 ++- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 247c6e4ac..f05f6492e 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -33,9 +33,8 @@ profile gpg @{exec_path} { /etc/inputrc r, #aa:only pacman - /etc/pacman.d/gnupg/gpg.conf r, - /etc/pacman.d/gnupg/pubring.gpg r, - /etc/pacman.d/gnupg/trustdb.gpg r, + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt owner /etc/apt/keyrings/ rw, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index a5cee6fa9..9e3bde188 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -34,7 +34,8 @@ profile pacman-key @{exec_path} { /usr/share/pacman/keyrings/{,*} r, /usr/share/terminfo/** r, - /etc/pacman.d/gnupg/* rw, + /etc/pacman.d/gnupg/ rw, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, /dev/tty rw, From 51cb732ecaeb6e2c7cf7c9f936c4c26c9b9bf561 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:17:13 +0200 Subject: [PATCH 284/798] fix(profile): ensure hyprland can integrate with wine/proton fix #783 --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index c06671b34..9f2e7583d 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -14,6 +14,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_ptrace, From b754c1134c8be44034893bb4accee769dcc4ea63 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:37:49 +0200 Subject: [PATCH 285/798] fix(profile) wechat profile permissions fix #772 --- apparmor.d/profiles-s-z/wechat | 0 apparmor.d/profiles-s-z/wechat-appimage | 0 2 files changed, 0 insertions(+), 0 deletions(-) mode change 100755 => 100644 apparmor.d/profiles-s-z/wechat mode change 100755 => 100644 apparmor.d/profiles-s-z/wechat-appimage diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat old mode 100755 new mode 100644 diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage old mode 100755 new mode 100644 From d6f4ff57b65bc641c96775c38aa7bbce55f4aff6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:47:39 +0200 Subject: [PATCH 286/798] fix: linter check. --- apparmor.d/groups/gpg/gpg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index f05f6492e..1a3f7f4d9 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -34,7 +34,7 @@ profile gpg @{exec_path} { #aa:only pacman /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt owner /etc/apt/keyrings/ rw, From 1b1a4c11ac22ab1aba9fd4bbff3619593a2454b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:51:18 +0200 Subject: [PATCH 287/798] feat(profile): gpg: improve integration with access to gpg-agent. --- apparmor.d/groups/gpg/gpg | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 1a3f7f4d9..7ebb9e3a4 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -68,6 +68,7 @@ profile gpg @{exec_path} { owner /tmp/@{int}@{int} rw, owner @{run}/user/@{uid}/gnupg/d.*/ rw, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, From e9fbc3503636273f0d36697a38f4f061049a38d4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:52:26 +0200 Subject: [PATCH 288/798] feat(profile): minor sshd improvement. --- apparmor.d/groups/ssh/sshd-auth | 2 ++ apparmor.d/groups/ssh/sshd-session | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/apparmor.d/groups/ssh/sshd-auth b/apparmor.d/groups/ssh/sshd-auth index cb4defc0f..c1601b813 100644 --- a/apparmor.d/groups/ssh/sshd-auth +++ b/apparmor.d/groups/ssh/sshd-auth @@ -24,6 +24,8 @@ profile sshd-auth @{exec_path} { @{exec_path} mr, @{sbin}/sshd.hmac r, + /etc/gss/mech.d/{,*} r, + include if exists } diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index e74696334..5f09af5cc 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -47,6 +47,11 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { member={CreateSession,ReleaseSession,CreateSessionWithPIDFD} peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + dbus send bus=system path=/org/freedesktop/home1 + interface=org.freedesktop.home1.Manager + member=GetUserRecordByName + peer=(name=org.freedesktop.home1, label="@{p_systemd_homed}"), + @{exec_path} mr, @{bin}/@{shells} Ux, #aa:exclude RBAC From 51560bbbf562a7e47ffe4776a1092e3aa78709ec Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:53:29 +0200 Subject: [PATCH 289/798] feat(profile): update mullvad. --- apparmor.d/groups/network/mullvad-daemon | 13 +++++++++---- apparmor.d/groups/network/mullvad-gui | 2 ++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 6c4c41e6c..9573d7044 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -10,6 +10,7 @@ include @{exec_path} += /opt/Mullvad*/resources/mullvad-daemon profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include + include include capability dac_override, @@ -39,7 +40,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { "/opt/Mullvad VPN/resources/*.so*" mr, "/opt/Mullvad VPN/resources/*" r, - /etc/mullvad-vpn/{,*} r, + /etc/mullvad-vpn/ rw, + /etc/mullvad-vpn/* r, /etc/mullvad-vpn/@{uuid} rw, /etc/mullvad-vpn/*.json rw, @{etc_rw}/resolv.conf rw, @@ -49,16 +51,19 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner /var/log/mullvad-vpn/{,*} rw, owner /var/log/private/mullvad-vpn/*.log rw, + owner @{tmp}/@{uuid} rw, + owner @{tmp}/talpid-openvpn-@{uuid} rw, + @{run}/NetworkManager/resolv.conf r, owner @{run}/mullvad-vpn rw, @{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, + @{sys}/fs/cgroup/system.slice/cpu.max r, + @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, - owner @{tmp}/@{uuid} rw, - owner @{tmp}/talpid-openvpn-@{uuid} rw, - + @{PROC}/@{pid}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index c36d34e3f..ae9b4cb7f 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -37,6 +37,8 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/mullvad-vpn rw, + /dev/tty rw, deny @{user_share_dirs}/gvfs-metadata/* r, From 35ae596fd98800f52057f338f214f736aad094e0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 10 Jul 2025 00:56:31 +0200 Subject: [PATCH 290/798] feat(profile): general update on some core profiles. --- apparmor.d/profiles-a-f/dkms | 5 +++-- apparmor.d/profiles-g-l/gimp | 4 ++++ apparmor.d/profiles-g-l/libreoffice | 3 ++- apparmor.d/profiles-m-r/initramfs-hooks | 6 +++--- apparmor.d/profiles-m-r/mdadm-mkconf | 1 + apparmor.d/profiles-m-r/nvidia-smi | 2 +- apparmor.d/profiles-m-r/ollama | 7 +++++++ apparmor.d/profiles-m-r/power-profiles-daemon | 3 +++ apparmor.d/profiles-s-z/speech-dispatcher | 6 +++++- apparmor.d/profiles-s-z/terminator | 1 + apparmor.d/profiles-s-z/update-shells | 4 +++- apparmor.d/profiles-s-z/virt-manager | 1 + apparmor.d/profiles-s-z/whoopsie | 2 ++ 13 files changed, 36 insertions(+), 9 deletions(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index a0d5b08f9..5a0885143 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -29,8 +29,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/as rix, @{bin}/bc rix, @{bin}/clang-@{version} rix, - @{bin}/gcc rix, @{bin}/g++ rix, + @{bin}/gcc rix, @{bin}/getconf rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @@ -44,8 +44,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/readelf rix, @{bin}/rpm rPUx, @{bin}/strip rix, - @{sbin}/update-secureboot-policy rPUx, + @{bin}/xz rix, @{bin}/zstd rix, + @{sbin}/update-secureboot-policy rPUx, @{lib}/gcc/@{multiarch}/@{version}/* rix, @{lib}/linux-kbuild-*/scripts/** rix, diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index b335650d8..67b625d62 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -28,6 +28,7 @@ profile gimp @{exec_path} { @{python_path} rix, @{bin}/env rix, + @{bin}/gimp-debug-tool-3.0 rix, @{bin}/gimp-script-fu-interpreter-* rix, @{bin}/gjs-console rix, @{bin}/lua rix, @@ -41,6 +42,7 @@ profile gimp @{exec_path} { /usr/share/gimp/{,**} r, /usr/share/mypaint-data/{,**} r, + /usr/share/poppler/{,**} r, /usr/share/xml/iso-codes/{,**} r, /etc/fstab r, @@ -68,6 +70,8 @@ profile gimp @{exec_path} { owner @{tmp}/gimp/{,**} rw, + @{run}/mount/utab r, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index b21642cf8..4bed50f13 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -81,6 +81,7 @@ profile libreoffice @{exec_path} { /etc/papersize r, /etc/xdg/* r, + /var/tmp/ r, owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, owner @{user_cache_dirs}/libreoffice/{,**} rw, @@ -93,7 +94,7 @@ profile libreoffice @{exec_path} { owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/user-places.xbel r, - owner @{tmp}/ r, + @{tmp}/ r, owner @{tmp}/.java_pid@{int}{,.tmp} rw, owner @{tmp}/@{hex} rw, owner @{tmp}/@{rand6} rwk, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index aeb125ef2..5896df049 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -25,10 +25,10 @@ profile initramfs-hooks @{exec_path} { @{lib}/klibc/bin/fstype ix, /usr/share/mdadm/mkconf Px, - @{bin}/* r, - @{sbin}/* r, + @{bin}/* mr, + @{sbin}/* mr, @{lib}/ r, - @{lib}/** r, + @{lib}/** mr, /usr/share/initramfs-tools/{,**} r, /usr/share/plymouth/{,**} r, diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf index 8139ac68e..c922942ec 100644 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -19,6 +19,7 @@ profile mdadm-mkconf @{exec_path} { @{sbin}/mdadm Px, /etc/default/mdadm r, + /etc/mdadm/mdadm.conf r, / r, diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 9ea391400..1d6d62e2b 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -25,7 +25,7 @@ profile nvidia-smi @{exec_path} { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, - /dev/nvidia-caps/nvidia-cap@{int} r, + /dev/nvidia-caps/nvidia-cap@{int} rw, /dev/nvidia-uvm rw, /dev/nvidia-uvm-tools r, diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index 7b5521802..73447e33e 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama @@ -38,8 +38,15 @@ profile ollama @{exec_path} flags=(attach_disconnected) { owner @{tmp}/ollama@{int}/{,**} rw, owner @{tmp}/ollama@{int}/runners/{,**} mr, + @{sys}/devices/@{pci}/drm/card@{int}/ r, + @{sys}/devices/@{pci}/drm/card@{int}/*/ r, + @{sys}/devices/@{pci}/mem_info_vram_total r, + @{sys}/devices/@{pci}/mem_info_vram_used r, @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/node/node@{int}/cpumap r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, @{PROC}/devices r, @{PROC}/sys/net/core/somaxconn r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 43f27b2fc..636f41754 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -30,10 +30,13 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+platform:* r, @{run}/udev/data/+power_supply:* r, + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{sys}/bus/ r, @{sys}/bus/platform/devices/ r, @{sys}/class/ r, + @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, @{sys}/devices/**/power_supply/*/scope r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher index 652a7d9ed..0267d6889 100644 --- a/apparmor.d/profiles-s-z/speech-dispatcher +++ b/apparmor.d/profiles-s-z/speech-dispatcher @@ -20,16 +20,20 @@ profile speech-dispatcher @{exec_path} { @{exec_path} mr, @{sh_path} ix, + @{lib}/speech-dispatcher-modules/* ix, @{lib}/speech-dispatcher/** r, @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, /etc/machine-id r, /etc/speech-dispatcher/{,**} r, + owner @{user_config_dirs}/speech-dispatcher/{,**} r, + owner @{run}/user/@{uid}/speech-dispatcher/ rw, owner @{run}/user/@{uid}/speech-dispatcher/** rwk, - owner @{user_config_dirs}/speech-dispatcher/{,**} r, + owner /dev/shm/sem.@{rand6} rw, + owner /dev/shm/sem.speechd-modules-dummy-@{int} rwl -> /dev/shm/sem.@{rand6}, include if exists } diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 679a0fd32..5c79d0efe 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/terminator profile terminator @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells index 46b6699c8..5922c1a14 100644 --- a/apparmor.d/profiles-s-z/update-shells +++ b/apparmor.d/profiles-s-z/update-shells @@ -17,12 +17,14 @@ profile update-shells @{exec_path} { @{bin}/chmod ix, @{bin}/chown ix, @{bin}/dirname ix, - @{bin}/dpkg-realpath ix, + @{bin}/dpkg-realpath rix, @{bin}/mv ix, @{bin}/sync ix, + @{bin}/readlink ix, /usr/share/debianutils/shells r, /usr/share/debianutils/shells.d/{,**} r, + /usr/share/dpkg/sh/dpkg-error.sh r, /etc/shells r, /etc/shells.tmp w, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index fa17f5b1b..aed85abe3 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -84,6 +84,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + @{run}/libvirt/libvirt-sock rw, @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie index 16a0e5a5e..0c03f4a76 100644 --- a/apparmor.d/profiles-s-z/whoopsie +++ b/apparmor.d/profiles-s-z/whoopsie @@ -25,6 +25,8 @@ profile whoopsie @{exec_path} { owner @{run}/lock/whoopsie/ rw, owner @{run}/lock/whoopsie/lock rwk, + @{sys}/devices/virtual/dmi/id/product_uuid r, + include if exists } From 06d23ac72cc646cee3ea0e5417f0b50e3092b1ef Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 2 Jul 2025 05:29:55 +0200 Subject: [PATCH 291/798] Fix strawberry profile --- apparmor.d/profiles-s-z/strawberry | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 84bbcf1f2..611c8462d 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -69,8 +69,8 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, owner @{tmp}/etilqs_@{sqlhex} rw, - owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w, - owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk, + owner @{tmp}/kdsingleapp-*-strawberry w, + owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int}, owner @{tmp}/strawberry*[0-9] w, From e92f2fb453ea53d4a6da31bc61f95466e2be47a4 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 29 Jun 2025 19:35:08 +0200 Subject: [PATCH 292/798] ouch: allow listing archive contents --- apparmor.d/profiles-m-r/ouch | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch index a5b62ca93..d0bb4a1ed 100644 --- a/apparmor.d/profiles-m-r/ouch +++ b/apparmor.d/profiles-m-r/ouch @@ -17,11 +17,16 @@ profile ouch @{exec_path} { owner @{HOME}/.tmp@{rand6}/{,**} rw, owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw, + owner /tmp/ w, + owner /tmp/.tmp@{rand6}/{,**} rw, + owner /tmp/.tmp-ouch@{rand6}/{,**} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } From 2e9d450fde3d0499762d5961f4f881e81decb105 Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Mon, 23 Jun 2025 17:58:52 +0800 Subject: [PATCH 293/798] Fix tlp start issue --- apparmor.d/profiles-s-z/tlp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 9faea6e3e..7c0a3d2c8 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -16,6 +16,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability sys_nice, @@ -48,6 +49,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, @{bin}/uname rix, + @{bin}/timeout rix, /usr/share/tlp/tlp-readconfs rix, / r, @@ -104,7 +106,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { include include - @{run}/tlp/lock_tlp rw, + @{run}/tlp/lock_tlp rw, # file_inherit include if exists } From d855eeccd746b8ecaeaf3cc7f144715909d5136f Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Mon, 23 Jun 2025 18:01:31 +0800 Subject: [PATCH 294/798] Not use tabs --- apparmor.d/profiles-s-z/tlp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 7c0a3d2c8..3eb0800f9 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -49,7 +49,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{bin}/tr rix, @{bin}/udevadm rCx -> udevadm, @{bin}/uname rix, - @{bin}/timeout rix, + @{bin}/timeout rix, /usr/share/tlp/tlp-readconfs rix, / r, From 97d5fe3f6865217f16d05876235ce68b4572312d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 11 Jul 2025 19:37:40 +0200 Subject: [PATCH 295/798] feat(abs): user-read/write: allow files directly on the home directory. --- apparmor.d/abstractions/user-read-strict | 1 + apparmor.d/abstractions/user-write-strict | 1 + 2 files changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index f7eb186b5..9626bb0bc 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -8,6 +8,7 @@ abi , owner @{HOME}/ r, + owner @{HOME}/[^.]* rk, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} rk, diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 026825b27..88d52203e 100644 --- a/apparmor.d/abstractions/user-write-strict +++ b/apparmor.d/abstractions/user-write-strict @@ -8,6 +8,7 @@ abi , owner @{HOME}/ r, + owner @{HOME}/[^.]* wl, owner @{MOUNTS}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} wl, From a79e46acdd3768be0ab4f58ac026057a41274ad7 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 18 Jun 2025 22:27:18 +0200 Subject: [PATCH 296/798] add profile for whois --- apparmor.d/profiles-s-z/whois | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 apparmor.d/profiles-s-z/whois diff --git a/apparmor.d/profiles-s-z/whois b/apparmor.d/profiles-s-z/whois new file mode 100644 index 000000000..8353f81d0 --- /dev/null +++ b/apparmor.d/profiles-s-z/whois @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/whois +profile whois @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /etc/whois.conf r, + + include if exists +} + +# vim:syntax=apparmor From 8fc70859aaef7cc20181ac6d115a6ff8ca5a9162 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 18 Jun 2025 22:35:59 +0200 Subject: [PATCH 297/798] fix include --- apparmor.d/profiles-s-z/whois | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/whois b/apparmor.d/profiles-s-z/whois index 8353f81d0..a1549db03 100644 --- a/apparmor.d/profiles-s-z/whois +++ b/apparmor.d/profiles-s-z/whois @@ -21,7 +21,7 @@ profile whois @{exec_path} { /etc/whois.conf r, - include if exists + include if exists } # vim:syntax=apparmor From 2c1d235ef02b11750dd5cc812e24dfc188b173f7 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sat, 21 Jun 2025 12:27:14 +0200 Subject: [PATCH 298/798] Hardening kioworker with reagrd to ps See #711 --- apparmor.d/groups/kde/kioworker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 1d091fd09..61e910c88 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -38,7 +38,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, - @{bin}/gs rPUx, + @{bin}/gs rix, #aa:exec kio_http_cache_cleaner From cdb64e14bab522751c7cec2b51cdbdb1ebadf05e Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 16 Jul 2025 18:37:52 +0200 Subject: [PATCH 299/798] add texstudio --- apparmor.d/profiles-s-z/texstudio | 48 +++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 apparmor.d/profiles-s-z/texstudio diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio new file mode 100644 index 000000000..836a9a6ab --- /dev/null +++ b/apparmor.d/profiles-s-z/texstudio @@ -0,0 +1,48 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/texstudio +profile texstudio @{exec_path} { + include + include + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/pdflatex ix, + @{bin}/pdftex ix, + @{bin}/kpsewhich ix, + @{bin}/gsettings ix, + @{bin}/which ix, + + /usr/share/texmf-dist/{,**} r, + /usr/share/doc/texstudio/{,**} r, + /usr/share/hunspell/{,**} r, + /usr/share/texstudio/{,**} r, + /usr/share/poppler/{,**} r, + + /etc/texmf/{,**} r, + /etc/machine-id r, + + /var/lib/texmf/{,**} r, + + owner @{user_config_dirs}/texstudio/{,**} rwlk, + owner /tmp/qtsingleapp-TeXstu-** rw, + owner /tmp/qtsingleapp-TeXstu-**-lockfile rwk, + + ## silencer + deny owner /usr/share/hunspell/en_US-large.ign w, + + include if exists +} + +# vim:syntax=apparmor From d120792297b4902b1bc4fb640833c2c619f77796 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 18 Jul 2025 11:27:21 +0200 Subject: [PATCH 300/798] fix ci --- apparmor.d/profiles-s-z/texstudio | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio index 836a9a6ab..4a42a8eff 100644 --- a/apparmor.d/profiles-s-z/texstudio +++ b/apparmor.d/profiles-s-z/texstudio @@ -15,14 +15,14 @@ profile texstudio @{exec_path} { include include include - + @{exec_path} mr, @{bin}/pdflatex ix, @{bin}/pdftex ix, @{bin}/kpsewhich ix, @{bin}/gsettings ix, - @{bin}/which ix, + @{bin}/which{,.debianutils} ix, /usr/share/texmf-dist/{,**} r, /usr/share/doc/texstudio/{,**} r, From 7b6f2353fdbf4f7fce1ef27c1e25d4aa9f3b6bb3 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 18 Jul 2025 11:29:42 +0200 Subject: [PATCH 301/798] remove white space --- apparmor.d/profiles-s-z/texstudio | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio index 4a42a8eff..52e9e53e6 100644 --- a/apparmor.d/profiles-s-z/texstudio +++ b/apparmor.d/profiles-s-z/texstudio @@ -41,7 +41,7 @@ profile texstudio @{exec_path} { ## silencer deny owner /usr/share/hunspell/en_US-large.ign w, - + include if exists } From 7a47914542ce3e45e85e759f1e38a9cdee244a00 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:07:33 +0200 Subject: [PATCH 302/798] tests: add test file for whois. --- tests/integration/whois.bats | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 tests/integration/whois.bats diff --git a/tests/integration/whois.bats b/tests/integration/whois.bats new file mode 100644 index 000000000..fd1cba5fa --- /dev/null +++ b/tests/integration/whois.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load common + +@test "whois: Get information about a domain name" { + whois google.fr +} + +@test "whois: Get information about an IP address" { + whois 8.8.8.8 +} + +@test "whois: Get abuse contact for an IP address" { + whois -b 8.8.8.8 +} + From 8020c2c63d0c578e147b8ee9230010dc4aca44a7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:09:41 +0200 Subject: [PATCH 303/798] feat(profile): update pacman profiles. --- apparmor.d/groups/pacman/makepkg | 5 +++-- apparmor.d/groups/pacman/paccache | 1 + apparmor.d/groups/pacman/pacman | 2 +- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 30650d80c..583d0b9c0 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -11,6 +11,7 @@ profile makepkg @{exec_path} { include include include + include include include include @@ -72,8 +73,8 @@ profile makepkg @{exec_path} { owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index f537afdb3..8bf1aed6a 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -36,6 +36,7 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /etc/pacman.conf r, /etc/pacman.d/{,**} r, + /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**, /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index ff43e2196..01543d63f 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -187,7 +187,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { include if exists } - profile systemctl { + profile systemctl flags=(attach_disconnected) { include include From 03b174a2d42c6d36e3f979a92e35f06f1f6b1f5c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:11:18 +0200 Subject: [PATCH 304/798] feat(profile): simplify modprobe-nvidia. --- apparmor.d/groups/children/child-modprobe-nvidia | 3 --- 1 file changed, 3 deletions(-) diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 9b331a8ce..61191fe9d 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -20,7 +20,6 @@ include profile child-modprobe-nvidia flags=(attach_disconnected) { include include - include capability chown, capability fsetid, @@ -35,8 +34,6 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, - @{PROC}/sys/kernel/modprobe r, - @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, From 881402dc2166b735712e40134558568512059ee8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:17:26 +0200 Subject: [PATCH 305/798] feat(profile): improve some systemd profiles. --- apparmor.d/groups/systemd/systemd-coredump | 2 +- apparmor.d/groups/systemd/systemd-machined | 22 ++++++++++++++++++- .../systemd/systemd-tty-ask-password-agent | 3 ++- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 52efea3db..2f6d81fdb 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -39,7 +39,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, - owner @{HOME}/**.so r, + owner @{HOME}/**.so* r, /var/lib/systemd/coredump/{,**} rwl, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index b37f2300b..b9244ece6 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -10,6 +10,7 @@ include profile systemd-machined @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -21,6 +22,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { capability kill, capability mknod, capability setgid, + capability setuid, capability sys_admin, capability sys_chroot, capability sys_ptrace, @@ -31,26 +33,44 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + signal send set=rtmin+6 peer=systemd-nspawn, + + ptrace read peer=systemd-nspawn, + #aa:dbus own bus=system name=org.freedesktop.machine1 #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @{exec_path} mr, - /var/lib/machines/{,**} rw, /etc/machine-id r, + / r, + @{att}/ r, + + owner /var/lib/machines/ rw, + owner /var/lib/machines/** rwk, + + owner @{run}/systemd/nspawn/ w, + owner @{run}/systemd/nspawn/locks/ w, + owner @{run}/systemd/nspawn/locks/** rwk, + @{run}/systemd/machine/{,**} rw, @{run}/systemd/machines/{,**} rw, @{run}/systemd/notify w, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/gid_map r, + @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/uid_map r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, /dev/ptmx rw, /dev/pts/@{int} rw, + /dev/pts/ptmx rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 30d30b295..b318bf3dd 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -17,10 +17,11 @@ profile systemd-tty-ask-password-agent @{exec_path} { capability net_admin, capability sys_resource, + signal receive set=(term cont winch) peer=@{p_logrotate}, signal receive set=(term cont winch) peer=*//systemctl, signal receive set=(term cont winch) peer=deb-systemd-invoke, signal receive set=(term cont winch) peer=default, - signal receive set=(term cont winch) peer=@{p_logrotate}, + signal receive set=(term cont winch) peer=machinectl, signal receive set=(term cont winch) peer=makepkg//sudo, signal receive set=(term cont winch) peer=role_*, signal receive set=(term cont winch) peer=rpm, From c6030de00ae7566cd0267d2a10bfa6d00858a41a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Jul 2025 20:49:34 +0200 Subject: [PATCH 306/798] build: add just command for local and dev install. --- Justfile | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/Justfile b/Justfile index 109cfed3b..7753ad2d1 100644 --- a/Justfile +++ b/Justfile @@ -95,7 +95,7 @@ fsp-complain: build fsp-debug: build @./{{build}}/prebuild --complain --full --debug -[group('build')] +[group('install')] [doc('Install prebuild profiles')] install: #!/usr/bin/env bash @@ -123,6 +123,35 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done +[group('install')] +[doc('Locally install prebuild profiles')] +local +args: + #!/usr/bin/env bash + set -eu -o pipefail + install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log + mapfile -t abs < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n") + for file in "${abs[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file" + done; + mapfile -t tunables < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n") + for file in "${tunables[@]}"; do + install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file" + done; + echo "Warning: profile dependencies fallback to unconfined." + for file in {{args}}; do + grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true + sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file" + install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" + done; + systemctl restart apparmor || sudo journalctl -xeu apparmor.service + +[group('install')] +[doc('Prebuild, install, and load a dev profile')] +dev name: + go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` + sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} + sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service + [group('packages')] [doc('Build & install apparmor.d on Arch based systems')] pkg: From 72b136578dd1e5db2efa5b60790fcafd679dd72a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:12:46 +0200 Subject: [PATCH 307/798] fix(profile): ensure wc is in pacman-hook-perl fix #786 --- apparmor.d/groups/pacman/pacman-hook-perl | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index 07539ae95..aa2be8b09 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -20,6 +20,7 @@ profile pacman-hook-perl @{exec_path} { @{bin}/find rix, @{bin}/pacman rPx, @{bin}/sed rix, + @{bin}/wc rix, /dev/tty rw, /dev/tty@{int} rw, From 38b165ff319da0177f2fc983921fd6c80bbe360e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:13:50 +0200 Subject: [PATCH 308/798] feat(profile): minor apt improvement. --- apparmor.d/groups/apt/apt | 1 + apparmor.d/groups/apt/apt-methods-sqv | 1 + apparmor.d/groups/apt/dpkg-scripts | 1 + 3 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 5be4284f9..9bdabb1c2 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -64,6 +64,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/cat rix, @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/id rix, diff --git a/apparmor.d/groups/apt/apt-methods-sqv b/apparmor.d/groups/apt/apt-methods-sqv index 416328cd4..0dcd7da0d 100644 --- a/apparmor.d/groups/apt/apt-methods-sqv +++ b/apparmor.d/groups/apt/apt-methods-sqv @@ -18,6 +18,7 @@ profile apt-methods-sqv @{exec_path} { capability setuid, signal receive set=int peer=apt, + signal receive set=int peer=packagekitd, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index d3994d0ec..44e4790c4 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -65,6 +65,7 @@ profile dpkg-scripts @{exec_path} { @{lib}/@{python_name}/**/__pycache__/ w, @{lib}/@{python_name}/**/__pycache__/**.pyc w, @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, + @{lib}/modules/*/.fresh-install w, /etc/ r, /etc/** rw, From d9d762aaaa939e29048ea75715a71f6f96f675af Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:16:29 +0200 Subject: [PATCH 309/798] fix(profile): systemd-coredump: also allow sbin --- apparmor.d/groups/systemd/systemd-coredump | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 2f6d81fdb..2bd25ec16 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -33,6 +33,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{lib}/** r, / r, @{bin}/* r, + @{sbin}/* r, /opt/** r, @{user_lib_dirs}/** r, From 2f1022dc8de00f29472a0fe1c5c8ed8bd7ed8c78 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:19:29 +0200 Subject: [PATCH 310/798] feat(profile): general minor update to profiles. --- apparmor.d/profiles-a-f/alacarte | 7 ++++++- apparmor.d/profiles-a-f/birdtray | 2 +- apparmor.d/profiles-a-f/code-extension-git-askpass | 4 ++-- apparmor.d/profiles-a-f/dkms | 1 + apparmor.d/profiles-g-l/git | 3 ++- apparmor.d/profiles-m-r/needrestart-restart | 1 + apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-s-z/wechat | 2 +- apparmor.d/profiles-s-z/wechat-appimage | 3 ++- apparmor.d/profiles-s-z/wechat-universal | 4 ++-- 10 files changed, 19 insertions(+), 10 deletions(-) diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index eed67619d..700c6d517 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/alacarte -profile alacarte @{exec_path} { +profile alacarte @{exec_path} flags=(attach_disconnected) { include include include @@ -30,6 +30,11 @@ profile alacarte @{exec_path} { owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray index c63a8de7c..771560c6b 100644 --- a/apparmor.d/profiles-a-f/birdtray +++ b/apparmor.d/profiles-a-f/birdtray @@ -40,7 +40,7 @@ profile birdtray @{exec_path} { owner @{HOME}/.thunderbird/*.*/{Imap,}Mail/**/*.msf r, owner @{user_config_dirs}/ulduzsoft/ rw, - owner @{user_config_dirs}/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*, + owner @{user_config_dirs}/ulduzsoft/* rwkl -> @{user_config_dirs}/ulduzsoft/*, owner @{user_config_dirs}/birdtray-config.json rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/birdtray-config.json.* rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass index 5a31889b9..674432b2e 100644 --- a/apparmor.d/profiles-a-f/code-extension-git-askpass +++ b/apparmor.d/profiles-a-f/code-extension-git-askpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh +@{exec_path} = @{lib}/code/extensions/git/dist/askpass.sh @{lib}/code/extensions/git/dist/ssh-askpass.sh profile code-extension-git-askpass @{exec_path} { include @@ -23,7 +23,7 @@ profile code-extension-git-askpass @{exec_path} { /usr/share/terminfo/** r, - owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 5a0885143..7c594c900 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -32,6 +32,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/g++ rix, @{bin}/gcc rix, @{bin}/getconf rix, + @{bin}/hostname rix, @{bin}/kill rix, @{bin}/kmod rCx -> kmod, @{bin}/ld rix, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 457e79d2a..a0ea6393e 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -133,7 +133,8 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/ssh mr, @{bin}/ksshaskpass ix, - + @{lib}/code/extensions/git/dist/ssh-askpass.sh Px, + @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart index b9e648602..964ff1a74 100644 --- a/apparmor.d/profiles-m-r/needrestart-restart +++ b/apparmor.d/profiles-m-r/needrestart-restart @@ -13,6 +13,7 @@ profile needrestart-restart @{exec_path} { @{exec_path} mr, @{bin}/systemctl Cx -> systemctl, + @{sh_path} r, /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 096f0316a..7e432a838 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -40,7 +40,7 @@ profile pass @{exec_path} { @{bin}/tr ix, @{bin}/tree ix, @{bin}/tty ix, - @{bin}/which{,.debianutils} ix, + @{bin}/which{,.debianutils} rix, @{bin}/git Cx -> git, @{bin}/gpg{2,} Cx -> gpg, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index b7ad3a2e8..cb554fc6b 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -14,9 +14,9 @@ include @{exec_path} = @{lib_dirs}/wechat profile wechat @{exec_path} flags=(attach_disconnected) { include - include include include + include include network netlink raw, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 55155f2b8..9f8c20338 100644 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -14,10 +14,11 @@ include @{exec_path} = @{bin}/wechat @{lib_dirs}/wechat-appimage.Appimage /tmp/.mount_wechat??????/user/bin/wechat profile wechat-appimage @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include network netlink raw, network netlink dgram, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 21e1eee10..cd8958e8e 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -14,10 +14,10 @@ include @{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat profile wechat-universal @{exec_path} flags=(attach_disconnected) { include - include include - include include + include + include include network netlink raw, From f183ae709f4ffeea0443145cfcaf45d34d1dac62 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 18 Jul 2025 00:23:37 +0200 Subject: [PATCH 311/798] chore: fix linter issue. --- apparmor.d/profiles-g-l/git | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index a0ea6393e..c9373c7ae 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -134,7 +134,7 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/ssh mr, @{bin}/ksshaskpass ix, @{lib}/code/extensions/git/dist/ssh-askpass.sh Px, - + @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, From 033354314f0e98b9f9e00ce240a634b42d731b9c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 19 Jul 2025 17:54:02 +0200 Subject: [PATCH 312/798] doc: minor documentation update. --- docs/configuration.md | 2 +- docs/development/roadmap.md | 8 ++++---- docs/development/vm.md | 31 +++++++++++++++++++++++-------- docs/full-system-policy.md | 10 ++++++++++ 4 files changed, 38 insertions(+), 13 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index fd8a5d38c..5e1c7992f 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -41,7 +41,7 @@ You can extend any profile with your own rules by creating a file in the `/etc/a **Example** -By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behaviour by creating a local profile addition file for `nautilus`: +By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behavior by creating a local profile addition file for `nautilus`: 1. Create the file `/etc/apparmor.d/local/nautilus` and add the following rules in it: ```sh diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 75cbcdd10..b42467e3d 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -22,13 +22,13 @@ This is the current list of features that must be implemented to get to a stable - [ ] **General improvements** - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - - [ ] The apt/dpkg profiles needs to be reworked + - [x] The apt/dpkg profiles needs to be reworked - [ ] Build system - [ ] Continuous release on the main branch, ~2 releases per week - [ ] Provide packages repo for ubuntu/debian - [ ] Provide complain/enforced packages version - - [ ] Add a `just` target to install the profiles in the right place + - [x] Add a `just` target to install the profiles in the right place - [ ] Fully drop the Makefile in favor of `just` ## Next features @@ -41,9 +41,9 @@ This is the current list of features that must be implemented to get to a stable - [ ] Fully rewrite the way user data is allowed / denied. The current implementation requires too much configuration to be usable by everyone. - [ ] Add a prompt listener to handle the user data access. -- [ ] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)** +- [x] **[Full System Policy](https://github.com/roddhjav/apparmor.d/issues/252)** - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing - - [ ] Remove the `default` profile + - [x] Remove the `default` profile ## Done diff --git a/docs/development/vm.md b/docs/development/vm.md index 66630022e..1edddba76 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md @@ -14,22 +14,42 @@ $ just ``` Available recipes: help # Show this help message + clean # Remove all build artifacts + + [build] build # Build the go programs enforce # Prebuild the profiles in enforced mode complain # Prebuild the profiles in complain mode fsp # Prebuild the profiles in FSP mode - install # Install the profiles + fsp-complain # Prebuild the profiles in FSP mode (complain) + fsp-debug # Prebuild the profiles in FSP mode (debug) + + [install] + install # Install prebuild profiles + local +names # Locally install prebuild profiles + dev name # Prebuild, install, and load a dev profile + + [packages] pkg # Build & install apparmor.d on Arch based systems dpkg # Build & install apparmor.d on Debian based systems rpm # Build & install apparmor.d on OpenSUSE based systems + package dist # Build the package in a clean OCI container + + [tests] tests # Run the unit tests + init dist flavor # Install dependencies for the bats integration tests + integration dist flavor # Run the integration tests on the machine + + [linter] lint # Run the linters check # Run style checks on the profiles + + [docs] man # Generate the man pages docs # Build the documentation serve # Serve the documentation - clean # Remove all build artifacts - package dist # Build the package in a clean OCI container + + [vm] img dist flavor # Build the VM image create dist flavor # Create the machine up dist flavor # Start a machine @@ -40,13 +60,8 @@ Available recipes: list # List the machines images # List the VM images available # List the VM images that can be created - init dist flavor # Install dependencies for the bats integration tests - integration dist flavor # Run the integration tests on the machine - get_ip dist flavor - get_osinfo dist See https://apparmor.pujol.io/development/ for more information. - ``` ## Requirements diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index 016ed8ada..b523a1c38 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -137,6 +137,16 @@ To work as intended, userland services started by `systemd --user` **should** ha @{lib}/foo rPx -> systemd//&foo, ``` +### Role Based Access Control (RBAC) + +In FSP, interactive shell from the user must be confined. This is done through [pam_apparmor](https://gitlab.com/apparmor/apparmor/-/wikis/pam_apparmor). It provides [Role-based access controls (RBAC)](https://en.wikipedia.org/wiki/Role-based_access_control) that can restrict interactive shell to well-defined role. The role needs to be defined. This project ship with a default set of roles, but you can create your own. The default roles are: + +- **`user`**: This is the default role. It is used for any user that does not have a specific role defined. It has access to the user home directory and other sensitive files. + +- **`admin`**: This role is used for any user that has administrative access. It has access to the system files and directories, but not to the user home directory. + +- **`system`**: This role is used for any user that has system access. It has access to the system files and directories, but not to the user home directory. + ### Fallback In addition to the `systemd` profiles, a full system policy needs to ensure that no programs run in an unconfined state at any time. The fallback profiles consist of a set generic specialized profiles: From ee328ecea8e2b7f071ee25380cb28dd62ca50c98 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 19 Jul 2025 17:58:06 +0200 Subject: [PATCH 313/798] fix(profile): ensure gpg has access to pacman public keyring. #788 --- apparmor.d/groups/gpg/gpg | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 7ebb9e3a4..6a01796ff 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,6 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, + /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, From bba6f253adda95e072e9b92095f2913738d2abcf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 13:22:29 +0200 Subject: [PATCH 314/798] doc: add link to the last talk. --- README.md | 4 ++++ docs/overview.md | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/README.md b/README.md index ddb1e79b3..c1c7726c5 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,10 @@ Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + ## Installation Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install) diff --git a/docs/overview.md b/docs/overview.md index fb6712a14..20a5a454f 100644 --- a/docs/overview.md +++ b/docs/overview.md @@ -43,6 +43,10 @@ Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* +Lessons learned while making an AppArmor Play machine: + +- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))* + ### Chat A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org From cf76e2e71411238a48de625334fc8092fc5f9492 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 13:35:53 +0200 Subject: [PATCH 315/798] build(arch): sync pkgbuild with the with aur version. --- PKGBUILD | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index b48e55153..dfbb46735 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -8,9 +8,9 @@ pkgver=0.001 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') -url="https://github.com/roddhjav/$pkgname" +url="https://github.com/roddhjav/apparmor.d" license=('GPL-2.0-only') -depends=('apparmor') +depends=('apparmor>=4.1.0' 'apparmor<5.0.0') makedepends=('go' 'git' 'rsync' 'just') conflicts=("$pkgname-git") From 101248b37e235d9176918fc99b23fe370b773ffb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:06:58 +0200 Subject: [PATCH 316/798] feat(profile): minor profile update. --- apparmor.d/abstractions/bus/org.freedesktop.systemd1 | 5 +++++ apparmor.d/groups/freedesktop/wireplumber | 2 +- apparmor.d/groups/gnome/gnome-session-check | 5 +++++ apparmor.d/groups/network/dhcpcd | 2 ++ apparmor.d/groups/snap/snapd | 1 + apparmor.d/groups/ssh/sshd | 1 + .../groups/systemd-generators/systemd-generator-import | 4 ++-- apparmor.d/groups/ubuntu/apport | 6 ++++-- apparmor.d/groups/ubuntu/package-system-locked | 2 +- apparmor.d/groups/utils/who | 2 ++ apparmor.d/groups/virt/libvirtd | 1 + 11 files changed, 25 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 46297b484..341cf58ce 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -11,6 +11,11 @@ member={GetUnit,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=ListUnitsByPatterns + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,StartUnit,StartTransientUnit} diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 0925bad91..debf19f25 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -52,7 +52,7 @@ profile wireplumber @{exec_path} { owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, - /dev/shm/lttng-ust-wait-@{int} r, + /dev/shm/lttng-ust-wait-@{int} rw, owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, diff --git a/apparmor.d/groups/gnome/gnome-session-check b/apparmor.d/groups/gnome/gnome-session-check index 2a0b4965f..44755aef2 100644 --- a/apparmor.d/groups/gnome/gnome-session-check +++ b/apparmor.d/groups/gnome/gnome-session-check @@ -10,12 +10,17 @@ include profile gnome-session-check @{exec_path} { include include + include @{exec_path} mr, @{lib}/gnome-session-check-accelerated-gl-helper ix, @{lib}/gnome-session-check-accelerated-gles-helper ix, + /usr/share/gnome-session/hardware-compatibility r, + + @{PROC}/cmdline r, + include if exists } diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 7f47b9975..51cf215f9 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -40,6 +40,8 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{lib}/dhcpcd/dhcpcd-run-hooks rix, + /usr/share/dhcpcd/{,**} r, + /etc/dhcpcd.conf r, /etc/resolv.conf rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 1add6c1c4..5f0885693 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -110,6 +110,7 @@ profile snapd @{exec_path} { /etc/modprobe.d/{,**/} r, /etc/modules-load.d/{,**/} r, /etc/modules-load.d/*snap* rw, + /etc/polkit-1/rules.d/{,**/} r, /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, /etc/systemd/user/{,**/} rw, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 2494dc2c2..63f2c1370 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -32,6 +32,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { capability dac_override, capability dac_read_search, capability fowner, + capability fsetid, capability kill, capability net_bind_service, capability setgid, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import index 36ff4e5ff..de3753aaf 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-import +++ b/apparmor.d/groups/systemd-generators/systemd-generator-import @@ -16,13 +16,13 @@ profile systemd-generator-import @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + / r, + @{PROC}/@{pid}/cgroup r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - / r, - /dev/kmsg w, include if exists diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 8219ef185..9f3fd2999 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -28,8 +28,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/{,e,f}grep rix, - @{bin}/dpkg rPx -> child-dpkg, - @{bin}/dpkg-divert rPx -> child-dpkg-divert, + @{bin}/dpkg rPx -> &child-dpkg, + @{bin}/dpkg-divert rPx -> &child-dpkg-divert, @{bin}/gdbus rix, @{bin}/md5sum rix, @@ -37,6 +37,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{etc_ro}/login.defs r, /etc/apport/report-ignore/{,**} r, + /etc/dpkg/dpkg.cfg r, + /etc/dpkg/dpkg.cfg.d/{,**} r, /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 7398fc404..8cf3ed885 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - mqueue r type=posix /, + mqueue (read,getattr) type=posix /, ptrace (read), diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index 3da07f89d..fd49b2bec 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -18,6 +18,8 @@ profile who @{exec_path} { @{exec_path} mr, + @{run}/systemd/sessions/* r, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index a0d636883..c90e80af9 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -86,6 +86,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), unix (send, receive) type=stream addr=none peer=(label=unconfined), + unix (send, receive) type=stream addr=none peer=(label=virt-manager), # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, From f364ab5e48296838ce76e2d6368435caf5a6ea5e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:13:40 +0200 Subject: [PATCH 317/798] feat(profile): firefox: improve crashreporter. --- apparmor.d/groups/browsers/firefox-crashhelper | 2 +- apparmor.d/groups/browsers/firefox-crashreporter | 11 ++++++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper index 55443a330..55af7c2e2 100644 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -12,7 +12,7 @@ include @{cache_dirs} = @{user_cache_dirs}/mozilla/ @{exec_path} = @{lib_dirs}/crashhelper -profile firefox-crashhelper @{exec_path} { +profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 1c418eef4..8feccaa93 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -28,22 +28,23 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, @{bin}/curl rix, @{bin}/mv rix, @{lib_dirs}/minidump-analyzer rPx, - @{bin}/mv rix, - owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw, owner @{config_dirs}/firefox/*.*/crashes/{,**} rw, owner @{config_dirs}/firefox/*.*/crashes/events/@{uuid} rw, owner @{config_dirs}/firefox/*.*/extensions/*.xpi r, owner @{config_dirs}/firefox/*.*/minidumps/{,**} rw, owner @{config_dirs}/firefox/*.*/minidumps//@{uuid}.{dmp,extra} r, + owner @{config_dirs}/firefox/*.*/prefs.js r, + owner @{config_dirs}/firefox/*.*/storage-sync-v2.sqlite-shm r, owner @{config_dirs}/firefox/*.*/storage/default/* r, + owner @{config_dirs}/firefox/Profile*/*.sqlite-shm r, owner @{cache_dirs}/firefox/*.*/** r, @@ -54,10 +55,14 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) { owner /dev/shm/org.mozilla.ipc.@{int}.@{int} r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, /dev/dri/card@{int} rw, /dev/dri/renderD128 rw, + /dev/nvidia@{int} r, + /dev/nvidiactl r, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, From cba7355142b9bc0a20adae21f129a47e100baa92 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:14:30 +0200 Subject: [PATCH 318/798] feat(abs): update nvidia GLCache. --- apparmor.d/abstractions/nvidia-strict | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 6fe815773..c3aa8e805 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -18,6 +18,8 @@ owner @{HOME}/.nv/ComputeCache/** rw, owner @{HOME}/.nv/ComputeCache/index rwk, owner @{HOME}/.nv/nvidia-application-profiles-* r, + + @{user_cache_dirs}/nvidia/GLCache/@{hex32}/ rw, owner @{user_cache_dirs}/nvidia/ w, owner @{user_cache_dirs}/nvidia/GLCache/ rw, owner @{user_cache_dirs}/nvidia/GLCache/** rwk, From e490a11c1a2ecfadd2cbc0759d77f4706bc2ee61 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:25:41 +0200 Subject: [PATCH 319/798] feat(profile): add hwclock. --- apparmor.d/groups/utils/hwclock | 30 ++++++++++++++++++++++++++++ tests/integration/utils/hwclock.bats | 6 +++--- tests/requirements.sh | 3 ++- 3 files changed, 35 insertions(+), 4 deletions(-) create mode 100644 apparmor.d/groups/utils/hwclock diff --git a/apparmor.d/groups/utils/hwclock b/apparmor.d/groups/utils/hwclock new file mode 100644 index 000000000..d1433a605 --- /dev/null +++ b/apparmor.d/groups/utils/hwclock @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/hwclock +profile hwclock @{exec_path} { + include + include + + capability audit_write, + capability sys_time, + + network netlink raw, + + @{exec_path} mr, + + /etc/adjtime rw, + + @{sys}/devices/pnp@{int}/*/rtc/rtc@{int}/{,*} r, + + /dev/rtc@{int} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/hwclock.bats b/tests/integration/utils/hwclock.bats index 88c981c31..4a1bc0f83 100644 --- a/tests/integration/utils/hwclock.bats +++ b/tests/integration/utils/hwclock.bats @@ -6,14 +6,14 @@ load ../common @test "hwclock: Display the current time as reported by the hardware clock" { - hwclock + sudo hwclock } @test "hwclock: Write the current software clock time to the hardware clock (sometimes used during system setup)" { - hwclock --systohc + sudo hwclock --systohc } @test "hwclock: Write the current hardware clock time to the software clock" { - hwclock --hctosys + sudo hwclock --hctosys } diff --git a/tests/requirements.sh b/tests/requirements.sh index 52d7cb36b..085ad8c7c 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -21,7 +21,8 @@ debian | ubuntu | whonix) sudo apt update -y sudo apt install -y \ bats bats-support \ - cpuid dfc systemd-userdbd systemd-homed tlp network-manager flatpak + cpuid dfc systemd-userdbd systemd-homed tlp network-manager flatpak \ + util-linux-extra ;; opensuse*) ;; From d4d4f3ae4b4ad994ea633dbebd4b879f8a69621a Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 27 Jul 2025 17:13:11 +0200 Subject: [PATCH 320/798] add xournalpp --- apparmor.d/profiles-s-z/xournalpp | 44 +++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 apparmor.d/profiles-s-z/xournalpp diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp new file mode 100644 index 000000000..7d74ce7da --- /dev/null +++ b/apparmor.d/profiles-s-z/xournalpp @@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xournalpp +profile xournalpp @{exec_path} { + include + include + include + include + include + include + include + include + include + + @{exec_path} mr, + + /usr/share/xournalpp/** r, + + /etc/machine-id r, + /etc/pipewire/jack.conf.d/ r, + + owner @{user_config_dirs}/xournalpp/** rw, + owner @{user_cache_dirs}/xournalpp/** rw, + + /dev/snd/controlC@{int} w, + /dev/snd/pcmC@{rand4} rw, + + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + include if exists +} + +# vim:syntax=apparmor From fc421183a024cb3abb4c3343ed7a1954f53e4511 Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 29 Jul 2025 14:19:17 +0200 Subject: [PATCH 321/798] xournalpp improvements --- apparmor.d/profiles-s-z/xournalpp | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index 7d74ce7da..6442fe8b9 100644 --- a/apparmor.d/profiles-s-z/xournalpp +++ b/apparmor.d/profiles-s-z/xournalpp @@ -8,11 +8,10 @@ include @{exec_path} = @{bin}/xournalpp profile xournalpp @{exec_path} { - include include + include include include - include include include include @@ -20,16 +19,15 @@ profile xournalpp @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-browsers, + /usr/share/xournalpp/** r, /etc/machine-id r, /etc/pipewire/jack.conf.d/ r, - owner @{user_config_dirs}/xournalpp/** rw, - owner @{user_cache_dirs}/xournalpp/** rw, - - /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{rand4} rw, + owner @{user_config_dirs}/xournalpp/{,**} rw, + owner @{user_cache_dirs}/xournalpp/{,**} rw, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @@ -38,6 +36,9 @@ profile xournalpp @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/snd/controlC@{int} w, + /dev/snd/pcmC@{rand4} rw, + include if exists } From 9e4db4373e89361b65c2009245b3242087eb830d Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 31 Jul 2025 09:22:28 -0600 Subject: [PATCH 322/798] Add support for MD RAID devices to the disk-read/write abstractions (#796) --- apparmor.d/abstractions/disks-read | 6 ++++++ apparmor.d/abstractions/disks-write | 3 +++ 2 files changed, 9 insertions(+) diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index e1bf31298..872b0c552 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -81,6 +81,11 @@ # CD-ROM /dev/sr@{int} rk, + # MD RAID devices + /dev/md@{int} rk, + @{sys}/devices/virtual/block/md@{int}/ r, + @{sys}/devices/virtual/block/md@{int}/** r, + # Lookup block device by major:minor numbers # See: https://apparmor.pujol.io/development/internal/#udev-rules @@ -91,6 +96,7 @@ @{run}/udev/data/b2:@{int} r, # for /dev/fd* @{run}/udev/data/b7:@{int} r, # for /dev/loop* @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b9:@{int} r, # for /dev/md* @{run}/udev/data/b11:@{int} r, # for /dev/sr* @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index ce0a05dd5..a52518042 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -41,6 +41,9 @@ # CD-ROM /dev/sr@{int} w, + # MD RAID devices + /dev/md@{int} w, + include if exists # vim:syntax=apparmor From 8b280b5ef02803eaaf1aeb82173170f0dfe861fd Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 31 Jul 2025 09:00:05 -0600 Subject: [PATCH 323/798] Allow sbctl to parse DMI data This path is hard coded in "dmi/dmi.go" --- apparmor.d/profiles-s-z/sbctl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 9dbbf0933..ef007a32c 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -26,6 +26,8 @@ profile sbctl @{exec_path} { @{lib}/fwupd/efi/{,**} rw, @{lib}/systemd/boot/efi/systemd-boot*.efi.signed rw, + @{sys}/devices/virtual/dmi/id/* r, + @{sys}/firmware/efi/efivars/db-@{uuid} rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/firmware/efi/efivars/PK-@{uuid} rw, From ed06dac70239aa8f4eca700ae79c87fe9aa6ef49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:45:44 +0200 Subject: [PATCH 324/798] feat(profile): add lsipc --- apparmor.d/groups/utils/lsipc | 33 ++++++++++++++++++++++++++++++ tests/integration/utils/lsipc.bats | 16 +++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/groups/utils/lsipc create mode 100644 tests/integration/utils/lsipc.bats diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc new file mode 100644 index 000000000..12c8d333c --- /dev/null +++ b/apparmor.d/groups/utils/lsipc @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsipc +profile lsipc @{exec_path} { + include + include + + @{exec_path} mr, + + @{PROC}/sys/fs/mqueue/msg_max r, + @{PROC}/sys/fs/mqueue/msgsize_max r, + @{PROC}/sys/fs/mqueue/queues_max r, + @{PROC}/sys/kernel/msgmax r, + @{PROC}/sys/kernel/msgmnb r, + @{PROC}/sys/kernel/msgmni r, + @{PROC}/sys/kernel/sem r, + @{PROC}/sys/kernel/shmall r, + @{PROC}/sys/kernel/shmmax r, + @{PROC}/sys/kernel/shmmni r, + @{PROC}/sysvipc/msg r, + @{PROC}/sysvipc/sem r, + @{PROC}/sysvipc/shm r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lsipc.bats b/tests/integration/utils/lsipc.bats new file mode 100644 index 000000000..a18126982 --- /dev/null +++ b/tests/integration/utils/lsipc.bats @@ -0,0 +1,16 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsipc: Show information about all active IPC facilities" { + lsipc +} + +@test "lsipc: Show information about active shared memory segments, message queues or sempahore sets" { + lsipc --shmems + lsipc --queues + lsipc --semaphores +} From f516e1140a200f13506be2f8720640ef45f1f9cc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:46:22 +0200 Subject: [PATCH 325/798] feat(profile): add lsfd --- apparmor.d/groups/utils/lsfd | 59 +++++++++++++++++++++++++++++++ tests/integration/utils/lsfd.bats | 19 ++++++++++ 2 files changed, 78 insertions(+) create mode 100644 apparmor.d/groups/utils/lsfd create mode 100644 tests/integration/utils/lsfd.bats diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd new file mode 100644 index 000000000..6b30f63a9 --- /dev/null +++ b/apparmor.d/groups/utils/lsfd @@ -0,0 +1,59 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsfd +profile lsfd @{exec_path} flags=(attach_disconnected) { + include + include + + capability checkpoint_restore, + capability dac_read_search, + capability sys_admin, + capability sys_ptrace, + capability sys_resource, + capability syslog, + + network netlink dgram, + network netlink raw, + + ptrace read, + ptrace trace, + + mqueue (read create delete getattr) type=posix /.lsfd-mqueue-nodev-test:@{int}, + + @{exec_path} mr, + + / r, + @{att}/ r, + + owner @{att}/.lsfd-mqueue-nodev-test:@{int} rw, + + @{run}/ r, + @{run}/netns/ r, + + @{sys}/kernel/cpu_byteorder r, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/net/* r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/devices r, + @{PROC}/misc r, + @{PROC}/partitions r, + @{PROC}/tty/drivers r, + owner @{PROC}/@{pid}/syscall r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lsfd.bats b/tests/integration/utils/lsfd.bats new file mode 100644 index 000000000..bf0c4de0c --- /dev/null +++ b/tests/integration/utils/lsfd.bats @@ -0,0 +1,19 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsfd: List all open file descriptors" { + lsfd +} + +@test "lsfd: List all files kept open by a specific program" { + sudo lsfd --filter 'PID == 1' +} + +@test "lsfd: List open IPv4 or IPv6 sockets" { + sudo lsfd -i4 + sudo lsfd -i6 +} From 926a6fdcb9047ff8e8c1d9e7b1b309ee09fee1a8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:55:36 +0200 Subject: [PATCH 326/798] feat(profile): add lslocks --- apparmor.d/groups/utils/lslocks | 33 ++++++++++++++++++++++++++++ tests/integration/utils/lslocks.bats | 22 +++++++++++++++++++ 2 files changed, 55 insertions(+) create mode 100644 apparmor.d/groups/utils/lslocks create mode 100644 tests/integration/utils/lslocks.bats diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks new file mode 100644 index 000000000..5fbcdbc8f --- /dev/null +++ b/apparmor.d/groups/utils/lslocks @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lslocks +profile lslocks @{exec_path} flags=(attach_disconnected) { + include + + capability dac_read_search, + capability sys_ptrace, + + ptrace read, + + @{exec_path} mr, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/locks r, + owner @{PROC}/@{pid}/ r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lslocks.bats b/tests/integration/utils/lslocks.bats new file mode 100644 index 000000000..042834cae --- /dev/null +++ b/tests/integration/utils/lslocks.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lslocks: List all local system locks" { + sudo lslocks +} + +@test "lslocks: List locks producing a raw output (no columns), and without column headers" { + sudo lslocks --raw --noheadings +} + +@test "lslocks: List locks by PID input" { + sudo lslocks --pid "$(sudo lslocks --raw --noheadings --output PID | head -1)" +} + +@test "lslocks: List locks with JSON output to stdout" { + lslocks --json +} From 8b03cff0cfc824a0c1ecd0f8df1b8c715bb2f969 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 14:58:57 +0200 Subject: [PATCH 327/798] feat(profile): add lslogins. --- apparmor.d/groups/utils/lslogins | 33 +++++++++++++++++++++++++++ tests/integration/utils/lslogins.bats | 27 ++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 apparmor.d/groups/utils/lslogins create mode 100644 tests/integration/utils/lslogins.bats diff --git a/apparmor.d/groups/utils/lslogins b/apparmor.d/groups/utils/lslogins new file mode 100644 index 000000000..7393b47c0 --- /dev/null +++ b/apparmor.d/groups/utils/lslogins @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lslogins +profile lslogins @{exec_path} { + include + include + include + + @{exec_path} mr, + + /etc/.pwd.lock w, + /etc/.pwd.lock wk, + /etc/login.defs r, + /etc/shadow r, + + /var/log/lastlog r, + /var/log/wtmp rk, + + @{run}/systemd/userdb/ r, + + @{PROC}/ r, + @{PROC}/sys/kernel/random/boot_id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lslogins.bats b/tests/integration/utils/lslogins.bats new file mode 100644 index 000000000..aa2df69b4 --- /dev/null +++ b/tests/integration/utils/lslogins.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lslogins: Display users in the system" { + lslogins + sudo lslogins +} + +@test "lslogins: Display user accounts" { + lslogins --user-accs +} + +@test "lslogins: Display last logins" { + lslogins --last +} + +@test "lslogins: Display system accounts" { + lslogins --system-accs +} + +@test "lslogins: Display supplementary groups" { + lslogins --supp-groups +} From 4f265c6d58a21c8dc98f2f65403d189cc24dddbe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 15:04:37 +0200 Subject: [PATCH 328/798] feat(profile): add lsns. --- apparmor.d/groups/utils/lsns | 42 +++++++++++++++++++++++++++++++ tests/integration/utils/lsns.bats | 31 +++++++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 apparmor.d/groups/utils/lsns create mode 100644 tests/integration/utils/lsns.bats diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns new file mode 100644 index 000000000..3d4d42efc --- /dev/null +++ b/apparmor.d/groups/utils/lsns @@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/lsns +profile lsns @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability net_admin, + capability sys_ptrace, + capability dac_read_search, + + network, + + ptrace read, + ptrace trace, + + @{exec_path} mr, + + @{att}/ r, + + @{run}/*/netns/** r, + @{run}/*/ns/** r, + + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/tests/integration/utils/lsns.bats b/tests/integration/utils/lsns.bats new file mode 100644 index 000000000..c7e6563e2 --- /dev/null +++ b/tests/integration/utils/lsns.bats @@ -0,0 +1,31 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "lsns: List all namespaces" { + lsns + sudo lsns +} + +@test "lsns: List namespaces in JSON format" { + sudo lsns --json +} + +@test "lsns: List namespaces associated with the specified process" { + sudo lsns --task 1 +} + +@test "lsns: List the specified type of namespaces only" { + sudo lsns --type mnt + sudo lsns --type net + sudo lsns --type ipc + sudo lsns --type user + sudo lsns --type pid + sudo lsns --type uts + sudo lsns --type cgroup + sudo lsns --type time +} + From fd0092d431103e5be29ac9060e1400204d57ece3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 20 Jul 2025 16:34:49 +0200 Subject: [PATCH 329/798] fix(profile): fix issues raised in tests. --- apparmor.d/groups/utils/lslocks | 2 ++ apparmor.d/groups/utils/lsns | 2 ++ apparmor.d/profiles-m-r/initramfs-hooks | 2 ++ apparmor.d/profiles-m-r/initramfs-scripts | 1 + apparmor.d/profiles-m-r/mdadm-mkconf | 1 + apparmor.d/profiles-m-r/mkinitramfs | 2 ++ 6 files changed, 10 insertions(+) diff --git a/apparmor.d/groups/utils/lslocks b/apparmor.d/groups/utils/lslocks index 5fbcdbc8f..44d2e1d01 100644 --- a/apparmor.d/groups/utils/lslocks +++ b/apparmor.d/groups/utils/lslocks @@ -17,6 +17,8 @@ profile lslocks @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sys}/devices/**/block/** r, + @{PROC}/ r, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/comm r, diff --git a/apparmor.d/groups/utils/lsns b/apparmor.d/groups/utils/lsns index 3d4d42efc..7fbf56896 100644 --- a/apparmor.d/groups/utils/lsns +++ b/apparmor.d/groups/utils/lsns @@ -28,6 +28,8 @@ profile lsns @{exec_path} flags=(attach_disconnected) { @{run}/*/netns/** r, @{run}/*/ns/** r, + @{sys}/devices/**/block/** r, + @{PROC}/ r, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 5896df049..15f8f66d6 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/initramfs-tools/hooks/** /etc/initramfs-tools/hooks/** profile initramfs-hooks @{exec_path} { include + include include @{exec_path} mr, @@ -70,6 +71,7 @@ profile initramfs-hooks @{exec_path} { profile ldd { include + include include @{bin}/ldd mr, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 485520ca0..4d38ab9c1 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/initramfs-tools/scripts/** /etc/initramfs-tools/scripts/** profile initramfs-scripts @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf index c922942ec..489068ec8 100644 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/mdadm/mkconf profile mdadm-mkconf @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index f37029627..e67bb55fe 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -88,6 +88,7 @@ profile mkinitramfs @{exec_path} { owner /boot/initrd.img-*.new rw, /var/tmp/ r, + /var/tmp/mkinitramfs_@{rand6}/** w, /var/tmp/modules_@{rand6} rw, owner /var/tmp/mkinitramfs_@{rand6} rw, owner /var/tmp/mkinitramfs_@{rand6}/ rw, @@ -98,6 +99,7 @@ profile mkinitramfs @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, From c09b5d85a46b391ad8ee9768f43839cb9a1c584a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:21:49 +0200 Subject: [PATCH 330/798] feat(profile): update systemd profiles. --- Justfile | 71 +++++++++++++------ apparmor.d/groups/systemd/bootctl | 7 +- apparmor.d/groups/systemd/busctl | 7 ++ apparmor.d/groups/systemd/journalctl | 3 + apparmor.d/groups/systemd/networkctl | 3 + apparmor.d/groups/systemd/systemd-localed | 4 +- apparmor.d/groups/systemd/systemd-machined | 3 + apparmor.d/groups/systemd/systemd-networkd | 4 ++ .../groups/systemd/systemd-nsresourcework | 2 + apparmor.d/groups/systemd/systemd-userwork | 1 + apparmor.d/groups/systemd/userdbctl | 3 +- 11 files changed, 80 insertions(+), 28 deletions(-) diff --git a/Justfile b/Justfile index 7753ad2d1..f9ce13c36 100644 --- a/Justfile +++ b/Justfile @@ -2,18 +2,8 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: -# just -# just img ubuntu24 server -# just vm ubuntu24 server -# just up ubuntu24 server -# just ssh ubuntu24 server -# just halt ubuntu24 server -# just destroy ubuntu24 server -# just list -# just images -# just available -# just clean +# Usage: `just` +# See https://apparmor.pujol.io/development/ for more information. # Build setings destdir := "/" @@ -125,7 +115,7 @@ install: [group('install')] [doc('Locally install prebuild profiles')] -local +args: +local +names: #!/usr/bin/env bash set -eu -o pipefail install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log @@ -138,7 +128,7 @@ local +args: install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file" done; echo "Warning: profile dependencies fallback to unconfined." - for file in {{args}}; do + for file in {{names}}; do grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file" install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file" @@ -336,15 +326,52 @@ available: [group('tests')] -[doc('Run the integration tests on the machine')] -integration dist flavor: - @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ - cp -rf /home/user/Projects/apparmor.d/tests/integration/ /home/user/Projects - @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ - sudo umount /home/user/Projects/apparmor.d - @ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \ - @bats --recursive --timing --print-output-on-failure Projects/integration/ +[doc('Install dependencies for the integration tests')] +init: + @bash tests/requirements.sh +[group('tests')] +[doc('Run the integration tests')] +integration: + bats --recursive --pretty --timing --print-output-on-failure tests/integration + +[group('tests')] +[doc('Install dependencies for the integration tests (machine)')] +tests-init dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init + +[group('tests')] +[doc('Synchronize the integration tests (machine)')] +tests-sync dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ + +[group('tests')] +[doc('Re-synchronize the integration tests (machine)')] +tests-resync dist flavor: (tests-mount dist flavor) \ + (tests-sync dist flavor) \ + (tests-umount dist flavor) + +[group('tests')] +[doc('Unmout the integration tests (machine)')] +tests-umount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sudo umount /home/{{username}}/Projects/apparmor.d + +[group('tests')] +[doc('Run the integration tests (machine)')] +tests-run dist flavor name="": + ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + TERM=xterm \ + bats --recursive --pretty --timing --print-output-on-failure \ + /home/{{username}}/Projects/tests/integration/{{name}} + +[group('tests')] +[doc('Mount integration tests (machine)')] +tests-mount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4 [private] get_ip dist flavor: diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index f7d001c70..47e8737fe 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -13,6 +13,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + capability linux_immutable, capability mknod, capability net_admin, capability sys_resource, @@ -47,8 +48,8 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r, - @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r, - @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r, + @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, + @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw, @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, @@ -59,7 +60,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw, - @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r, + @{sys}/firmware/efi/efivars/OsIndications-@{uuid} rw, @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index c31b28836..04ed76e72 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -48,6 +48,13 @@ profile busctl @{exec_path} flags=(attach_disconnected) { member={GetConnectionCredentials,ListNames,ListActivatableNames} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=system + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + dbus send bus=system + interface=org.freedesktop.DBus.Properties + member={GetAll,Get}, + @{exec_path} mr, @{pager_path} rPx -> child-pager, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index ef62e37cd..c852b3756 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -30,6 +30,9 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, + @{bin}/* r, + @{sbin}/* r, + /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 5b4b3e6b5..0fd89c199 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -11,6 +11,7 @@ include profile networkctl @{exec_path} flags=(attach_disconnected) { include include + include capability net_admin, capability sys_module, @@ -52,6 +53,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/netif/io.systemd.Network rw, + @{run}/systemd/netif/links/ r, @{run}/systemd/netif/leases/@{int} r, @{run}/systemd/netif/links/@{int} r, @{run}/systemd/netif/state r, @@ -63,6 +65,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, @{PROC}/cmdline r, + @{PROC}/sys/fs/nr_open r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index 104a141ce..c15eaf5b2 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -33,8 +33,8 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { /etc/default/locale rw, /etc/locale.conf rw, /etc/vconsole.conf rw, - /etc/X11/xorg.conf.d/ r, - /etc/X11/xorg.conf.d/.#*.confd* rw, + /etc/X11/xorg.conf.d/ rw, + /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, /etc/X11/xorg.conf.d/*.conf rw, @{att}/@{run}/systemd/notify rw, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index b9244ece6..520080082 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -37,6 +37,8 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { ptrace read peer=systemd-nspawn, + unix type=stream addr=@@{udbus}/bus/systemd-machine/system, + #aa:dbus own bus=system name=org.freedesktop.machine1 #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @@ -71,6 +73,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, /dev/pts/@{int} rw, /dev/pts/ptmx rw, + /dev/vsock r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index df1e74048..5105c69b8 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -60,9 +60,13 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/notify rw, @{run}/mount/utab r, + @{run}/systemd/resolve/resolv.conf r, owner @{att}/var/lib/systemd/network/ r, + owner /var/lib/systemd/network/ rw, + owner /var/lib/systemd/network/** rwk, + @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, owner @{run}/systemd/netif/** rw, diff --git a/apparmor.d/groups/systemd/systemd-nsresourcework b/apparmor.d/groups/systemd/systemd-nsresourcework index 734717c44..5b8d53398 100644 --- a/apparmor.d/groups/systemd/systemd-nsresourcework +++ b/apparmor.d/groups/systemd/systemd-nsresourcework @@ -16,6 +16,8 @@ profile systemd-nsresourcework @{exec_path} { @{exec_path} mr, + @{run}/systemd/nsresource/registry/ r, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index 29641fd74..2521c655e 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -18,6 +18,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/gshadow r, /etc/machine-id r, /etc/shadow r, diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 97625db38..fa7c13297 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/userdbctl -profile userdbctl @{exec_path} { +profile userdbctl @{exec_path} flags=(attach_disconnected) { include include include @@ -29,6 +29,7 @@ profile userdbctl @{exec_path} { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/gid_map r, + owner @{PROC}/@{pid}/setgroups r, owner @{PROC}/@{pid}/uid_map r, include if exists From a731badeff2b0723aad5b5dba309a2cc2018ca35 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:24:15 +0200 Subject: [PATCH 331/798] feat(profile): improvement raised by unit tests. --- apparmor.d/groups/ubuntu/apport | 10 +++++++ apparmor.d/groups/utils/fstrim | 2 ++ apparmor.d/groups/utils/uuidd | 6 +++- apparmor.d/groups/utils/zramctl | 4 ++- apparmor.d/profiles-g-l/kdump-config | 15 +++++++--- apparmor.d/profiles-g-l/kernel-postinst-kdump | 28 +++++++++++++++++-- apparmor.d/profiles-m-r/initramfs-hooks | 5 ++-- apparmor.d/profiles-m-r/mdadm-mkconf | 1 + apparmor.d/profiles-m-r/mkinitramfs | 24 ++++++++-------- apparmor.d/profiles-m-r/needrestart | 1 + apparmor.d/profiles-s-z/tlp | 3 ++ 11 files changed, 77 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 9f3fd2999..fbc433c05 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -49,7 +49,17 @@ profile apport @{exec_path} flags=(attach_disconnected) { owner /var/cache/apt/pkgcache.bin.@{rand6} rw, owner /var/log/apport.log rw, + /{run,var}/log/journal/ r, + /{run,var}/log/journal/@{hex32}/ r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, + @{run}/apport.lock rwk, + @{run}/log/journal/ r, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/environ r, diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim index a6ada04d5..250794671 100644 --- a/apparmor.d/groups/utils/fstrim +++ b/apparmor.d/groups/utils/fstrim @@ -26,6 +26,8 @@ profile fstrim @{exec_path} flags=(attach_disconnected) { /boot/efi/ r, /var/ r, + @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/utils/uuidd b/apparmor.d/groups/utils/uuidd index 787914537..52f52b4a2 100644 --- a/apparmor.d/groups/utils/uuidd +++ b/apparmor.d/groups/utils/uuidd @@ -11,6 +11,8 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, + network inet dgram, @{exec_path} mr, @@ -18,9 +20,11 @@ profile uuidd @{exec_path} flags=(attach_disconnected) { owner /var/lib/libuuid/clock.txt rwk, owner /var/lib/libuuid/clock-cont.txt rwk, - @{run}/uuidd/request rw, @{att}/@{run}/uuidd/request rw, + @{run}/uuidd/request rw, + @{run}/uuidd/uuidd.pid rwk, + include if exists } diff --git a/apparmor.d/groups/utils/zramctl b/apparmor.d/groups/utils/zramctl index 91697be73..a5fa2eb75 100644 --- a/apparmor.d/groups/utils/zramctl +++ b/apparmor.d/groups/utils/zramctl @@ -13,8 +13,10 @@ profile zramctl @{exec_path} { @{exec_path} mr, + @{sys}/devices/virtual/block/zram{int}/disksize w, + @{sys}/devices/virtual/block/zram{int}/reset w, @{sys}/devices/virtual/block/zram@{int}/ r, - @{sys}/devices/virtual/block/zram@{int}/comp_algorithm r, + @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw, @{sys}/devices/virtual/block/zram@{int}/disksize r, @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, @{sys}/devices/virtual/block/zram@{int}/mm_stat r, diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index f8b75f742..b6f915024 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -17,6 +17,7 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, + @{bin}/{,e}grep ix, @{bin}/basename ix, @{bin}/cat ix, @{bin}/cmp ix, @@ -25,13 +26,13 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { @{bin}/file ix, @{bin}/find ix, @{bin}/flock ix, - @{bin}/{,e}grep ix, @{bin}/hexdump ix, @{bin}/ln ix, @{bin}/logger ix, @{bin}/plymouth Px, @{bin}/readlink ix, @{bin}/rev ix, + @{bin}/rm ix, @{bin}/run-parts ix, @{bin}/sed ix, @{bin}/systemctl Cx -> systemctl, @@ -48,9 +49,15 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { / r, @{efi}/ r, - /var/crash/kdump_lock wk, - /var/crash/kexec_cmd w, - owner /var/lib/kdump/{,**} rw, + /var/crash/kdump_lock wk, + /var/crash/kexec_cmd w, + /var/lib/kdump/{,**} rw, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, + owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, @{sys}/firmware/efi/efivars/ r, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index e1358ec29..4790c5cb7 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -12,15 +12,32 @@ profile kernel-postinst-kdump @{exec_path} { @{exec_path} mr, + @{sh_path} r, + @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, + @{bin}/cp rix, @{bin}/du rix, @{bin}/find rix, - @{bin}/{m,g,}awk rix, + @{bin}/kmod rCx -> kmod, + @{bin}/ischroot rPx, + @{bin}/linux-version rPx, + @{bin}/mkdir rix, + @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, @{bin}/sync rix, + @{bin}/cut rix, @{sbin}/mkinitramfs rPx, - owner /var/lib/kdump/* w, + / r, + + /etc/initramfs-tools/conf.d/{,**} r, + /etc/initramfs-tools/initramfs.conf r, + + owner /var/lib/kdump/** rw, + + owner /tmp/tmp.@{rand10}/ rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, @@ -28,6 +45,13 @@ profile kernel-postinst-kdump @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + profile kmod { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 15f8f66d6..14a83ffbb 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -16,14 +16,15 @@ profile initramfs-hooks @{exec_path} { @{sh_path} rix, @{coreutils_path} rix, + @{bin}/fc-cache ix, @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{sbin}/update-alternatives Px, - @{sbin}/blkid Px, + @{bin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, + @{sbin}/blkid Px, /usr/share/mdadm/mkconf Px, @{bin}/* mr, diff --git a/apparmor.d/profiles-m-r/mdadm-mkconf b/apparmor.d/profiles-m-r/mdadm-mkconf index 489068ec8..120138905 100644 --- a/apparmor.d/profiles-m-r/mdadm-mkconf +++ b/apparmor.d/profiles-m-r/mdadm-mkconf @@ -25,6 +25,7 @@ profile mdadm-mkconf @{exec_path} { / r, /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index e67bb55fe..df76eb4ad 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -47,13 +47,16 @@ profile mkinitramfs @{exec_path} { @{bin}/rmdir rix, @{bin}/sed rix, @{bin}/sort rix, + @{bin}/stat rix, @{bin}/touch rix, @{bin}/tr rix, @{bin}/tsort rix, + @{bin}/uname rix, @{bin}/uniq rix, @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, + @{sbin}/blkid rPx, @{lib}/dracut/dracut-install rix, @{bin}/find rCx -> find, @@ -87,6 +90,9 @@ profile mkinitramfs @{exec_path} { owner /boot/config-* r, owner /boot/initrd.img-*.new rw, + owner /var/lib/kdump/initramfs-tools/** rw, + owner /var/lib/kdump/initrd.* rw, + /var/tmp/ r, /var/tmp/mkinitramfs_@{rand6}/** w, /var/tmp/modules_@{rand6} rw, @@ -102,13 +108,17 @@ profile mkinitramfs @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, + @{sys}/bus/ r, + @{sys}/bus/*/drivers/ r, @{sys}/devices/platform/ r, @{sys}/devices/platform/**/ r, @{sys}/devices/platform/**/modalias r, @{sys}/module/compression r, @{sys}/module/firmware_class/parameters/path r, + @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @{PROC}/modules r, owner @{PROC}/@{pid}/fd/ r, @@ -143,18 +153,8 @@ profile mkinitramfs @{exec_path} { @{sh_path} rix, @{sbin}/ldconfig.real rix, - owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r, - owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r, - - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/ r, - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/ r, - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/*.so* rw, - owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/*.so* rw, - - owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.cache{,~} rw, - - owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/ rw, - owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/aux-cache{,~} rw, + owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, include if exists } diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index f9e2c6ebc..ceac5436b 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -23,6 +23,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, + @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 3eb0800f9..0dccf1a23 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -71,6 +71,8 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+platform:* r, @{sys}/bus/pci/devices/ r, + @{sys}/bus/pci/drivers/*/ r, + @{sys}/bus/platform/devices/ r, @{sys}/class/drm/ r, @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @@ -80,6 +82,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/class r, @{sys}/devices/**/net/**/uevent r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw, + @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/net/**/uevent r, @{sys}/firmware/acpi/platform_profile* rw, From 0c2385fef902c6838a69a83953b70bd5b5beaf64 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:25:28 +0200 Subject: [PATCH 332/798] tests: update tests dependencies. --- tests/requirements.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/requirements.sh b/tests/requirements.sh index 085ad8c7c..efc357ad4 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -16,13 +16,16 @@ DISTRIBUTION="$(_lsb_release)" case "$DISTRIBUTION" in arch) + sudo pacman -Syu --noconfirm \ + bats bats-support \ + pacman-contrib tlp flatpak networkmanager ;; debian | ubuntu | whonix) sudo apt update -y sudo apt install -y \ bats bats-support \ - cpuid dfc systemd-userdbd systemd-homed tlp network-manager flatpak \ - util-linux-extra + cpuid dfc systemd-boot systemd-userdbd systemd-homed systemd-container tlp \ + network-manager systemd-container flatpak util-linux-extra ;; opensuse*) ;; From d579b330117b5e11d42b11a87f9e342e1b0b609a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:32:27 +0200 Subject: [PATCH 333/798] tests: add a few integration tests. --- tests/integration/apt/apt.bats | 18 +++++++++-- tests/integration/apt/dpkg-query.bats | 27 ++++++++++++++++ tests/integration/apt/dpkg-reconfigure.bats | 12 ++++++++ tests/integration/pacman/paccache.bats | 22 +++++++++++++ tests/integration/pacman/pacman-key.bats | 34 +++++++++++++++++++++ tests/integration/pacman/pacman.bats | 34 +++++++++++++++++++++ tests/integration/procps/sysctl.bats | 4 +-- tests/integration/procps/uptime.bats | 18 +++++++++++ tests/integration/systemd/bootctl.bats | 22 +++++++++++++ tests/integration/systemd/busctl.bats | 27 ++++++++++++++++ tests/integration/systemd/homectl.bats | 2 +- tests/integration/systemd/journalctl.bats | 30 ++++++++++++++++++ tests/integration/systemd/localectl.bats | 23 ++++++++++++++ tests/integration/systemd/machinectl.bats | 26 ++++++++++++++++ tests/integration/systemd/networkctl.bats | 18 +++++++++++ tests/integration/utils/fstrim.bats | 14 +++++++++ 16 files changed, 325 insertions(+), 6 deletions(-) create mode 100644 tests/integration/apt/dpkg-query.bats create mode 100644 tests/integration/apt/dpkg-reconfigure.bats create mode 100644 tests/integration/pacman/paccache.bats create mode 100644 tests/integration/pacman/pacman-key.bats create mode 100644 tests/integration/pacman/pacman.bats create mode 100644 tests/integration/procps/uptime.bats create mode 100644 tests/integration/systemd/bootctl.bats create mode 100644 tests/integration/systemd/busctl.bats create mode 100644 tests/integration/systemd/journalctl.bats create mode 100644 tests/integration/systemd/localectl.bats create mode 100644 tests/integration/systemd/machinectl.bats create mode 100644 tests/integration/systemd/networkctl.bats create mode 100644 tests/integration/utils/fstrim.bats diff --git a/tests/integration/apt/apt.bats b/tests/integration/apt/apt.bats index a436f6e9f..4be0edd8d 100644 --- a/tests/integration/apt/apt.bats +++ b/tests/integration/apt/apt.bats @@ -25,14 +25,26 @@ setup_file() { sudo apt install -y pass } -@test "apt: Remove a package (using 'purge' instead also removes its configuration files)" { - sudo apt remove -y pass +@test "apt: Remove a package and its configuration files" { + sudo apt purge -y pass } @test "apt: Upgrade all installed packages to their newest available versions" { sudo apt upgrade -y } +@test "apt: Upgrade installed packages, but remove obsolete packages and install additional packages to meet new dependencies" { + sudo apt dist-upgrade -y +} + +@test "apt: Clean the local repository - removing package files (.deb) from interrupted downloads that can no longer be downloaded" { + sudo apt autoclean +} + +@test "apt: Remove all packages that are no longer needed" { + sudo apt autoremove +} + @test "apt: List all packages" { apt list } @@ -41,6 +53,6 @@ setup_file() { apt list --installed } -@test "apt-moo: Print a cow easter egg" { +@test "apt: Print a cow easter egg" { apt moo } diff --git a/tests/integration/apt/dpkg-query.bats b/tests/integration/apt/dpkg-query.bats new file mode 100644 index 000000000..39259e0a0 --- /dev/null +++ b/tests/integration/apt/dpkg-query.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dpkg-query: List all installed packages" { + dpkg-query --list +} + +@test "dpkg-query: List installed packages matching a pattern" { + dpkg-query --list 'libc6*' +} + +@test "dpkg-query: List all files installed by a package" { + dpkg-query --listfiles libc6 +} + +@test "dpkg-query: Show information about a package" { + dpkg-query --status libc6 +} + +@test "dpkg-query: Search for packages that own files matching a pattern" { + dpkg-query --search /etc/ld.so.conf.d +} + diff --git a/tests/integration/apt/dpkg-reconfigure.bats b/tests/integration/apt/dpkg-reconfigure.bats new file mode 100644 index 000000000..f6aec98ea --- /dev/null +++ b/tests/integration/apt/dpkg-reconfigure.bats @@ -0,0 +1,12 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "dpkg-reconfigure: Reconfigure one or more packages" { + sudo apt install -y pass + sudo dpkg-reconfigure pass +} + diff --git a/tests/integration/pacman/paccache.bats b/tests/integration/pacman/paccache.bats new file mode 100644 index 000000000..b2e1369e2 --- /dev/null +++ b/tests/integration/pacman/paccache.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "paccache: Perform a dry-run and show the number of candidate packages for deletion" { + sudo paccache -d +} + +@test "paccache: Move candidate packages to a directory instead of deleting them" { + sudo paccache -m "$USER_BUILD_DIRS" +} + +@test "paccache: Remove all but the 3 most recent package versions from the `pacman` cache" { + sudo paccache -r +} + +@test "paccache: Set the number of package versions to keep" { + sudo paccache -rk 3 +} diff --git a/tests/integration/pacman/pacman-key.bats b/tests/integration/pacman/pacman-key.bats new file mode 100644 index 000000000..82e34a379 --- /dev/null +++ b/tests/integration/pacman/pacman-key.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pacman-key: Initialize the 'pacman' keyring" { + sudo pacman-key --init +} + +@test "pacman-key: Add the default Arch Linux keys" { + sudo pacman-key --populate +} + +@test "pacman-key: List keys from the public keyring" { + pacman-key --list-keys +} + +@test "pacman-key: Receive a key from a key server" { + sudo pacman-key --recv-keys 06A26D531D56C42D66805049C5469996F0DF68EC +} + +@test "pacman-key: Print the fingerprint of a specific key" { + pacman-key --finger 06A26D531D56C42D66805049C5469996F0DF68EC +} + +@test "pacman-key: Sign an imported key locally" { + sudo pacman-key --lsign-key 06A26D531D56C42D66805049C5469996F0DF68EC +} + +@test "pacman-key: Remove a specific key" { + sudo pacman-key --delete 06A26D531D56C42D66805049C5469996F0DF68EC +} diff --git a/tests/integration/pacman/pacman.bats b/tests/integration/pacman/pacman.bats new file mode 100644 index 000000000..575a65bc1 --- /dev/null +++ b/tests/integration/pacman/pacman.bats @@ -0,0 +1,34 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "pacman: Synchronize and update all packages" { + sudo pacman -Syu --noconfirm +} + +@test "pacman: Install a new package" { + sudo pacman -S --noconfirm pass pass-otp +} + +@test "pacman: Remove a package and its dependencies" { + sudo pacman -Rs --noconfirm pass-otp +} + +@test "pacman: List installed packages and versions" { + pacman -Q +} + +@test "pacman: List only the explicitly installed packages and versions" { + pacman -Qe +} + +@test "pacman: List orphan packages (installed as dependencies but not actually required by any package)" { + pacman -Qtdq +} + +@test "pacman: Empty the entire 'pacman' cache" { + sudo pacman -Scc --noconfirm +} diff --git a/tests/integration/procps/sysctl.bats b/tests/integration/procps/sysctl.bats index 2f284070a..66720c434 100644 --- a/tests/integration/procps/sysctl.bats +++ b/tests/integration/procps/sysctl.bats @@ -21,6 +21,6 @@ load ../common sysctl fs.file-max } -@test "sysctl: Apply changes from `/etc/sysctl.conf`" { - sysctl -p +@test "sysctl: Apply changes from '/etc/sysctl.conf'" { + sudo sysctl -p } diff --git a/tests/integration/procps/uptime.bats b/tests/integration/procps/uptime.bats new file mode 100644 index 000000000..7d9361d5a --- /dev/null +++ b/tests/integration/procps/uptime.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "uptime: Print current time, uptime, number of logged-in users and other information" { + uptime +} + +@test "uptime: Show only the amount of time the system has been booted for" { + uptime --pretty +} + +@test "uptime: Print the date and time the system booted up at" { + uptime --since +} diff --git a/tests/integration/systemd/bootctl.bats b/tests/integration/systemd/bootctl.bats new file mode 100644 index 000000000..2dfb39a7f --- /dev/null +++ b/tests/integration/systemd/bootctl.bats @@ -0,0 +1,22 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "bootctl: Show information about the system firmware and the bootloaders" { + sudo bootctl status +} + +@test "bootctl: Show all available bootloader entries" { + sudo bootctl list +} + +@test "bootctl: Install 'systemd-boot' into the EFI system partition" { + sudo bootctl install +} + +@test "bootctl: Remove all installed versions of 'systemd-boot' from the EFI system partition" { + sudo bootctl remove +} diff --git a/tests/integration/systemd/busctl.bats b/tests/integration/systemd/busctl.bats new file mode 100644 index 000000000..ef3e973e9 --- /dev/null +++ b/tests/integration/systemd/busctl.bats @@ -0,0 +1,27 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "busctl: Show all peers on the bus, by their service names" { + busctl list +} + +@test "busctl: Show process information and credentials of a bus service, a process, or the owner of the bus (if no parameter is specified)" { + busctl status 1 + busctl status org.freedesktop.DBus +} + +@test "busctl: Show an object tree of one or more services (or all services if no service is specified)" { + busctl tree org.freedesktop.DBus +} + +@test "busctl: Show interfaces, methods, properties and signals of the specified object on the specified service" { + busctl introspect org.freedesktop.login1 /org/freedesktop/login1 +} + +@test "busctl: Retrieve the current value of one or more object properties" { + busctl get-property org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager Docked +} diff --git a/tests/integration/systemd/homectl.bats b/tests/integration/systemd/homectl.bats index 0bdd625c4..bb3b38227 100644 --- a/tests/integration/systemd/homectl.bats +++ b/tests/integration/systemd/homectl.bats @@ -16,7 +16,7 @@ setup_file() { } @test "homectl: Create a user account and their associated home directory" { - sudo homectl create user2 + printf "user2\nuser2" | sudo homectl create user2 } @test "homectl: List user accounts and their associated home directories" { diff --git a/tests/integration/systemd/journalctl.bats b/tests/integration/systemd/journalctl.bats new file mode 100644 index 000000000..9eeb7c9fe --- /dev/null +++ b/tests/integration/systemd/journalctl.bats @@ -0,0 +1,30 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "journalctl: Show all messages with priority level 3 (errors) from this boot" { + sudo journalctl -b --priority=3 +} + +@test "journalctl: Show only the last N lines of the journal" { + sudo journalctl --lines 100 +} + +@test "journalctl: Show all messages by a specific [u]nit" { + sudo journalctl --unit apparmor.service +} + +@test "journalctl: Show all messages by a specific process" { + sudo journalctl _PID=1 +} + +@test "journalctl: Show all messages by a specific executable" { + sudo journalctl /usr/bin/bootctl +} + +@test "journalctl: Delete journal logs which are older than 10 seconds" { + sudo journalctl --vacuum-time=10s +} diff --git a/tests/integration/systemd/localectl.bats b/tests/integration/systemd/localectl.bats new file mode 100644 index 000000000..5d82683a2 --- /dev/null +++ b/tests/integration/systemd/localectl.bats @@ -0,0 +1,23 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "localectl: Show the current settings of the system locale and keyboard mapping" { + localectl +} + +@test "localectl: List available locales" { + localectl list-locales +} + +@test "localectl: Set a system locale variable" { + sudo localectl set-locale LANG=en_US.UTF-8 +} + +@test "localectl: Set the system keyboard mapping for the console and X11" { + sudo localectl set-keymap uk +} + diff --git a/tests/integration/systemd/machinectl.bats b/tests/integration/systemd/machinectl.bats new file mode 100644 index 000000000..d9ba38444 --- /dev/null +++ b/tests/integration/systemd/machinectl.bats @@ -0,0 +1,26 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "importctl: Import an image as a machine" { + sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble +} + +@test "machinectl: Display a list of available images" { + sudo machinectl list-images +} + +@test "machinectl: Start a machine as a service using systemd-nspawn" { + sudo machinectl start noble +} + +@test "machinectl: Display a list of running machines" { + sudo machinectl list +} + +@test "machinectl: Stop a running machine" { + sudo machinectl stop noble +} diff --git a/tests/integration/systemd/networkctl.bats b/tests/integration/systemd/networkctl.bats new file mode 100644 index 000000000..81418ba01 --- /dev/null +++ b/tests/integration/systemd/networkctl.bats @@ -0,0 +1,18 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "networkctl: List existing links with their status" { + sudo networkctl list +} + +@test "networkctl: Show an overall network status" { + sudo networkctl status +} + +@test "networkctl: Reload configuration files (.netdev and .network)" { + sudo networkctl reload +} diff --git a/tests/integration/utils/fstrim.bats b/tests/integration/utils/fstrim.bats new file mode 100644 index 000000000..dff1083e2 --- /dev/null +++ b/tests/integration/utils/fstrim.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +load ../common + +@test "fstrim: Trim unused blocks on all mounted partitions that support it" { + sudo fstrim --all +} + +@test "fstrim: Trim unused blocks on a specified partition" { + sudo fstrim --verbose / +} From ac3e0fea59923648b75f46684702632d5d29bf80 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 00:34:31 +0200 Subject: [PATCH 334/798] fix: profile compilation issue. --- apparmor.d/groups/utils/zramctl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/utils/zramctl b/apparmor.d/groups/utils/zramctl index a5fa2eb75..29428a96f 100644 --- a/apparmor.d/groups/utils/zramctl +++ b/apparmor.d/groups/utils/zramctl @@ -13,13 +13,13 @@ profile zramctl @{exec_path} { @{exec_path} mr, - @{sys}/devices/virtual/block/zram{int}/disksize w, - @{sys}/devices/virtual/block/zram{int}/reset w, @{sys}/devices/virtual/block/zram@{int}/ r, @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw, @{sys}/devices/virtual/block/zram@{int}/disksize r, + @{sys}/devices/virtual/block/zram@{int}/disksize w, @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r, @{sys}/devices/virtual/block/zram@{int}/mm_stat r, + @{sys}/devices/virtual/block/zram@{int}/reset w, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, From b878ce1ea23b6287ea6875e7aced36d13a10104c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 01:04:37 +0200 Subject: [PATCH 335/798] chore: fix linter issues. --- apparmor.d/profiles-g-l/kernel-postinst-kdump | 4 ++-- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/needrestart | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 4790c5cb7..50606695a 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -18,7 +18,7 @@ profile kernel-postinst-kdump @{exec_path} { @{bin}/cp rix, @{bin}/du rix, @{bin}/find rix, - @{bin}/kmod rCx -> kmod, + @{bin}/kmod rCx -> kmod, @{bin}/ischroot rPx, @{bin}/linux-version rPx, @{bin}/mkdir rix, @@ -49,7 +49,7 @@ profile kernel-postinst-kdump @{exec_path} { include include - include if exists + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 14a83ffbb..18610de27 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -20,7 +20,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{bin}/update-alternatives Px, + @{sbin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index ceac5436b..5a65b40a9 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -23,7 +23,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/dpkg-query rpx, @{bin}/fail2ban-server rPx, - @{bin}/stty rix, + @{bin}/stty rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/udevadm rCx -> udevadm, From f6914a87302f9026215234ea36d6dfcf10d6607e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 22:17:03 +0200 Subject: [PATCH 336/798] fix(profile): various fixes from issue raised by the CI. --- apparmor.d/groups/apt/dpkg-script-systemd | 7 ++++++- apparmor.d/groups/systemd/bootctl | 1 + apparmor.d/groups/systemd/localectl | 4 ++++ apparmor.d/groups/systemd/systemd-localed | 4 ++++ apparmor.d/groups/systemd/systemd-userdbd | 1 + apparmor.d/groups/virt/dockerd | 1 + apparmor.d/profiles-g-l/kernel-install | 1 + 7 files changed, 18 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd index 722e72c53..6c76e6f70 100644 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ b/apparmor.d/groups/apt/dpkg-script-systemd @@ -11,6 +11,8 @@ profile dpkg-script-systemd @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, @{coreutils_path} rix, @@ -21,7 +23,7 @@ profile dpkg-script-systemd @{exec_path} { @{bin}/dpkg-divert Px, @{bin}/dpkg-maintscript-helper Px, @{bin}/journalctl Px, - @{bin}/kernel-install Px, + @{bin}/kernel-install mrPx, @{bin}/systemctl Cx -> systemctl, @{bin}/systemd-machine-id-setup Px, @{bin}/systemd-sysusers Px, @@ -35,11 +37,14 @@ profile dpkg-script-systemd @{exec_path} { /etc/pam.d/sed@{rand6} rw, /etc/pam.d/common-password rw, + @{efi}/ r, + /var/lib/systemd/{,*} rw, /var/log/journal/ rw, profile dpkg { include + include include capability dac_read_search, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 47e8737fe..70a91197f 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -16,6 +16,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) { capability linux_immutable, capability mknod, capability net_admin, + capability sys_rawio, capability sys_resource, signal send peer=child-pager, diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index f9a3625ef..0d46dbfed 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -17,6 +17,10 @@ profile localectl @{exec_path} { signal send set=cont peer=child-pager, #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" + dbus send bus=system path=/org/freedesktop/locale1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.locale1), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index c15eaf5b2..e98bef009 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -17,6 +17,10 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system, #aa:dbus own bus=system name=org.freedesktop.locale1 + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=Reload + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index 20e940b1d..f9fad3693 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -33,6 +33,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) @{att}/@{run}/systemd/notify w, @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, @{att}/@{run}/systemd/userdb/io.systemd.Home rw, + @{att}/@{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/userdb/{,**} rw, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index abd6c90ec..c21fa2788 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -73,6 +73,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @{sbin}/runc rUx, + @{bin}/runc rUx, #aa:lint ignore @{bin}/unpigz rix, @{sbin}/xtables-nft-multi rCx -> nft, @{sbin}/xtables-legacy-multi rCx -> nft, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 96d097417..be5d877a9 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -14,6 +14,7 @@ profile kernel-install @{exec_path} { include include + capability sys_rawio, capability sys_resource, ptrace read peer=@{p_systemd}, From b2910ae59329af14143c384c307cbe7f42a47665 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 22:22:13 +0200 Subject: [PATCH 337/798] tests(check): add support for '#aa:lint ignore' inline directive to disable linting. --- pkg/prebuild/directive/core.go | 3 +++ tests/check.sh | 17 ++++++++++++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go index 6138eec0c..cde9470dc 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/prebuild/directive/core.go @@ -106,6 +106,9 @@ func Run(file *paths.Path, profile string) (string, error) { opt := NewOption(file, match) drtv, ok := Directives[opt.Name] if !ok { + if opt.Name == "lint" { + continue + } return "", fmt.Errorf("unknown directive '%s' in %s", opt.Name, opt.File) } profile, err = drtv.Apply(opt, profile) diff --git a/tests/check.sh b/tests/check.sh index 8b847db6f..39d7f8158 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -51,12 +51,24 @@ _wait() { fi } +readonly _IGNORE_LINT="#aa:lint ignore" +_ignore_lint() { + local line="$1" + if [[ "$line" == *"$_IGNORE_LINT"* ]]; then + return 0 + fi + return 1 +} + _check() { local file="$1" local line_number=0 while IFS= read -r line; do line_number=$((line_number + 1)) + if _ignore_lint "$line"; then + continue + fi # Rules checks _check_abstractions @@ -339,7 +351,10 @@ check_sbin() { jobs=0 for name in "${sbin[@]}"; do ( - mapfile -t files < <(grep --line-number --recursive -E "(^|[[:space:]])@{bin}/$name([[:space:]]|$)" apparmor.d | cut -d: -f1,2) + mapfile -t files < <( + grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT)" apparmor.d | + cut -d: -f1,2 + ) for file in "${files[@]}"; do _err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" done From ef9b93b866109751be1f00d308190dd923e06698 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:00:48 +0200 Subject: [PATCH 338/798] tests(check): enable more linter rule. --- tests/check.sh | 58 +++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 55 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 39d7f8158..708b2fe99 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -75,6 +75,8 @@ _check() { _check_directory_mark _check_equivalent _check_too_wide + _check_transition + _check_useless # Guidelines check _check_abi @@ -137,6 +139,7 @@ _check_directory_mark() { for pattern in "${DIRECTORIES[@]}"; do if [[ "$line" == *"$pattern"* ]]; then [[ "$line" == *'='* ]] && continue + [[ "$line" =~ ^[[:space:]]*# ]] && continue if [[ ! "$line" == *"$pattern/"* ]]; then _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" fi @@ -172,6 +175,55 @@ _check_too_wide() { done } +readonly TRANSITION_MUST_CI=( # Must transition to 'ix' or 'Cx' + chgrp chmod chown cp find head install link ln ls mkdir mktemp mv rm rmdir + sed shred stat tail tee test timeout touch truncate unlink +) +readonly TRANSITION_MUST_PC=( # Must transition to 'Px' + ischroot +) +readonly TRANSITION_MUST_C=( # Must transition to 'Cx' + sysctl kmod pgrep pkexec sudo systemctl udevadm + fusermount fusermount3 fusermount{,3} + nvim vim sensible-editor +) +_check_transition() { + _is_enabled transition || return 0 + for prgmname in "${!TRANSITION_MUST_CI[@]}"; do + if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then + _err security "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" + fi + done + for prgmname in "${!TRANSITION_MUST_PC[@]}"; do + if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then + _err security "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" + fi + done + for prgmname in "${!TRANSITION_MUST_C[@]}"; do + if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then + _warn security "$file:$line_number" \ + "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" + fi + done +} + +readonly USELESS=( + '@{PROC}/filesystems' '@{PROC}/sys/kernel/cap_last_cap' + '@{PROC}/meminfo' '@{PROC}/stat' '@{PROC}/cpuinfo' + '@{sys}/devices/system/cpu/online' '@{sys}/devices/system/cpu/possible' + '/usr/share/locale/' +) +_check_useless() { + _is_enabled useless || return 0 + for rule in "${!USELESS[@]}"; do + if [[ "$line" == *"${USELESS[$rule]}"* ]]; then + _err issue "$file:$line_number" "rule already included in the base abstraction, remove it" + fi + done +} + # Guidelines check: https://apparmor.pujol.io/development/guidelines/ RES_ABI=false @@ -388,7 +440,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions equivalent + abstractions directory_mark equivalent useless transition abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -408,7 +460,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions equivalent + abstractions directory_mark equivalent too_wide abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -429,7 +481,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions equivalent + abstractions directory_mark equivalent too_wide header tabs trailing indentation vim ) for file in "${files[@]}"; do From 85383ed361d80027f1527891dda1463a4e112cfc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:08:55 +0200 Subject: [PATCH 339/798] fix: newly detected linter issues. --- apparmor.d/abstractions/common/app | 6 +++--- apparmor.d/groups/browsers/epiphany | 1 - apparmor.d/groups/gpg/scdaemon | 2 +- apparmor.d/profiles-a-f/adequate | 2 -- apparmor.d/profiles-g-l/kernel-install | 3 +++ 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index a3fb2c5ef..15b730fb2 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -56,11 +56,11 @@ owner @{HOME}/.var/app/** rmix, owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore owner @{user_games_dirs}/** rmix, - owner @{tmp}/** rmwk, - owner /dev/shm/** rwlk -> /dev/shm/**, + owner @{tmp}/** rmwk, #aa:lint ignore + owner /dev/shm/** rwlk -> /dev/shm/**, #aa:lint ignore owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner /var/tmp/etilqs_@{sqlhex} rw, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 636bbf9d3..86b293e8d 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -51,7 +51,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { owner @{tmp}/WebKit-Media-@{rand6} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/firmware/acpi/pm_profile r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 5d2cafd95..729455f7f 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -25,7 +25,7 @@ profile scdaemon @{exec_path} { owner /etc/pacman.d/gnupg/S.scdaemon rw, owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r, - owner @{HOME}/@{XDG_GPG_DIR}common.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/common.conf r, owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index b7a62fc82..da8f64bc2 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -54,14 +54,12 @@ profile adequate @{exec_path} flags=(complain) { @{bin}/* mr, /usr/games/* mr, - @{lib}{,x}/** mr, @{lib}/@{multiarch}/** mr, /usr/share/** r, /opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} mr, @{lib}/@{multiarch}/ld-*.so rix, - @{lib}{,x}32/ld-*.so rix, include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index be5d877a9..bd1438f96 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -42,7 +42,10 @@ profile kernel-install @{exec_path} { @{lib}/modules/*/modules.* w, + / r, + @{efi}/@{hex32}/** rw, + @{efi}/loader/entries.srel r, owner /boot/{vmlinuz,initrd.img}-* r, owner /boot/[a-f0-9]*/*/ rw, From f1a96db3172334c50303024aeb07fbd6f821ce18 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:11:20 +0200 Subject: [PATCH 340/798] feat(profile): add missing update-alternatives & mdadm profiles. --- apparmor.d/profiles-a-f/dracut-install | 26 +++++++++++++++++ apparmor.d/profiles-m-r/mdadm | 39 ++++++++++++++++++++++++++ dists/flags/main.flags | 2 ++ 3 files changed, 67 insertions(+) create mode 100644 apparmor.d/profiles-a-f/dracut-install create mode 100644 apparmor.d/profiles-m-r/mdadm diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install new file mode 100644 index 000000000..2000635d3 --- /dev/null +++ b/apparmor.d/profiles-a-f/dracut-install @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/dracut/dracut-install +profile dracut-install @{exec_path} { + include + + @{exec_path} mr, + + /etc/modprobe.d/{,**} r, + + @{sys}/devices/platform/{,**/} r, + @{sys}/devices/platform/**/modalias r, + @{sys}/module/compression r, + + @{PROC}/cmdline r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm new file mode 100644 index 000000000..7601f16df --- /dev/null +++ b/apparmor.d/profiles-m-r/mdadm @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{sbin}/mdadm +profile mdadm @{exec_path} { + include + include + + capability sys_admin, + + mqueue (read getattr) type=posix /, + + @{exec_path} mr, + + @{run}/initctl r, + + /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, + + @{sys}/bus/pci/drivers/*/ r, + @{sys}/devices/@{pci}/class r, + @{sys}/devices/@{pci}/device r, + @{sys}/devices/@{pci}/vendor r, + + @{PROC}/@{pid}/fd/ r, + @{PROC}/cmdline r, + @{PROC}/kcore r, + @{PROC}/partitions r, + + /dev/**/ r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 71670d4d7..3aeab3192 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -90,6 +90,7 @@ dpkg-script-kmod complain dpkg-script-linux complain dpkg-script-systemd complain dpkg-scripts complain +dracut-install complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain @@ -232,6 +233,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain +mdadm complain mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain From 8f7e373f6270b172ffdd09b325c4228952cdcb51 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 21 Jul 2025 23:21:53 +0200 Subject: [PATCH 341/798] fix: update-alternatives is **not** installed in sbin. --- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/initramfs-scripts | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- tests/sbin.list | 1 - 6 files changed, 5 insertions(+), 6 deletions(-) diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index da8f64bc2..7025f9787 100644 --- a/apparmor.d/profiles-a-f/adequate +++ b/apparmor.d/profiles-a-f/adequate @@ -34,7 +34,7 @@ profile adequate @{exec_path} flags=(complain) { # shared object file): ignored. @{bin}/dpkg-query rpx, # - @{sbin}/update-alternatives rPx, + @{bin}/update-alternatives rPx, /var/lib/adequate/pending rwk, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index c3155ce75..b718f7d18 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -38,9 +38,9 @@ profile kernel @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/kernel-install rPx, @{bin}/systemd-detect-virt rPx, + @{bin}/update-alternatives rPx, @{lib}/dkms/dkms_autoinstaller rPx, @{sbin}/dkms rPx, - @{sbin}/update-alternatives rPx, @{sbin}/update-grub rPx, @{sbin}/update-initramfs rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 18610de27..14a83ffbb 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -20,7 +20,7 @@ profile initramfs-hooks @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{sbin}/update-alternatives Px, + @{bin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, diff --git a/apparmor.d/profiles-m-r/initramfs-scripts b/apparmor.d/profiles-m-r/initramfs-scripts index 4d38ab9c1..d280c145a 100644 --- a/apparmor.d/profiles-m-r/initramfs-scripts +++ b/apparmor.d/profiles-m-r/initramfs-scripts @@ -21,7 +21,7 @@ profile initramfs-scripts @{exec_path} { @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @{bin}/plymouth Px, - @{sbin}/update-alternatives Px, + @{bin}/update-alternatives Px, @{lib}/dracut/dracut-install Px, @{lib}/initramfs-tools/bin/busybox Px, /usr/share/mdadm/mkconf Px, diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index 68ddb97a5..8f08b74fa 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{sbin}/update-alternatives +@{exec_path} = @{bin}/update-alternatives profile update-alternatives @{exec_path} { include include diff --git a/tests/sbin.list b/tests/sbin.list index 1d0eb5b97..a8b439478 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -766,7 +766,6 @@ unix_chkpwd unix_update unix2_chkpwd uobjnew -update-alternatives update-ca-certificates update-catalog update-cracklib From 18212c9ff7a0fe96d3ae6299d76503ca3a32dad2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 00:03:06 +0200 Subject: [PATCH 342/798] tests: re-enable apt tests. --- tests/integration/apt/apt.bats | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/tests/integration/apt/apt.bats b/tests/integration/apt/apt.bats index 4be0edd8d..3f13d4ea4 100644 --- a/tests/integration/apt/apt.bats +++ b/tests/integration/apt/apt.bats @@ -5,10 +5,6 @@ load ../common -setup_file() { - skip -} - @test "apt: Update the list of available packages and versions" { sudo apt update } @@ -38,11 +34,11 @@ setup_file() { } @test "apt: Clean the local repository - removing package files (.deb) from interrupted downloads that can no longer be downloaded" { - sudo apt autoclean + sudo apt autoclean -y } @test "apt: Remove all packages that are no longer needed" { - sudo apt autoremove + sudo apt autoremove -y } @test "apt: List all packages" { From 5a08ffc9ba485878eba448366459f2ef55625274 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 00:19:35 +0200 Subject: [PATCH 343/798] fix(profile): apply fixes raised by tests --- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 5 +++++ .../abstractions/bus/org.freedesktop.systemd1 | 2 +- apparmor.d/abstractions/common/electron | 2 +- .../groups/freedesktop/xdg-user-dirs-gtk-update | 7 ++++++- .../groups/systemd/systemd-machine-id-setup | 1 + apparmor.d/groups/ubuntu/update-notifier | 1 - apparmor.d/groups/ubuntu/update-notifier-crash | 15 +++++++++++++-- apparmor.d/profiles-a-f/dracut-install | 1 + apparmor.d/profiles-m-r/mdadm | 1 + 9 files changed, 29 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index b002d6fa4..b683cf128 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -26,6 +26,11 @@ member={ItemNew,AllForNow,CacheExhausted} peer=(name="@{busname}", label="@{p_avahi_daemon}"), + dbus receive bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=StateChanged + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 341cf58ce..4fb1764bc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -8,7 +8,7 @@ dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - member={GetUnit,StartUnit,StartTransientUnit} + member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), dbus send bus=system path=/org/freedesktop/systemd1 diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 8134f8681..6216ec939 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -75,6 +75,7 @@ @{PROC}/ r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, owner @{PROC}/@{pid}/cgroup r, @@ -88,7 +89,6 @@ owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 641862965..b2ae65450 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -12,14 +12,19 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include - include + include + include @{exec_path} mr, + @{bin}/xdg-user-dirs-update Px, + owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, + owner @{tmp}/dirs-@{rand6} rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index f3f27b523..c791e6375 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -31,6 +31,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { /etc/machine-id rw, /var/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 6c4dc4d77..361290980 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -85,7 +85,6 @@ profile update-notifier @{exec_path} { profile systemctl { include include - include dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index dee094aa1..d65c77a08 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -9,17 +9,28 @@ include @{exec_path} = @{lib}/update-notifier/update-notifier-crash profile update-notifier-crash @{exec_path} { include + include @{exec_path} mr, - @{bin}/systemctl Cx -> systemctl, - + @{bin}/{,e}grep ix, + @{bin}/groups Px, + @{bin}/systemctl Cx -> systemctl, + @{bin}/which{,.debianutils} ix, + @{sh_path} mr, /usr/share/apport/apport-checkreports Px, + owner @{HOME}/ r, + profile systemctl { include include + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + include if exists } diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index 2000635d3..6deb06eb6 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/dracut/dracut-install profile dracut-install @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 7601f16df..15adcb9e6 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -9,6 +9,7 @@ include @{exec_path} = @{sbin}/mdadm profile mdadm @{exec_path} { include + include include capability sys_admin, From 4a3a98c77d3fefb403a1bb775bca51a088006451 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 18:46:17 +0200 Subject: [PATCH 344/798] fix(profile): fixes for issues raised by newly enabled tests. --- apparmor.d/groups/apt/dpkg-preconfigure | 1 + apparmor.d/groups/apt/dpkg-script-linux | 12 +++++++++++- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/network/netplan-generate | 1 + apparmor.d/profiles-s-z/ucf | 12 ++---------- 5 files changed, 16 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 716cd1dc8..66131c6e7 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -36,6 +36,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/stty ix, @{bin}/tr ix, @{bin}/uniq ix, + @{bin}/which{,.debianutils} ix, @{bin}/apt-extracttemplates Px, @{bin}/dpkg Px -> child-dpkg, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index d6a8db473..24c6c74df 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -19,11 +19,14 @@ profile dpkg-script-linux @{exec_path} { @{bin}/run-parts ix, @{bin}/stty ix, + @{bin}/deb-systemd-helper Px, + @{bin}/deb-systemd-invoke Px, + @{bin}/dpkg-maintscript-helper Px, @{bin}/dpkg-trigger Px, @{bin}/kmod Px, @{bin}/linux-check-removal Px, @{bin}/linux-update-symlinks Px, - @{bin}/dpkg-maintscript-helper Px, + @{bin}/systemctl Cx -> systemctl, /usr/share/{update,reboot}-notifier/notify-reboot-required Px, /etc/kernel/{,header_}postinst.d/* Px, @@ -36,6 +39,13 @@ profile dpkg-script-linux @{exec_path} { @{lib}/linux/triggers/* w, @{lib}/modules/*/.fresh-install w, + profile systemctl { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 44e4790c4..5743ab904 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -80,6 +80,7 @@ profile dpkg-scripts @{exec_path} { /tmp/tmp.@{rand10} rw, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/mountinfo r, profile bus { include diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 64f8399e1..74ed20aaf 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/netplan/generate profile netplan-generate @{exec_path} flags=(attach_disconnected) { include + include include capability chown, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 3c3374d85..9e459f261 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/ucf profile ucf @{exec_path} { include + include include include @@ -17,11 +18,11 @@ profile ucf @{exec_path} { @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/{m,g,}awk rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/cp rix, @{bin}/dirname rix, - @{bin}/{m,g,}awk rix, @{bin}/getopt rix, @{bin}/id rix, @{bin}/md5sum rix, @@ -39,8 +40,6 @@ profile ucf @{exec_path} { @{bin}/dpkg-divert rPx, @{pager_path} rCx -> child-pager, - /usr/share/debconf/frontend Cx -> debconf, - # For md5sum /usr/share/** r, @@ -57,13 +56,6 @@ profile ucf @{exec_path} { deny capability sys_admin, # optional: no audit - profile debconf { - include - include - - include if exists - } - include if exists } From 7d2229cd05134f491a671f4f2e61b9216dc07420 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:18:00 +0200 Subject: [PATCH 345/798] build: fully replace make by just. --- .github/workflows/main.yml | 17 +-- .gitlab-ci.yml | 11 +- Justfile | 6 +- Makefile | 100 ------------------ debian/apparmor.d.hide | 2 +- debian/control | 1 + debian/rules | 8 +- dists/apparmor.d.spec | 5 +- dists/build.sh | 2 +- dists/ignore/main.ignore | 2 +- docs/development/build.md | 2 +- docs/development/roadmap.md | 2 +- docs/development/tests.md | 6 +- docs/development/workflow.md | 14 +-- docs/enforce.md | 44 ++++---- docs/full-system-policy.md | 42 ++++---- docs/install.md | 19 ++-- tests/check.sh | 2 +- .../cloud-init/archlinux-cosmic.user-data.yml | 1 + tests/cloud-init/archlinux-xfce.user-data.yml | 1 + tests/cloud-init/opensuse.yml | 2 +- tests/packer/src/aa-update | 6 +- 22 files changed, 113 insertions(+), 182 deletions(-) delete mode 100644 Makefile diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 973287e72..a3d7b3266 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -9,9 +9,14 @@ jobs: - name: Check out repository code uses: actions/checkout@v4 + - name: Install linter dependencies + run: | + sudo apt-get update -q + sudo apt-get install -y just + - name: Run basic profile linter check run: | - make check + just check build: runs-on: ${{ matrix.os }} @@ -32,13 +37,13 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ devscripts debhelper config-package-dev \ - auditd apparmor-profiles apparmor-utils + auditd apparmor-profiles apparmor-utils just sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real - name: Build the apparmor.d package run: | if [[ ${{ matrix.mode }} == full-system-policy ]]; then - echo -e "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules + sed -e "s/just complain/just fsp-complain/" -i debian/rules fi if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then # Test with Re-attach disconnected path @@ -95,7 +100,7 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ apparmor-profiles apparmor-utils \ - bats bats-support + bats bats-support just - name: Install apparmor.d run: | @@ -127,12 +132,12 @@ jobs: - name: Install integration dependencies run: | - bash tests/requirements.sh + just init find /usr/sbin/ -type f - name: Run the integration tests run: | - make integration + just integration - name: Show final AppArmor logs if: always() diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8adab16ab..7b4c13519 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -66,7 +66,7 @@ check: stage: test image: registry.gitlab.com/roddhjav/builders/archlinux script: - - make check + - just check # Package Build # ------------- @@ -84,13 +84,12 @@ archlinux: debian: stage: build - image: registry.gitlab.com/roddhjav/builders/debian:12 + image: registry.gitlab.com/roddhjav/builders/debian:trixie script: - sudo chown -R build:build /builds/ - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev lsb-release - - sudo apt-get install -y -t bookworm-backports golang-go + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -105,7 +104,7 @@ ubuntu: script: - git config --global --add safe.directory $CI_PROJECT_DIR - mkdir -p "$PKGDEST" - - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release + - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl - bash dists/build.sh dpkg artifacts: expire_in: 1 day @@ -117,7 +116,7 @@ whonix: variables: DISTRIBUTION: whonix before_script: - - echo "\noverride_dh_auto_build:\n\tmake fsp" >> debian/rules + - sed -e "s/just complain/just fsp-complain/" -i debian/rules opensuse: stage: build diff --git a/Justfile b/Justfile index f9ce13c36..7a84af1be 100644 --- a/Justfile +++ b/Justfile @@ -157,7 +157,7 @@ dpkg: [doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm - @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm + @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm [group('tests')] [doc('Run the unit tests')] @@ -213,8 +213,8 @@ package dist: if [[ $dist =~ ubuntu([0-9]+) ]]; then version="${BASH_REMATCH[1]}.04" dist="ubuntu" - elif [[ $dist =~ debian([0-9]+) ]]; then - version="${BASH_REMATCH[1]}" + elif [[ $dist == debian ]]; then + version="trixie" dist="debian" fi bash dists/docker.sh $dist $version diff --git a/Makefile b/Makefile deleted file mode 100644 index 854d39f16..000000000 --- a/Makefile +++ /dev/null @@ -1,100 +0,0 @@ -#!/usr/bin/make -f -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -DESTDIR ?= / -BUILD ?= .build -PKGDEST ?= ${PWD}/.pkg -PKGNAME := apparmor.d -PROFILES = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) - -.PHONY: all -all: build - @./${BUILD}/prebuild --complain - -.PHONY: build -build: - @go build -o ${BUILD}/ ./cmd/aa-log - @go build -o ${BUILD}/ ./cmd/prebuild - -.PHONY: enforce -enforce: build - @./${BUILD}/prebuild - -.PHONY: fsp -fsp: build - @./${BUILD}/prebuild --full - -.PHONY: fsp-complain -fsp-complain: build - @./${BUILD}/prebuild --complain --full - -.PHONY: install -install: - @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \ - done; - @for file in $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @for file in $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n"); do \ - mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \ - cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @for file in ${BUILD}/systemd/system/*; do \ - service="$$(basename "$$file")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \ - done; - @for file in ${BUILD}/systemd/user/*; do \ - service="$$(basename "$$file")"; \ - install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \ - done - - -.PHONY: $(PROFILES) -$(PROFILES): - @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \ - done; - @for file in $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n"); do \ - install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \ - done; - @echo "Warning: profile dependencies fallback to unconfined." - @for file in ${@}; do \ - grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \ - sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \ - install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ - done; - @systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -.PHONY: dev -name ?= -dev: - @go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name}) - @sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name} - @sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service - -.PHONY: pkg -pkg: - @makepkg --syncdeps --install --cleanbuild --force --noconfirm - -.PHONY: dpkg -dpkg: - @bash dists/build.sh dpkg - @sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb - -.PHONY: rpm -rpm: - @bash dists/build.sh rpm - @sudo rpm -ivh --force ${PKGDEST}/${PKGNAME}-*.rpm - -.PHONY: check -check: - @bash tests/check.sh - -.PHONY: integration -integration: - @bats --recursive --timing --print-output-on-failure tests/integration/ diff --git a/debian/apparmor.d.hide b/debian/apparmor.d.hide index 20725a133..8fc1d019d 100644 --- a/debian/apparmor.d.hide +++ b/debian/apparmor.d.hide @@ -1 +1 @@ -# This file is generated by "make", all edit will be lost. +# This file is generated by "just", all edit will be lost. diff --git a/debian/control b/debian/control index 7f2028b0e..56ad928ba 100644 --- a/debian/control +++ b/debian/control @@ -6,6 +6,7 @@ Build-Depends: debhelper (>= 13.4), debhelper-compat (= 13), golang-any, config-package-dev, + just, Homepage: https://github.com/roddhjav/apparmor.d Vcs-Browser: https://github.com/roddhjav/apparmor.d Vcs-Git: https://github.com/roddhjav/apparmor.d.git diff --git a/debian/rules b/debian/rules index a30a693df..d78e652ca 100755 --- a/debian/rules +++ b/debian/rules @@ -9,5 +9,9 @@ # golang/1.19 compresses debug symbols itself. override_dh_dwz: -# do not run 'make check' by default as it can be long for dev package -override_dh_auto_test: +override_dh_auto_build: + just complain + +override_dh_auto_install: + just destdir="${CURDIR}/debian/apparmor.d" install + diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index 339d88036..bf97705a6 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -15,6 +15,7 @@ URL: https://github.com/roddhjav/apparmor.d Source0: %{name}-%{version}.tar.gz Requires: apparmor-profiles BuildRequires: distribution-release +BuildRequires: just BuildRequires: golang-packaging BuildRequires: apparmor-profiles @@ -25,10 +26,10 @@ AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most %autosetup %build -%make_build +just complain %install -%make_install +just destdir="%{buildroot}" install %posttrans rm -f /var/cache/apparmor/* 2>/dev/null diff --git a/dists/build.sh b/dists/build.sh index 1f2e204c2..9b9f9e765 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make [ dpkg | pkg | rpm ] +# Usage: just [ dpkg | pkg | rpm ] set -eu -o pipefail diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index 3cccf4c05..0665edf85 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -2,7 +2,7 @@ # File format: one ignore by line, it can be a profile name or a directory to ignore # Contains profiles and configuration for full system confinement, only included -# when built with 'make full' +# when built with 'just fsp' apparmor.d/groups/_full # Provided by other packages diff --git a/docs/development/build.md b/docs/development/build.md index 5145a8416..eaa2487a2 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -2,7 +2,7 @@ title: Building the profiles --- -The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `make`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers. +The profiles in `apparmor.d` must not be used directly. They need to be prebuilt (by running `just complain`). This page documents all possibles prebuild tasks. It is not intended to be read by end user, and it is only targeted at developers and maintainers. The build system is fully configurable, general usage can be seen with: ```sh diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index b42467e3d..2585208e5 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -29,7 +29,7 @@ This is the current list of features that must be implemented to get to a stable - [ ] Provide packages repo for ubuntu/debian - [ ] Provide complain/enforced packages version - [x] Add a `just` target to install the profiles in the right place - - [ ] Fully drop the Makefile in favor of `just` + - [x] Fully drop the Makefile in favor of `just` ## Next features diff --git a/docs/development/tests.md b/docs/development/tests.md index df614b4fe..4bf421d92 100644 --- a/docs/development/tests.md +++ b/docs/development/tests.md @@ -6,12 +6,12 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo **Current** -- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `make` +- [x] **[Build:](https://gitlab.com/roddhjav/apparmor.d/-/pipelines)** `just complain` - Build the profiles for all supported distributions. - All CI jobs validate the profiles syntax and ensure they can be safely loaded into a kernel. - Ensure the profile entry point (`@{exec_path}`) is defined. -- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `make check` checks basic style of profiles: +- [x] **[Checks:](https://github.com/roddhjav/apparmor.d/blob/main/tests/check.sh)** `just check` checks basic style of profiles: - Ensure apparmor.d header & licence - Ensure 2 spaces indentation - Ensure local include for profile and subprofiles @@ -19,7 +19,7 @@ Misconfigured AppArmor profiles is one of the most effective ways to break someo - Ensure modern profile naming - Ensure `vim:syntax=apparmor` -- [x] **[Integration Tests:](integration.md)** `just integration ` +- [x] **[Integration Tests:](integration.md)** `just test-run ` - Run simple CLI commands to ensure no logs are raised. - Uses the [bats](https://github.com/bats-core/bats-core) test system. - Run in the Github Action as well as in all local [test VM](vm.md). diff --git a/docs/development/workflow.md b/docs/development/workflow.md index 7737e3775..786d77c93 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -57,7 +57,7 @@ profile foo @{exec_path} { ## Development Install -It is not recommended installing the full project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`). +It is not recommended installing the full project *"manually"* (with `just complain`, `sudo just install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`). Instead, install an individual profile or the development package, the following way. @@ -66,25 +66,25 @@ Instead, install an individual profile or the development package, the following === ":material-arch: Archlinux" ```sh - make pkg + just pkg ``` === ":material-ubuntu: Ubuntu" ```sh - make dpkg + just dpkg ``` === ":material-debian: Debian" ```sh - make dpkg + just dpkg ``` === ":simple-suse: openSUSE" ```sh - make rpm + just rpm ``` === ":material-docker: Docker" @@ -102,7 +102,7 @@ Instead, install an individual profile or the development package, the following **Format** ```sh -make dev name= +just dev ``` **Exampe** @@ -110,7 +110,7 @@ make dev name= : Testing the profile `pass` ``` - make dev name=pass + just dev pass ``` This: diff --git a/docs/enforce.md b/docs/enforce.md index 692cbd1e3..51eec0980 100644 --- a/docs/enforce.md +++ b/docs/enforce.md @@ -13,50 +13,56 @@ The default package configuration installs all profiles in *complain* mode. This === ":material-arch: Archlinux" - In the `PKGBUILD`, replace `make` by `make enforce`: + In the `PKGBUILD`, replace `just complain` by `just enforce`: ```diff - - make DISTRIBUTION=arch - + make enforce DISTRIBUTION=arch + - just complain + + just enforce ``` - Then, build the package with: `make pkg` + Then, build the package with: `just pkg` === ":material-ubuntu: Ubuntu" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just enforce`: - ```make - override_dh_auto_build: - make enforce + ```diff + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just enforce ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":material-debian: Debian" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just enforce`: - ```make - override_dh_auto_build: - make enforce + ```diff + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just enforce ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":simple-suse: openSUSE" - In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build enforce` + In `dists/apparmor.d.spec`, replace `just complain` by `just enforce`: ```diff - - %make_build - + %make_build enforce + %build + - just complain + %build + + just enforce ``` - Then, build the package with: `make rpm` + Then, build the package with: `just rpm` === ":material-home: Partial Install" - Use the `make enforce` command to build instead of `make` + Use the `just enforce` command to build instead of `just complain` [aur]: https://aur.archlinux.org/packages/apparmor.d-git diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index b523a1c38..a5ac57f11 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -35,7 +35,7 @@ Particularly: ## Installation -This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. +This feature is only enabled when the project is built with `just fsp`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. In `/etc/apparmor/parser.conf` ensure you have: ``` @@ -46,51 +46,57 @@ Optimize=compress-fast === ":material-arch: Archlinux" - In `PKGBUILD`, replace `make` by `make fsp`: + In `PKGBUILD`, replace `just complain` by `just fsp-complain`: ```diff - - make - + make fsp + - just complain + + just fsp-complain ``` - Then, build the package with: `make pkg` + Then, build the package with: `just pkg` === ":material-ubuntu: Ubuntu" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just fsp-complain`: ```make - override_dh_auto_build: - make fsp + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just fsp-complain ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":material-debian: Debian" - In `debian/rules`, add the following lines: + In `debian/rules`, replace `just complain` by `just fsp-complain`: ```make - override_dh_auto_build: - make fsp + override_dh_auto_build: + - just complain + override_dh_auto_build: + + just fsp-complain ``` - Then, build the package with: `make dpkg` + Then, build the package with: `just dpkg` === ":simple-suse: openSUSE" - In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build fsp` + In `dists/apparmor.d.spec`, replace `just complain` by `just fsp-complain`: ```diff - - %make_build - + %make_build fsp + %build + - just complain + %build + + just fsp-complain ``` - Then, build the package with: `make rpm` + Then, build the package with: `just rpm` === ":material-home: Partial Install" - Use the `make fsp` command to build instead of `make` + Use the `just fsp-complain` command to build instead of `just complain` ## Structure diff --git a/docs/install.md b/docs/install.md index a18185fbf..416ad0f15 100644 --- a/docs/install.md +++ b/docs/install.md @@ -84,7 +84,7 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + just dpkg ``` !!! warning @@ -110,19 +110,26 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + just dpkg ``` !!! note - You may need golang from the backports repository to build: + **Debian 12 user will need to:** + 1. Install Golang from the backports repository: ```sh echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list sudo apt update sudo apt install -t bookworm-backports golang-go ``` + 2. Install [just](https://github.com/casey/just) locally, and ignore the dependence. E.g: + ```sh + pipx install rust-just + sed '/just/d' -i debian/control + ``` + !!! warning **Beware**: do not install a `.deb` made for Ubuntu on Debian as the packages are different. @@ -144,15 +151,15 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. ```sh - make - sudo make profile-names... + just complain + sudo just local profile-names... ``` !!! warning Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) - For instance, `sudo make pass` gives: + For instance, `sudo just local pass` gives: ```sh Warning: profile dependencies fallback to unconfined. @{bin}/wl-{copy,paste} rPx, diff --git a/tests/check.sh b/tests/check.sh index 708b2fe99..f00d8aec1 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -3,7 +3,7 @@ # Copyright (C) 2024-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Usage: make check +# Usage: just check # shellcheck disable=SC2044 set -eu -o pipefail diff --git a/tests/cloud-init/archlinux-cosmic.user-data.yml b/tests/cloud-init/archlinux-cosmic.user-data.yml index be623e625..9ed6c1d92 100644 --- a/tests/cloud-init/archlinux-cosmic.user-data.yml +++ b/tests/cloud-init/archlinux-cosmic.user-data.yml @@ -10,6 +10,7 @@ packages: # Install usefull core packages - bash-completion + - just - git - htop - man diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index 54329bfb8..5bab9bf08 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -11,6 +11,7 @@ packages: # Install usefull core packages - bash-completion - git + - just - htop - man - pass diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml index 1adf2b6eb..57c633678 100644 --- a/tests/cloud-init/opensuse.yml +++ b/tests/cloud-init/opensuse.yml @@ -9,7 +9,7 @@ core-packages: &core-packages - go - golang-packaging - htop - - make + - just - rpmbuild - rsync - vim diff --git a/tests/packer/src/aa-update b/tests/packer/src/aa-update index 48267d2f0..bdbd6ed00 100644 --- a/tests/packer/src/aa-update +++ b/tests/packer/src/aa-update @@ -13,15 +13,15 @@ DISTRIBUTION="$(_lsb_release)" cd "$HOME/Projects/apparmor.d" case "$DISTRIBUTION" in arch) - make pkg + just pkg ;; debian | ubuntu | whonix) sudo rm -rf debian/.debhelper/ - make dpkg + just dpkg sudo rm -rf debian/.debhelper/ ;; opensuse*) - make rpm + just rpm ;; *) ;; esac From 94bae18c2cabb0bfc88fb13fd3db794032e817ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:31:14 +0200 Subject: [PATCH 346/798] build: justfile: simplify test orchestration. --- Justfile | 31 +++++++------- docs/development/integration.md | 36 +++++++++++++++-- docs/development/vm.md | 72 ++++++++++++++++++--------------- docs/install.md | 1 + 4 files changed, 87 insertions(+), 53 deletions(-) diff --git a/Justfile b/Justfile index 7a84af1be..13a4a2d9e 100644 --- a/Justfile +++ b/Justfile @@ -284,6 +284,18 @@ destroy dist flavor: ssh dist flavor: @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` +[group('vm')] +[doc('Mount the shared directory on the machine')] +mount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' + +[group('vm')] +[doc('Unmout the shared directory on the machine')] +umount dist flavor: + @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' + [group('vm')] [doc('List the machines')] list: @@ -324,7 +336,6 @@ available: } ' - [group('tests')] [doc('Install dependencies for the integration tests')] init: @@ -349,30 +360,18 @@ tests-sync dist flavor: [group('tests')] [doc('Re-synchronize the integration tests (machine)')] -tests-resync dist flavor: (tests-mount dist flavor) \ +tests-resync dist flavor: (mount dist flavor) \ (tests-sync dist flavor) \ - (tests-umount dist flavor) - -[group('tests')] -[doc('Unmout the integration tests (machine)')] -tests-umount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ - sudo umount /home/{{username}}/Projects/apparmor.d + (umount dist flavor) [group('tests')] [doc('Run the integration tests (machine)')] -tests-run dist flavor name="": +tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ TERM=xterm \ bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} -[group('tests')] -[doc('Mount integration tests (machine)')] -tests-mount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ - sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4 - [private] get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ diff --git a/docs/development/integration.md b/docs/development/integration.md index de60c8c47..b5c740f78 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md @@ -14,15 +14,43 @@ Although the integration test suite is intended to be run in a [Development VM]( ## Getting started -Prepare the test environment: +**Prepare the test environment:** ```sh just img -just vm +just create ``` -Run the integration tests on the test VM: +Example: ```sh -just integration +just img ubuntu25 desktop +just create ubuntu25 desktop +``` + +**Install dependencies for the integration tests** +```sh +just tests-init +``` + +Example: +```sh +just tests-init ubuntu25 desktop +``` + +**Run the integration tests** + +It: synchronizes the tests, unmount the shared directory, then run the tests. +```sh +just tests-run +``` + +Example: +```sh +just tests-run ubuntu25 desktop +``` + +Partial tests can also be run. For example the following command will only run the tests in the `tests/integration/apt` directory on the `ubuntu25` `desktop` machine: +```sh +just tests-run ubuntu25 desktop apt ``` ## Create integration tests diff --git a/docs/development/vm.md b/docs/development/vm.md index 1edddba76..1091f7d5e 100644 --- a/docs/development/vm.md +++ b/docs/development/vm.md @@ -13,53 +13,59 @@ $ just ``` Available recipes: - help # Show this help message - clean # Remove all build artifacts + help # Show this help message + clean # Remove all build artifacts [build] - build # Build the go programs - enforce # Prebuild the profiles in enforced mode - complain # Prebuild the profiles in complain mode - fsp # Prebuild the profiles in FSP mode - fsp-complain # Prebuild the profiles in FSP mode (complain) - fsp-debug # Prebuild the profiles in FSP mode (debug) + build # Build the go programs + enforce # Prebuild the profiles in enforced mode + complain # Prebuild the profiles in complain mode + fsp # Prebuild the profiles in FSP mode + fsp-complain # Prebuild the profiles in FSP mode (complain) + fsp-debug # Prebuild the profiles in FSP mode (debug) [install] - install # Install prebuild profiles - local +names # Locally install prebuild profiles - dev name # Prebuild, install, and load a dev profile + install # Install prebuild profiles + local +names # Locally install prebuild profiles + dev name # Prebuild, install, and load a dev profile [packages] - pkg # Build & install apparmor.d on Arch based systems - dpkg # Build & install apparmor.d on Debian based systems - rpm # Build & install apparmor.d on OpenSUSE based systems - package dist # Build the package in a clean OCI container + pkg # Build & install apparmor.d on Arch based systems + dpkg # Build & install apparmor.d on Debian based systems + rpm # Build & install apparmor.d on OpenSUSE based systems + package dist # Build the package in a clean OCI container [tests] - tests # Run the unit tests - init dist flavor # Install dependencies for the bats integration tests - integration dist flavor # Run the integration tests on the machine + tests # Run the unit tests + init # Install dependencies for the integration tests + integration # Run the integration tests + tests-init dist flavor # Install dependencies for the integration tests (machine) + tests-sync dist flavor # Synchronize the integration tests (machine) + tests-resync dist flavor # Re-synchronize the integration tests (machine) + tests-run dist flavor name="" # Run the integration tests (machine) [linter] - lint # Run the linters - check # Run style checks on the profiles + lint # Run the linters + check # Run style checks on the profiles [docs] - man # Generate the man pages - docs # Build the documentation - serve # Serve the documentation + man # Generate the man pages + docs # Build the documentation + serve # Serve the documentation [vm] - img dist flavor # Build the VM image - create dist flavor # Create the machine - up dist flavor # Start a machine - halt dist flavor # Stops the machine - reboot dist flavor # Reboot the machine - destroy dist flavor # Destroy the machine - ssh dist flavor # Connect to the machine - list # List the machines - images # List the VM images - available # List the VM images that can be created + img dist flavor # Build the VM image + create dist flavor # Create the machine + up dist flavor # Start a machine + halt dist flavor # Stops the machine + reboot dist flavor # Reboot the machine + destroy dist flavor # Destroy the machine + ssh dist flavor # Connect to the machine + mount dist flavor # Mount the shared directory on the machine + umount dist flavor # Unmout the shared directory on the machine + list # List the machines + images # List the VM images + available # List the VM images that can be created See https://apparmor.pujol.io/development/ for more information. ``` diff --git a/docs/install.md b/docs/install.md index 416ad0f15..ee18e7819 100644 --- a/docs/install.md +++ b/docs/install.md @@ -37,6 +37,7 @@ The following desktop environments are supported: **Build dependency** * Go >= 1.23 +* [just](https://github.com/casey/just) ## Configure AppArmor From 5adc29087031c8f63930434d5e50a1fca5670089 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:54:40 +0200 Subject: [PATCH 347/798] fix(profile): fixes some issues raised by tests. --- apparmor.d/abstractions/base.d/complete | 1 + apparmor.d/groups/utils/lsfd | 38 ++++++++++++++++--------- apparmor.d/groups/utils/lsipc | 2 ++ apparmor.d/profiles-m-r/mkinitramfs | 16 +++++------ 4 files changed, 35 insertions(+), 22 deletions(-) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index ecfe09bb5..ad3945eb9 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -10,6 +10,7 @@ # Allow to receive some signals from new well-known profiles signal (receive) peer=btop, signal (receive) peer=htop, + signal (receive) peer=pkill, signal (receive) peer=sudo, signal (receive) peer=top, signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd index 6b30f63a9..96e497ea6 100644 --- a/apparmor.d/groups/utils/lsfd +++ b/apparmor.d/groups/utils/lsfd @@ -11,15 +11,25 @@ profile lsfd @{exec_path} flags=(attach_disconnected) { include include + capability bpf, capability checkpoint_restore, capability dac_read_search, + capability net_admin, capability sys_admin, + capability sys_chroot, capability sys_ptrace, capability sys_resource, capability syslog, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 raw, + network inet6 stream, + network inet6 stream, network netlink dgram, network netlink raw, + network packet dgram, ptrace read, ptrace trace, @@ -38,20 +48,20 @@ profile lsfd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/cpu_byteorder r, - @{PROC}/ r, - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/net/* r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/devices r, - @{PROC}/misc r, - @{PROC}/partitions r, - @{PROC}/tty/drivers r, - owner @{PROC}/@{pid}/syscall r, + @{PROC}/ r, + @{PROC}/@{pid}/ r, + @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/net/* r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/syscall r, + @{PROC}/@{pid}/task/ r, + @{PROC}/devices r, + @{PROC}/misc r, + @{PROC}/partitions r, + @{PROC}/tty/drivers r, include if exists } diff --git a/apparmor.d/groups/utils/lsipc b/apparmor.d/groups/utils/lsipc index 12c8d333c..7677a8a03 100644 --- a/apparmor.d/groups/utils/lsipc +++ b/apparmor.d/groups/utils/lsipc @@ -27,6 +27,8 @@ profile lsipc @{exec_path} { @{PROC}/sysvipc/sem r, @{PROC}/sysvipc/shm r, + /dev/mqueue/ r, + include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index df76eb4ad..a7f046c55 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -93,14 +93,14 @@ profile mkinitramfs @{exec_path} { owner /var/lib/kdump/initramfs-tools/** rw, owner /var/lib/kdump/initrd.* rw, - /var/tmp/ r, - /var/tmp/mkinitramfs_@{rand6}/** w, - /var/tmp/modules_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6} rw, - owner /var/tmp/mkinitramfs_@{rand6}/ rw, - owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, - owner /var/tmp/mkinitramfs-@{rand6} rw, - owner /var/tmp/mkinitramfs-*_@{rand6} rw, + /var/tmp/ r, + /var/tmp/mkinitramfs_@{rand6}/** w, + /var/tmp/modules_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6} rw, + /var/tmp/mkinitramfs_@{rand6}/ rw, + /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, + /var/tmp/mkinitramfs-@{rand6} rw, + /var/tmp/mkinitramfs-*_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, From cd15178c81789c4bd65cc2c370d9a3ed893186a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 22 Jul 2025 23:55:46 +0200 Subject: [PATCH 348/798] tests(check): globally ignore check in commented lines. --- tests/check.sh | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index f00d8aec1..977846e62 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -70,6 +70,18 @@ _check() { continue fi + # Style check + if [[ $line_number -lt 10 ]]; then + _check_header + fi + _check_tabs + _check_trailing + _check_indentation + _check_vim + + # The following checks do not apply to comment lines + [[ "$line" =~ ^[[:space:]]*# ]] && continue + # Rules checks _check_abstractions _check_directory_mark @@ -84,15 +96,6 @@ _check() { _check_profile _check_subprofiles - # Style check - if [[ $line_number -lt 10 ]]; then - _check_header - fi - _check_tabs - _check_trailing - _check_indentation - _check_vim - done <"$file" # Results @@ -139,7 +142,6 @@ _check_directory_mark() { for pattern in "${DIRECTORIES[@]}"; do if [[ "$line" == *"$pattern"* ]]; then [[ "$line" == *'='* ]] && continue - [[ "$line" =~ ^[[:space:]]*# ]] && continue if [[ ! "$line" == *"$pattern/"* ]]; then _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" fi From 2721cf6253dda72a37ab644ac78ca338496f3636 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 23 Jul 2025 00:59:12 +0200 Subject: [PATCH 349/798] build: ensure just compatibility with ubuntu 24.04 --- .github/workflows/main.yml | 12 ++++++++---- .gitlab-ci.yml | 2 +- docs/install.md | 11 ++++++++++- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a3d7b3266..bcb817338 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -11,8 +11,8 @@ jobs: - name: Install linter dependencies run: | - sudo apt-get update -q - sudo apt-get install -y just + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Run basic profile linter check run: | @@ -37,7 +37,9 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ devscripts debhelper config-package-dev \ - auditd apparmor-profiles apparmor-utils just + auditd apparmor-profiles apparmor-utils + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real - name: Build the apparmor.d package @@ -100,7 +102,9 @@ jobs: sudo apt-get update -q sudo apt-get install -y \ apparmor-profiles apparmor-utils \ - bats bats-support just + bats bats-support + pipx install rust-just + echo "$HOME/.local/bin" >> $GITHUB_PATH - name: Install apparmor.d run: | diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7b4c13519..c07695b25 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -146,7 +146,7 @@ preprocess-archlinux: preprocess-debian: stage: preprocess - image: debian + image: debian:trixie dependencies: - debian script: diff --git a/docs/install.md b/docs/install.md index ee18e7819..a56599c22 100644 --- a/docs/install.md +++ b/docs/install.md @@ -37,7 +37,7 @@ The following desktop environments are supported: **Build dependency** * Go >= 1.23 -* [just](https://github.com/casey/just) +* [just](https://github.com/casey/just) >= 1.40.0 ## Configure AppArmor @@ -88,6 +88,15 @@ echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf just dpkg ``` + !!! note + + **Ubuntu 24.04 user will need to:** + + Install [just](https://github.com/casey/just). E.g: + ```sh + pipx install rust-just + ``` + !!! warning **Beware**: do not install a `.deb` made for Debian on Ubuntu as the packages are different. From 3db6d073599294d278b3b21c4a7304e5e754a6cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 23 Jul 2025 01:03:40 +0200 Subject: [PATCH 350/798] fix(test): running integration tests in ci. --- Justfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Justfile b/Justfile index 13a4a2d9e..db23ad587 100644 --- a/Justfile +++ b/Justfile @@ -344,7 +344,7 @@ init: [group('tests')] [doc('Run the integration tests')] integration: - bats --recursive --pretty --timing --print-output-on-failure tests/integration + TERM=xterm bats --recursive --pretty --timing --print-output-on-failure tests/integration [group('tests')] [doc('Install dependencies for the integration tests (machine)')] @@ -368,7 +368,6 @@ tests-resync dist flavor: (mount dist flavor) \ [doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ - TERM=xterm \ bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} From 9c55d62b85c4d806b33813993d5831c8c3d3b72b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 25 Jul 2025 00:56:31 +0200 Subject: [PATCH 351/798] fix: small ci fixes. --- Justfile | 2 +- apparmor.d/groups/apt/dpkg-preconfigure | 2 +- apparmor.d/groups/apt/dpkg-script-linux | 2 ++ apparmor.d/groups/apt/dpkg-scripts | 6 ++---- apparmor.d/profiles-g-l/gtk-update-icon-cache | 2 ++ apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/ucfr | 7 ++++--- 7 files changed, 13 insertions(+), 10 deletions(-) diff --git a/Justfile b/Justfile index db23ad587..e640a5a98 100644 --- a/Justfile +++ b/Justfile @@ -344,7 +344,7 @@ init: [group('tests')] [doc('Run the integration tests')] integration: - TERM=xterm bats --recursive --pretty --timing --print-output-on-failure tests/integration + bats --recursive --timing --print-output-on-failure tests/integration [group('tests')] [doc('Install dependencies for the integration tests (machine)')] diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index 66131c6e7..2e32af979 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -36,7 +36,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/stty ix, @{bin}/tr ix, @{bin}/uniq ix, - @{bin}/which{,.debianutils} ix, + @{bin}/which{,.debianutils} rix, @{bin}/apt-extracttemplates Px, @{bin}/dpkg Px -> child-dpkg, diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index 24c6c74df..b294b928b 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -43,6 +43,8 @@ profile dpkg-script-linux @{exec_path} { include include + capability net_admin, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 5743ab904..b262040f7 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -62,10 +62,8 @@ profile dpkg-scripts @{exec_path} { @{bin}/ r, @{bin}/* w, @{lib}/ r, - @{lib}/@{python_name}/**/__pycache__/ w, - @{lib}/@{python_name}/**/__pycache__/**.pyc w, - @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w, - @{lib}/modules/*/.fresh-install w, + @{lib}/** w, + /opt/*/** rw, /etc/ r, /etc/** rw, diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache index b1a6779ae..b709511e2 100644 --- a/apparmor.d/profiles-g-l/gtk-update-icon-cache +++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache @@ -12,6 +12,8 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) { include include + capability fowner, + @{exec_path} mr, @{system_share_dirs}/icons/{,**/} r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 9e459f261..59f2d40aa 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -14,7 +14,7 @@ profile ucf @{exec_path} { include include - @{exec_path} r, + @{exec_path} rix, @{sh_path} rix, @{bin}/{,e}grep rix, diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr index add5c5b64..4cc149a28 100644 --- a/apparmor.d/profiles-s-z/ucfr +++ b/apparmor.d/profiles-s-z/ucfr @@ -9,18 +9,19 @@ include @{exec_path} = @{bin}/ucfr profile ucfr @{exec_path} { include + include @{exec_path} mr, @{sh_path} r, - @{bin}/basename ix, + @{bin}/{,e}grep ix, @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/dirname ix, @{bin}/getopt ix, - @{bin}/{,e}grep ix, @{bin}/id ix, @{bin}/readlink ix, @{bin}/sed ix, - @{bin}/dirname ix, /usr/share/ucf/{,**} r, From 031e1b2b0764c5a81d67f10295405a454a7e641f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 16:54:02 +0200 Subject: [PATCH 352/798] feat: apply new linter recommendations. --- apparmor.d/abstractions/app/open | 2 +- apparmor.d/abstractions/ibus.d/complete | 4 ++-- apparmor.d/groups/cron/cron-debtags | 4 ++-- apparmor.d/groups/filesystem/udiskie-info | 3 ++- apparmor.d/groups/filesystem/udiskie-mount | 3 ++- apparmor.d/groups/filesystem/udiskie-umount | 3 ++- apparmor.d/groups/gnome/gdm-session-worker | 6 +++--- apparmor.d/groups/gpg/gpgsm | 4 ++-- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/pacman/archlinux-java | 2 +- apparmor.d/groups/pacman/paccache | 2 +- apparmor.d/groups/pacman/pacman-hook-dconf | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 4 ++-- apparmor.d/groups/pacman/pacman-hook-fontconfig | 2 +- apparmor.d/groups/pacman/pacman-hook-gio | 4 ++-- apparmor.d/groups/pacman/pacman-hook-gtk | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove | 2 +- apparmor.d/groups/pacman/pacman-key | 4 ++-- apparmor.d/groups/procps/sysctl | 2 +- apparmor.d/groups/systemd/systemd-binfmt | 3 ++- apparmor.d/groups/systemd/systemd-sysctl | 2 +- apparmor.d/groups/systemd/systemd-sysusers | 2 +- apparmor.d/groups/systemd/systemd-tmpfiles | 4 ++-- apparmor.d/groups/ubuntu/apt_news | 2 +- apparmor.d/groups/ubuntu/esm_cache | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/virt/containerd-shim-runc-v2 | 4 ++-- apparmor.d/groups/virt/dockerd | 4 ++-- apparmor.d/profiles-a-f/aspell | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 4 ++-- apparmor.d/profiles-g-l/gajim | 2 +- apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/hardinfo | 7 +++---- apparmor.d/profiles-g-l/hwinfo | 4 ++-- apparmor.d/profiles-g-l/ip | 4 ++-- apparmor.d/profiles-g-l/kmod | 2 +- apparmor.d/profiles-m-r/mkinitramfs | 5 +++-- apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 6 +++--- apparmor.d/profiles-m-r/pcb-gtk | 2 +- apparmor.d/profiles-m-r/resolvconf | 2 +- 43 files changed, 67 insertions(+), 63 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 2a43affcf..9d0da2199 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -36,7 +36,7 @@ /etc/xdg/menus/ r, - owner @{run}/user//@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 5c53b9fa1..8132d38a9 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -15,11 +15,11 @@ # peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"), unix (connect, receive, send) type=stream - peer=(addr="@/home/*/.cache/ibus/dbus-????????"), + peer=(addr="@/home/*/.cache/ibus/dbus-????????"), #aa:lint ignore unix (connect, send, receive, accept, bind, listen) type=stream - addr="@/home/*/.cache/ibus/dbus-????????", + addr="@/home/*/.cache/ibus/dbus-????????", #aa:lint ignore dbus receive bus=session path=/org/freedesktop/IBus interface=org.freedesktop.DBus.Peer diff --git a/apparmor.d/groups/cron/cron-debtags b/apparmor.d/groups/cron/cron-debtags index 3e6c182a7..ea9086948 100644 --- a/apparmor.d/groups/cron/cron-debtags +++ b/apparmor.d/groups/cron/cron-debtags @@ -12,9 +12,9 @@ profile cron-debtags @{exec_path} { include @{exec_path} r, - @{sh_path} rix, - /usr/bin/debtags rPx, + @{sh_path} rix, + @{bin}/debtags rPx, include if exists } diff --git a/apparmor.d/groups/filesystem/udiskie-info b/apparmor.d/groups/filesystem/udiskie-info index 0b39fd3dc..b59b91472 100644 --- a/apparmor.d/groups/filesystem/udiskie-info +++ b/apparmor.d/groups/filesystem/udiskie-info @@ -15,7 +15,8 @@ profile udiskie-info @{exec_path} { @{exec_path} r, @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/filesystem/udiskie-mount b/apparmor.d/groups/filesystem/udiskie-mount index 0513a8c35..3ec9e422a 100644 --- a/apparmor.d/groups/filesystem/udiskie-mount +++ b/apparmor.d/groups/filesystem/udiskie-mount @@ -15,7 +15,8 @@ profile udiskie-mount @{exec_path} { @{exec_path} r, @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/filesystem/udiskie-umount b/apparmor.d/groups/filesystem/udiskie-umount index cf147b875..01271bdc6 100644 --- a/apparmor.d/groups/filesystem/udiskie-umount +++ b/apparmor.d/groups/filesystem/udiskie-umount @@ -15,7 +15,8 @@ profile udiskie-umount @{exec_path} { @{exec_path} r, @{python_path} r, - /usr/bin/ r, + @{bin}/ r, + @{sbin}/ r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index a5dac16fa..2e4a44c4e 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -100,9 +100,9 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner /.fscrypt/protectors/@{hex16} r, /home/ r, - /home/.fscrypt/policies/ r, - owner /home/.fscrypt/policies/@{hex32} r, - owner /home/.fscrypt/protectors/@{hex16}.link r, + /home/.fscrypt/policies/ r, #aa:lint ignore + owner /home/.fscrypt/policies/@{hex32} r, #aa:lint ignore + owner /home/.fscrypt/protectors/@{hex16}.link r, #aa:lint ignore owner @{HOME}/.pam_environment r, diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm index bfa71cf53..2ef1a9d4a 100644 --- a/apparmor.d/groups/gpg/gpgsm +++ b/apparmor.d/groups/gpg/gpgsm @@ -23,11 +23,11 @@ profile gpgsm @{exec_path} { /etc/gcrypt/hwf.deny r, - deny /usr/bin/.gnupg/ w, + owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, - owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, + deny @{bin}/.gnupg/ w, include if exists } diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index ba7956438..e671d32fb 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -26,7 +26,7 @@ profile grub-multi-install @{exec_path} { @{bin}/udevadm rPx, /usr/share/debconf/frontend rix, - /usr/lib/terminfo/x/xterm-256color r, + @{lib}/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, /boot/grub/grub.cfg rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 396f256cc..143df5c9e 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -114,7 +114,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{etc_ro}/sddm/Xsession rPx, @{etc_ro}/X11/xdm/Xsession rPx, - /usr/etc/X11/xdm/Xsetup rix, + @{etc_ro}/X11/xdm/Xsetup rix, /usr/share/sddm/scripts/wayland-session rix, /usr/share/sddm/scripts/Xsession rix, /usr/share/sddm/scripts/Xsetup rix, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 9573d7044..735154b7e 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -30,7 +30,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { network netlink raw, network netlink dgram, - mount fstype=cgroup -> /sys/fs/cgroup/net_cls/, + mount fstype=cgroup -> @{sys}/fs/cgroup/net_cls/, @{exec_path} mr, diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index fe83e168d..38cd95d0a 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -14,8 +14,8 @@ profile archlinux-java @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/dirname rix, @{bin}/find rix, @{bin}/id rix, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 8bf1aed6a..8331951e7 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -16,8 +16,8 @@ profile paccache @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, - @{bin}/bash rix, @{bin}/cat rix, @{bin}/gettext rix, @{bin}/gpg{,2} rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index b5a330d75..c49eb08e9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -14,7 +14,7 @@ profile pacman-hook-dconf @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rm rix, @{bin}/dconf rPx, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index ce41d6ae8..0dae14351 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -14,13 +14,13 @@ profile pacman-hook-depmod @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/kmod rPx, @{bin}/rm rix, @{bin}/rmdir rix, - /usr/lib/modules/*/{,**} rw, + @{lib}/modules/*/{,**} rw, /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index de0d33e16..3b29e01ea 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -14,7 +14,7 @@ profile pacman-hook-fontconfig @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/ln rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index 5aa612a3c..17218158e 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -14,14 +14,14 @@ profile pacman-hook-gio @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rmdir rix, @{bin}/gio-querymodules rPx, @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} rw, @{lib}/gtk-{3,4}.0/**/*/ rw, - /usr/lib/gio/modules/ rw, + @{lib}/gio/modules/ rw, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index ce7b931ca..e6aa28627 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -14,7 +14,7 @@ profile pacman-hook-gtk @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/rm rix, @{bin}/rmdir rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index a9bf40360..68c958f4b 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -16,7 +16,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/cmp rix, @{bin}/compgen rix, @{bin}/env rix, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 7c0006153..d30cf1342 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -15,7 +15,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/cmp rix, @{bin}/mv rix, @{bin}/rm rix, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 9e3bde188..1e1204c27 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -16,9 +16,9 @@ profile pacman-key @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/{m,g,}awk rix, @{bin}/basename rix, - @{bin}/bash rix, @{bin}/chmod rix, @{bin}/gettext rix, @{bin}/gpg{,2} rCx -> &gpg, @@ -60,7 +60,7 @@ profile pacman-key @{exec_path} { /etc/pacman.d/gnupg/ rw, /etc/pacman.d/gnupg/** rwkl, - @{HOME}/.gnupg/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/procps/sysctl b/apparmor.d/groups/procps/sysctl index 3131befeb..9275c7054 100644 --- a/apparmor.d/groups/procps/sysctl +++ b/apparmor.d/groups/procps/sysctl @@ -22,7 +22,7 @@ profile sysctl @{exec_path} { /etc/sysctl.conf r, /etc/sysctl.d/{,**} r, - /usr/lib/sysctl.d/{,**} r, + @{lib}/sysctl.d/{,**} r, /etc/ufw/sysctl.conf r, # Add support for ufw diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index d34bbe4cb..5e3406ea9 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -16,11 +16,12 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/* r, + @{sbin}/* r, # Config file locations /etc/binfmt.d/{,*.conf} r, @{run}/binfmt.d/{,*.conf} r, - /usr/lib/binfmt.d/{,*.conf} r, + @{lib}/binfmt.d/{,*.conf} r, @{PROC}/sys/fs/binfmt_misc/register w, @{PROC}/sys/fs/binfmt_misc/status w, diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index 454105011..87e0ede5c 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -25,7 +25,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { @{run}/sysctl.d/{,*.conf} r, /etc/sysctl.conf r, /etc/sysctl.d/{,*.conf} r, - /usr/lib/sysctl.d/{,*.conf} r, + @{lib}/sysctl.d/{,*.conf} r, @{PROC}/sys/** rw, diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 254faeca0..2d250f63c 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -25,7 +25,7 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/sysusers.d/{,*.conf} r, @{run}/sysusers.d/{,*.conf} r, - /usr/lib/sysusers.d/{,*.conf} r, + @{lib}/sysusers.d/{,*.conf} r, # Where the users can be created, /home/{,*} rw, diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index e37073f47..0e1e404ab 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -30,7 +30,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { # Config file locations /etc/tmpfiles.d/{,*.conf} r, @{run}/tmpfiles.d/{,*.conf} r, - /usr/lib/tmpfiles.d/{,*.conf} r, + @{lib}/tmpfiles.d/{,*.conf} r, @{user_config_dirs}/user-tmpfiles.d/{,*.conf} r, @{run}/user/@{uid}/user-tmpfiles.d/{,*.conf} r, @{user_share_dirs}/user-tmpfiles.d/{,*.conf} r, @@ -42,7 +42,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) { /etc/{,**} rw, /home/ rw, /opt/{,**} rw, - /run/{,**} rw, + @{run}/{,**} rw, /srv/{,**} rw, /tmp/{,**} rwk, /usr/{,**} rw, diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index faf15dfbe..7f4e8fbe2 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/lib/ubuntu-advantage/apt_news.py +@{exec_path} = @{lib}/ubuntu-advantage/apt_news.py profile apt_news @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/ubuntu/esm_cache b/apparmor.d/groups/ubuntu/esm_cache index 2596d6c12..53238564a 100644 --- a/apparmor.d/groups/ubuntu/esm_cache +++ b/apparmor.d/groups/ubuntu/esm_cache @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/lib/ubuntu-advantage/esm_cache.py +@{exec_path} = @{lib}/ubuntu-advantage/esm_cache.py profile esm_cache @{exec_path} { include include diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index dc67817ed..a5b65f5b3 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -37,7 +37,7 @@ profile subiquity-console-conf @{exec_path} { @{bin}/ssh-keygen rPx, @{sbin}/sshd rPx, @{bin}/snap rPUx, - /usr/lib/snapd/snap-recovery-chooser rPUx, + @{lib}/snapd/snap-recovery-chooser rPUx, /usr/share/netplan/netplan.script rPx, /usr/share/subiquity/{,**} r, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 61898a3e4..04b355a48 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -25,8 +25,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { signal (send) set=kill peer=cri-containerd.apparmor.d, signal (receive) set=kill peer=containerd, - mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, - umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + mount -> @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, + umount @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, @{exec_path} mrix, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index c21fa2788..c57f7a9f8 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -38,7 +38,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { mount /tmp/containerd-mount@{int}/, mount /var/lib/docker/**/, - mount options=(rw bind) -> /run/docker/netns/*, + mount options=(rw bind) -> @{run}/docker/netns/*, mount options=(rw rprivate) -> /.pivot_root@{int}/, mount options=(rw rslave) -> /, @@ -46,7 +46,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { remount /var/lib/docker/**/, umount /.pivot_root@{int}/, - umount /run/docker/netns/*, + umount @{run}/docker/netns/*, umount /tmp/containerd-mount@{int}/, umount /var/lib/docker/**/, diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell index 16b5b6f6d..629caca10 100644 --- a/apparmor.d/profiles-a-f/aspell +++ b/apparmor.d/profiles-a-f/aspell @@ -16,7 +16,7 @@ profile aspell @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, + @{lib}/aspell/{,*} r, /var/lib/aspell/{,*} r, /var/lib/aspell/*.rws rw, diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index e8a83892a..14feb75df 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -32,8 +32,8 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { /usr/share/aspell/{,*} r, - /usr/lib/aspell/{,*} r, - /usr/lib/aspell/*.rws rw, + @{lib}/aspell/{,*} r, + @{lib}/aspell/*.rws rw, /var/lib/aspell/ r, /var/lib/aspell/* rw, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 1dcdf8042..561e1af61 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -73,7 +73,7 @@ profile gajim @{exec_path} { owner @{user_cache_dirs}/gajim/** rwk, owner @{user_cache_dirs}/farstream/ rw, - owner @{user_cache_dirs}/farstream/codecs.audio.x86_64.cache{,.tmp@{rand6}} rw, + owner @{user_cache_dirs}/farstream/codecs.audio.@{arch}.cache{,.tmp@{rand6}} rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager index 719625dbd..0ad848c50 100644 --- a/apparmor.d/profiles-g-l/gpu-manager +++ b/apparmor.d/profiles-g-l/gpu-manager @@ -20,7 +20,7 @@ profile gpu-manager @{exec_path} { @{bin}/{,e}grep rix, /etc/modprobe.d/{,**} r, - /usr/lib/modprobe.d/{,**} r, + @{lib}/modprobe.d/{,**} r, /var/lib/ubuntu-drivers-common/* rw, diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index b63a9e5ed..5d78a90e3 100644 --- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -58,7 +58,7 @@ profile hardinfo @{exec_path} { @{bin}/netstat rPx, @{bin}/qtchooser rPx, - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/javac rCx -> javac, /usr/share/gdb/python/ r, /usr/share/gdb/python/** r, @@ -132,9 +132,8 @@ profile hardinfo @{exec_path} { include include - @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/* mr, - - @{lib}/jvm/java-[0-9]*-openjdk-amd64/lib/** mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/bin/* mr, + @{lib}/jvm/java-[0-9]*-openjdk-@{arch}/lib/** mr, /etc/java-[0-9]*-openjdk/** r, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 314975208..04a1d8f57 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -13,9 +13,9 @@ profile hwinfo @{exec_path} { include capability net_raw, # Needed for network related options - capability sys_admin, # Needed for /proc/ioports + capability sys_admin, # Needed for @{PROC}/ioports capability sys_rawio, # Needed for disk related options - capability syslog, # Needed for /proc/kmsg + capability syslog, # Needed for @{PROC}/kmsg network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip index bcb521c01..0a27c4b59 100644 --- a/apparmor.d/profiles-g-l/ip +++ b/apparmor.d/profiles-g-l/ip @@ -20,7 +20,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { network netlink raw, - mount fstype=sysfs -> /sys/, + mount fstype=sysfs -> @{sys}, mount options=(rw bind) / -> @{run}/netns/*, mount options=(rw rbind) @{run}/netns/ -> @{run}/netns/, mount options=(rw, bind) @{att}/ -> @{run}/netns/*, @@ -29,7 +29,7 @@ profile ip @{exec_path} flags=(attach_disconnected) { mount options=(rw, rslave) -> /, umount @{run}/netns/*, - umount /sys/, + umount @{sys}, @{exec_path} mrix, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index a793bf707..5099c53f3 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -74,7 +74,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { /etc/sysctl.conf r, /etc/sysctl.d/{,**} r, - /usr/lib/sysctl.d/{,**} r, + @{lib}/sysctl.d/{,**} r, include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index a7f046c55..7d1394e2a 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -69,10 +69,11 @@ profile mkinitramfs @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/linux-version rPx, - /usr/share/initramfs-tools/hooks/** rPx, - /usr/share/initramfs-tools/scripts/** rPx, + @{lib}/initramfs-tools/hooks/** rPx, /etc/initramfs-tools/hooks/** rPx, /etc/initramfs-tools/scripts/** rPx, + /usr/share/initramfs-tools/hooks/** rPx, + /usr/share/initramfs-tools/scripts/** rPx, /usr/share/initramfs-tools/{,**} r, /etc/initramfs-tools/{,**} r, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index d75301fc6..a8189694e 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -19,14 +19,14 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{sbin}/iucode_tool rix, /usr/share/misc/ r, - /usr/share/misc/amd64-microcode* r, + /usr/share/misc/amd-microcode* r /usr/share/misc/intel-microcode* r, - /etc/default/amd64-microcode r, + /etc/default/amd-microcode r, /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, - /boot/amd64-ucode.img r, + /boot/amd-ucode.img r, /boot/intel-ucode.img r, /boot/early_ucode.cpio r, diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index 2f057f2a7..2923f70cd 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -20,7 +20,7 @@ profile pcb-gtk @{exec_path} { /usr/share/pcb/ListLibraryContents.sh rix, - @{bin}/dash rix, + @{sh_path} rix, @{bin}/cat rix, @{bin}/tr rix, diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index a83c867fa..8e39c7620 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -26,7 +26,7 @@ profile resolvconf @{exec_path} { @{bin}/systemctl rCx -> systemctl, @{lib}/resolvconf/list-records rix, - /usr/lib/resolvconf/{,**} r, + @{lib}/resolvconf/{,**} r, @{etc_rw}/resolv.conf.bak rw, @{etc_rw}/resolv.conf rw, From 41fc182860e760ca0f64781568f94a21973cfec3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 17:00:15 +0200 Subject: [PATCH 353/798] fix(test): minor integration tests fixes. --- apparmor.d/groups/apt/dpkg-statoverride | 3 +++ tests/integration/systemd/localectl.bats | 6 +++++- tests/integration/systemd/machinectl.bats | 6 +++--- tests/integration/utils/lspci.bats | 1 + 4 files changed, 12 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride index d2e02f613..804e1675b 100644 --- a/apparmor.d/groups/apt/dpkg-statoverride +++ b/apparmor.d/groups/apt/dpkg-statoverride @@ -9,10 +9,13 @@ include @{exec_path} = @{bin}/dpkg-statoverride profile dpkg-statoverride @{exec_path} flags=(complain) { include + include include @{exec_path} mr, + /var/lib/dpkg/statoverride r, + include if exists } diff --git a/tests/integration/systemd/localectl.bats b/tests/integration/systemd/localectl.bats index 5d82683a2..71dfd2e06 100644 --- a/tests/integration/systemd/localectl.bats +++ b/tests/integration/systemd/localectl.bats @@ -17,7 +17,11 @@ load ../common sudo localectl set-locale LANG=en_US.UTF-8 } +@test "localectl: List available keymaps" { + localectl list-keymaps || true +} + @test "localectl: Set the system keyboard mapping for the console and X11" { - sudo localectl set-keymap uk + sudo localectl set-keymap uk || true } diff --git a/tests/integration/systemd/machinectl.bats b/tests/integration/systemd/machinectl.bats index d9ba38444..18771ae72 100644 --- a/tests/integration/systemd/machinectl.bats +++ b/tests/integration/systemd/machinectl.bats @@ -6,7 +6,7 @@ load ../common @test "importctl: Import an image as a machine" { - sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble + sudo importctl pull-tar --force --class=machine -N https://cloud-images.ubuntu.com/noble/current/noble-server-cloudimg-amd64-root.tar.xz noble || true } @test "machinectl: Display a list of available images" { @@ -14,7 +14,7 @@ load ../common } @test "machinectl: Start a machine as a service using systemd-nspawn" { - sudo machinectl start noble + sudo machinectl start noble || true } @test "machinectl: Display a list of running machines" { @@ -22,5 +22,5 @@ load ../common } @test "machinectl: Stop a running machine" { - sudo machinectl stop noble + sudo machinectl stop noble || true } diff --git a/tests/integration/utils/lspci.bats b/tests/integration/utils/lspci.bats index 1b86dd41f..848b7ef61 100644 --- a/tests/integration/utils/lspci.bats +++ b/tests/integration/utils/lspci.bats @@ -7,6 +7,7 @@ load ../common @test "lspci: Show a brief list of devices" { lspci + sudo lspci } @test "lspci: Display additional info" { From 78c41305fa99e21e2fc05c0fd5880248ca830967 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 17:03:28 +0200 Subject: [PATCH 354/798] tests(check): look for missing tunables. --- tests/check.sh | 54 ++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 50 insertions(+), 4 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 977846e62..e345bb14c 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -89,6 +89,7 @@ _check() { _check_too_wide _check_transition _check_useless + _check_variables # Guidelines check _check_abi @@ -107,7 +108,7 @@ _check() { _res_vim } -# Rules checks: security, compatibility and rule issues +# Rules checks: security, compatibility, and rule issues readonly ABS="abstractions" readonly ABS_DANGEROUS=(dbus dbus-session dbus-system dbus-accessibility user-tmp) @@ -226,6 +227,51 @@ _check_useless() { done } +declare -A VARIABLES_MISSING=( + # User variables + ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/share"]="@{user_share_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/state"]="@{user_state_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/bin"]="@{user_bin_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).local/lib"]="@{user_lib_dirs}" + ["(@\{HOME\}/|/home/[^/]+/).ssh"]="@{HOME}/@{XDG_SSH_DIR}" + ["(@\{HOME\}/|/home/[^/]+/).gnupg"]="@{HOME}/@{XDG_GPG_DIR}" + ["/home/[^/]+/"]="@{HOME}/" + + # System variables + ["/usr/lib(|32|64|exec)"]='@{lib}' + ["/usr/sbin"]='@{sbin}' + ["/usr/bin"]='@{bin}' + ["(x86_64|amd64|i386|i686)"]='@{arch}' + ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' + ["/usr/etc/"]='@{etc_ro}/' + ["/var/run/"]='@{run}/' + ["/run/"]='@{run}/' + ["user/[0-9]*/"]='user/@{uid}/' + ["/tmp/user/[^/]+/"]='@{tmp}/' + ["/sys/"]='@{sys}/' + ["/proc/"]='@{PROC}/' + ["1000"]="@{uid}" + + # Some system glob + [":not.active.yet"]="@{busname}" + [":1.[0-9]*"]="@{busname}" + ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" + ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" +) +_check_variables() { + _is_enabled variables || return 0 + for pattern in "${!VARIABLES_MISSING[@]}"; do + rpattern="$pattern" + [[ "$rpattern" == /* ]] && rpattern=" $rpattern" + if [[ "$line" =~ $rpattern ]]; then + match="${BASH_REMATCH[0]}" + _err issue "$file:$line_number" "variable '${VARIABLES_MISSING[$pattern]}' must be used instead of: $match" + fi + done +} + # Guidelines check: https://apparmor.pujol.io/development/guidelines/ RES_ABI=false @@ -442,7 +488,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent useless transition + abstractions directory_mark equivalent useless transition variables abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -462,7 +508,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide + abstractions directory_mark equivalent too_wide variables abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -483,7 +529,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide + abstractions directory_mark equivalent too_wide variables header tabs trailing indentation vim ) for file in "${files[@]}"; do From dfb07626255518d6f539ef5b13fabdce8ff7faa9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 17:47:02 +0200 Subject: [PATCH 355/798] fix(profile): parer issue. --- apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index a8189694e..3c1c32093 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -19,7 +19,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{sbin}/iucode_tool rix, /usr/share/misc/ r, - /usr/share/misc/amd-microcode* r + /usr/share/misc/amd-microcode* r, /usr/share/misc/intel-microcode* r, /etc/default/amd-microcode r, From c0b43c86b6573b5f3e510f1548585e3a2c94af2e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 22:28:54 +0200 Subject: [PATCH 356/798] tests(check): add support for blocl ignore, handle inline comments. --- apparmor.d/abstractions/common/app | 7 ++- apparmor.d/abstractions/ibus.d/complete | 6 +- apparmor.d/groups/gnome/gdm-session-worker | 7 ++- apparmor.d/groups/virt/dockerd | 2 +- apparmor.d/profiles-g-l/hwinfo | 4 +- tests/check.sh | 69 ++++++++++++++++------ 6 files changed, 65 insertions(+), 30 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 15b730fb2..14106ad81 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -56,11 +56,12 @@ owner @{HOME}/.var/app/** rmix, owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too_wide owner @{user_games_dirs}/** rmix, - owner @{tmp}/** rmwk, #aa:lint ignore - owner /dev/shm/** rwlk -> /dev/shm/**, #aa:lint ignore + #aa:lint ignore=too_wide + owner @{tmp}/** rmwk, + owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner /var/tmp/etilqs_@{sqlhex} rw, diff --git a/apparmor.d/abstractions/ibus.d/complete b/apparmor.d/abstractions/ibus.d/complete index 8132d38a9..3ecd8c36d 100644 --- a/apparmor.d/abstractions/ibus.d/complete +++ b/apparmor.d/abstractions/ibus.d/complete @@ -8,6 +8,7 @@ type=stream peer=(addr="@/tmp/ibus/dbus-????????"), + #aa:lint ignore=tunables # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{user_cache_dirs}) # This should use this, but due to LP: #1856738 we cannot #unix (connect, receive, send) @@ -15,11 +16,10 @@ # peer=(addr="@@{user_cache_dirs}/ibus/dbus-????????"), unix (connect, receive, send) type=stream - peer=(addr="@/home/*/.cache/ibus/dbus-????????"), #aa:lint ignore - + peer=(addr="@/home/*/.cache/ibus/dbus-????????"), unix (connect, send, receive, accept, bind, listen) type=stream - addr="@/home/*/.cache/ibus/dbus-????????", #aa:lint ignore + addr="@/home/*/.cache/ibus/dbus-????????", dbus receive bus=session path=/org/freedesktop/IBus interface=org.freedesktop.DBus.Peer diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 2e4a44c4e..3bab1b134 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -99,10 +99,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /.fscrypt/protectors/ r, owner /.fscrypt/protectors/@{hex16} r, + #aa:lint ignore=tunables /home/ r, - /home/.fscrypt/policies/ r, #aa:lint ignore - owner /home/.fscrypt/policies/@{hex32} r, #aa:lint ignore - owner /home/.fscrypt/protectors/@{hex16}.link r, #aa:lint ignore + /home/.fscrypt/policies/ r, + owner /home/.fscrypt/policies/@{hex32} r, + owner /home/.fscrypt/protectors/@{hex16}.link r, owner @{HOME}/.pam_environment r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index c57f7a9f8..44d9f64a0 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -73,7 +73,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @{sbin}/runc rUx, - @{bin}/runc rUx, #aa:lint ignore + @{bin}/runc rUx, #aa:lint ignore=sbin @{bin}/unpigz rix, @{sbin}/xtables-nft-multi rCx -> nft, @{sbin}/xtables-legacy-multi rCx -> nft, diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo index 04a1d8f57..314975208 100644 --- a/apparmor.d/profiles-g-l/hwinfo +++ b/apparmor.d/profiles-g-l/hwinfo @@ -13,9 +13,9 @@ profile hwinfo @{exec_path} { include capability net_raw, # Needed for network related options - capability sys_admin, # Needed for @{PROC}/ioports + capability sys_admin, # Needed for /proc/ioports capability sys_rawio, # Needed for disk related options - capability syslog, # Needed for @{PROC}/kmsg + capability syslog, # Needed for /proc/kmsg network inet dgram, network inet6 dgram, diff --git a/tests/check.sh b/tests/check.sh index e345bb14c..e593b352a 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -12,6 +12,7 @@ RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) declare WITH_CHECK +declare _check_is_disabled readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } @@ -39,7 +40,17 @@ _in_array() { } _is_enabled() { - _in_array "$1" "${WITH_CHECK[@]}" + local check="$1" + if _in_array "$check" "${WITH_CHECK[@]}"; then + if [[ ${#_check_is_disabled[@]} -eq 0 ]]; then + return 0 + fi + if _in_array "$check" "${_check_is_disabled[@]}"; then + return 1 + fi + return 0 + fi + return 1 } _wait() { @@ -51,13 +62,34 @@ _wait() { fi } +_IGNORE_LINT_BLOCK=false readonly _IGNORE_LINT="#aa:lint ignore" _ignore_lint() { - local line="$1" - if [[ "$line" == *"$_IGNORE_LINT"* ]]; then + local checks line="$1" + + if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then + # Start of an ignore block + _IGNORE_LINT_BLOCK=true + checks="${line#*"$_IGNORE_LINT="}" + read -ra _check_is_disabled <<<"${checks//,/ }" + + elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then + # New paragraph, end of block + _IGNORE_LINT_BLOCK=false + _check_is_disabled=() + + elif [[ $_IGNORE_LINT_BLOCK == true ]]; then + # Nothing to do, we are in a block return 0 + + elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then + # Inline ignore + checks="${line#*"$_IGNORE_LINT="}" + read -ra _check_is_disabled <<<"${checks//,/ }" + + else + _check_is_disabled=() fi - return 1 } _check() { @@ -66,9 +98,7 @@ _check() { while IFS= read -r line; do line_number=$((line_number + 1)) - if _ignore_lint "$line"; then - continue - fi + _ignore_lint "$line" # Style check if [[ $line_number -lt 10 ]]; then @@ -79,8 +109,11 @@ _check() { _check_indentation _check_vim - # The following checks do not apply to comment lines + # The following checks do not apply to commented lines [[ "$line" =~ ^[[:space:]]*# ]] && continue + if [[ "$line" =~ ,[[:space:]]*# ]]; then + line="${line%%#*}" + fi # Rules checks _check_abstractions @@ -89,7 +122,7 @@ _check() { _check_too_wide _check_transition _check_useless - _check_variables + _check_tunables # Guidelines check _check_abi @@ -227,7 +260,7 @@ _check_useless() { done } -declare -A VARIABLES_MISSING=( +declare -A TUNABLES=( # User variables ["(@\{HOME\}/|/home/[^/]+/).cache"]="@{user_cache_dirs}" ["(@\{HOME\}/|/home/[^/]+/).config"]="@{user_config_dirs}" @@ -260,14 +293,14 @@ declare -A VARIABLES_MISSING=( ["(@\{bin\}|/usr/bin)/(|ba|da)sh "]="@{sh_path}" ["@\{lib\}/modules/[^/*]+/"]="@{lib}/modules/*/" ) -_check_variables() { - _is_enabled variables || return 0 - for pattern in "${!VARIABLES_MISSING[@]}"; do +_check_tunables() { + _is_enabled tunables || return 0 + for pattern in "${!TUNABLES[@]}"; do rpattern="$pattern" [[ "$rpattern" == /* ]] && rpattern=" $rpattern" if [[ "$line" =~ $rpattern ]]; then match="${BASH_REMATCH[0]}" - _err issue "$file:$line_number" "variable '${VARIABLES_MISSING[$pattern]}' must be used instead of: $match" + _err issue "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" fi done } @@ -452,7 +485,7 @@ check_sbin() { for name in "${sbin[@]}"; do ( mapfile -t files < <( - grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT)" apparmor.d | + grep --line-number --recursive -P "(^|[[:space:]])@{bin}/$name([[:space:]]|$)(?!.*$_IGNORE_LINT=sbin)" apparmor.d | cut -d: -f1,2 ) for file in "${files[@]}"; do @@ -488,7 +521,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent useless transition variables + abstractions directory_mark equivalent useless transition tunables abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -508,7 +541,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide variables + abstractions directory_mark equivalent too_wide tunables abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -529,7 +562,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide variables + abstractions directory_mark equivalent too_wide tunables header tabs trailing indentation vim ) for file in "${files[@]}"; do From da4f5f8a2c569714011c3996a60e814dbd21e001 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 22:31:57 +0200 Subject: [PATCH 357/798] fix(profile): lspci as root needs sys_admin. Raised by CI. --- apparmor.d/groups/utils/lspci | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index 0ae22a03a..63a2d50ab 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -13,6 +13,8 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include + capability sys_admin, + @{exec_path} mr, /usr/share/hwdata/pci.ids r, From 1d3b58f15ca1bdc7d107fda7950ff32c29d1dc07 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:15:52 +0200 Subject: [PATCH 358/798] tests(check): enable and enfore more checks. --- apparmor.d/abstractions/common/app | 4 +- apparmor.d/groups/apt/deb-systemd-invoke | 2 +- apparmor.d/groups/apt/debsums | 2 +- apparmor.d/groups/apt/dpkg | 3 +- apparmor.d/groups/apt/dpkg-divert | 1 + apparmor.d/groups/apt/dpkg-scripts | 2 + apparmor.d/groups/filesystem/btrfs | 4 +- apparmor.d/groups/filesystem/udisksd | 4 +- apparmor.d/groups/gnome/gdm-generate-config | 13 +++- apparmor.d/groups/gnome/nautilus | 3 +- apparmor.d/groups/grub/grub-editenv | 2 +- apparmor.d/groups/grub/grub-install | 12 ++-- apparmor.d/groups/grub/grub-mkconfig | 4 +- apparmor.d/groups/grub/grub-mkrelpath | 4 +- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/groups/grub/grub-probe | 6 +- apparmor.d/groups/grub/grub-script-check | 2 +- apparmor.d/groups/kde/dolphin | 2 +- apparmor.d/groups/kde/kioworker | 2 +- apparmor.d/groups/pacman/mkinitcpio | 6 +- apparmor.d/groups/pacman/pacdiff | 2 +- apparmor.d/groups/pacman/pacman | 3 +- .../groups/pacman/pacman-hook-mkinitcpio | 10 +-- .../pacman/pacman-hook-mkinitcpio-remove | 6 +- apparmor.d/groups/snap/snap-update-ns | 2 +- apparmor.d/groups/snap/snapd | 4 +- .../systemd-generator-gpt-auto | 3 +- .../systemd-service/grub-common.service | 4 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/utils/fsck | 2 +- apparmor.d/groups/utils/fstrim | 3 +- apparmor.d/groups/xfce/thunar | 2 +- apparmor.d/profiles-a-f/baobab | 2 +- apparmor.d/profiles-a-f/deluser | 1 + apparmor.d/profiles-a-f/dkms | 2 +- apparmor.d/profiles-a-f/dlocate | 2 +- apparmor.d/profiles-a-f/etckeeper | 1 + apparmor.d/profiles-g-l/gpartedbin | 4 +- apparmor.d/profiles-g-l/initd-kexec-load | 2 +- apparmor.d/profiles-g-l/ioping | 2 +- .../profiles-g-l/kconfig-hardened-check | 2 +- apparmor.d/profiles-g-l/kernel | 2 +- apparmor.d/profiles-g-l/kernel-install | 15 ++--- apparmor.d/profiles-g-l/kexec | 2 +- apparmor.d/profiles-g-l/kmod | 2 +- apparmor.d/profiles-g-l/linux-version | 2 +- apparmor.d/profiles-m-r/mkinitramfs | 6 +- .../needrestart-iucode-scan-versions | 6 +- .../needrestart-vmlinuz-get-version | 5 +- apparmor.d/profiles-m-r/os-prober | 6 +- apparmor.d/profiles-m-r/packagekitd | 3 +- .../profiles-s-z/spectre-meltdown-checker | 6 +- apparmor.d/profiles-s-z/ucf | 2 +- apparmor.d/profiles-s-z/unmkinitramfs | 4 +- apparmor.d/profiles-s-z/update-initramfs | 6 +- apparmor.d/profiles-s-z/updatedb-mlocate | 6 +- tests/check.sh | 64 ++++++++++--------- 57 files changed, 148 insertions(+), 130 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 14106ad81..74c82f92a 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -56,10 +56,10 @@ owner @{HOME}/.var/app/** rmix, owner @{HOME}/** rwmlk -> @{HOME}/**, owner @{run}/user/@{uid}/ r, - owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too_wide + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, #aa:lint ignore=too-wide owner @{user_games_dirs}/** rmix, - #aa:lint ignore=too_wide + #aa:lint ignore=too-wide owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index 0994006da..d2e9e9260 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -20,7 +20,7 @@ profile deb-systemd-invoke @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/systemctl rix, + @{bin}/systemctl rix, #aa:lint ignore=transition @{bin}/systemd-tty-ask-password-agent Px, include if exists diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index 6f66426ec..8c0087770 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -37,7 +37,7 @@ profile debsums @{exec_path} { /etc/{,**} r, /var/lib/{,**} r, /opt/{,**} r, - /boot/{,**} r, + @{efi}/{,**} r, /lib*/{,**} r, include if exists diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 53bebdccf..2c1ac1ce5 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -43,10 +43,11 @@ profile dpkg @{exec_path} { # For shell pwd /root/ r, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index 6712b8b7c..e2d386804 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -22,6 +22,7 @@ profile dpkg-divert @{exec_path} { /var/lib/dpkg/diversions-new rw, /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, + #aa:lint ignore=too-wide /etc/** rw, include if exists diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index b262040f7..da5da33a1 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -56,6 +56,7 @@ profile dpkg-scripts @{exec_path} { /etc/** PUx, /usr/share/** PUx, + #aa:lint ignore=too-wide # Maintainer's scripts can update a lot of files / r, /*/ r, @@ -65,6 +66,7 @@ profile dpkg-scripts @{exec_path} { @{lib}/** w, /opt/*/** rw, + #aa:lint ignore=too-wide /etc/ r, /etc/** rw, /usr/share/*/{,**} rw, diff --git a/apparmor.d/groups/filesystem/btrfs b/apparmor.d/groups/filesystem/btrfs index 82742fd4a..40149588d 100644 --- a/apparmor.d/groups/filesystem/btrfs +++ b/apparmor.d/groups/filesystem/btrfs @@ -25,8 +25,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { / r, /.snapshots/ r, - /boot/ r, - /boot/**/ r, + @{efi}/ r, + @{efi}/**/ r, /home/ r, /opt/ r, /root/ r, diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index ab3813973..2ff82f5e4 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -49,7 +49,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount options=(rw move) -> @{MOUNTS}/, mount options=(rw move) -> @{MOUNTS}/*/, - mount fstype=vfat -> /boot/efi/, + mount fstype=vfat -> @{efi}/, # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, @@ -59,7 +59,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, umount @{run}/udisks2/temp-mount-*/, - umount /boot/efi/, + umount @{efi}/, umount /media/cdrom@{int}/, signal receive set=int peer=@{p_systemd}, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 359eeb75f..7240ffaef 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -25,8 +25,8 @@ profile gdm-generate-config @{exec_path} { @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rix, - @{bin}/pkill rix, + @{bin}/pgrep rCx -> pgrep, + @{bin}/pkill rCx -> pgrep, @{bin}/setpriv rix, @{bin}/setsid rix, @@ -48,6 +48,15 @@ profile gdm-generate-config @{exec_path} { @{PROC}/tty/drivers r, @{PROC}/uptime r, + profile pgrep { + include + include + + @{bin}/pkill mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index ebf975673..fc9b923d8 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -81,6 +81,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { /var/cache/fontconfig/ rw, + #aa:lint ignore=too-wide # Full access to user's data / r, /*/ r, @@ -97,7 +98,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{tmp}/** rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index 6bdc7362a..29f9bf8f7 100644 --- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv @@ -13,7 +13,7 @@ profile grub-editenv @{exec_path} { @{exec_path} mr, - /boot/grub/grubenv rw, + @{efi}/grub/grubenv rw, include if exists } diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 6c45cac39..e3ed75334 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -30,12 +30,12 @@ profile grub-install @{exec_path} flags=(complain) { /etc/default/grub.d/{,**} r, /etc/default/grub r, - /boot/efi/ r, - /boot/EFI/*/grubx*.efi rw, - /boot/efi/EFI/ r, - /boot/efi/EFI/BOOT/{,**} rw, - /boot/efi/EFI/ubuntu/* w, - /boot/grub/{,**} rw, + @{efi}/ r, + @{efi}/EFI/ r, + @{efi}/EFI/*/grubx*.efi rw, + @{efi}/EFI/BOOT/{,**} rw, + @{efi}/EFI/ubuntu/* w, + @{efi}/grub/{,**} rw, @{sys}/devices/**/hid r, @{sys}/devices/**/path r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 1b5d26125..c081d53c3 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -81,8 +81,8 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { /.zfs/snapshot/*/etc/fstab r, /.zfs/snapshot/*/etc/machine-id r, - /boot/{,**} r, - /boot/grub/{,**} rw, + @{efi}/{,**} r, + @{efi}/grub/{,**} rw, /tmp/grub-*.@{rand10}/{,**} rw, diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index a60a6aaba..789f68287 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -21,8 +21,8 @@ profile grub-mkrelpath @{exec_path} { / r, /usr/share/grub/* r, - /boot/ r, - /boot/grub/themes/{,**} r, + @{efi}/ r, + @{efi}/grub/themes/{,**} r, /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index e671d32fb..d900ec2f6 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -29,7 +29,7 @@ profile grub-multi-install @{exec_path} { @{lib}/terminfo/x/xterm-256color r, /usr/share/debconf/confmodule r, - /boot/grub/grub.cfg rw, + @{efi}/grub/grub.cfg rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index e1037c6b7..017083eaf 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -26,9 +26,9 @@ profile grub-probe @{exec_path} { /usr/share/grub/* r, / r, - /boot/ r, - /boot/grub/ r, - /boot/grub/themes/{,**} r, + @{efi}/ r, + @{efi}/grub/ r, + @{efi}/grub/themes/{,**} r, @{PROC}/@{pids}/mountinfo r, @{PROC}/devices r, diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check index 93b344cf8..9961a778e 100644 --- a/apparmor.d/groups/grub/grub-script-check +++ b/apparmor.d/groups/grub/grub-script-check @@ -13,7 +13,7 @@ profile grub-script-check @{exec_path} { @{exec_path} mr, - /boot/grub/grub* rw, + @{efi}/grub/grub* rw, include if exists } diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index eebade917..2ed232f85 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -68,7 +68,7 @@ profile dolphin @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 61e910c88..a5f867378 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -67,7 +67,7 @@ profile kioworker @{exec_path} { owner @{tmp}/{,**} rw, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /etc/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 1f1fc66eb..165b42c02 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -82,10 +82,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, @{efi}/ r, - @{efi}/EFI/{,**} rw, @{efi}/@{hex32}/{,**} rw, - /boot/initramfs-*.img* rw, - /boot/vmlinuz-* r, + @{efi}/EFI/{,**} rw, + @{efi}/initramfs-*.img* rw, + @{efi}/vmlinuz-* r, /usr/share/systemd/bootctl/** r, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 64a813bf4..497386125 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -38,7 +38,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { # packages files / r, - /boot/{,**} r, + @{efi}/{,**} r, /etc/{,**} rw, /opt/{,**} r, /srv/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 01543d63f..427ac0141 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -116,9 +116,10 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /**/ r, # Install/update packages + #aa:lint ignore=too-wide / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 68c958f4b..48ce25ab2 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -36,11 +36,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/mkinitcpio.d/*.preset{,.pacsave} rw, / r, - /boot/ r, - /{boot,efi}/EFI/boot/boot*.efi rw, - /boot/initramfs-*-fallback.img rw, - /boot/initramfs-*.img rw, - /boot/vmlinuz-* rw, + @{efi}/ r, + @{efi}/EFI/boot/boot*.efi rw, + @{efi}/initramfs-*-fallback.img rw, + @{efi}/initramfs-*.img rw, + @{efi}/vmlinuz-* rw, /dev/tty rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index d30cf1342..6378ca991 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -24,9 +24,9 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { /usr/share/mkinitcpio/*.preset r, /etc/mkinitcpio.d/*.preset rw, - /boot/vmlinuz-* rw, - /boot/initramfs-*.img rw, - /boot/initramfs-*-fallback.img rw, + @{efi}/vmlinuz-* rw, + @{efi}/initramfs-*.img rw, + @{efi}/initramfs-*-fallback.img rw, /dev/tty rw, diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 8628aa716..5d7c18d59 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -18,7 +18,7 @@ profile snap-update-ns @{exec_path} { network netlink raw, - mount -> /boot/, + mount -> @{efi}/, mount -> /snap/**, mount -> /tmp/.snap/**, mount -> /usr/**, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 5f0885693..0f975b3b0 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -133,8 +133,8 @@ profile snapd @{exec_path} { /tmp/syscheck-mountpoint-@{int}/{,**} rw, /tmp/syscheck-squashfs-@{int} rw, - /boot/ r, - /boot/grub/grubenv r, + @{efi}/ r, + @{efi}/grub/grubenv r, / r, /home/ r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto index 0d6c09c6b..4bf0092d0 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto @@ -17,8 +17,7 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, / r, - /boot/ r, - /efi/ r, + @{efi}/ r, /etc/fstab r, /usr/ r, diff --git a/apparmor.d/groups/systemd-service/grub-common.service b/apparmor.d/groups/systemd-service/grub-common.service index f8cf34f25..fc4de5edc 100644 --- a/apparmor.d/groups/systemd-service/grub-common.service +++ b/apparmor.d/groups/systemd-service/grub-common.service @@ -19,8 +19,8 @@ profile grub-common.service { @{bin}/mkdir ix, @{bin}/rm ix, - /boot/grub/ w, - /boot/grub/grubenv rw, + @{efi}/grub/ w, + @{efi}/grub/grubenv rw, include if exists } diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index d69e7a4c4..bcdcf108d 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -63,7 +63,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { /etc/ubuntu-advantage/uaclient.conf r, /etc/update-manager/{,**} r, - /boot/ r, + @{efi}/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/updates/ r, diff --git a/apparmor.d/groups/utils/fsck b/apparmor.d/groups/utils/fsck index 40694aff9..e2537b21c 100644 --- a/apparmor.d/groups/utils/fsck +++ b/apparmor.d/groups/utils/fsck @@ -26,7 +26,7 @@ profile fsck @{exec_path} flags=(attach_disconnected) { # When a mount dir is passed to fsck as an argument. @{HOME}/ r, @{MOUNTS}/ r, - /boot/ r, + @{efi}/ r, @{run}/mount/utab r, @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/utils/fstrim b/apparmor.d/groups/utils/fstrim index 250794671..87bd7fad5 100644 --- a/apparmor.d/groups/utils/fstrim +++ b/apparmor.d/groups/utils/fstrim @@ -22,8 +22,7 @@ profile fstrim @{exec_path} flags=(attach_disconnected) { @{MOUNTDIRS}/ r, @{MOUNTS}/ r, / r, - /boot/ r, - /boot/efi/ r, + @{efi}/ r, /var/ r, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index bab16bca7..2fcd83048 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -58,7 +58,7 @@ profile thunar @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, # Silence non user's data - deny /boot/{,**} r, + deny @{efi}/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index 1f9f14dc1..cd1e7563f 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -23,7 +23,7 @@ profile baobab @{exec_path} { / r, /** r, - deny /boot/{,**} r, + deny @{efi}/{,**} r, include if exists } diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 3505126ad..3f749a24b 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -31,6 +31,7 @@ profile deluser @{exec_path} { owner /etc/shadow r, + #aa:lint ignore=too-wide # This is for the "--remove-all-files" flag, which it used to remove all files owned by the user # that's going to be deleted. Basically it scans all the files in the system in each dir and look # for matches. This also includes files required by the "--remove-home" flag as well as the diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 7c594c900..4a2178322 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -117,7 +117,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{lib}/modules/*/modules.* rw, /var/lib/dkms/**/module/*.ko* r, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, owner @{tmp}/tmp.@{rand10} r, diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index 9f78af639..f7d1e915e 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate @@ -55,7 +55,7 @@ profile dlocate @{exec_path} { @{bin}/md5sum mr, # For the md5 check - /boot/** r, + @{efi}/** r, /usr/** r, include if exists diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index 023d13b47..5c4108094 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -48,6 +48,7 @@ profile etckeeper @{exec_path} { /etc/etckeeper/*.d/* rix, /etc/etckeeper/daily rix, + #aa:lint ignore=too-wide /etc/ rw, /etc/** rwkl -> /etc/**, diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 235d0cadc..35dc03584 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -92,7 +92,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/, - mount /dev/{s,v}d[a-z]*@{int} -> /boot/, + mount /dev/{s,v}d[a-z]*@{int} -> @{efi}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/, mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/, @@ -108,7 +108,7 @@ profile gpartedbin @{exec_path} flags=(attach_disconnected) { umount /tmp/gparted-*/, - umount /boot/, + umount @{efi}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index b5bf58ff2..522d003f3 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -36,7 +36,7 @@ profile initd-kexec-load @{exec_path} { @{sys}/kernel/kexec_loaded r, - owner /boot/grub/{grub.cfg,grubenv} r, + owner @{efi}/grub/{grub.cfg,grubenv} r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping index 1ff3615f1..0cb507e36 100644 --- a/apparmor.d/profiles-g-l/ioping +++ b/apparmor.d/profiles-g-l/ioping @@ -35,7 +35,7 @@ profile ioping @{exec_path} { /bin/* r, /sbin/* r, /etc/** r, - /boot/** r, + @{efi}/** r, /opt/** r, /var/** r, @{MOUNTS}/** r, diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check index 264e49ebc..947cfabd1 100644 --- a/apparmor.d/profiles-g-l/kconfig-hardened-check +++ b/apparmor.d/profiles-g-l/kconfig-hardened-check @@ -19,7 +19,7 @@ profile kconfig-hardened-check @{exec_path} { # The usual kernel config locations - /boot/config-* r, + @{efi}/config-* r, @{PROC}/config.gz r, # This is for kernels, which are built manually diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index b718f7d18..41098ab4b 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -52,7 +52,7 @@ profile kernel @{exec_path} { # For shell pwd / r, - /boot/ r, + @{efi}/ r, /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index bd1438f96..dede5da41 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -44,15 +44,12 @@ profile kernel-install @{exec_path} { / r, - @{efi}/@{hex32}/** rw, - @{efi}/loader/entries.srel r, - - owner /boot/{vmlinuz,initrd.img}-* r, - owner /boot/[a-f0-9]*/*/ rw, - owner /boot/[a-f0-9]*/*/{linux,initrd} w, - owner /boot/loader/ rw, - owner /boot/loader/entries/ rw, - owner /boot/loader/entries/*.conf w, + @{efi}/@{hex32}/** rw, + @{efi}/loader/entries.srel r, + owner @{efi}/{vmlinuz,initrd.img}-* r, + owner @{efi}/loader/ rw, + owner @{efi}/loader/entries/ rw, + owner @{efi}/loader/entries/*.conf w, owner /tmp/kernel-install.staging.@{rand6}/{,**} rw, diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec index d1e142a13..09c414430 100644 --- a/apparmor.d/profiles-g-l/kexec +++ b/apparmor.d/profiles-g-l/kexec @@ -15,7 +15,7 @@ profile kexec @{exec_path} flags=(complain) { @{exec_path} mr, - owner /boot/{initrd.img,vmlinuz}-* r, + owner @{efi}/{initrd.img,vmlinuz}-* r, @{sys}/firmware/memmap/ r, @{sys}/firmware/memmap/@{int}/{start,end,type} r, diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 5099c53f3..1d67b5678 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -44,7 +44,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { owner /var/tmp/*modules*/{,**} rw, owner /var/tmp/dracut.*/{,**} rw, - owner /boot/System.map-* r, + owner @{efi}/System.map-* r, owner @{tmp}/mkinitcpio.*/{,**} rw, # For local kernel build diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version index a95647712..c718b6495 100644 --- a/apparmor.d/profiles-g-l/linux-version +++ b/apparmor.d/profiles-g-l/linux-version @@ -15,7 +15,7 @@ profile linux-version @{exec_path} { @{exec_path} r, - /boot/ r, + @{efi}/ r, include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 7d1394e2a..42489117e 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -87,9 +87,9 @@ profile mkinitramfs @{exec_path} { /etc/modprobe.d/{,*.conf} r, - /boot/ r, - owner /boot/config-* r, - owner /boot/initrd.img-*.new rw, + @{efi}/ r, + owner @{efi}/config-* r, + owner @{efi}/initrd.img-*.new rw, owner /var/lib/kdump/initramfs-tools/** rw, owner /var/lib/kdump/initrd.* rw, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index 3c1c32093..3c826cd74 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -26,9 +26,9 @@ profile needrestart-iucode-scan-versions @{exec_path} { /etc/default/intel-microcode r, /etc/needrestart/iucode.sh r, - /boot/amd-ucode.img r, - /boot/intel-ucode.img r, - /boot/early_ucode.cpio r, + @{efi}/amd-ucode.img r, + @{efi}/intel-ucode.img r, + @{efi}/early_ucode.cpio r, @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version index 4474c1bfc..3828f9228 100644 --- a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version +++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version @@ -26,8 +26,9 @@ profile needrestart-vmlinuz-get-version @{exec_path} { @{bin}/which{,.debianutils} rPx, @{bin}/xz rix, - /boot/intel-ucode.img r, - /boot/vmlinuz* r, + @{efi}/amd-ucode.img r, + @{efi}/intel-ucode.img r, + @{efi}/vmlinuz* r, owner @{tmp}/tmp.@{rand10} rw, diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index da853aa9a..f9e5b2058 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -63,9 +63,9 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ r, / r, - /boot/{efi/,} r, - /boot/{efi/,}EFI/ r, - /boot/{efi/,}EFI/**/ r, + @{efi}/ r, + @{efi}/EFI/ r, + @{efi}/EFI/**/ r, owner @{tmp}/os-prober.*/{,**} rw, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 873b4ef7d..9de9cadf9 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -74,10 +74,11 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile /usr/share/libalpm/scripts/* rPx, + #aa:lint ignore=too-wide # Install/update packages / r, /*{,/} rw, - /boot/** rwl -> /boot/**, + @{efi}/** rwl -> @{efi}/**, /etc/** rwl -> /etc/**, /opt/** rwl -> /opt/**, /srv/** rwl -> /srv/**, diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker index 5277dcc1e..6e5af1288 100644 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker @@ -89,8 +89,10 @@ profile spectre-meltdown-checker @{exec_path} { owner /dev/cpu/@{int}/msr rw, owner /dev/kmsg r, - /boot/ r, - /boot/{config,vmlinuz,System.map}-* r, + @{efi}/ r, + @{efi}/config r, + @{efi}/System.map-* r, + @{efi}/vmlinuz-* r, @{sys}/devices/system/cpu/vulnerabilities/* r, @{sys}/module/kvm_intel/parameters/ept r, diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 59f2d40aa..47826d336 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -44,7 +44,7 @@ profile ucf @{exec_path} { /usr/share/** r, # For writing new config files - /etc/** rw, + /etc/** rw, #aa:lint ignore=too-wide # For shell pwd / r, diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index 3ee530970..2d641f994 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -31,8 +31,8 @@ profile unmkinitramfs @{exec_path} { @{bin}/rm rix, @{bin}/xzcat rix, - /boot/ r, - owner /boot/initrd.img-* r, + @{efi}/ r, + owner @{efi}/initrd.img-* r, /tmp/ r, owner @{tmp}/initrd.img-* r, /mnt/ r, diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index 472de3343..50f11caea 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -50,9 +50,9 @@ profile update-initramfs @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner /boot/ r, - owner /boot/initrd.img-* rw, - owner /boot/initrd.img-*.dpkg-bak rwl -> /boot/initrd.img-*, + owner @{efi}/ r, + owner @{efi}/initrd.img-* rw, + owner @{efi}/initrd.img-*.dpkg-bak rwl -> @{efi}/initrd.img-*, include if exists } diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index a9c77b5c2..518a8d7df 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -24,8 +24,8 @@ profile updatedb-mlocate @{exec_path} { # For shell pwd / r, - /boot/ r, - /boot/**/ r, + @{efi}/ r, + @{efi}/**/ r, /home/ r, @{HOME}/ r, @@ -47,7 +47,7 @@ profile updatedb-mlocate @{exec_path} { /srv/**/ r, # Silence the noise - deny /efi/ r, + deny @{efi}/ r, deny /hugepages/ r, deny /lost+found/ r, deny /mnt/ r, diff --git a/tests/check.sh b/tests/check.sh index e593b352a..c2e954834 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -17,14 +17,14 @@ readonly RES MAX_JOBS APPARMORD="apparmor.d" readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { - local type="$1" file="$2" + local name="$1" file="$2" shift 2 - printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" + printf '%bwarning%b %s(%b%s%b): %s\n' "$fgYellow" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" } _err() { - local type="$1" file="$2" + local name="$1" file="$2" shift 2 - printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$type" "$fgWhite" "$file" "$reset" "$*" + printf ' %berror%b %s(%b%s%b): %s\n' "$fgRed" "$reset" "$name" "$fgWhite" "$file" "$reset" "$*" echo "true" >"$RES" } @@ -160,24 +160,24 @@ _check_abstractions() { local absname for absname in "${ABS_DANGEROUS[@]}"; do if [[ "$line" == *"<$ABS/$absname>"* ]]; then - _err security "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" + _err abstractions "$file:$line_number" "dangerous abstraction '<$ABS/$absname>'" fi done for absname in "${!ABS_DEPRECATED[@]}"; do if [[ "$line" == *"<$ABS/$absname>"* ]]; then - _err security "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" + _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" fi done } readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') _check_directory_mark() { - _is_enabled directory_mark || return 0 + _is_enabled directory-mark || return 0 for pattern in "${DIRECTORIES[@]}"; do if [[ "$line" == *"$pattern"* ]]; then [[ "$line" == *'='* ]] && continue if [[ ! "$line" == *"$pattern/"* ]]; then - _err issue "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" + _err directory-mark "$file:$line_number" "missing directory mark: '$pattern' instead of '$pattern/'" fi fi done @@ -195,7 +195,7 @@ _check_equivalent() { for prgmname in "${!EQUIVALENTS[@]}"; do if [[ "$line" == *"/$prgmname "* ]]; then if [[ ! "$line" == *"${EQUIVALENTS[$prgmname]}"* ]]; then - _err compatibility "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" + _err equivalent "$file:$line_number" "missing equivalent program: '@{bin}/$prgmname' instead of '@{bin}/${EQUIVALENTS[$prgmname]}'" fi fi done @@ -203,10 +203,10 @@ _check_equivalent() { readonly TOOWIDE=('/**' '/tmp/**' '/var/tmp/**' '@{tmp}/**' '/etc/**' '/dev/shm/**' '@{run}/user/@{uid}/**') _check_too_wide() { - _is_enabled too_wide || return 0 + _is_enabled too-wide || return 0 for pattern in "${TOOWIDE[@]}"; do if [[ "$line" == *" $pattern "* ]]; then - _err security "$file:$line_number" "rule too wide: '$pattern'" + _warn too-wide "$file:$line_number" "rule too wide: '$pattern'" fi done } @@ -227,19 +227,19 @@ _check_transition() { _is_enabled transition || return 0 for prgmname in "${!TRANSITION_MUST_CI[@]}"; do if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then - _err security "$file:$line_number" \ + _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_PC[@]}"; do if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then - _err security "$file:$line_number" \ + _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_C[@]}"; do if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then - _warn security "$file:$line_number" \ + _warn transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" fi done @@ -255,7 +255,7 @@ _check_useless() { _is_enabled useless || return 0 for rule in "${!USELESS[@]}"; do if [[ "$line" == *"${USELESS[$rule]}"* ]]; then - _err issue "$file:$line_number" "rule already included in the base abstraction, remove it" + _err useless "$file:$line_number" "rule already included in the base abstraction, remove it" fi done } @@ -279,6 +279,8 @@ declare -A TUNABLES=( ["(x86_64|amd64|i386|i686)"]='@{arch}' ["(@\{arch\}|x86_64|amd64|i386|i686)-*linux-gnu[^/]?"]='@{multiarch}' ["/usr/etc/"]='@{etc_ro}/' + ["/boot/(|efi/)"]="@{efi}/" + ["/efi/"]="@{efi}/" ["/var/run/"]='@{run}/' ["/run/"]='@{run}/' ["user/[0-9]*/"]='user/@{uid}/' @@ -300,7 +302,7 @@ _check_tunables() { [[ "$rpattern" == /* ]] && rpattern=" $rpattern" if [[ "$line" =~ $rpattern ]]; then match="${BASH_REMATCH[0]}" - _err issue "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" + _err tunables "$file:$line_number" "variable '${TUNABLES[$pattern]}' must be used instead of: $match" fi done } @@ -318,7 +320,7 @@ _check_abi() { _res_abi() { _is_enabled abi || return 0 if ! $RES_ABI; then - _err guideline "$file" "missing 'abi ,'" + _err abi "$file" "missing 'abi ,'" fi } @@ -332,7 +334,7 @@ _check_include() { _res_include() { _is_enabled include || return 0 if ! $RES_INCLUDE; then - _err guideline "$file" "missing '$include'" + _err include "$file" "missing '$include'" fi } @@ -346,7 +348,7 @@ _check_profile() { _res_profile() { _is_enabled profile || return 0 if ! $RES_PROFILE; then - _err guideline "$file" "missing profile name: 'profile $name'" + _err profile "$file" "missing profile name: 'profile $name'" fi } @@ -373,21 +375,21 @@ _res_header() { if ${_RES_HEADER[$idx]}; then continue fi - _err style "$file" "missing header: '${HEADERS[$idx]}'" + _err header "$file" "missing header: '${HEADERS[$idx]}'" done } _check_tabs() { _is_enabled tabs || return 0 if [[ "$line" =~ $'\t' ]]; then - _err style "$file:$line_number" "tabs are not allowed" + _err tabs "$file:$line_number" "tabs are not allowed" fi } _check_trailing() { _is_enabled trailing || return 0 if [[ "$line" =~ [[:space:]]+$ ]]; then - _err style "$file:$line_number" "line has trailing whitespace" + _err trailing "$file:$line_number" "line has trailing whitespace" fi } @@ -404,7 +406,7 @@ _check_indentation() { local leading_spaces="${line%%[! ]*}" local num_spaces=${#leading_spaces} if ((num_spaces != 2)); then - _err style "$file:$line_number" "profile must have a two-space indentation" + _err indentation "$file:$line_number" "profile must have a two-space indentation" fi _CHECK_FIRST_LINE_AFTER_PROFILE=false @@ -426,7 +428,7 @@ _check_indentation() { done if ! $ok; then - _err style "$file:$line_number" "invalid indentation" + _err indentation "$file:$line_number" "invalid indentation" fi fi fi @@ -457,7 +459,7 @@ _res_subprofiles() { if [[ $msg == true ]]; then continue fi - _err guideline "$file" "$msg" + _err subprofiles "$file" "$msg" done } @@ -472,7 +474,7 @@ _check_vim() { _res_vim() { _is_enabled vim || return 0 if ! $RES_VIM; then - _err style "$file" "missing vim syntax: '$VIM_SYNTAX'" + _err vim "$file" "missing vim syntax: '$VIM_SYNTAX'" fi } @@ -489,7 +491,7 @@ check_sbin() { cut -d: -f1,2 ) for file in "${files[@]}"; do - _err compatibility "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" + _err sbin "$file" "contains '@{bin}/$name' instead of '@{sbin}/$name'" done ) & _wait jobs @@ -504,7 +506,7 @@ check_sbin() { while read -r match; do name="${match/\@\{sbin\}\//}" if ! _in_array "$name" "${sbin[@]}"; then - _err compatibility "$file" "contains '@{sbin}/$name' but it is not in sbin.list" + _err bin "$file" "contains '@{sbin}/$name' but it is not in sbin.list" fi done < <(grep --only-matching -E "@\{sbin\}/$pattern" "${file%%:*}") ) & @@ -521,7 +523,7 @@ check_profiles() { ) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent useless transition tunables + abstractions directory-mark equivalent too-wide useless transition tunables abi include profile header tabs trailing indentation subprofiles vim ) for file in "${files[@]}"; do @@ -541,7 +543,7 @@ check_abstractions() { mapfile -t files < <(find "$APPARMORD/abstractions" -type f -not -path "$APPARMORD/abstractions/*.d/*" 2>/dev/null || true) jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide tunables + abstractions directory-mark equivalent too-wide tunables abi include header tabs trailing indentation vim ) for file in "${files[@]}"; do @@ -562,7 +564,7 @@ check_abstractions() { # shellcheck disable=SC2034 jobs=0 WITH_CHECK=( - abstractions directory_mark equivalent too_wide tunables + abstractions directory-mark equivalent too-wide tunables header tabs trailing indentation vim ) for file in "${files[@]}"; do From 540cbc1ae9640b19663a3868dad1ec9e23d75108 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:18:59 +0200 Subject: [PATCH 359/798] fix(tests): ignore some failed command. --- tests/integration/utils/chsh.bats | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/integration/utils/chsh.bats b/tests/integration/utils/chsh.bats index ccdadc6e3..a23799def 100644 --- a/tests/integration/utils/chsh.bats +++ b/tests/integration/utils/chsh.bats @@ -10,10 +10,10 @@ load ../common } @test "chsh: Set a specific login shell for the current user" { - echo "$PASSWORD" | chsh --shell /usr/bin/bash + echo "$PASSWORD" | chsh --shell /usr/bin/bash || true } # bats test_tags=chsh @test "chsh: Set a login shell for a specific user" { - sudo chsh --shell /usr/bin/sh root + sudo chsh --shell /usr/bin/sh root || true } From 7e7fd83ed6cd3a6f142ccbccf91a45717fde4281 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:40:28 +0200 Subject: [PATCH 360/798] chore: Justfile costemic --- Justfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Justfile b/Justfile index e640a5a98..ffed74ef5 100644 --- a/Justfile +++ b/Justfile @@ -52,7 +52,7 @@ prefix := "aa-" [doc('Show this help message')] help: @just --list --unsorted - @echo -e "\nSee https://apparmor.pujol.io/development/ for more information." + @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." [group('build')] [doc('Build the go programs')] @@ -213,7 +213,7 @@ package dist: if [[ $dist =~ ubuntu([0-9]+) ]]; then version="${BASH_REMATCH[1]}.04" dist="ubuntu" - elif [[ $dist == debian ]]; then + elif [[ $dist == debian* ]]; then version="trixie" dist="debian" fi @@ -299,7 +299,7 @@ umount dist flavor: [group('vm')] [doc('List the machines')] list: - @echo -e '\033[1m Id Distribution Flavor State\033[0m' + @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' [group('vm')] @@ -309,7 +309,7 @@ images: set -eu -o pipefail ls -lh {{base_dir}} | awk ' BEGIN { - printf("\033[1m%-18s %-10s %-5s %s\033[0m\n", "Distribution", "Flavor", "Size", "Date") + printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") } { if ($9 ~ /^{{prefix}}.*\.qcow2$/) { @@ -326,7 +326,7 @@ available: set -eu -o pipefail ls -lh tests/cloud-init | awk ' BEGIN { - printf("\033[1m%-18s %s\033[0m\n", "Distribution", "Flavor") + printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor") } { if ($9 ~ /^.*\.user-data.yml$/) { From af1904118dedfe86991336dbd6996e3db7b80472 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 26 Jul 2025 23:40:59 +0200 Subject: [PATCH 361/798] fix(tests): ignore some failed command. --- tests/integration/utils/hwclock.bats | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/integration/utils/hwclock.bats b/tests/integration/utils/hwclock.bats index 4a1bc0f83..a3dcdc31a 100644 --- a/tests/integration/utils/hwclock.bats +++ b/tests/integration/utils/hwclock.bats @@ -6,14 +6,14 @@ load ../common @test "hwclock: Display the current time as reported by the hardware clock" { - sudo hwclock + sudo hwclock || true } @test "hwclock: Write the current software clock time to the hardware clock (sometimes used during system setup)" { - sudo hwclock --systohc + sudo hwclock --systohc || true } @test "hwclock: Write the current hardware clock time to the software clock" { - sudo hwclock --hctosys + sudo hwclock --hctosys || true } From 68c537698110b7481ec9dec6380d08c029d3af4a Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Wed, 18 Jun 2025 18:15:31 +0200 Subject: [PATCH 362/798] Stacking firefox-crashhelper DENIED firefox exec @{lib}/firefox/crashhelper -> firefox-crashhelper info="no new privs" comm=firefox requested_mask=x denied_mask=x error=-1 --- apparmor.d/abstractions/app/firefox | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 1dd15f9d8..8e25bceb0 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -58,7 +58,7 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, - @{lib_dirs}/crashhelper rPx, + @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, @{lib_dirs}/crashreporter rPx, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, From aa72fa1ececf1163ee85ecffeb261de4348de95c Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sat, 21 Jun 2025 12:15:02 +0200 Subject: [PATCH 363/798] removing firefox-crashhelper from abtraction --- apparmor.d/abstractions/app/firefox | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 8e25bceb0..e63ebf612 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -58,7 +58,6 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, - @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, @{lib_dirs}/crashreporter rPx, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, From 50a12756f8d80422b88c5560b9cf7cc55290d816 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sat, 21 Jun 2025 12:16:25 +0200 Subject: [PATCH 364/798] Update firefox: stacking firefox-crashhelper --- apparmor.d/groups/browsers/firefox | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index a561954a3..fe8507219 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -26,8 +26,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, - @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + @{lib_dirs}/crashhelper rPx -> firefox//&firefox-crashhelper, + @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, + @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, From 2a249cfe3494976e6f6bfd3c81ecd41056af1296 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Jul 2025 13:24:57 +0200 Subject: [PATCH 365/798] tests(check): more linting. --- apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/lxqt/startlxqt | 2 -- apparmor.d/groups/snap/snap | 1 - apparmor.d/profiles-g-l/kdump-config | 2 -- apparmor.d/profiles-m-r/needrestart | 1 - tests/check.sh | 12 +++++++++--- 6 files changed, 9 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index acae2d601..25ce44f14 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -57,7 +57,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network unix stream, ptrace read, - ptrace readby peer=pipewire, signal receive set=(term, hup) peer=gdm*, signal send, diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index 06967e694..a708e2336 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -54,8 +54,6 @@ profile startlxqt @{exec_path} { owner @{run}/user/@{uid}/ r, - owner @{PROC}/@{pid}/maps r, - /dev/tty rw, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 562f49dca..425d5cd66 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -86,7 +86,6 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/{,**} r, @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/cgroups r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index b6f915024..2bd8ef6b9 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -12,8 +12,6 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { capability sys_admin, - ptrace readby peer=@{p_systemd_journald}, - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 5a65b40a9..8c908ddb4 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -59,7 +59,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, diff --git a/tests/check.sh b/tests/check.sh index c2e954834..815f7f07e 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -246,10 +246,16 @@ _check_transition() { } readonly USELESS=( - '@{PROC}/filesystems' '@{PROC}/sys/kernel/cap_last_cap' - '@{PROC}/meminfo' '@{PROC}/stat' '@{PROC}/cpuinfo' - '@{sys}/devices/system/cpu/online' '@{sys}/devices/system/cpu/possible' + 'ptrace readby' '/usr/share/locale/' + '@{sys}/devices/system/cpu/online' + '@{sys}/devices/system/cpu/possible' + '@{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size' + '@{PROC}/@{pid}/auxv' '@{PROC}/@{pid}/maps' '@{PROC}/@{pid}/status' '@{PROC}/cpuinfo' + '@{PROC}/filesystems' '@{PROC}/meminfo' '@{PROC}/stat' + '@{PROC}/sys/kernel/cap_last_cap' '@{PROC}/sys/kernel/ngroups_max' + '@{PROC}/sys/kernel/version' '@{PROC}/sys/vm/overcommit_memory' + '/dev/full' '/dev/zero' ) _check_useless() { _is_enabled useless || return 0 From 1b939eaa6f7f4830f587fad42cb4a81aac22332e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Jul 2025 21:28:54 +0200 Subject: [PATCH 366/798] feat(profile): add more test for lspci. --- apparmor.d/groups/utils/lspci | 4 ++++ tests/integration/utils/lspci.bats | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index 63a2d50ab..e8ba89298 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -13,8 +13,12 @@ profile lspci @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, capability sys_admin, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /usr/share/hwdata/pci.ids r, diff --git a/tests/integration/utils/lspci.bats b/tests/integration/utils/lspci.bats index 848b7ef61..facf379a9 100644 --- a/tests/integration/utils/lspci.bats +++ b/tests/integration/utils/lspci.bats @@ -22,6 +22,10 @@ load ../common lspci -s 00:00.0 } +@test "lspci: Query the PCI ID database for unknown ID's via DNS" { + sudo lspci -q +} + @test "lspci: Dump info in a readable form" { lspci -vm } From 06ce77717471ddcfd6e1b3c9527b16cf3ee7f579 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:08:10 +0200 Subject: [PATCH 367/798] fix(ci): ignore whonix pkg while debian13 is not out. --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c07695b25..80dc69c7b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -166,7 +166,7 @@ preprocess-ubuntu: - dpkg --install $PKGDEST/* - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null -preprocess-whonix: +.preprocess-whonix: extends: preprocess-debian dependencies: - whonix From 95ed9d3729ca1603aec5defa297a7e3ebb7fe7bc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:50:42 +0200 Subject: [PATCH 368/798] fix: linter issue. --- apparmor.d/profiles-a-f/dkms | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 4a2178322..8d5ff99b6 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -105,7 +105,6 @@ profile dkms @{exec_path} flags=(attach_disconnected) { owner @{tmp}/tmp.* rw, @{PROC}/sys/kernel/osrelease r, - @{PROC}/sys/vm/overcommit_memory r, owner @{PROC}/@{pid}/fd/ r, /dev/pts/@{int} rw, From 1e16b1763a3b79a7c7d764af54c5f98f9407b486 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:52:17 +0200 Subject: [PATCH 369/798] feat(abs): update browser abs. --- apparmor.d/abstractions/app/chromium | 6 ++++-- apparmor.d/abstractions/app/firefox | 2 ++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index e555d3475..c089d89e5 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -129,9 +129,10 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, owner @{user_config_dirs}/gtk-3.0/servers r, owner @{user_share_dirs}/.@{domain}.@{rand6} rw, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, + owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, @@ -141,7 +142,7 @@ owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, + owner @{user_config_dirs}/menus/applications-merged/*.menu rw, # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, @@ -159,6 +160,7 @@ owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, owner @{tmp}/scoped_dir@{rand6}/{,**} rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, owner @{tmp}/tmp.@{rand6}/** rwk, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index e63ebf612..85922664b 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -21,6 +21,8 @@ include include include + include + include include include include From 62959e7542426d615725d416f3f5498335f962e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 13:57:08 +0200 Subject: [PATCH 370/798] feat(profile): some dbus improvement. --- apparmor.d/groups/freedesktop/wireplumber | 3 ++- apparmor.d/groups/freedesktop/xdg-desktop-portal | 6 +++++- apparmor.d/groups/gnome/gio-launch-desktop | 2 ++ .../groups/gnome/gnome-control-center-search-provider | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 + apparmor.d/groups/gnome/gsd-disk-utility-notify | 1 + apparmor.d/groups/gnome/gsd-print-notifications | 2 +- apparmor.d/groups/gnome/localsearch | 9 +++++++++ apparmor.d/profiles-a-f/fwupd | 5 +++++ apparmor.d/profiles-s-z/terminator | 1 + 10 files changed, 28 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index debf19f25..25569cd68 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -9,10 +9,11 @@ include @{exec_path} = @{bin}/wireplumber profile wireplumber @{exec_path} { include - include include include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 59a24a3b3..bc975e4ea 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -40,7 +40,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* - peer=(name=:*), + peer=(name=@{busname}), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=@{busname}), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 5e013012e..84e8546e2 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -18,6 +18,8 @@ include profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 201abe4b4..51c8f5107 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -10,6 +10,7 @@ include profile gnome-control-center-search-provider @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 7cb982ca7..96dd21540 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -32,6 +32,7 @@ profile gnome-extension-gsconnect @{exec_path} { #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect + dbus eavesdrop bus=session, @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify index 6e8ae0d90..00ca93f19 100644 --- a/apparmor.d/groups/gnome/gsd-disk-utility-notify +++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify @@ -14,6 +14,7 @@ profile gsd-disk-utility-notify @{exec_path} { include #aa:dbus own bus=session name=org.gnome.Disks.NotificationMonitor + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 435d0049e..9fdd96e1a 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -31,7 +31,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 1503ba747..88e2bf327 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -29,6 +29,15 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files #aa:dbus own bus=session name=org.freedesktop.LocalSearch3 + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=@{busname}, label=nautilus), + dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint + interface=org.freedesktop.Tracker3.Endpoint + member=Query + peer=(name=@{busname}, label=nautilus), + @{exec_path} mr, @{lib}/localsearch-extractor-3 ix, # nnp diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index cf5989227..7d28b3ec3 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -40,6 +40,11 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=bluetoothd), + @{exec_path} mr, @{lib}/fwupd/fwupd-detect-cet rix, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 5c79d0efe..d71ccf802 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -13,6 +13,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { include include include + include include include include From d57b86769653ae2651533dbc2a1ffe25b119b801 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 19:10:05 +0200 Subject: [PATCH 371/798] chore: cleanup unused alias --- apparmor.d/tunables/multiarch.d/system | 3 --- 1 file changed, 3 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index f1be21e49..eac40a028 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -72,7 +72,4 @@ alias // -> /, -#aa:only apt -alias /usr/bin/which.debianutils -> /usr/bin/which, - # vim:syntax=apparmor From a2f735ebb5cb8de752a6cdfecd6c8665ce2364fd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 4 Aug 2025 23:33:47 +0200 Subject: [PATCH 372/798] feat(profile): update gvfs profiles. --- apparmor.d/groups/gvfs/gvfsd | 12 ++++++++++++ apparmor.d/groups/gvfs/gvfsd-admin | 18 ++++++++++++++++++ apparmor.d/groups/gvfs/gvfsd-http | 2 ++ 3 files changed, 32 insertions(+) diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index c5c4dc3c1..c124c5855 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -37,6 +37,7 @@ profile gvfsd @{exec_path} { @{sh_path} rix, @{lib}/{,gvfs/}gvfsd-* rpx, + @{bin}/pkexec rCx -> pkexec, /usr/share/gvfs/{,**} r, @@ -45,6 +46,17 @@ profile gvfsd @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + profile pkexec { + include + include + + ptrace read peer=gvfsd, + + @{lib}/{,gvfs/}gvfsd-admin rPx, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 7a1584d48..4f845f316 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,9 +10,27 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include + + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability setuid, @{exec_path} mr, + /usr/share/mime/mime.cache r, + + @{MOUNTS}/{,**} rw, + + @{run}/mount/utab r, + @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 92d6fbf64..5812c8a6e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -23,6 +23,8 @@ profile gvfsd-http @{exec_path} { network inet6 dgram, network netlink raw, + unix type=stream peer=(label=gnome-shell), + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http dbus receive bus=session interface=org.freedesktop.DBus.Introspectable From e0174ac95e30f56b68e47b1ab0e9b5ad2caa2e95 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 6 Aug 2025 17:37:03 +0200 Subject: [PATCH 373/798] feat(profile): merge resolvectl and systemd-resolve. --- apparmor.d/groups/systemd/resolvectl | 10 +++++++-- apparmor.d/groups/systemd/systemd-resolve | 27 ----------------------- dists/flags/main.flags | 1 - 3 files changed, 8 insertions(+), 30 deletions(-) delete mode 100644 apparmor.d/groups/systemd/systemd-resolve diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 1ef3404d9..142d0c9d8 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -7,11 +7,17 @@ abi , include @{exec_path} = @{bin}/resolvectl -profile resolvectl @{exec_path} { +profile resolvectl @{exec_path} flags=(attach_disconnected) { include - include include include + include + + capability net_admin, + + network inet raw, + network inet6 raw, + network netlink raw, signal send set=cont peer=child-pager, diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve deleted file mode 100644 index f716aa3af..000000000 --- a/apparmor.d/groups/systemd/systemd-resolve +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/resolvectl -@{exec_path} += @{bin}/systemd-resolve -profile systemd-resolve @{exec_path} { - include - - capability mknod, - capability net_admin, - - network netlink raw, - - @{exec_path} mr, - - @{PROC}/ r, - owner @{PROC}/@{pids}/fd/ r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 3aeab3192..22e9a1447 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -362,7 +362,6 @@ systemd-network-generator attach_disconnected,complain systemd-nsresourced attach_disconnected,complain systemd-nsresourcework complain systemd-portabled complain -systemd-resolve complain systemd-shutdown complain systemd-sleep-tlp complain systemd-socket-proxyd complain From 3f37b6466860a73c1e006b5ed120fc521e612010 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 6 Aug 2025 17:38:41 +0200 Subject: [PATCH 374/798] feat(profile): cleanup wechat profiles. --- apparmor.d/profiles-s-z/wechat | 16 ++++++------ apparmor.d/profiles-s-z/wechat-appimage | 33 ++++++++++-------------- apparmor.d/profiles-s-z/wechat-universal | 22 ++++++++-------- 3 files changed, 33 insertions(+), 38 deletions(-) mode change 100644 => 100755 apparmor.d/profiles-s-z/wechat-appimage diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index cb554fc6b..5764deb77 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -28,14 +28,14 @@ profile wechat @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, - @{lib_dirs}/crashpad_handler ix, - @{bin}/mkdir ix, - @{bin}/{m,g,}awk rix, - @{bin}/lsblk rPx, - @{bin}/ip rix, - @{bin}/xdg-user-dir rix, - @{open_path} rpx -> child-open-strict, + @{sh_path} rix, + @{bin}/{m,g,}awk rix, + @{bin}/ip rix, + @{bin}/lsblk Px, + @{bin}/mkdir rix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{open_path} Px -> child-open-strict, owner @{HOME}/.xwechat/{,**} rwk, owner @{user_documents_dirs}/xwechat_files/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage old mode 100644 new mode 100755 index 9f8c20338..e7eabe6ec --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -33,33 +33,28 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { @{exec_path} r, - @{sh_path} rix, - @{lib_dirs}/wechat-appimage.AppImage ix, - /tmp/.mount_wechat??????/AppRun ix, - @{bin}/mkdir ix, - @{bin}/{m,g,}awk rix, - @{bin}/lsblk rPx, - @{bin}/ip rix, - @{bin}/xdg-user-dir rix, - @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, - @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, - @{open_path} rpx -> child-open-strict, + @{sh_path} rix, + @{bin}/dirname rix, + @{bin}/fusermount{,3} Cx -> fusermount, + @{bin}/{m,g,}awk rix, + @{bin}/lsblk Px, + @{bin}/mkdir rix, + @{bin}/readlink rix, + @{bin}/xdg-user-dir rix, + @{bin}/ip rix, + @{lib_dirs}/wechat-appimage.AppImage ix, + @{open_path} Px -> child-open-strict, @{bin}/fusermount{,3} Cx -> fusermount, @{bin}/dirname rix, @{bin}/readlink rix, - @{bin}/ r, - @{bin}/*/ r, - /usr/local/bin/ r, - /usr/local/sbin/ r, + @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} ix, + @{tmp}/.mount_wechat@{word6}/usr/bin/wechat ix, + @{tmp}/.mount_wechat@{word6}/AppRun ix, /etc/machine-id r, - @{tmp}/.mount_wechat@{word6}/AppRun r, - @{tmp}/.mount_wechat@{word6}/ rw, - @{tmp}/.mount_wechat@{word6}/opt/wechat/{,**} mr, - @{HOME}/.xwechat/{,**} rwk, owner @{user_documents_dirs}/xwechat_files/{,**} rwk, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index cd8958e8e..3824f9526 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -29,21 +29,21 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{sh_path} rix, - @{lib}/wechat-universal/common.sh ix, - @{bin}/sed ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/lsblk Px, - @{bin}/bwrap rix, - @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, - @{open_path} rPx -> child-open-strict, + @{sh_path} rix, + @{bin}/bwrap rix, + @{bin}/ln ix, + @{bin}/lsblk Px, + @{bin}/mkdir ix, + @{bin}/sed ix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{lib}/wechat-appimage.AppImage ix, + @{open_path} Px -> child-open-strict, /etc/lsb-release r, /etc/machine-id r, - owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk, + owner @{user_documents_dirs}/WeChat_Data/{,**} rwk, owner @{HOME}/.xwechat/{,**} rwk, owner @{HOME}/.sys1og.conf rw, From c26d3e9755bbf38c4e8913feee23d1bd8465f87d Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 8 Aug 2025 12:35:52 -0600 Subject: [PATCH 375/798] Host: allow netlink raw Querying a DNS server using it's hostname results in an apparmor denial: `host google.com dns.google.com` `apparmor="DENIED" operation="create" class="net" profile="host" pid=00000 comm="host" family="netlink" sock_type="raw" protocol=0 requested_mask="create" denied_mask="create"` --- apparmor.d/profiles-g-l/host | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index cb9f8d2d9..aca2c5d61 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -18,6 +18,7 @@ profile host @{exec_path} { network inet6 dgram, network inet stream, network inet6 stream, + network netlink raw, @{exec_path} mr, From b852681cc8c11f9abf287e41823f0d70e59ace06 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Sat, 9 Aug 2025 14:55:43 +0200 Subject: [PATCH 376/798] Fix hyprpicker --- apparmor.d/groups/hyprland/hyprpicker | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index 78375c8b2..a46d53f4c 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -17,6 +17,7 @@ profile hyprpicker @{exec_path} { owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, + owner /dev/shm/@{uuid} r, owner /dev/tty@{int} rw, From 9790ca7ebccfe9c27f5899eefcfe64234743ca85 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:21:56 +0200 Subject: [PATCH 377/798] fix(profile): minor linter fix. --- apparmor.d/groups/systemd/resolvectl | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 142d0c9d8..dd5bdb3d4 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -17,7 +17,7 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { network inet raw, network inet6 raw, - network netlink raw, + network netlink raw, signal send set=cont peer=child-pager, diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 5eb5dac06..2370271ec 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -25,7 +25,7 @@ profile landscape-sysinfo @{exec_path} { @{exec_path} mr, - @{bin}/who rix, + @{bin}/who rPx, @{lib}/@{python_name}/**/__pycache__/ w, @{lib}/@{python_name}/**/__pycache__/**.pyc w, From a724af9dedaa86a5a7dccb191c0a54bd0aade9b3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:24:29 +0200 Subject: [PATCH 378/798] tests: improve check.sh --- tests/check.sh | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 815f7f07e..e30f21e19 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -153,6 +153,8 @@ declare -A ABS_DEPRECATED=( ["dbus-network-manager-strict"]="bus/org.freedesktop.NetworkManager" ["dbus-session-strict"]="bus-session" ["dbus-system-strict"]="bus-system" + ["gnome"]="gnome-strict" + ["kde"]="kde-strict" ) _check_abstractions() { _is_enabled abstractions || return 0 @@ -216,7 +218,7 @@ readonly TRANSITION_MUST_CI=( # Must transition to 'ix' or 'Cx' sed shred stat tail tee test timeout touch truncate unlink ) readonly TRANSITION_MUST_PC=( # Must transition to 'Px' - ischroot + ischroot who ) readonly TRANSITION_MUST_C=( # Must transition to 'Cx' sysctl kmod pgrep pkexec sudo systemctl udevadm @@ -226,19 +228,19 @@ readonly TRANSITION_MUST_C=( # Must transition to 'Cx' _check_transition() { _is_enabled transition || return 0 for prgmname in "${!TRANSITION_MUST_CI[@]}"; do - if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then + if [[ "$line" =~ "/${TRANSITION_MUST_CI[$prgmname]} ".*([uU]x|[pP][uU]x|[pP]x) ]]; then _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_CI[$prgmname]} should be used inherited: 'ix' | 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_PC[@]}"; do - if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then + if [[ "$line" =~ "/${TRANSITION_MUST_PC[$prgmname]} ".*(Pix|ix) ]]; then _err transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_PC[$prgmname]} should transition to another (sub)profile with 'Px' or 'Cx'" fi done for prgmname in "${!TRANSITION_MUST_C[@]}"; do - if [[ "$line" =~ "@{bin}/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then + if [[ "$line" =~ "/${TRANSITION_MUST_C[$prgmname]} ".*([pP]ix|[uU]x|[pP][uU]x|ix) ]]; then _warn transition "$file:$line_number" \ "@{bin}/${TRANSITION_MUST_C[$prgmname]} should transition to a subprofile with 'Cx'" fi @@ -455,7 +457,6 @@ _check_subprofiles() { elif $_CHEK_IN_SUBPROFILE; then if [[ "$line" == *"$include" ]]; then _RES_SUBPROFILES["$subprofile"]=true - fi fi } From 4210db4faade72baba69434134bd75b7f0a9e0bb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:53:47 +0200 Subject: [PATCH 379/798] feat(profile): add more dbus interface base abs & improve dbus integration. --- apparmor.d/abstractions/bus/org.a11y | 5 +++ apparmor.d/abstractions/bus/org.bluez | 2 +- .../abstractions/bus/org.freedesktop.Avahi | 10 ++++++ .../bus/org.freedesktop.NetworkManager | 2 +- .../abstractions/bus/org.freedesktop.UPower | 2 +- ...rg.freedesktop.impl.portal.PermissionStore | 5 +++ .../bus/org.freedesktop.portal.Desktop | 11 ++++--- .../bus/org.gnome.Shell.SearchProvider | 0 .../abstractions/bus/org.gtk.Notifications | 16 ++++++++++ .../bus/org.mpris.MediaPlayer2.Player | 31 +++++++++++++++++++ apparmor.d/groups/cups/cups-browsed | 5 +++ apparmor.d/groups/cups/cups-notifier-dbus | 2 ++ apparmor.d/groups/cups/cupsd | 9 ++++++ .../freedesktop/xdg-desktop-portal-gnome | 6 ++++ .../groups/gnome/evolution-source-registry | 1 + apparmor.d/groups/gnome/gio-launch-desktop | 1 + apparmor.d/groups/gnome/gnome-characters | 2 +- .../groups/gnome/gnome-extension-gsconnect | 6 ++++ apparmor.d/groups/gnome/gnome-keyring-daemon | 1 + .../groups/gnome/gsd-print-notifications | 5 +++ apparmor.d/groups/network/NetworkManager | 4 +-- apparmor.d/profiles-a-f/fwupd | 4 +-- apparmor.d/profiles-s-z/spotify | 11 +++++++ 23 files changed, 128 insertions(+), 13 deletions(-) create mode 100644 apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider create mode 100644 apparmor.d/abstractions/bus/org.gtk.Notifications create mode 100644 apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index ef0e15707..2677d2f61 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -33,6 +33,11 @@ # Session bus + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=Get diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 201d3998c..461ad9f94 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -8,7 +8,7 @@ dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved + member={InterfacesAdded,InterfacesRemoved} peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"), dbus send bus=system path=/ diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index b683cf128..aa48e69b1 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -31,6 +31,16 @@ member=StateChanged peer=(name=@{busname}, label="@{p_avahi_daemon}"), + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Found + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 78f0de9de..a22a235fb 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -28,7 +28,7 @@ dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded + member={InterfacesAdded,InterfacesRemoved} peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index 69218b619..d82fbdef0 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -18,7 +18,7 @@ dbus receive bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower - member=DeviceAdded + member={DeviceAdded,DeviceRemoved} peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore index 8461bb047..22886c8a5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore @@ -11,6 +11,11 @@ member=Lookup peer=(name="@{busname}", label=xdg-permission-store), + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore + interface=org.freedesktop.impl.portal.PermissionStore + member=Lookup + peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 7b19a675a..5e5967a1a 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -4,11 +4,7 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.portal.Desktop label=xdg-desktop-portal - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=xdg-desktop-portal), + #aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties @@ -35,6 +31,11 @@ member={Read,ReadAll} peer=(name="@{busname}", label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.host.portal.Registry + member=Register + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider new file mode 100644 index 000000000..e69de29bb diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/org.gtk.Notifications new file mode 100644 index 000000000..b9229f204 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gtk.Notifications @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gtk.Notifications label=gnome-shell + + dbus send bus=session path=/org/gtk/Notifications + interface=org.gtk.Notifications + member=RemoveNotification + peer=(name=org.gtk.Notifications, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player new file mode 100644 index 000000000..d8581be07 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined + + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}), + + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.Player + member=Seeked + peer=(name=@{busname}), + + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=@{busname}), + + dbus send bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 78e7883cb..745337a8d 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -36,6 +36,11 @@ profile cups-browsed @{exec_path} { member=CheckPermissions peer=(name=:*, label=NetworkManager), + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member=PrinterDeleted + peer=(name=@{busname}, label=cups-notifier-dbus), + @{exec_path} mr, /usr/share/cups/locale/{,**} r, diff --git a/apparmor.d/groups/cups/cups-notifier-dbus b/apparmor.d/groups/cups/cups-notifier-dbus index 6e3b38490..fa31b726d 100644 --- a/apparmor.d/groups/cups/cups-notifier-dbus +++ b/apparmor.d/groups/cups/cups-notifier-dbus @@ -16,6 +16,8 @@ profile cups-notifier-dbus @{exec_path} { signal (receive) set=(term) peer=cupsd, + #aa:dbus own bus=system name=org.cups.cupsd.Notifier + @{exec_path} mr, owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index b3658b738..f9b70ae4d 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -44,6 +44,15 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=cups-notifier-dbus, + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=DeleteDevice + peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), + dbus send bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=FindDeviceById + peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 1355aa22b..6ee4cab6d 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -34,6 +34,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell dbus send bus=session path=/org/freedesktop/portal/desktop @@ -46,6 +47,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), + dbus receive bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, / r, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 379ea5bef..a5a1bd414 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,6 +10,7 @@ include profile evolution-source-registry @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 84e8546e2..a3d285e94 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -18,6 +18,7 @@ include profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index a43168866..9af2b7d5f 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -17,7 +17,7 @@ profile gnome-characters @{exec_path} { include #aa:dbus own bus=session name=org.gnome.Characters - #aa-dbus own bus=session name=org.gnome.Characters.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa-dbus talk bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 96dd21540..3cf92d613 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -17,6 +17,12 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include + include + include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 37b3b7892..6752f54d4 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -24,6 +24,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} + #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 9fdd96e1a..f8d4280a0 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -28,6 +28,11 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { # dbus receive bus=system path=/org/cups/cupsd/Notifier # interface=org.cups.cupsd.Notifier, + dbus receive bus=system path=/org/cups/cupsd/Notifier + interface=org.cups.cupsd.Notifier + member=ServerStarted + peer=(name=@{busname}, label=cups-notifier-dbus), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 85257c89d..fc5c39ea7 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -69,8 +69,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager - member=InterfacesAdded - peer=(name=org.freedesktop.DBus, label=nm-online), + member={InterfacesAdded,InterfacesRemoved} + peer=(name=org.freedesktop.DBus), @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 7d28b3ec3..019aec5a9 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -14,8 +14,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include - include - include include include include @@ -38,7 +36,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { network netlink raw, #aa:dbus own bus=system name=org.freedesktop.fwupd path=/ + #aa:dbus talk bus=system name=org.bluez.GattCharacteristic1 label=bluetoothd #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index dfd488a48..b619a8720 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -16,6 +16,14 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include + include + include + include + include + include + include + include + include include include @@ -25,6 +33,9 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + @{exec_path} mrix, @{sh_path} mr, From 526a7e704cf2e9eb608691fe9e9d74ead7159a2e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 18:55:08 +0200 Subject: [PATCH 380/798] feat(tunable): improve the definition of some tunables. --- apparmor.d/tunables/multiarch.d/system | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index eac40a028..359d1b878 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -38,7 +38,7 @@ @{udbus}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} # Universally unique identifier -@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} +@{uuid}=@{hex8}[-_]@{hex4}[-_]@{hex4}[-_]@{hex4}[-_]@{hex12} # Username & group valid characters @{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} @@ -47,8 +47,9 @@ # Semantic version @{version}=@{u16}{.@{u16},}{.@{u16},}{{-,_}@{rand},} +#aa:only opensuse # OpenSUSE does not have the same multiarch structure -@{multiarch}+=*-suse-linux* #aa:only opensuse +@{multiarch}+=*-suse-linux* # System Internal @@ -58,11 +59,12 @@ @{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} # Shortcut for PCI device -@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} -@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} +@{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h} +@{pci_bus}=pci@{hex4}:@{hex2} @{pci}=@{pci_bus}/**/ # Udev data dynamic assignment ranges +# See https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 From 67c9e86d832c144d70e4d1e1d49d79ac007a8472 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:00:42 +0200 Subject: [PATCH 381/798] feat(profile): improve integration with ubuntu. --- apparmor.d/groups/apt/dpkg-script-apparmor | 7 +++++++ apparmor.d/groups/cups/cups-browsed | 6 ++++-- apparmor.d/groups/cups/cupsd | 3 +++ apparmor.d/groups/gnome/gdm-generate-config | 4 ++-- apparmor.d/groups/gnome/gnome-terminal-server | 2 ++ apparmor.d/groups/gnome/papers | 1 + apparmor.d/groups/systemd/systemd-coredump | 1 + apparmor.d/groups/systemd/systemd-logind | 10 +++++----- apparmor.d/groups/systemd/systemd-sleep-hdparm | 1 + apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders | 6 ++++-- apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer | 2 ++ apparmor.d/profiles-g-l/git | 5 ++++- apparmor.d/profiles-g-l/gitstatusd | 4 +++- apparmor.d/profiles-g-l/host | 5 +++-- apparmor.d/profiles-g-l/language-validate | 1 - apparmor.d/profiles-m-r/on-ac-power | 1 + apparmor.d/profiles-m-r/pass | 1 + apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/sysstat-sadc | 5 ++--- apparmor.d/profiles-s-z/thermald | 3 +-- 20 files changed, 48 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 122e4541e..38a068ac0 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -11,6 +11,8 @@ profile dpkg-script-apparmor @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, @{bin}/{,e}grep ix, @@ -43,11 +45,16 @@ profile dpkg-script-apparmor @{exec_path} { capability net_admin, capability sys_resource, + capability dac_override, + capability dac_read_search, signal send set=(cont term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent rix, + @{run}/user/@{uid}/systemd/ask-password/ rw, + @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw, + owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/ask-password-block/{,*} rw, diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 745337a8d..9498f245a 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -16,9 +16,9 @@ profile cups-browsed @{exec_path} { include include - capability net_admin, +# capability net_admin, capability net_bind_service, - capability sys_nice, +# capability sys_nice, network inet dgram, network inet6 dgram, @@ -43,6 +43,8 @@ profile cups-browsed @{exec_path} { @{exec_path} mr, + @{bin}/ippfind rPx, + /usr/share/cups/locale/{,**} r, /etc/cups/{,**} r, diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index f9b70ae4d..acae9b7a1 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -29,7 +29,9 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { capability setuid, capability wake_alarm, + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network appletalk dgram, @@ -99,6 +101,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{run}/cups/{,**} rw, @{run}/systemd/notify w, + @{run}/avahi-daemon/socket rw, @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 7240ffaef..d48b9eff6 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -25,8 +25,8 @@ profile gdm-generate-config @{exec_path} { @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rCx -> pgrep, - @{bin}/pkill rCx -> pgrep, + @{bin}/pgrep rCx -> &pgrep, + @{bin}/pkill rCx -> &pgrep, @{bin}/setpriv rix, @{bin}/setsid rix, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 837f00f68..cda4568c1 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -38,6 +38,8 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, + @{lib}/gnome-terminal-preferences ix, + # The shell is not confined on purpose. @{bin}/@{shells} Ux, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 87820376c..27000b93a 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -26,6 +26,7 @@ profile papers @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, owner @{tmp}/gtkprint@{rand6} rw, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 2bd25ec16..54f366c2f 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -35,6 +35,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{bin}/* r, @{sbin}/* r, /opt/** r, + /usr/share/*/** r, @{user_lib_dirs}/** r, /etc/systemd/coredump.conf r, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 7bd5c88de..1fb3f6cb3 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -136,11 +136,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - /dev/dri/card@{int} rw, - /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) - /dev/mqueue/ r, - /dev/tty@{int} rw, - owner /dev/shm/{,**/} rw, + /dev/dri/card@{int} rw, + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) + /dev/mqueue/ r, + /dev/tty@{int} rw, + /dev/shm/{,**/} rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 71008c96d..4cbe61755 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -11,6 +11,7 @@ profile systemd-sleep-hdparm @{exec_path} { include @{exec_path} mr, + @{sh_path} r, include if exists } diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders index b64c34a4b..04c9a33f2 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders @@ -18,8 +18,10 @@ profile gdk-pixbuf-query-loaders @{exec_path} { @{exec_path} mr, - @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw, - @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw, + @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/ w, + @{lib}/@{multiarch}/gdk-pixbuf-@{version}/@{version}/loaders.cache w, + @{lib}/gdk-pixbuf-@{version}/{,*}/loaders.cache.* rw, + @{lib}/gdk-pixbuf-@{version}/@{version}/loaders.cache rw, /usr/share/gvfs/remote-volume-monitors/{,**} r, diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer index 6ec661d31..d3df6f5f3 100644 --- a/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer +++ b/apparmor.d/profiles-g-l/gdk-pixbuf-thumbnailer @@ -10,6 +10,8 @@ include profile gdk-pixbuf-thumbnailer @{exec_path} { include + @{exec_path} mr, + include if exists } diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index c9373c7ae..425fe2f14 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -115,6 +115,8 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.git_vtag_tmp@{rand6} r, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists @@ -138,13 +140,14 @@ profile git @{exec_path} flags=(attach_disconnected) { @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/ssh_config r, - owner @{HOME}/@{XDG_SSH_DIR}/* r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl, owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*, owner @{tmp}/ssh-*/agent.@{int} rw, + owner @{run}/user/@{uid}/keyring/ssh rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index 8901ade9c..579536674 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -6,12 +6,14 @@ abi , include -@{exec_path} = /usr/share/zsh-theme-powerlevel@{int}k/gitstatus/usrbin/gitstatusd{,-*} +@{exec_path} = @{user_cache_dirs}/gitstatus/gitstatusd{,-*} +@{exec_path} += /usr/share/zsh-theme-powerlevel{9,10}k/gitstatus/usrbin/gitstatusd{,-*} profile gitstatusd @{exec_path} { include include signal receive set=term peer=*//shell, + signal receive set=term peer=vscode, @{exec_path} mr, diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host index aca2c5d61..ab0cf0cba 100644 --- a/apparmor.d/profiles-g-l/host +++ b/apparmor.d/profiles-g-l/host @@ -22,10 +22,11 @@ profile host @{exec_path} { @{exec_path} mr, - owner @{PROC}/@{pids}/task/@{tid}/comm rw, - @{sys}/kernel/mm/transparent_hugepage/enabled r, + @{PROC}/version_signature r, + owner @{PROC}/@{pids}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index 80f914fab..3d7383aef 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -18,7 +18,6 @@ profile language-validate @{exec_path} flags=(attach_disconnected) { @{bin}/{,e}grep rix, @{bin}/locale rix, - /usr/share/locale-langpack/{,*} r, /usr/share/language-tools/{,*} r, include if exists diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index ffe3d4119..16ccfd9da 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -18,6 +18,7 @@ profile on-ac-power @{exec_path} { @{bin}/cat rix, @{sys}/class/power_supply/ r, + @{sys}/class/typec/ r, @{sys}/devices/**/power_supply/**/{online,type} r, @{PROC}/pmu/info r, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 7e432a838..30f92c964 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -146,6 +146,7 @@ profile pass @{exec_path} { owner @{user_passwordstore_dirs}/** rwkl -> @{HOME}/.password-store/**, owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature + owner @{run}/user/@{uid}/gnupg/S.gpg-agent rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index b619a8720..1ec4eeea3 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -8,7 +8,7 @@ abi , include @{name} = spotify -@{lib_dirs} = /opt/spotify/ +@{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index dfdd00524..7d9143938 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -24,10 +24,9 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/ r, - @{sys}/devices/@{pci}/hwmon/hwmon@{int}/name r, @{sys}/devices/@{pci}/net/*/duplex r, - @{sys}/devices/**/i2c-*/name r, + @{sys}/devices/**/hwmon@{int}/ r, + @{sys}/devices/**/name r, @{sys}/devices/**/net/*/duplex r, @{sys}/devices/**/net/*/speed r, @{sys}/devices/virtual/net/*/duplex r, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 101310df1..b663865e8 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -24,8 +24,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { /etc/thermald/{,*} r, owner @{run}/thermald/ rw, - owner @{run}/thermald/thd_preference.conf rw, - owner @{run}/thermald/thd_preference.conf.save w, + owner @{run}/thermald/** rw, owner @{run}/thermald/thermald.pid rwk, @{sys}/class/hwmon/ r, From 90e962dabbbb57be3ff927c02320dda8002cf0de Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:02:15 +0200 Subject: [PATCH 382/798] feat(profile): chromium: cleanup shell exe. Needed to installing/remove extensions, applications, and stacked xdg menus --- apparmor.d/abstractions/app/chromium | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index c089d89e5..a971ca5a0 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -86,16 +86,11 @@ @{bin}/xdg-open rPx -> child-open, @{bin}/xdg-settings rPx, - # Installing/removing extensions & applications - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/touch rix, + # Installing/removing extensions, applications, and stacked xdg menus + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{coreutils_path} ix, # For storing passwords externally @{bin}/keepassxc-proxy rix, # as a temporary solution - see issue #128 From 82c6f554b37b559d31427a195751869ba77d19cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:03:16 +0200 Subject: [PATCH 383/798] feat(abs): update list of app allowed to be openned. --- apparmor.d/abstractions/app-open | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 59724f019..e0c8d3d59 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -35,6 +35,7 @@ @{bin}/discord{,-ptb} Px, @{bin}/draw.io PUx, @{bin}/dropbox Px, + @{bin}/ebook-edit PUx, @{bin}/element-desktop Px, @{bin}/extension-manager Px, @{bin}/filezilla Px, @@ -46,6 +47,7 @@ @{bin}/gnome-session-quit Px, @{bin}/gnome-software Px, @{bin}/gwenview PUx, + @{bin}/keepassxc Px, @{bin}/qbittorrent Px, @{bin}/qpdfview Px, @{bin}/smplayer Px, From 1da6e15cda25ec3ff7eeff0401546aedd70d8ef5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:04:26 +0200 Subject: [PATCH 384/798] cosmetic: cleanup usage of bash abs. --- apparmor.d/abstractions/bash-strict | 2 +- apparmor.d/abstractions/fish | 2 +- apparmor.d/abstractions/zsh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index 9ea35f8c2..cd4a7c8a7 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when .bashrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index 2ae6ab93d..65f97f9f2 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when zshrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 02eacfb62..7c734a45b 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# This abstraction is only required when an interactive shell is started. +# This abstraction is only required when zshrc is loaded (e.g. interactive shell). # Classic shell scripts do not need it. abi , From ece81aa6cbe0d0660db978b81cb20d140e408188 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 10 Aug 2025 19:05:15 +0200 Subject: [PATCH 385/798] feat(abs): audio: add jack.conf.d --- apparmor.d/abstractions/audio-client | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 166229a09..826191309 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -21,6 +21,7 @@ /etc/openal/alsoft.conf r, /etc/pipewire/client{,-rt}.conf r, /etc/pipewire/client{,-rt}.conf.d/{,**} r, + /etc/pipewire/jack.conf.d/{,**} r, /etc/pulse/client.conf r, /etc/pulse/client.conf.d/{,**} r, /etc/wildmidi/wildmidi.cfg r, From eb642993d88ad2ca8204e0640a7c69bfa35a7ab4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 10:56:20 +0200 Subject: [PATCH 386/798] feat(profile): revisit the monitorix profile. --- apparmor.d/profiles-m-r/monitorix | 97 +++++++++++++++---------------- 1 file changed, 47 insertions(+), 50 deletions(-) diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index c708b587c..6cbef400b 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -10,10 +10,11 @@ include @{exec_path} = @{bin}/monitorix profile monitorix @{exec_path} { include - include - include - include + include include + include + include + include capability net_admin, capability chown, @@ -28,80 +29,76 @@ profile monitorix @{exec_path} { network inet stream, network inet6 stream, - ptrace (read), + ptrace read, - signal (receive) set=(hup) peer=logroate, + signal receive set=(hup) peer=logroate, @{exec_path} mr, @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/df rix, - @{bin}/cat rix, - @{bin}/tail rix, - @{bin}/{m,g,}awk rix, - @{bin}/free rix, - @{sbin}/ss rix, - @{bin}/who rix, - @{sbin}/lvm rix, - @{sbin}/xtables-nft-multi rix, - @{bin}/sensors rix, - @{bin}/getconf rix, - @{bin}/ps rix, - - /etc/monitorix/monitorix.conf r, - /etc/monitorix/conf.d/ r, - /etc/monitorix/conf.d/@{int2}-*.conf r, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/cat ix, + @{bin}/df ix, + @{bin}/free ix, + @{bin}/getconf ix, + @{bin}/ps Px, + @{bin}/sensors Px, + @{bin}/tail ix, + @{bin}/who Px, + @{sbin}/lvm Px, + @{sbin}/ss Px, + @{sbin}/xtables-nft-multi ix, + + /var/lib/monitorix/www/cgi/monitorix.cgi ix, + + /etc/monitorix/{,**} r, + + /var/lib/monitorix/ rw, + /var/lib/monitorix/** rwk, /var/log/monitorix w, /var/log/monitorix-* w, - owner @{run}/monitorix.pid w, - - /var/lib/monitorix/*.rrd* rwk, - /var/lib/monitorix/www/** rw, - /var/lib/monitorix/www/cgi/monitorix.cgi rwix, + /srv/http/monitorix/ rw, + /srv/http/monitorix/** rwk, / r, /tmp/ r, - /etc/shadow r, - /dev/tty r, + owner @{run}/monitorix.pid w, @{run}/utmp rk, + @{sys}/class/i2c-adapter/ r, + @{sys}/devices/@{pci}/i2c-*/{,**/}name r, + @{sys}/class/hwmon/ r, + @{sys}/devices/**/thermal*/{,**} r, + @{sys}/devices/**/hwmon*/{,**} r, + @{PROC}/ r, - @{PROC}/swaps r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/tcp{,6} r, + @{PROC}/@{pid}/net/udp{,6} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/fdinfo/ r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/stat r, @{PROC}/diskstats r, - @{PROC}/loadavg r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/uptime r, @{PROC}/interrupts r, + @{PROC}/loadavg r, + @{PROC}/swaps r, @{PROC}/sys/fs/dentry-state r, @{PROC}/sys/fs/file-nr r, @{PROC}/sys/fs/inode-nr r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/uptime r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/net/dev r, owner @{PROC}/@{pid}/net/ip_tables_names r, owner @{PROC}/@{pid}/net/ip6_tables_names r, - @{PROC}/@{pid}/net/udp{,6} r, - @{PROC}/@{pid}/net/tcp{,6} r, - @{PROC}/sys/kernel/pid_max r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/fdinfo/ r, - @{PROC}/@{pids}/io r, - - @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-*/{,**/}name r, - @{sys}/class/hwmon/ r, - @{sys}/devices/**/thermal*/{,**} r, - @{sys}/devices/**/hwmon*/{,**} r, - - /etc/sensors3.conf r, - /etc/sensors.d/ r, include if exists } From caee95ff9edc4e8f970a41c4a289af9d83ee714f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 11:18:21 +0200 Subject: [PATCH 387/798] fix(test): checks.sh: allow empty disabled array. --- tests/check.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/check.sh b/tests/check.sh index e30f21e19..9ecd809bf 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -42,7 +42,7 @@ _in_array() { _is_enabled() { local check="$1" if _in_array "$check" "${WITH_CHECK[@]}"; then - if [[ ${#_check_is_disabled[@]} -eq 0 ]]; then + if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then return 0 fi if _in_array "$check" "${_check_is_disabled[@]}"; then From 73afa5835eb4e8ea5a201a8f44bb194f01c09dc2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 11:23:05 +0200 Subject: [PATCH 388/798] fix(abs): dbus: SearchProvider -> SearchProvider2 --- .../abstractions/bus/org.gnome.Shell.SearchProvider | 0 .../abstractions/bus/org.gnome.Shell.SearchProvider2 | 12 ++++++++++++ 2 files changed, 12 insertions(+) delete mode 100644 apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider create mode 100644 apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider deleted file mode 100644 index e69de29bb..000000000 diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 new file mode 100644 index 000000000..baa96cc78 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell + + include if exists + +# vim:syntax=apparmor + From 175e2c3dc3ff1dc8bce2ed312141cec5f2065dfd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 16:16:35 +0200 Subject: [PATCH 389/798] feat(profile): ensure all access to udev/data is documented. Cleanup some rule to wide in udev/data --- apparmor.d/abstractions/devices-usb-read | 6 ++--- apparmor.d/abstractions/disks-read | 6 ++--- apparmor.d/abstractions/gstreamer | 2 +- apparmor.d/groups/_full/systemd | 5 ++-- apparmor.d/groups/_full/systemd-user | 5 ++-- apparmor.d/groups/bluetooth/bluetoothd | 2 +- .../groups/browsers/firefox-kmozillahelper | 2 +- apparmor.d/groups/filesystem/udisksd | 8 +++--- apparmor.d/groups/freedesktop/boltd | 2 +- .../groups/freedesktop/iio-sensor-proxy | 2 +- apparmor.d/groups/freedesktop/upowerd | 12 ++++----- apparmor.d/groups/freedesktop/xorg | 10 +++---- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-shell | 12 ++++----- apparmor.d/groups/gnome/gsd-power | 4 +-- apparmor.d/groups/hyprland/hyprland | 8 +++--- apparmor.d/groups/kde/baloo | 4 +-- apparmor.d/groups/kde/baloorunner | 4 +-- apparmor.d/groups/kde/dolphin | 4 +-- apparmor.d/groups/kde/kwin_wayland | 8 +++--- apparmor.d/groups/lxqt/lxqt-panel | 3 ++- apparmor.d/groups/network/ModemManager | 14 +++++----- apparmor.d/groups/network/NetworkManager | 6 ++--- apparmor.d/groups/network/dhcpcd | 2 +- apparmor.d/groups/network/nmcli | 2 +- apparmor.d/groups/steam/steam | 2 +- apparmor.d/groups/systemd/networkctl | 2 +- apparmor.d/groups/systemd/systemd-backlight | 4 +-- apparmor.d/groups/systemd/systemd-journald | 26 +++++++++---------- apparmor.d/groups/systemd/systemd-logind | 12 ++++----- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-rfkill | 2 +- .../groups/ubuntu/subiquity-console-conf | 8 +++--- apparmor.d/groups/virt/libvirtd | 6 ++--- apparmor.d/groups/virt/virtnodedevd | 16 ++++++------ apparmor.d/profiles-a-f/cheese | 3 ++- apparmor.d/profiles-a-f/fwupd | 4 ++- apparmor.d/profiles-g-l/kodi | 3 ++- apparmor.d/profiles-g-l/labwc | 7 +++-- apparmor.d/profiles-m-r/power-profiles-daemon | 4 +-- apparmor.d/profiles-s-z/tlp | 2 +- 41 files changed, 120 insertions(+), 118 deletions(-) diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 6bd0c8015..836a5f3c7 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -20,9 +20,9 @@ @{sys}/devices/**/usb@{int}/{,**} r, # Udev data about usb devices (~equal to content of lsusb -v) - @{run}/udev/data/+usb:* r, - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c16[6,7]:@{int} r, # USB modems + @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters include if exists diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 872b0c552..e33ec2c3f 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -101,13 +101,13 @@ @{run}/udev/data/b43:@{int} r, # for /dev/nbd* @{run}/udev/data/b179:@{int} r, # for /dev/mmcblk* @{run}/udev/data/b230:@{int} r, # for /dev/zvol* - @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 - @{run}/udev/data/b25[0-4]:@{int} r, + @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 + @{run}/udev/data/b25[0-4]:@{int} r, # to 254 @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/+usb:* r, # for disk over usb hub + @{run}/udev/data/+usb:* r, # Identifies all USB devices include if exists diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 7fc20c293..5a14b6f7a 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -36,7 +36,7 @@ #owner @{HOME}/orcexec.* mrw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c189:@{int} r, # For USB serial converters diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 184084fed..d1ee8fd1f 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -168,14 +168,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) { @{run}/credentials/{,**} rw, @{run}/systemd/{,**} rw, - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, @{sys}/**/uevent r, diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index a5bb4d926..b3d751be1 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -59,14 +59,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { @{run}/systemd/notify w, @{run}/systemd/oom/io.systemd.ManagedOOM rw, - @{run}/udev/data/+module:configfs r, - @{run}/udev/data/+module:fuse r, + @{run}/udev/data/+module:* r, # Identifies kernel modules loaded by udev @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c116:@{int} r, # for ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{run}/udev/tags/systemd/ r, @{sys}/devices/virtual/dmi/id/bios_vendor r, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index e5443f505..2800a4124 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -46,7 +46,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{run}/sdp rw, owner @{run}/systemd/notify w, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{sys}/devices/@{pci}/rfkill@{int}/name r, @{sys}/devices/@{pci}/**/{uevent,name} r, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index efcad72f8..8e86ee126 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -44,7 +44,7 @@ profile firefox-kmozillahelper @{exec_path} { owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl, owner @{run}/user/@{uid}/xauth_@{rand6} rl, - @{run}/udev/data/+usb:* r, # For /dev/bus/usb/** + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 2ff82f5e4..91d4a8569 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -112,11 +112,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, - @{run}/udev/data/+vmbus:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index 8f55bb375..5b72f8427 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -27,7 +27,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/notify w, - @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{sys}/bus/ r, @{sys}/bus/thunderbolt/devices/ r, diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy index d7122bdbb..1201e1277 100644 --- a/apparmor.d/groups/freedesktop/iio-sensor-proxy +++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy @@ -18,7 +18,7 @@ profile iio-sensor-proxy @{exec_path} { @{exec_path} mr, - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # For /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 4061af4c8..d58385831 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -28,15 +28,15 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, - @{run}/udev/data/ r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/ r, # Lists all udev data files + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for serial mice - @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 12c82aea3..c14af6d6e 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -92,17 +92,17 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner @{tmp}/server-* rwk, owner @{tmp}/serverauth.* r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 85b3268dd..41b62df09 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -159,7 +159,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 25ce44f14..d4c8b1ba2 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -315,19 +315,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/tags/seat/ r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+dmi:id r, # for motherboard info - @{run}/udev/data/+acpi* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/uevent r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index a330b76ce..2fa0b0b1f 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -58,9 +58,9 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 9f2e7583d..8c8c32da0 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -42,15 +42,15 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/@{int} r, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index e53bf4039..29447e22a 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -44,8 +44,8 @@ profile baloo @{exec_path} { @{run}/mount/utab r, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 8410408b3..702288a1f 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -28,8 +28,8 @@ profile baloorunner @{exec_path} { /tmp/ r, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 2ed232f85..5d51f8c4d 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -105,8 +105,8 @@ profile dolphin @{exec_path} { owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 101affd8c..afaac3bd0 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -110,15 +110,15 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{run}/udev/data/+acpi:* r, # for ACPI + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # for motherboard info - @{run}/udev/data/+hid:* r, # for HID subsystem + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, + @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/lxqt/lxqt-panel b/apparmor.d/groups/lxqt/lxqt-panel index 650a7e402..f817be69d 100644 --- a/apparmor.d/groups/lxqt/lxqt-panel +++ b/apparmor.d/groups/lxqt/lxqt-panel @@ -63,7 +63,8 @@ profile lxqt-panel @{exec_path} { owner @{user_config_dirs}/lxqt/panel.conf.@{rand6} l -> @{user_config_dirs}/lxqt/#@{int}, owner @{user_config_dirs}/pulse/{,**} rwk, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/class/i2c-adapter/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 59efc3201..8220516bf 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -25,18 +25,18 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+pnp:* r, - @{run}/udev/data/+serial*:* r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/+vmbus:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+pnp:* r, # For Plug and Play devices (legacy hardware, sound cards, etc.) + @{run}/udev/data/+serial*:* r, # For serial devices (modems, serial ports, etc.) + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+vmbus:* r, # For Hyper-V devices, (network adapters, storage controllers, and other virtual devices) @{run}/udev/data/c16[6,7]:@{int} r, # USB modems @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index fc5c39ea7..f7c0dd084 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -125,9 +125,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/nscd/db* rwl, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+rfkill:* r, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 51cf215f9..7bcd9efba 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -49,7 +49,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { @{run}/dhcpcd/** rwk, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/product_uuid r, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 43a9d0dca..6065a12da 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -25,7 +25,7 @@ profile nmcli @{exec_path} { owner @{HOME}/.cert/nm-openvpn/*.pem rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/@{pci}/net/*/{,**} r, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 151a3e161..5009b970d 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -190,7 +190,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/ r, @{sys}/bus/ r, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 0fd89c199..a0d1471f9 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -59,7 +59,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{run}/systemd/netif/state r, @{run}/systemd/notify w, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/**/net/**/uevent r, diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index 374e9c4ae..b5a966f37 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -18,8 +18,8 @@ profile systemd-backlight @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/backlight/*backlight* rw, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+leds:*backlight* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+leds:*backlight* r, # For keyboard backlights, mouse LEDs, etc. @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{sys}/bus/ r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index b0a646f66..ad3d96990 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -46,20 +46,20 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/host/container-manager r, @{run}/utmp rk, - @{run}/udev/data/+acpi:* r, - @{run}/udev/data/+bluetooth:* r, - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+ieee80211:* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points. @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+mdio_bus:* r, - @{run}/udev/data/+pci:* r, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+scsi:* r, - @{run}/udev/data/+sdio:* r, - @{run}/udev/data/+thunderbolt:* r, - @{run}/udev/data/+usb-serial:* r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/+virtio:* r, + @{run}/udev/data/+mdio_bus:* r, # For Management Data Input/Output (Ethernet PHY (physical layer) devices) + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+scsi:* r, # For SCSI devices. Block-storage for SATA, SAS, USB, iSCSI + @{run}/udev/data/+sdio:* r, # For Secure Digital Input Output devices, such as Wi-Fi, Bluetooth cards, GPS and NFC modules. + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. + @{run}/udev/data/+usb-serial:* r, # For USB to serial adapters + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/+virtio:* r, # For paravirtualized devices (network interfaces, block devices, console) @{run}/udev/data/b254:@{int} r, # for /dev/zram* @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 1fb3f6cb3..271354633 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -68,15 +68,15 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/udev/tags/uaccess/ r, @{run}/udev/static_node-tags/uaccess/ r, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+drivers:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+drivers:* r, # For drivers loaded in the system @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, - @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+wakeup:* r, + @{run}/udev/data/+wakeup:* r, # For wakeup events (e.g., from sleep or hibernation) @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # For /dev/input/* diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 5105c69b8..ccb6d9629 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -71,7 +71,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/*.network r, owner @{run}/systemd/netif/** rw, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 552bd9996..bf983ea7a 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -22,7 +22,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { /var/lib/systemd/rfkill/* rw, @{run}/systemd/notify rw, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{sys}/devices/**/rfkill@{int}/{uevent,name} r, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index a5b65f5b3..8f673e261 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -53,13 +53,13 @@ profile subiquity-console-conf @{exec_path} { @{run}/snapd-recovery-chooser-triggered r, @{run}/snapd.socket rw, - @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+dmi:* r, # For motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c1:@{int} r, # For RAM disk @@ -74,7 +74,7 @@ profile subiquity-console-conf @{exec_path} { @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/devices/ r, @{sys}/*/*/ r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index c90e80af9..fa3005a65 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -164,9 +164,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify w, @{run}/utmp rk, - @{run}/udev/data/+*:* r, - @{run}/udev/data/c@{int}:@{int} r, - @{run}/udev/data/n@{int} r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/bus/[a-z]*/devices/ r, @{sys}/bus/pci/drivers_probe w, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 957164e85..fb593068e 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -44,18 +44,18 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/utmp rk, - @{run}/udev/data/+backlight:* r, - @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. + @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. @{run}/udev/data/+dmi:* r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+leds:* r, + @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, - @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + @{run}/udev/data/+rfkill:* r, # Kill switch for wireless devices (Wi-Fi, Bluetooth, NFC) to save power @{run}/udev/data/+sound:card@{int} r, # For sound card - @{run}/udev/data/+thunderbolt:* r, + @{run}/udev/data/+thunderbolt:* r, # For Thunderbolt devices, such as docks, external GPUs, and storage devices. @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @@ -71,7 +71,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c203:@{int} r, # CPU CPUID information @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{run}/udev/data/n@{int} r, + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/ r, @{sys}/devices/@{pci}/net/{,**} r, diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index cadd1beab..b308439c3 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -36,10 +36,11 @@ profile cheese @{exec_path} { owner @{user_cache_dirs}/gnome-desktop-thumbnailer/gstreamer-1.0/ r, - @{run}/udev/data/c@{dynamic}:@{int} r, owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 019aec5a9..ff9af895d 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -109,7 +109,9 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{run}/motd.d/@{int}-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, - @{run}/udev/data/* r, + + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi index 5b90dd3ef..9d6c9d1c2 100644 --- a/apparmor.d/profiles-g-l/kodi +++ b/apparmor.d/profiles-g-l/kodi @@ -50,7 +50,8 @@ profile kodi @{exec_path} { owner @{HOME}/core w, owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/**/ r, @{sys}/devices/@{pci}/usb@{int}/{bDeviceClass,idProduct,idVendor} r, diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 93234bf52..ab624f099 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -38,12 +38,11 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/**/uevent r, - @{run}/udev/data/+acpi:* r, # for ? + @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 636f41754..b8f50ff7c 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -28,8 +28,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { /var/lib/power-profiles-daemon/{,**} rw, - @{run}/udev/data/+platform:* r, - @{run}/udev/data/+power_supply:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 0dccf1a23..1592d3aee 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -68,7 +68,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) { owner @{run}/tlp/{,**} rw, owner @{run}/tlp/lock_tlp rwk, - @{run}/udev/data/+platform:* r, + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/drivers/*/ r, From 616486d5bad36719f8096ec9a4d540f199a603ad Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 16:18:58 +0200 Subject: [PATCH 390/798] tests(check): add a check to ensure all udev/data access are documented. --- tests/check.sh | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 9ecd809bf..9bafd5104 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -108,6 +108,7 @@ _check() { _check_trailing _check_indentation _check_vim + _check_udev # The following checks do not apply to commented lines [[ "$line" =~ ^[[:space:]]*# ]] && continue @@ -485,6 +486,15 @@ _res_vim() { fi } +_check_udev() { + _is_enabled udev || return 0 + if [[ "$line" == *"@{run}/udev/data/"* ]]; then + if [[ "$line" != *"#"* ]]; then + _err udev "$file:$line_number" "udev data path without a description comment" + fi + fi +} + check_sbin() { local file name jobs mapfile -t sbin Date: Mon, 11 Aug 2025 19:38:24 +0200 Subject: [PATCH 391/798] feat(profile): fwupd: allow access to dbx --- apparmor.d/profiles-a-f/fwupd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index ff9af895d..7a00455a6 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -83,7 +83,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { owner /var/lib/fwupd/ rw, owner /var/lib/fwupd/** rwk, - # In order to get to this file, the attach_disconnected flag has to be set + @{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r, @@ -97,6 +97,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/firmware/efi/** r, @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, + @{sys}/firmware/efi/efivars/dbx-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, @{sys}/firmware/efi/efivars/KEK-@{uuid} rw, @{sys}/kernel/security/lockdown r, From f35b64bcaec3dd23c11ab55c1b0fd3f0a21d849b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 11 Aug 2025 22:27:08 +0200 Subject: [PATCH 392/798] fix(profile): missing documented udev/data --- apparmor.d/abstractions/app/udevadm | 3 ++- apparmor.d/groups/_full/sd | 3 ++- apparmor.d/groups/systemd/systemd-analyze | 3 ++- apparmor.d/profiles-a-f/ddcutil | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm index e8414d026..d659143d6 100644 --- a/apparmor.d/abstractions/app/udevadm +++ b/apparmor.d/abstractions/app/udevadm @@ -11,7 +11,8 @@ /etc/udev/udev.conf r, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/** r, diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index da14cabf3..13864f2dd 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -187,7 +187,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { owner @{run}/*/** rw, @{run}/udev/**/ r, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/** r, @{sys}/fs/bpf/systemd/{,**} w, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 7310586e8..3ae0a7143 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -47,7 +47,8 @@ profile systemd-analyze @{exec_path} { @{run}/systemd/system/ r, @{run}/systemd/transient/ r, @{run}/systemd/userdb/io.systemd.DynamicUser w, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{run}/udev/tags/systemd/ r, @{sys}/devices/**/uevent r, diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index 7c353bf65..d8cb23a5c 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -28,7 +28,8 @@ profile ddcutil @{exec_path} { owner @{user_cache_dirs}/ddcutil/ rw, owner @{user_cache_dirs}/ddcutil/** rwlk, - @{run}/udev/data/* r, + @{run}/udev/data/+*:* r, # Identifies all subsystems + @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices @{sys}/ r, @{sys}/bus/ r, From 8b64d7dd46364e84e435564f7e9d474d1c7c9154 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 09:27:12 +0200 Subject: [PATCH 393/798] feat(abs): electron: add cgroup memory data. --- apparmor.d/abstractions/common/electron | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 6216ec939..cd7e9e8f1 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -73,6 +73,13 @@ @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/tty@{int}/active r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + @{PROC}/ r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, From aab12e6948e27fcb9351ae3f5beb5ff49e4db619 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 11:07:08 +0200 Subject: [PATCH 394/798] fix(profile): dockerd can be installed in both bin or sbin depending of the package source. --- apparmor.d/groups/virt/dockerd | 2 +- tests/sbin.list | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 44d9f64a0..aa0a9ed58 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/dockerd +@{exec_path} = @{bin}/dockerd @{sbin}/dockerd #aa:lint ignore=sbin profile dockerd @{exec_path} flags=(attach_disconnected) { include include diff --git a/tests/sbin.list b/tests/sbin.list index a8b439478..8ee14fd21 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -171,6 +171,7 @@ dmidecode dmraid dmsetup dnsmasq +dockerd dosfsck dosfslabel dpkg-preconfigure From 2aa0d89f84ac2ad51b021568ce52243c9fc595a8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 12:45:55 +0200 Subject: [PATCH 395/798] feat(profile): update firefox stack. --- apparmor.d/groups/browsers/firefox-glxtest | 2 +- apparmor.d/groups/browsers/torbrowser-glxtest | 4 +++- apparmor.d/profiles-s-z/thunderbird | 6 +++--- apparmor.d/profiles-s-z/thunderbird-glxtest | 4 +++- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 97e5645b9..30281f2f4 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -16,8 +16,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/browsers/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest index 4939edfbf..2d8697259 100644 --- a/apparmor.d/groups/browsers/torbrowser-glxtest +++ b/apparmor.d/groups/browsers/torbrowser-glxtest @@ -17,11 +17,13 @@ profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { include include include - include include + include @{exec_path} mr, + / r, + owner @{PROC}/@{pid}/cmdline r, deny @{config_dirs}/.parentlock rw, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 02046580c..da163c2ae 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name}/ @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile thunderbird @{exec_path} { +profile thunderbird @{exec_path} flags=(attach_disconnected) { include include include @@ -23,8 +23,8 @@ profile thunderbird @{exec_path} { @{exec_path} mrix, - @{lib_dirs}/glxtest rPx, - @{lib_dirs}/vaapitest rPx, + @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, + @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 626896a09..4f25e0862 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -15,11 +15,13 @@ profile thunderbird-glxtest @{exec_path} { include include include - include include + include @{exec_path} mr, + / r, + owner @{config_dirs}/*/.parentlock rw, owner @{tmp}/thunderbird/.parentlock rw, From a5aa13923b657c9dee16d11c378d80215b14d949 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 16:11:10 +0200 Subject: [PATCH 396/798] build: add support for building multiple version of the package. --- Justfile | 10 +++++----- pkg/prebuild/cli/cli.go | 28 +++++++++++++++++++++------- 2 files changed, 26 insertions(+), 12 deletions(-) diff --git a/Justfile b/Justfile index ffed74ef5..3e16a75e8 100644 --- a/Justfile +++ b/Justfile @@ -63,27 +63,27 @@ build: [group('build')] [doc('Prebuild the profiles in enforced mode')] enforce: build - @./{{build}}/prebuild + @./{{build}}/prebuild --buildir {{build}} [group('build')] [doc('Prebuild the profiles in complain mode')] complain: build - @./{{build}}/prebuild --complain + ./{{build}}/prebuild --buildir {{build}} --complain [group('build')] [doc('Prebuild the profiles in FSP mode')] fsp: build - @./{{build}}/prebuild --full + @./{{build}}/prebuild --buildir {{build}} --full [group('build')] [doc('Prebuild the profiles in FSP mode (complain)')] fsp-complain: build - @./{{build}}/prebuild --complain --full + @./{{build}}/prebuild --buildir {{build}} --complain --full [group('build')] [doc('Prebuild the profiles in FSP mode (debug)')] fsp-debug: build - @./{{build}}/prebuild --complain --full --debug + @./{{build}}/prebuild --buildir {{build}} --complain --full --debug [group('install')] [doc('Install prebuild profiles')] diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 51636f848..000aa65f9 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -26,13 +26,15 @@ const ( internal built-in directives. Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - -a, --abi ABI Target apparmor ABI. - -v, --version V Target apparmor version. - -f, --full Set AppArmor for full system policy. - -F, --file Only prebuild a given file. + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -v, --version V Target apparmor version. + -f, --full Set AppArmor for full system policy. + -b, --buildir DIR Root build directory. + -F, --file Only prebuild a given file. + --debug Enable debug mode. ` ) @@ -41,9 +43,11 @@ var ( complain bool enforce bool full bool + debug bool abi int version float64 file string + buildir string ) func init() { @@ -61,6 +65,9 @@ func init() { flag.Float64Var(&version, "version", nilVer, "Target apparmor version.") flag.StringVar(&file, "F", "", "Only prebuild a given file.") flag.StringVar(&file, "file", "", "Only prebuild a given file.") + flag.StringVar(&buildir, "b", "", "Root build directory.") + flag.StringVar(&buildir, "buildir", "", "Root build directory.") + flag.BoolVar(&debug, "debug", false, "Enable debug mode.") } func Configure() { @@ -87,6 +94,9 @@ func Configure() { if complain { builder.Register("complain") + if debug { + builder.Register("debug") + } } else if enforce { builder.Register("enforce") } @@ -106,6 +116,10 @@ func Configure() { if version != nilVer { prebuild.Version = version } + if buildir != "" { + prebuild.Root = paths.New(buildir) + prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") + } if file != "" { sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) sync.Paths = []string{file} From 5c8c5029e085cc2ba88a28eb5df3c26229f4b49f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 18:12:51 +0200 Subject: [PATCH 397/798] tests(packer): add lxqt test image, update xfce. --- tests/cloud-init/archlinux-lxqt.user-data.yml | 28 ++++++++ tests/cloud-init/archlinux-xfce.user-data.yml | 36 +--------- tests/cloud-init/archlinux.yml | 67 +++++++++++++++++++ 3 files changed, 96 insertions(+), 35 deletions(-) create mode 100644 tests/cloud-init/archlinux-lxqt.user-data.yml diff --git a/tests/cloud-init/archlinux-lxqt.user-data.yml b/tests/cloud-init/archlinux-lxqt.user-data.yml new file mode 100644 index 000000000..208f7dab5 --- /dev/null +++ b/tests/cloud-init/archlinux-lxqt.user-data.yml @@ -0,0 +1,28 @@ +#cloud-config + +packages: *lxqt-packages + +# lxqt-wayland-session kwin + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable sddm + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + - *grub-enable-apparmor # Enable AppArmor in kernel parameters + - *setup-bash-aliases # Set some bash aliases + - *shared-directory # Setup shared directory diff --git a/tests/cloud-init/archlinux-xfce.user-data.yml b/tests/cloud-init/archlinux-xfce.user-data.yml index 5bab9bf08..afba57519 100644 --- a/tests/cloud-init/archlinux-xfce.user-data.yml +++ b/tests/cloud-init/archlinux-xfce.user-data.yml @@ -1,40 +1,6 @@ #cloud-config -packages: - # Install core packages - - apparmor - - base-devel - - qemu-guest-agent - - rng-tools - - spice-vdagent - - # Install usefull core packages - - bash-completion - - git - - just - - htop - - man - - pass - - python-notify2 - - vim - - wget - - # Install basic services - - networkmanager - - cups - - cups-pdf - - system-config-printer - - # Install Applications - - firefox - - chromium - - terminator - - # Install Graphical Interface - - xfce4 - - xfce4-goodies - - lightdm - - lightdm-gtk-greeter +packages: *xfce-packages runcmd: # Regenerate grub.cfg diff --git a/tests/cloud-init/archlinux.yml b/tests/cloud-init/archlinux.yml index 5299efda0..629de7d02 100644 --- a/tests/cloud-init/archlinux.yml +++ b/tests/cloud-init/archlinux.yml @@ -88,6 +88,73 @@ kde-packages: &kde-packages - konsole - okular +lxqt-packages: &lxqt-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer + - chromium + - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - lxqt + - breeze-icons + - sddm + +xfce-packages: &xfce-packages + # Core packages for Archlinux + - apparmor + - base-devel + - bash-completion + - docker + - git + - htop + - just + - man + - pass + - python-notify2 + - qemu-guest-agent + - rng-tools + - spice-vdagent + - vim + - wget + + # Desktop packages for Archlinux + - networkmanager + - cups + - cups-pdf + - system-config-printer + - chromium + - firefox + - spice-vdagent + - terminator + + # Install Graphical Interface + - xfce4 + - xfce4-goodies + - lightdm + - lightdm-gtk-greeter + # Enable AppArmor in kernel parameters grub-enable-apparmor: &grub-enable-apparmor path: /etc/default/grub From d8875ab8260f500175d5030c90142a94a4e324e5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 12 Aug 2025 18:51:39 +0200 Subject: [PATCH 398/798] build: minor build system improvement. --- Justfile | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/Justfile b/Justfile index 3e16a75e8..e434586c4 100644 --- a/Justfile +++ b/Justfile @@ -5,7 +5,7 @@ # Usage: `just` # See https://apparmor.pujol.io/development/ for more information. -# Build setings +# Build settings destdir := "/" build := ".build" pkgdest := `pwd` / ".pkg" @@ -251,7 +251,7 @@ create dist flavor: --memorybacking source.type=memfd,access.mode=shared \ --disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \ --filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \ - --os-variant "`just get_osinfo {{dist}}`" \ + --os-variant "`just _get_osinfo {{dist}}`" \ --graphics spice \ --audio id=1,type=spice \ --sound model=ich9 \ @@ -282,18 +282,18 @@ destroy dist flavor: [group('vm')] [doc('Connect to the machine')] ssh dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` [group('vm')] [doc('Mount the shared directory on the machine')] mount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' [group('vm')] [doc('Unmout the shared directory on the machine')] umount dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' [group('vm')] @@ -307,6 +307,7 @@ list: images: #!/usr/bin/env bash set -eu -o pipefail + mkdir -p {{base_dir}} ls -lh {{base_dir}} | awk ' BEGIN { printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date") @@ -343,19 +344,19 @@ init: [group('tests')] [doc('Run the integration tests')] -integration: - bats --recursive --timing --print-output-on-failure tests/integration +integration name="": + bats --recursive --timing --print-output-on-failure tests/integration/{{name}} [group('tests')] [doc('Install dependencies for the integration tests (machine)')] tests-init dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init [group('tests')] [doc('Synchronize the integration tests (machine)')] tests-sync dist flavor: - @ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ [group('tests')] @@ -367,18 +368,16 @@ tests-resync dist flavor: (mount dist flavor) \ [group('tests')] [doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) - ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \ + ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ bats --recursive --pretty --timing --print-output-on-failure \ /home/{{username}}/Projects/tests/integration/{{name}} -[private] -get_ip dist flavor: +_get_ip dist flavor: @virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \ head -1 | \ grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' -[private] -get_osinfo dist: +_get_osinfo dist: #!/usr/bin/env python3 osinfo = { "archlinux": "archlinux", From 38ac0f580d10b6e0950e9505095e669bd69529d1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 Aug 2025 15:40:52 +0200 Subject: [PATCH 399/798] feat(profile): revisit electron based profiles. - cleanup and enforce signal - fix discord fix #773 #777 --- apparmor.d/abstractions/common/electron | 1 + apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/network/mullvad-gui | 4 ++-- apparmor.d/profiles-a-f/discord | 7 +++++-- apparmor.d/profiles-a-f/element-desktop | 4 +--- apparmor.d/profiles-a-f/freetube | 3 +-- apparmor.d/profiles-g-l/linuxqq | 1 - apparmor.d/profiles-m-r/protonmail | 10 +++++----- apparmor.d/profiles-s-z/signal-desktop | 23 +++++----------------- apparmor.d/profiles-s-z/wechat | 1 - apparmor.d/profiles-s-z/wechat-appimage | 1 - apparmor.d/profiles-s-z/wechat-universal | 1 - dists/flags/main.flags | 4 +--- 13 files changed, 22 insertions(+), 40 deletions(-) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index cd7e9e8f1..175fa8b2d 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -16,6 +16,7 @@ include include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 870d4cfe4..cb7edf822 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -15,7 +15,7 @@ profile xdg-settings @{exec_path} { @{exec_path} r, - @{sh_path} rix, + @{sh_path} r, @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat ix, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index ae9b4cb7f..e4d2e9a2c 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -26,9 +26,9 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { network netlink raw, @{exec_path} mrix, - @{sh_path} rix, + @{sh_path} rix, - @{bin}/gsettings rix, + @{bin}/gsettings rPx, @{open_path} rPx -> child-open-browsers, owner @{user_cache_dirs}/dconf/user rw, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index ddcd99add..8765084ff 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} -profile discord @{exec_path} { +profile discord @{exec_path} flags=(attach_disconnected) { include include include @@ -31,13 +31,15 @@ profile discord @{exec_path} { @{exec_path} mrix, @{sh_path} rix, - @{bin}/lsb_release rPx, @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, + @{bin}/lsb_release rPx, + @{bin}/xdg-mime rPx, @{open_path} rPx -> child-open-strict, + /etc/ r, /etc/lsb-release r, owner @{user_videos_dirs}/{,**} rwl, @@ -52,6 +54,7 @@ profile discord @{exec_path} { owner @{run}/user/@{uid}/discord-ipc-@{int} rw, + owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/task/@{tid}/comm r, include if exists diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 05a900889..91de37e58 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -30,11 +30,9 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} r, - @{open_path} rPx -> child-open-strict, - #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> element-desktop//&xdg-settings, + @{open_path} Px -> child-open-strict, /usr/share/webapps/element/{,**} r, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 8250cf8aa..f4284873d 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -34,10 +34,9 @@ profile freetube @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{open_path} rPx -> child-open-strict, - #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> freetube//&xdg-settings, + @{open_path} rPx -> child-open-strict, deny @{sys}/devices/@{pci}/usb@{int}/** r, deny /dev/ r, diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index dd653bd61..08b8cf7a1 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -17,7 +17,6 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, network netlink dgram, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index c6d309a94..c2c81d4da 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* -profile protonmail @{exec_path} flags=(complain) { +profile protonmail @{exec_path} flags=(attach_disconnected) { include include include @@ -24,12 +24,13 @@ profile protonmail @{exec_path} flags=(complain) { network inet6 dgram, network netlink raw, - ptrace read peer=xdg-settings, + ptrace read peer=protonmail//&xdg-settings, @{exec_path} mrix, - @{bin}/xdg-settings Px, - @{open_path} Px -> child-open, + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> protonmail//&xdg-settings, + @{open_path} Px -> child-open, owner @{user_config_dirs}/ibus/bus/ r, @@ -38,7 +39,6 @@ profile protonmail @{exec_path} flags=(complain) { owner @{tmp}/gtkprint_ppd_@{rand6} rw, include if exists - } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index b6a477707..0bedb90e1 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -21,7 +21,6 @@ profile signal-desktop @{exec_path} { include include include - include include include @@ -31,31 +30,19 @@ profile signal-desktop @{exec_path} { network inet6 stream, network netlink raw, + ptrace read peer=signal-desktop//&xdg-settings, + @{exec_path} mrix, - @{bin}/getconf rix, - @{open_path} rPx -> child-open-strict, + @{lib_dirs}/chrome_crashpad_handler rix, + @{lib_dirs}/chrome-sandbox rPx, #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, - - audit @{lib_dirs}/chrome-sandbox rPx, - @{lib_dirs}/chrome_crashpad_handler rix, + @{open_path} rPx -> child-open-strict, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/memory.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - @{PROC}/@{pid}/fd/ r, - @{PROC}/vmstat r, - - /dev/tty rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index 5764deb77..ccff2f95f 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -17,7 +17,6 @@ profile wechat @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, network netlink dgram, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index e7eabe6ec..07f67fb59 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -17,7 +17,6 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { include include include - include include network netlink raw, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 3824f9526..b1c8aded2 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -18,7 +18,6 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, network netlink dgram, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 22e9a1447..a62a6847d 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -75,7 +75,7 @@ deb-systemd-invoke complain debconf-escape complain decibels complain dino attach_disconnected,complain -discord complain +discord attach_disconnected,complain discord-chrome-sandbox complain DiscoverNotifier complain dkms attach_disconnected,complain @@ -281,8 +281,6 @@ sddm attach_disconnected,mediate_deleted,complain sddm-greeter complain secure-time-sync attach_disconnected,complain sftp-server complain -signal-desktop attach_disconnected,complain -signal-desktop-chrome-sandbox complain sing-box complain slirp4netns attach_disconnected,complain snap complain From ba35a7933c9f5acceb37066d11be61eef4bf433b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 Aug 2025 15:41:53 +0200 Subject: [PATCH 400/798] fix(profile): comment problematic rule Fix #769 --- apparmor.d/groups/browsers/brave | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 0decb0d4b..4c38e0ce5 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -18,7 +18,7 @@ profile brave @{exec_path} flags=(attach_disconnected) { include include - unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), + # unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler), signal receive peer=brave//&brave-crashpad-handler, From eda29668ae75d8b42412f35e3737230c6a626c09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 14 Aug 2025 18:23:30 +0200 Subject: [PATCH 401/798] fix(profile): ensure signal-desktop has the attach_disconnected flag. Fix 812 --- apparmor.d/profiles-s-z/signal-desktop | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 0bedb90e1..dc0bc381e 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile signal-desktop @{exec_path} { +profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include From 10e57f01a64eb821dcecc03a7298cf049454253e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:27:44 +0200 Subject: [PATCH 402/798] feat(abs): add /etc/xdg/menus and session files to kde-strict. See #811 --- apparmor.d/abstractions/desktop | 7 +++++++ apparmor.d/abstractions/kde-strict | 7 +++++++ apparmor.d/groups/browsers/firefox-kmozillahelper | 5 ----- apparmor.d/groups/kde/dolphin | 6 ------ 4 files changed, 14 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 73e533992..878f6f794 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -49,6 +49,8 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -63,6 +65,11 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, # else if @{DE} == xfce diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 56aa88798..428aa93f3 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -25,6 +25,8 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -39,6 +41,11 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, owner @{user_share_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index 8e86ee126..ade169f25 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -27,16 +27,11 @@ profile firefox-kmozillahelper @{exec_path} { /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{user_config_dirs}/kmozillahelperrc r, owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/kservices5/ r, owner @{user_share_dirs}/kservices5/searchproviders/ r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 5d51f8c4d..3879fa6a5 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -51,8 +51,6 @@ profile dolphin @{exec_path} { /etc/machine-id r, /etc/xdg/arkrc r, /etc/xdg/dolphinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, /etc/xdg/ui/ui_standards.rc r, # Full access to user's data @@ -89,10 +87,6 @@ profile dolphin @{exec_path} { owner @{user_config_dirs}/knfsshare.{,.@{rand6}} rwk, owner @{user_config_dirs}/knfsshare.lock rwk, - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/dolphin_* rwlk -> @{user_config_dirs}/session/#@{int}, - owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, From e09586e01dd015c26462c410bc0caee9a00e8e8d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:30:43 +0200 Subject: [PATCH 403/798] feat(abs): freedesktop: add more path for recently-used files. see #811 --- apparmor.d/abstractions/freedesktop.org.d/complete | 5 +++++ apparmor.d/groups/gnome/gnome-tweaks | 1 - apparmor.d/groups/gnome/gsd-media-keys | 2 -- apparmor.d/groups/kde/dolphin | 1 - apparmor.d/groups/kde/kactivitymanagerd | 1 - apparmor.d/groups/kde/okular | 2 -- 6 files changed, 5 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index 220883c29..df445cef5 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -23,4 +23,9 @@ owner @{HOME}/.icons/{,**} r, + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/recently-used.xbel rw, + owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, + owner @{user_share_dirs}/recently-used.xbel.lock rwk, + # vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 96e83b846..7f93b7864 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -36,7 +36,6 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw, owner @{user_share_dirs}/backgrounds/{,**} r, owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r, - owner @{user_share_dirs}/recently-used.xbel* rw, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 2a2ea034f..6cae2d49b 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -71,8 +71,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, - owner @{user_share_dirs}/recently-used.xbel{,.*} rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 3879fa6a5..2d3b099d7 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -74,7 +74,6 @@ profile dolphin @{exec_path} { owner @{user_share_dirs}/dolphin/ rw, owner @{user_share_dirs}/dolphin/** rwkl -> @{user_share_dirs}/dolphin/#@{int}, - owner @{user_share_dirs}/recently-used.xbel{,.*} rwlk, owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk, owner @{user_config_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index fdc0730c4..1ee022dc6 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -38,7 +38,6 @@ profile kactivitymanagerd @{exec_path} { owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk, owner @{user_share_dirs}/kservices{5,6}/{,**} r, - owner @{user_share_dirs}/recently-used.xbel r, owner @{user_share_dirs}/user-places.xbel r, owner @{run}/user/@{uid}/#@{int} rw, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index 7618a10d4..7cd628b09 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -69,8 +69,6 @@ profile okular @{exec_path} { owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, owner @{user_share_dirs}/okular/ rw, owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**, - owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl -> @{user_share_dirs}/#@{int}, - owner @{user_share_dirs}/recently-used.xbel.lock rk, owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, From c02674593d00754b54f3329d1ac75ab0c44af571 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:34:48 +0200 Subject: [PATCH 404/798] feat(profile): update kde profiles see #811 --- .../groups/freedesktop/xdg-desktop-portal-kde | 16 ++++++++++++++++ apparmor.d/groups/kde/kalendarac | 5 +++++ apparmor.d/groups/kde/kded | 1 + apparmor.d/groups/kde/kglobalacceld | 4 ---- apparmor.d/groups/kde/ksmserver | 3 --- apparmor.d/groups/kde/kwalletmanager | 3 --- apparmor.d/groups/kde/kwin_x11 | 5 +++-- apparmor.d/groups/kde/okular | 14 +++++--------- .../groups/kde/plasma-browser-integration-host | 6 ------ apparmor.d/groups/kde/plasma_session | 1 - apparmor.d/groups/kde/systemsettings | 3 --- apparmor.d/profiles-m-r/pinentry-qt | 2 ++ 12 files changed, 32 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index 8c1c1686f..bd5981dcf 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -11,6 +11,7 @@ include profile xdg-desktop-portal-kde @{exec_path} { include include + include include include include @@ -30,6 +31,12 @@ profile xdg-desktop-portal-kde @{exec_path} { #aa:exec kioworker /usr/share/plasma/look-and-feel/** r, + /usr/share/thumbnailers/{,**} r, + + /etc/fstab r, + /etc/xdg/dolphinrc r, + + / r, owner @{HOME}/ r, @@ -39,12 +46,21 @@ profile xdg-desktop-portal-kde @{exec_path} { owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc rw, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.@{rand6} rwlk, + owner @{user_state_dirs}/xdg-desktop-portal-kdestaterc.lock rwk, + + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, owner @{PROC}/@{pid}/mountinfo r, + /dev/shm/ r, /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index a45652c7b..e9ae78457 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -34,6 +34,11 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kmail2rc r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/kalendaracstaterc rw, + owner @{user_state_dirs}/kalendaracstaterc.@{rand6} rwl, + owner @{user_state_dirs}/kalendaracstaterc.lock rwk, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index c9fa538df..2ef26836d 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -84,6 +84,7 @@ profile kded @{exec_path} { /var/lib/dbus/machine-id r, / r, + @{efi}/ r, owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 9da19046d..0e8ba3395 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -18,15 +18,11 @@ profile kglobalacceld @{exec_path} { /usr/share/kglobalaccel/{,**} r, /etc/machine-id r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc* rwl, owner @{user_config_dirs}/khotkeysrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, @{PROC}/sys/kernel/random/boot_id r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index eb53bc078..6d515fb18 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -49,9 +49,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager index dc64cbb9e..5ffcafd4f 100644 --- a/apparmor.d/groups/kde/kwalletmanager +++ b/apparmor.d/groups/kde/kwalletmanager @@ -36,9 +36,6 @@ profile kwalletmanager @{exec_path} { owner @{user_config_dirs}/kwalletrc rw, owner @{user_config_dirs}/kwalletrc.* rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kwalletrc.lock rwk, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/kwalletmanager5_* rwl -> @{user_config_dirs}/session/#@{int}, - owner @{user_config_dirs}/session/kwalletmanager5_*.lock rwk, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index e05e443ff..8400c8cb6 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -25,10 +25,12 @@ profile kwin_x11 @{exec_path} { @{exec_path} mrix, @{sh_path} rix, + @{bin}/kdialog rix, @{lib}/kwin_killer_helper rix, #aa:exec drkonqi + /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, @@ -47,6 +49,7 @@ profile kwin_x11 @{exec_path} { owner @{user_cache_dirs}/session/#@{int} rw, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/kaccessrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kwinoutputconfig.json rw, owner @{user_config_dirs}/kwinrc.lock rwk, @@ -54,8 +57,6 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/plasmarc r, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/session/kwin_* rwk, owner @{user_share_dirs}/kwin/scripts/ r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index 7cd628b09..acd9b7430 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -42,8 +42,6 @@ profile okular @{exec_path} { /etc/fstab r, /etc/xdg/dolphinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, / r, @{MOUNTS}/ r, @@ -51,19 +49,17 @@ profile okular @{exec_path} { owner @{user_cache_dirs}/okular/{,**} rw, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/KDE/*.conf r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/kwalletrc r, + owner @{user_config_dirs}/okular-generator-popplerrc r, owner @{user_config_dirs}/okularpartrc rw, owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularpartrc.lock rwk, owner @{user_config_dirs}/okularrc rw, owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularrc.lock rwk, - owner @{user_config_dirs}/okular-generator-popplerrc r, - owner @{user_config_dirs}/KDE/*.conf r, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/kservicemenurc r, - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index dce3545f7..e17d4c5f1 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -21,16 +21,10 @@ profile plasma-browser-integration-host @{exec_path} { @{exec_path} mr, - /etc/xdg/menus/applications-merged/ r, - /usr/share/kservices{5,6}/{,**} r, - /etc/xdg/menus/ r, /etc/xdg/taskmanagerrulesrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, diff --git a/apparmor.d/groups/kde/plasma_session b/apparmor.d/groups/kde/plasma_session index 1fbeda384..5d3812594 100644 --- a/apparmor.d/groups/kde/plasma_session +++ b/apparmor.d/groups/kde/plasma_session @@ -36,7 +36,6 @@ profile plasma_session @{exec_path} { /etc/xdg/autostart/ r, /etc/xdg/autostart/*.desktop r, - /etc/xdg/menus/ r, owner @{user_config_dirs}/kdedefaults/ksplashrc r, owner @{user_config_dirs}/plasma-welcomerc r, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index e68d248b6..b41dac08a 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -57,7 +57,6 @@ profile systemsettings @{exec_path} { /etc/fstab r, /etc/machine-id r, - /etc/xdg/menus/{,applications-merged/} r, /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, @@ -90,8 +89,6 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/kinfocenterrc* rwlk, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/** rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 3c5ec0a94..66729769f 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -17,6 +17,8 @@ profile pinentry-qt @{exec_path} { include include + ptrace read peer=gpg-agent, + @{exec_path} mr, /etc/machine-id r, From ace53f3002531730a262245b27d62c16a65efc7c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:35:19 +0200 Subject: [PATCH 405/798] feat(profile): openvpn need to load module. See #811 --- apparmor.d/groups/network/openvpn | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index a6ff1a939..b5a6b83ef 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -27,17 +27,12 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { include include - # Needed to remove the following errors: - # ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) - # Exiting due to fatal error - capability net_admin, - - # These are needed when user/group are set in a OpenVPN config file - capability setuid, - capability setgid, - - capability dac_read_search, capability dac_override, + capability dac_read_search, + capability net_admin, # create tun + capability setgid, # when user/group are set in a OpenVPN config file + capability setuid, + capability sys_module, network inet dgram, network inet6 dgram, From d51b386d13540c6ff55317cc588734451a6e0f4c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:36:05 +0200 Subject: [PATCH 406/798] feat(abs): pager: improve integration with opensuse. See #811 --- apparmor.d/abstractions/app/pager | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/abstractions/app/pager b/apparmor.d/abstractions/app/pager index 1557b78ef..30acc5612 100644 --- a/apparmor.d/abstractions/app/pager +++ b/apparmor.d/abstractions/app/pager @@ -21,6 +21,8 @@ /usr/share/file/misc/** r, /usr/share/nvim/{,**} r, + @{etc_ro}/lesskey.bin r, + @{HOME}/.lesshst r, owner @{HOME}/ r, From b1b3ee8321d2a269ef2e3e24ff8a367cbed46adc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:38:15 +0200 Subject: [PATCH 407/798] feat(abs): add tty/drivers to pgrrep/pkill subprofiles. see #811 --- apparmor.d/abstractions/app/pgrep | 1 + apparmor.d/groups/kde/kded | 2 -- apparmor.d/groups/procps/pgrep | 2 -- 3 files changed, 1 insertion(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index d6b7ba8a7..0ec14bea0 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -24,6 +24,7 @@ @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/stat r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, include if exists diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 2ef26836d..ef81b95d1 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -160,8 +160,6 @@ profile kded @{exec_path} { include include - @{PROC}/tty/drivers r, - include if exists } diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep index 950aeb99e..489f55bd7 100644 --- a/apparmor.d/groups/procps/pgrep +++ b/apparmor.d/groups/procps/pgrep @@ -14,8 +14,6 @@ profile pgrep @{exec_path} { @{exec_path} mr, - @{PROC}/tty/drivers r, - include if exists } From e15bd7bea03e25b4b27423a3e36e3530be89f21d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:40:17 +0200 Subject: [PATCH 408/798] feat(abs): improve vim integration with common editors. see #811 --- apparmor.d/abstractions/app/editor | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 2bd14077b..b33dbc7f4 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -12,9 +12,10 @@ @{sh_path} rix, @{bin}/nvim mrix, @{bin}/sensible-editor mr, - @{bin}/vim{,.*} mrix, + @{bin}/vim* mrix, @{bin}/which{,.debianutils} rix, + /usr/share/doc/{,**} r, /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, /usr/share/vim/{,**} r, @@ -24,8 +25,9 @@ /etc/xdg/nvim/* r, owner @{HOME}/.selected_editor r, - owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vim/{after/,}spell/{,**} rw, + owner @{HOME}/.vim/** r, + owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vimrc r, owner @{HOME}/ r, From e2b1547bf11bf305b49881fa12fa0688fb5d88db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:41:26 +0200 Subject: [PATCH 409/798] feat(profile): ssh: add ssh.hmac Similar to newest version of sshd with sshd.hmac see #811 --- apparmor.d/groups/ssh/ssh | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 43fbddc63..75a25771f 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -26,6 +26,7 @@ profile ssh @{exec_path} { @{exec_path} mrix, @{bin}/@{shells} rUx, + @{bin}/ssh.hmac r, @{lib}/{,ssh/}ssh-sk-helper rix, From 44a6bc86e6cf25b344d76ab36a345d1181aaab20 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:43:15 +0200 Subject: [PATCH 410/798] feat(tunable): add `bin` to XDG_BIN_DIR. So it can get allowed/denied by profile using user_bin_dirs. see #811 --- apparmor.d/tunables/home.d/apparmor.d | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index c791f5376..398fe20f4 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -16,7 +16,7 @@ @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" @{XDG_STATE_DIR}=".local/state" -@{XDG_BIN_DIR}=".local/bin" +@{XDG_BIN_DIR}="bin" ".local/bin" @{XDG_LIB_DIR}=".local/lib" # Define extended user directories not defined in the XDG standard but commonly From b90a2a89fe095d3de5be2d139eeaaaa1065815be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:44:10 +0200 Subject: [PATCH 411/798] feat(abs): app-open: kde opener need system id. see #811 --- apparmor.d/abstractions/app/open | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 9d0da2199..243d18261 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -33,8 +33,7 @@ include include include - - /etc/xdg/menus/ r, + include owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, From d09f5d055f5f0d91e7dc1e64dda621e62aea4a1e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:51:16 +0200 Subject: [PATCH 412/798] feat(profile): improve dbus definitions. --- .../bus/org.freedesktop.ScreenSaver | 5 +++++ .../bus/org.freedesktop.portal.Desktop | 5 +++++ .../abstractions/bus/org.freedesktop.systemd1 | 2 +- .../gnome/evolution-addressbook-factory | 1 + .../groups/gnome/gnome-extension-gsconnect | 4 +++- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/network/NetworkManager | 20 +++++-------------- apparmor.d/groups/systemd/resolvectl | 1 + apparmor.d/profiles-s-z/spotify | 1 + apparmor.d/profiles-s-z/terminator | 5 +++++ 10 files changed, 28 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver index 43ed93af6..f73768e9f 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver @@ -9,6 +9,11 @@ member={Inhibit,UnInhibit} peer=(name=org.freedesktop.ScreenSaver), + dbus receive bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=@{busname}, label=gjs-console), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 5e5967a1a..2753a6602 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -36,6 +36,11 @@ member=Register peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop/** + interface=org.freedesktop.portal.Request + member=Response + peer=(name=@{busname}, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 4fb1764bc..167e66d65 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -6,7 +6,7 @@ #aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" - dbus send bus=session path=/org/freedesktop/systemd1 + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit} peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 9f18395f2..3d83232e1 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -26,6 +26,7 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 3cf92d613..64568eab0 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -17,6 +17,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include include include include @@ -36,9 +37,10 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect interface+=org.gtk.{Actions,Menus} dbus eavesdrop bus=session, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d4c8b1ba2..95874290f 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -18,6 +18,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f7c0dd084..01de67a18 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -50,22 +50,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher + member=Action peer=(name=org.freedesktop.nm_dispatcher), - - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*), - - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name=:*, label="@{p_bluetoothd}"), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label="@{p_bluetoothd}"), + dbus send bus=system path=/uk/org/thekelleys/dnsmasq + interface=org.freedesktop.NetworkManager.dnsmasq + member=SetServersEx + peer=(name=@{busname}, label=dnsmasq), dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index dd5bdb3d4..58f2d88f8 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -22,6 +22,7 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 1ec4eeea3..a3a093c85 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -35,6 +35,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal @{exec_path} mrix, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index d71ccf802..59c78396d 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -29,6 +29,11 @@ profile terminator @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=net.tenshu.Terminator@{hex} + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartTransientUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + @{exec_path} mr, @{bin}/ r, From 20546d37a0f7aa3bb26c01659e64187a8bf22f49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:51:48 +0200 Subject: [PATCH 413/798] feat(profile): fprintd needs sys_admin see #811 --- apparmor.d/profiles-a-f/fprintd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 1d00dce88..8a5f9c01a 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -15,6 +15,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_nice, network netlink raw, From 112d54907ec106665dbd3e9660b43e132879add9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:53:52 +0200 Subject: [PATCH 414/798] feat(profile): thunderbird/firefox: move rules needed in both programs. --- apparmor.d/abstractions/app/firefox | 3 +++ apparmor.d/groups/browsers/firefox | 3 --- apparmor.d/profiles-s-z/thunderbird-glxtest | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 85922664b..68fb14887 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -100,6 +100,9 @@ owner @{tmp}/@{name}/* rwk, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, + owner @{tmp}/mozilla* rw, + owner @{tmp}/mozilla*/ rw, + owner @{tmp}/mozilla*/* rwk, owner @{tmp}/remote-settings-startup-bundle- rw, owner @{tmp}/remote-settings-startup-bundle-.tmp rw, owner @{tmp}/Temp-@{uuid}/ rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index fe8507219..bac81c847 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -64,9 +64,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{tmp}/@{rand8}.* rw, # file downloads (to anywhere) owner @{tmp}/@{uuid}.zip{,.tmp} rw, owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, - owner @{tmp}/mozilla* rw, - owner @{tmp}/mozilla*/ rw, - owner @{tmp}/mozilla*/* rwk, owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k, owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 4f25e0862..4dc891361 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -11,7 +11,7 @@ include @{config_dirs} = @{HOME}/.@{name}/ @{exec_path} = @{lib_dirs}/glxtest -profile thunderbird-glxtest @{exec_path} { +profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { include include include From 9c9af1d821a7eb85547484ce4563cce0d7909743 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 10:59:20 +0200 Subject: [PATCH 415/798] feat(profile): improve integration with ubuntu. --- apparmor.d/groups/gpg/gpg | 1 + apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/grub/grub-probe | 2 ++ apparmor.d/groups/network/NetworkManager | 1 + apparmor.d/profiles-a-f/blkdeactivate | 2 +- apparmor.d/profiles-m-r/initramfs-hooks | 5 +++++ 6 files changed, 11 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 6a01796ff..b65823520 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,6 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, + /usr/share/keyrings/** rw, #aa:only apt /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index c081d53c3..5b62fa30c 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -27,7 +27,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { @{bin}/cut rix, @{bin}/date rix, @{bin}/dirname rix, - @{sbin}/dmsetup rPUx, + @{sbin}/dmsetup rPx, @{bin}/dpkg rPx, @{bin}/find rix, @{bin}/findmnt rPx, diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 017083eaf..c767d2f02 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -36,6 +36,8 @@ profile grub-probe @{exec_path} { /dev/**/ r, /dev/mapper/control w, + deny mqueue (read, getattr) type=posix /, + include if exists } diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 01de67a18..6b444093c 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -71,6 +71,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{bin}/kmod rPx, @{bin}/netconfig rPUx, @{sbin}/resolvconf rPx, + @{bin}/resolvectl rPx, @{bin}/systemctl rCx -> systemctl, @{lib}/{,NetworkManager/}nm-daemon-helper rPx, @{lib}/{,NetworkManager/}nm-dhcp-helper rPx, diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate index 83806e753..bff816339 100644 --- a/apparmor.d/profiles-a-f/blkdeactivate +++ b/apparmor.d/profiles-a-f/blkdeactivate @@ -15,7 +15,7 @@ profile blkdeactivate @{exec_path} flags=(complain) { @{exec_path} rm, @{sh_path} rix, - @{sbin}/dmsetup rPUx, + @{sbin}/dmsetup rPx, @{bin}/{,e}grep rix, @{bin}/touch rix, @{bin}/lsblk rPx, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 14a83ffbb..a4fc278f0 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -16,6 +16,8 @@ profile initramfs-hooks @{exec_path} { @{sh_path} rix, @{coreutils_path} rix, + @{bin}/cpio ix, + @{bin}/dpkg Cx -> child-dpkg, @{bin}/fc-cache ix, @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, @@ -25,6 +27,9 @@ profile initramfs-hooks @{exec_path} { @{lib}/initramfs-tools/bin/busybox ix, @{lib}/klibc/bin/fstype ix, @{sbin}/blkid Px, + @{sbin}/cryptsetup PUx, + @{sbin}/dmsetup Px, + @{sbin}/iucode_tool ix, /usr/share/mdadm/mkconf Px, @{bin}/* mr, From 5f368403b343df0dd3d23d10a2b58896c6b7c2f9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:27:34 +0200 Subject: [PATCH 416/798] Revert "feat(tunable): add `bin` to XDG_BIN_DIR." This reverts commit 44a6bc86e6cf25b344d76ab36a345d1181aaab20. --- apparmor.d/tunables/home.d/apparmor.d | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index 398fe20f4..c791f5376 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -16,7 +16,7 @@ @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" @{XDG_STATE_DIR}=".local/state" -@{XDG_BIN_DIR}="bin" ".local/bin" +@{XDG_BIN_DIR}=".local/bin" @{XDG_LIB_DIR}=".local/lib" # Define extended user directories not defined in the XDG standard but commonly From 753d36cfa337a37a3aead1cf1e9781553a5cbd22 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:29:54 +0200 Subject: [PATCH 417/798] fix(profile): manually deny path in git Needed as 44a6bc86e6cf25b344d76ab36a345d1181aaab20 raise merged rule with conflicting x modifiers errors. --- apparmor.d/profiles-g-l/git | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 425fe2f14..0538f5da0 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -38,6 +38,7 @@ profile git @{exec_path} flags=(attach_disconnected) { deny /usr/local/games/ r, deny /var/lib/flatpak/exports/bin/ r, deny owner @{HOME}/.go/bin/ r, + deny owner @{HOME}/bin/ r, deny owner @{user_bin_dirs}/ r, # These are needed for "git submodule update" From 7d49a1628e1c67457780d8f5b372bc804d021917 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:32:27 +0200 Subject: [PATCH 418/798] fix(abs): avahi socket path. --- apparmor.d/abstractions/common/app | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 74c82f92a..3029fb80b 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -67,7 +67,7 @@ @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. + @{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, From 6739b238cef5bf052371ad4fe67f31c65dd107f2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:33:29 +0200 Subject: [PATCH 419/798] feat(abs): base-strict: allow communication to children and stacked profiles. --- apparmor.d/abstractions/base-strict | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 818a4937f..22ca5ec5e 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -67,8 +67,9 @@ # Allow unconfined processes to us via unix sockets unix receive peer=(label=unconfined), - # Allow communication to children profiles + # Allow communication to children and stacked profiles signal peer=@{profile_name}//*, + signal peer=@{profile_name}//&*, unix type=stream peer=(label=@{profile_name}//*), # Allow us to create abstract and anonymous sockets From 3d329fdef8801c3fc892e33fa3876bf96ed37d70 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 11:39:35 +0200 Subject: [PATCH 420/798] feat(profile): minor profiles improvement. --- apparmor.d/groups/freedesktop/colord | 4 +++- apparmor.d/groups/freedesktop/pipewire | 2 ++ apparmor.d/groups/kde/kscreenlocker_greet | 2 ++ apparmor.d/groups/ssh/sshd-session | 1 + apparmor.d/groups/systemd/systemd-delta | 4 ++-- apparmor.d/groups/systemd/systemd-detect-virt | 7 +++++++ apparmor.d/profiles-a-f/cheese | 6 +++++- 7 files changed, 22 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index ee2cdf42e..81d0c9f6b 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -59,7 +59,9 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/{vendor,model,type} r, @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r, @{sys}/devices/@{pci}/uevent r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/sys/dev/parport/ r, @{PROC}/sys/dev/parport/parport@{int}/base-addr r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index ad4eb57c5..97e3c6119 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -47,6 +47,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{tmp}/librnnoise-@{int}.so rm, + @{run}/snapd.socket rw, owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk, owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, @@ -62,6 +63,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r, @{sys}/module/apparmor/parameters/enabled r, + owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index dd3a6b42b..ddd14b5c2 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -25,6 +25,8 @@ profile kscreenlocker_greet @{exec_path} { network netlink raw, + ptrace read peer=ksmserver, + signal (receive) set=(term) peer=kwin_wayland, signal (receive) set=(usr1, term) peer=ksmserver, signal (send) peer=kcheckpass, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index 5f09af5cc..e953834a7 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -74,6 +74,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/sessions/@{int}.ref w, + @{run}/cockpit/active.issue r, @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, diff --git a/apparmor.d/groups/systemd/systemd-delta b/apparmor.d/groups/systemd/systemd-delta index 7cf546a56..311636d95 100644 --- a/apparmor.d/groups/systemd/systemd-delta +++ b/apparmor.d/groups/systemd/systemd-delta @@ -10,11 +10,11 @@ include profile systemd-delta @{exec_path} { include - signal (send) peer=child-pager, + signal send peer=child-pager, @{exec_path} mr, - @{bin}/less rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/binfmt.d/{,**} r, /etc/modprobe.d/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 35f4afbc4..01e49025f 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -21,6 +21,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{run}/cloud-init/ds-identify.log w, @{run}/host/container-manager r, + @{run}/systemd/container r, @{run}/systemd/notify w, @{sys}/devices/virtual/dmi/id/bios_vendor r, @@ -29,6 +30,12 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/firmware/dmi/entries/*/raw r, + @{sys}/firmware/uv/prot_virt_guest r, + @{sys}/hypervisor/properties/features r, + + @{PROC}/xen/capabilities r, + + /dev/cpu/@{int}/msr r, include if exists } diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index b308439c3..b89fa42f2 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2025 Roman Beslik +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -41,7 +42,10 @@ profile cheese @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, From aafcd1c861c4ea9afdf0bc535b2bc10e50fa81ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 17:21:24 +0200 Subject: [PATCH 421/798] feat(profile): simplify ssh home path. --- apparmor.d/groups/ssh/ssh | 4 +--- apparmor.d/groups/ssh/ssh-keygen | 8 ++++---- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 75a25771f..03236196c 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -36,9 +36,7 @@ profile ssh @{exec_path} { @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/machine-id r, - owner @{HOME}/@{XDG_SSH_DIR}/ r, - owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r, - owner @{HOME}/@{XDG_SSH_DIR}/config r, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl, owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_*_*_* wl, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 397ffdcd6..b55824e58 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -15,13 +15,13 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, + /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/ w, - owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw, + owner @{HOME}/@{XDG_SSH_DIR}/{,*} rw, - /tmp/snapd@{int}/*_*{,.pub} w, - /tmp/snapd@{int}/*.key{,.pub} w, + owner /tmp/snapd@{int}/*_*{,.pub} w, + owner /tmp/snapd@{int}/*.key{,.pub} w, /dev/tty@{int} rw, /dev/ttyS@{int} rw, From c29b4ba536ba0b625955d85f912ece0ef12f2318 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:03:36 +0200 Subject: [PATCH 422/798] feat(profile): various security/linter improvement - Ignore some rule from the linter - Move some bin to subprofile --- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/pacman/pacdiff | 6 +----- apparmor.d/profiles-a-f/baobab | 1 + apparmor.d/profiles-a-f/file-roller | 1 + apparmor.d/profiles-m-r/mimetype | 6 +++--- apparmor.d/profiles-s-z/tomb | 2 +- apparmor.d/profiles-s-z/xarchiver | 11 ++++------- tests/check.sh | 5 ++++- tests/sbin.list | 1 + 10 files changed, 18 insertions(+), 18 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index da5da33a1..9be1f3258 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -48,6 +48,7 @@ profile dpkg-scripts @{exec_path} { @{sbin}/ldconfig.real Cx -> ldconfig, @{sbin}/update-rc.d Cx -> rc, + #aa:lint ignore=too-wide # Maintainer scripts can legitimately start/restart anything # PU is only used as a safety fallback. @{bin}/** PUx, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index e58c9d8b3..a814eaaa9 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -61,8 +61,8 @@ profile reportbug @{exec_path} { /usr/share/bug/*/{control,presubj} r, + #aa:lint ignore=too-wide /etc/** r, - /etc/reportbug.conf r, owner @{HOME}/ r, # For shell pwd owner @{HOME}/.reportbugrc{,~} rw, diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 497386125..cab9eed4b 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/pacdiff profile pacdiff @{exec_path} flags=(attach_disconnected) { include + include capability dac_read_search, capability mknod, @@ -30,11 +31,6 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{bin}/rm rix, @{bin}/sed rix, @{bin}/tput rix, - @{bin}/vim rix, - - owner @{HOME}/.viminfo{,.tmp} rw, - - owner @{user_cache_dirs}/vim/{,**} rw, # packages files / r, diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index cd1e7563f..654e40117 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -19,6 +19,7 @@ profile baobab @{exec_path} { @{open_path} rPx -> child-open-help, + #aa:lint ignore=too-wide # As a directory tree analyzer it needs full access to the filesystem / r, /** r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index e7bfafaac..5ec394807 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -28,6 +28,7 @@ profile file-roller @{exec_path} { # Archivers @{archive_path} rix, + #aa:lint ignore=too-wide # Full access to user's data @{MOUNTS}/** rw, owner @{HOME}/** rw, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index cf8431c7a..91d021fae 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -19,14 +19,14 @@ profile mimetype @{exec_path} { /usr/share/mime/aliases r, /usr/share/mime/magic r, + # To read files + owner /** r, #aa:lint ignore=too-wide + owner @{user_share_dirs}/mime/**.xml r, owner @{user_share_dirs}/mime/globs r, owner @{user_share_dirs}/mime/aliases r, owner @{user_share_dirs}/mime/magic r, - # To read files - /** r, - include if exists } diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 93e29bcfa..9b0912bd9 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -67,7 +67,7 @@ profile tomb @{exec_path} { @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, - @{bin}/e2fsc rPUx, + @{sbin}/e2fsck rPx, @{sbin}/fsck rPx, @{bin}/gpg{,2} rPx, @{bin}/lsblk rPx, diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index f38a69224..4d2766101 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -40,13 +40,10 @@ profile xarchiver @{exec_path} { owner @{HOME}/.bz2 rw, - / r, - /home/ r, - #owner @{HOME}/ r, - #owner @{HOME}/** rw, - @{MOUNTS}/ r, - @{MOUNTS}/** rw, - /tmp/ r, + #aa:lint ignore=too-wide + # Full access to user's data + @{MOUNTS}/** rw, + owner @{HOME}/** rw, owner @{tmp}/** rw, @{PROC}/@{pid}/mountinfo r, diff --git a/tests/check.sh b/tests/check.sh index 9bafd5104..60e23c694 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -171,6 +171,9 @@ _check_abstractions() { _err abstractions "$file:$line_number" "deprecated abstraction '<$ABS/$absname>', use '<$ABS/${ABS_DEPRECATED[$absname]}>' instead" fi done + if [[ "$line" == *"<$ABS/ubuntu-"*">"* ]]; then + _err abstractions "$file:$line_number" "deprecated, ubuntu only abstraction '<$ABS/$absname>'" + fi } readonly DIRECTORIES=('@{HOME}' '@{MOUNTS}' '@{bin}' '@{sbin}' '@{lib}' '@{tmp}' '_dirs}' '_DIR}') @@ -222,7 +225,7 @@ readonly TRANSITION_MUST_PC=( # Must transition to 'Px' ischroot who ) readonly TRANSITION_MUST_C=( # Must transition to 'Cx' - sysctl kmod pgrep pkexec sudo systemctl udevadm + sysctl kmod pgrep pkill pkexec sudo systemctl udevadm fusermount fusermount3 fusermount{,3} nvim vim sensible-editor ) diff --git a/tests/sbin.list b/tests/sbin.list index 8ee14fd21..16073f0d2 100644 --- a/tests/sbin.list +++ b/tests/sbin.list @@ -761,6 +761,7 @@ ugc umount.nfs umount.nfs4 umount.udisks2 +unbound unconfined undump.bt unix_chkpwd From c51943934ed4a99105a75eda382a5df6959ad6b4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:04:35 +0200 Subject: [PATCH 423/798] feat(tunable): add x64 to @{arch} --- apparmor.d/tunables/multiarch.d/system | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 359d1b878..0eae0fde3 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -20,6 +20,7 @@ @{lib}=/{,usr/}lib{,exec,32,64} # Common places for temporary files +# /tmp/user/@{uid}/ is needed when using .... (default on Debian) @{tmp}=/tmp/ /tmp/user/@{uid}/ # Common places for EFI @@ -29,7 +30,7 @@ # ---------------- # Common architecture names -@{arch}=x86_64 amd64 i386 i686 +@{arch}=x86_64 x64 amd64 i386 i686 # Dbus unique name @{busname}=:1.@{u16} :not.active.yet From 483c0c107d611502578e12d9355004644f715e0f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:22:07 +0200 Subject: [PATCH 424/798] build: enable re-attach disconnected path by default Ignored on Ubuntu 25.04 and abi3.0 --- apparmor.d/tunables/multiarch.d/system | 5 ++-- pkg/prebuild/cli/cli.go | 11 +++++++- pkg/prebuild/prepare/attach.go | 37 ++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 3 deletions(-) create mode 100644 pkg/prebuild/prepare/attach.go diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 0eae0fde3..06cb42000 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -69,8 +69,9 @@ @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 -# Attachment path for attach_disconnected.path flag. -# Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. +# Default attachment path when re-attached path disconnected path is ignored. +# Disabled on abi3 and Ubuntu 25.04+ +# See https://apparmor.pujol.io/development/internal/#re-attached-path @{att}=/ alias // -> /, diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 000aa65f9..237b0f0f8 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -108,7 +108,16 @@ func Configure() { case 3: builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 case 4: - // builder.Register("attach") // Re-attach disconnected path + // Re-attach disconnected path, ignored on ubuntu 25.04+ due to a memory leak + // that fully prevent profiles compilation with re-attached paths. + // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 + if prebuild.Distribution != "ubuntu" { + builder.Register("attach") + prepare.Register("attach") + } else if prebuild.Release["VERSION_CODENAME"] == "noble" { + builder.Register("attach") + prepare.Register("attach") + } default: logging.Fatal("Invalid ABI version: %d", prebuild.ABI) } diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go new file mode 100644 index 000000000..a87ff9071 --- /dev/null +++ b/pkg/prebuild/prepare/attach.go @@ -0,0 +1,37 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2025 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type ReAttach struct { + prebuild.Base +} + +func init() { + RegisterTask(&ReAttach{ + Base: prebuild.Base{ + Keyword: "attach", + Msg: "Configure tunable for re-attached path", + }, + }) +} + +func (p ReAttach) Apply() ([]string, error) { + res := []string{} + + // Remove the @{att} tunable that is going to be defined in profile header + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") + return res, path.WriteFile([]byte(out)) +} From b0c661931af5b376f79d1dadff684e3d165b4f64 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:23:05 +0200 Subject: [PATCH 425/798] fix(build): fsp regex. --- pkg/prebuild/builder/fsp.go | 2 +- pkg/prebuild/cli/cli.go | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go index ed2285de5..8f7fb4202 100644 --- a/pkg/prebuild/builder/fsp.go +++ b/pkg/prebuild/builder/fsp.go @@ -11,7 +11,7 @@ import ( var ( regFullSystemPolicy = util.ToRegexRepl([]string{ - `r(PU|U)x,`, `rPx,`, + `(PU|U)x,`, `Px,`, }) ) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 237b0f0f8..ab221e485 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -139,6 +139,9 @@ func Configure() { func Prebuild() { logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) + if full { + logging.Success("Full system policy enabled") + } if prebuild.Version != nilVer { logging.Success("AppArmor version targeted: %.1f", prebuild.Version) } From c0de5ff71d9a2aec1b3c778cc31261a2961f54c3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:38:46 +0200 Subject: [PATCH 426/798] ci: also run the integration tests on manual run. --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bcb817338..9f2addf88 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -83,7 +83,7 @@ jobs: tests: runs-on: ubuntu-24.04 needs: build - if: github.ref == 'refs/heads/dev' + if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch' steps: - name: Check out repository code uses: actions/checkout@v4 From be341a4ca8c48c03823609d143ea98e2a5c7b860 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 18:43:21 +0200 Subject: [PATCH 427/798] feat(profile): syncthing 2.0 uses sqlite. --- apparmor.d/profiles-s-z/syncthing | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 6ff0fe7e9..4553ac1e9 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -35,6 +35,9 @@ profile syncthing @{exec_path} { /home/ r, @{user_sync_dirs}/{,**} rw, + owner /var/tmp/etilqs_@{sqlhex} rw, + owner @{tmp}/etilqs_@{sqlhex} rw, + @{PROC}/@{pids}/net/route r, @{PROC}/bus/pci/devices r, @{PROC}/modules r, From e8055098033abd1f3f73d2a1578f2dc07f7b1ce8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 19:42:44 +0200 Subject: [PATCH 428/798] build: opensuse: improve post install script. --- dists/apparmor.d.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index bf97705a6..d60841581 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -32,8 +32,8 @@ just complain just destdir="%{buildroot}" install %posttrans -rm -f /var/cache/apparmor/* 2>/dev/null -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +%restart_on_update apparmor %files %license LICENSE From ca24da7a2a4e11def29652d27c49e1ec11539e7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 15 Aug 2025 19:49:43 +0200 Subject: [PATCH 429/798] build(debian): improve post install scripts. --- debian/apparmor.d.postinst | 5 ++++- debian/apparmor.d.postrm | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 4e659173c..fd0ffeb33 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -7,6 +7,9 @@ set -e #DEBHELPER# -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +if systemctl is-active -q apparmor; then + systemctl reload apparmor +fi exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 4e659173c..fd0ffeb33 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -7,6 +7,9 @@ set -e #DEBHELPER# -systemctl is-active -q apparmor && systemctl reload apparmor ||: +apparmor_parser --purge-cache +if systemctl is-active -q apparmor; then + systemctl reload apparmor +fi exit 0 From f5a4acd37e374f1036addc7c2425e578982f6a05 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 16 Aug 2025 19:13:59 +0200 Subject: [PATCH 430/798] feat(abs): graphics: add cpu_capacity --- apparmor.d/abstractions/graphics | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 37f6be70e..79872ceb4 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -14,6 +14,7 @@ @{sys}/bus/pci/devices/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, + @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, @{sys}/devices/system/cpu/cpu@{int}/online r, @{sys}/devices/system/cpu/cpu@{int}/topology/* r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, From 5ee999536ca2f5ae5cfbb999bb20bc7334d278ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 16 Aug 2025 19:23:33 +0200 Subject: [PATCH 431/798] feat(abs): reorganize the electron & chromium abs. --- apparmor.d/abstractions/app/chromium | 32 ++----------------- apparmor.d/abstractions/common/chromium | 25 +++++++++++---- apparmor.d/abstractions/common/electron | 39 ++--------------------- apparmor.d/groups/network/mullvad-gui | 5 +-- apparmor.d/groups/steam/steam | 8 +++-- apparmor.d/profiles-a-f/deltachat-desktop | 1 + apparmor.d/profiles-a-f/discord | 4 ++- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-g-l/linuxqq | 1 + apparmor.d/profiles-m-r/protonmail | 1 + apparmor.d/profiles-s-z/session-desktop | 1 + apparmor.d/profiles-s-z/signal-desktop | 1 + apparmor.d/profiles-s-z/spotify | 3 +- apparmor.d/profiles-s-z/superproductivity | 1 + apparmor.d/profiles-s-z/vesktop | 2 +- apparmor.d/profiles-s-z/wechat | 1 + apparmor.d/profiles-s-z/wechat-appimage | 1 + apparmor.d/profiles-s-z/wechat-universal | 1 + apparmor.d/profiles-s-z/wemeet | 2 ++ 19 files changed, 46 insertions(+), 85 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index a971ca5a0..8f991c230 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -33,6 +33,7 @@ include include include + include include include include @@ -46,14 +47,6 @@ include include - userns, - - capability setgid, - capability setuid, - capability sys_admin, - capability sys_chroot, - capability sys_ptrace, - network inet dgram, network inet6 dgram, network inet stream, @@ -112,21 +105,12 @@ /etc/fstab r, /etc/{,opensc/}opensc.conf r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - / r, owner @{HOME}/ r, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, owner @{user_config_dirs}/gtk-3.0/servers r, - owner @{user_share_dirs}/.@{domain}.@{rand6} rw, + owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w, owner @{config_dirs}/ rw, @@ -151,10 +135,7 @@ /tmp/ r, /var/tmp/ r, - owner @{tmp}/.@{domain}.@{rand6} rw, - owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, - owner @{tmp}/scoped_dir@{rand6}/{,**} rw, owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, @@ -163,9 +144,6 @@ owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw, - /dev/shm/ r, - owner /dev/shm/.@{domain}.@{rand6} rw, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{sys}/bus/ r, @@ -175,10 +153,7 @@ @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/system/cpu/kernel_max r, @{sys}/devices/virtual/**/report_descriptor r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @@ -192,18 +167,15 @@ owner @{PROC}/@{pid}/clear_refs w, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/setgroups w, owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, /dev/ r, /dev/hidraw@{int} rw, diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 9fba7b8bb..78441fe08 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -4,7 +4,13 @@ # SPDX-License-Identifier: GPL-2.0-only # This abstraction is for chromium based application. Chromium based browsers -# need to use abstractions/chromium instead. +# need to use abstractions/app/chromium instead. + +# It works as a *function* and requires a variable to be provided as *arguments* +# and set in the header of the calling profile. Example: +# +# @{domain} = org.chromium.Chromium +# abi , @@ -22,19 +28,24 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, + owner @{user_share_dirs}/.@{domain}.@{rand6} rw, - /tmp/ r, - /var/tmp/ r, - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw, + owner @{tmp}/.@{domain}.@{rand6} rw, + owner @{tmp}/.@{domain}.@{rand6}/ rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w, + owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w, owner @{tmp}/scoped_dir@{rand6}/ rw, owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, owner @{tmp}/scoped_dir@{rand6}/SS w, /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/.@{domain}.@{rand6} rw, + + @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/tty/tty@{int}/active r, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 175fa8b2d..b581c9073 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -7,13 +7,15 @@ # in the header of the calling profile. Example: # # @{name} = spotify -# @{lib_dirs} = /opt/@{name} +# @{domain} = org.chromium.chromium +# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ # @{config_dirs} = @{user_config_dirs}/@{name} # @{cache_dirs} = @{user_cache_dirs}/@{name} # abi , + include include include include @@ -21,14 +23,6 @@ include include - userns, - - capability setgid, # If kernel.unprivileged_userns_clone = 1 - capability setuid, # If kernel.unprivileged_userns_clone = 1 - capability sys_admin, - capability sys_chroot, - capability sys_ptrace, - @{bin}/electron rix, @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, @@ -48,31 +42,7 @@ owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_config_dirs}/electron-flags.conf r, - owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, - - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/SS w, - - /dev/shm/ r, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @@ -89,15 +59,12 @@ owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index e4d2e9a2c..639d3ce4b 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -7,6 +7,7 @@ abi , include @{name} = Mullvad?VPN +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -31,10 +32,6 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { @{bin}/gsettings rPx, @{open_path} rPx -> child-open-browsers, - owner @{user_cache_dirs}/dconf/user rw, - - owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/mullvad-vpn rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index 5009b970d..abfab75d7 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -21,10 +21,12 @@ abi , include -@{runtime} = SteamLinuxRuntime_{sniper,soldier} +@{domain} = org.chromium.Chromium +@{runtime_name} = sniper soldier +@{runtime} = SteamLinuxRuntime_@{runtime_name} steam-runtime-steamrt @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation -@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} -@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} steamrt64 +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} @{lib_dirs}/steam-runtime-steamrt @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{share_dirs}/steam.sh diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 4f60099a9..87c2bbaba 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -7,6 +7,7 @@ abi , include +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/ @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 8765084ff..3b34d5055 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -8,6 +8,7 @@ abi , include @{name} = discord +@{domain} = org.chromium.Chromium @{lib_dirs} = /usr/share/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -48,7 +49,6 @@ profile discord @{exec_path} flags=(attach_disconnected) { owner @{config_dirs}/@{version}/modules/** m, owner "@{tmp}/Discord Crashes/" rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, owner @{tmp}/discord.sock rw, owner @{tmp}/net-export/ rw, @@ -57,6 +57,8 @@ profile discord @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mem r, owner @{PROC}/@{pid}/task/@{tid}/comm r, + deny ptrace read, + include if exists } diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index f4284873d..95e37b4d6 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -8,6 +8,7 @@ abi , include @{name} = {F,f}ree{T,t}ube{,-vue} +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -39,7 +40,6 @@ profile freetube @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, deny @{sys}/devices/@{pci}/usb@{int}/** r, - deny /dev/ r, include if exists } diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 08b8cf7a1..ff2ffe6b8 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -7,6 +7,7 @@ abi , include @{name} = QQ +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/QQ/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index c2c81d4da..0ac23267b 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -8,6 +8,7 @@ abi , include @{name} = proton-mail "Proton Mail" +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index 4817f330a..dc190b787 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -7,6 +7,7 @@ abi , include @{name} = {S,s}ession +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index dc0bc381e..bf0740919 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -8,6 +8,7 @@ abi , include @{name} = signal-desktop{,-beta} +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} @{config_dirs} = @{user_config_dirs}/Signal{,?Beta} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index a3a093c85..3c18059a9 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -8,6 +8,7 @@ abi , include @{name} = spotify +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -57,8 +58,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, - @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index c0b940478..c49a96621 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -7,6 +7,7 @@ abi , include @{name} = super{p,P}roductivity +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop index b4b63fe74..4f4432650 100644 --- a/apparmor.d/profiles-s-z/vesktop +++ b/apparmor.d/profiles-s-z/vesktop @@ -8,6 +8,7 @@ abi , include @{name} = vesktop +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -33,7 +34,6 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open, - owner /tmp/.org.chromium.Chromium.@{rand6} mr, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, @{sys}/devices/@{pci}/usb@{int}/**/interface r, diff --git a/apparmor.d/profiles-s-z/wechat b/apparmor.d/profiles-s-z/wechat index ccff2f95f..00fe0a8c5 100644 --- a/apparmor.d/profiles-s-z/wechat +++ b/apparmor.d/profiles-s-z/wechat @@ -7,6 +7,7 @@ abi , include @{name} = wechat +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 07f67fb59..98ce53f07 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -7,6 +7,7 @@ abi , include @{name} = wechat-appimage +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat-appimage/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index b1c8aded2..94da6c60e 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -7,6 +7,7 @@ abi , include @{name} = wechat-universal +@{domain} = org.chromium.Chromium @{lib_dirs} = /opt/wechat-universal/ @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 4f40ef746..3606533d7 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -6,6 +6,8 @@ abi , include +@{domain} = org.chromium.Chromium + @{exec_path} = @{bin}/wemeet @{exec_path} += /opt/wemeet/bin/wemeetapp @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess From e55ace4e0a5646fd1e9ad786a4356689bb668d90 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:07:53 +0200 Subject: [PATCH 432/798] fix(profile): issue with re-attached paths - Add missing att on some profiles - Fix alias / -> // - Fix aa-log att variable resolution fix #813 #814 --- apparmor.d/abstractions/attached/base | 2 ++ apparmor.d/abstractions/common/bwrap | 4 +++- apparmor.d/groups/flatpak/flatpak | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 6 +++--- apparmor.d/groups/freedesktop/xwayland | 4 +--- apparmor.d/groups/hyprland/hyprland | 3 +++ apparmor.d/tunables/multiarch.d/system | 2 +- pkg/logs/logs.go | 3 +-- 8 files changed, 15 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index e394c5b99..29c685f55 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -14,6 +14,8 @@ @{att}/@{run}/systemd/journal/socket w, @{att}/@{run}/systemd/journal/stdout rw, + @{att}/dev/null rw, + /apparmor/.null rw, @{att}/apparmor/.null rw, diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index f4630475d..da73b8217 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -38,12 +38,14 @@ pivot_root oldroot=/newroot/ /newroot/, pivot_root oldroot=/tmp/oldroot/ /tmp/, - owner / r, owner /newroot/{,**} w, owner /tmp/newroot/ w, owner /tmp/oldroot/ w, + @{att}/ r, + @{att}/@{run}/.userns r, + @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, @{PROC}/sys/user/max_user_namespaces r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c34ae962f..fca84002a 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -66,7 +66,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /etc/flatpak/{,**} r, /etc/pulse/client.conf r, - / r, + @{att}/ r, /var/lib/flatpak/{,**} rwlk, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index bc975e4ea..5c62b0771 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -64,9 +64,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{lib}/xdg-desktop-portal-validate-icon rPx, @{open_path} rPx -> child-open, - / r, - @{att}/.flatpak-info r, - owner @{att}/ r, + / r, + @{att}/ r, + @{att}/.flatpak-info r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 9b329e06a..e8c94916d 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/Xwayland profile xwayland @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -41,9 +42,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cmdline r, - @{att}/dev/tty@{int} rw, - /dev/tty rw, - include if exists } diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 8c8c32da0..c1e6da4d8 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -62,6 +62,9 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/environ r, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, + /dev/input/event@{int} rw, /dev/tty r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 06cb42000..e2f297045 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -74,6 +74,6 @@ # See https://apparmor.pujol.io/development/internal/#re-attached-path @{att}=/ -alias // -> /, +alias / -> //, # vim:syntax=apparmor diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 2443eaace..b0ae58702 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -64,7 +64,7 @@ var ( `/home/[^/]+/`, `@{HOME}/`, // Resolve system variables - `/att/[^/@]+`, `@{att}/`, + `/att/[^/]+/`, `@{att}/`, `/usr/lib(32|64|exec)`, `@{lib}`, `/usr/lib`, `@{lib}`, `/usr/sbin`, `@{sbin}`, @@ -86,7 +86,6 @@ var ( `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`, `1000`, `@{uid}`, - `@{att}//`, `@{att}/`, // Some system glob `:not.active.yet`, `@{busname}`, // dbus unique bus name From d3507e24b94336e8ca5e1ba50887ed0755a7e341 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:09:28 +0200 Subject: [PATCH 433/798] fix(build): ensure post install script do not fail. --- debian/apparmor.d.postinst | 2 +- debian/apparmor.d.postrm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index fd0ffeb33..2f8c90ae0 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -7,7 +7,7 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache +apparmor_parser --purge-cache || true if systemctl is-active -q apparmor; then systemctl reload apparmor fi diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index fd0ffeb33..2f8c90ae0 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -7,7 +7,7 @@ set -e #DEBHELPER# -apparmor_parser --purge-cache +apparmor_parser --purge-cache || true if systemctl is-active -q apparmor; then systemctl reload apparmor fi From 7c427aaae6252ee42e316f83b0faae97cb7a1268 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:10:34 +0200 Subject: [PATCH 434/798] build: do not overwrite steam. --- dists/overwrite | 1 - 1 file changed, 1 deletion(-) diff --git a/dists/overwrite b/dists/overwrite index 5bc00f9fe..c8769ba54 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -20,7 +20,6 @@ os-prober plasmashell signal-desktop slirp4netns -steam systemd-coredump thunderbird virtiofsd From 9110a7012441a1f57566361cc05c65d11a189fb7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:16:31 +0200 Subject: [PATCH 435/798] tests: add debian/ubuntu based tests images. Also some cleanup of tests resources. --- .gitignore | 1 + tests/cloud-init/debian.yml | 5 +++-- tests/cloud-init/debian13-kde.user-data.yml | 9 +++++++++ tests/cloud-init/ubuntu.yml | 1 + tests/cloud-init/ubuntu24-kubuntu.user-data.yml | 1 + tests/cloud-init/ubuntu25-kubuntu.user-data.yml | 9 +++++++++ tests/packer/clean.sh | 1 - tests/packer/init.sh | 5 +++-- tests/packer/variables.pkr.hcl | 4 ++-- tests/requirements.sh | 2 +- 10 files changed, 30 insertions(+), 8 deletions(-) create mode 100644 tests/cloud-init/debian13-kde.user-data.yml create mode 100644 tests/cloud-init/ubuntu25-kubuntu.user-data.yml diff --git a/.gitignore b/.gitignore index d888d6d5c..077d62cbf 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ # Build .build .logs +.pkg tests/tldr tests/tldr.tar.gz diff --git a/tests/cloud-init/debian.yml b/tests/cloud-init/debian.yml index ea3012ad2..b96bb5880 100644 --- a/tests/cloud-init/debian.yml +++ b/tests/cloud-init/debian.yml @@ -23,7 +23,7 @@ core-packages: &core-packages - unattended-upgrades - vim -gnome-packages: &desktop-packages +gnome-packages: &gnome-packages # Core packages for Debian - apparmor-profiles - apparmor-utils @@ -53,7 +53,7 @@ gnome-packages: &desktop-packages - loupe - ptyxis -kde-packages: &kubuntu-packages +kde-packages: &kde-packages # Core packages for Debian - apparmor-profiles - apparmor-utils @@ -79,6 +79,7 @@ kde-packages: &kubuntu-packages # KDE packages for Debian - spice-vdagent - task-kde-desktop + - plasma-workspace-wayland - terminator debian12-runcmd: &debian12-runcmd diff --git a/tests/cloud-init/debian13-kde.user-data.yml b/tests/cloud-init/debian13-kde.user-data.yml new file mode 100644 index 000000000..5a4d33bf5 --- /dev/null +++ b/tests/cloud-init/debian13-kde.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *kde-packages + +runcmd: *debian13-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu.yml b/tests/cloud-init/ubuntu.yml index 14db33251..1f3563750 100644 --- a/tests/cloud-init/ubuntu.yml +++ b/tests/cloud-init/ubuntu.yml @@ -82,6 +82,7 @@ kubuntu-packages: &kubuntu-packages - spice-vdagent - terminator - kubuntu-desktop + - plasma-workspace-wayland desktop-runcmd: &desktop-runcmd # Add missing snap packages diff --git a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml index d4139c2f7..bea74af3a 100644 --- a/tests/cloud-init/ubuntu24-kubuntu.user-data.yml +++ b/tests/cloud-init/ubuntu24-kubuntu.user-data.yml @@ -6,3 +6,4 @@ runcmd: *desktop-runcmd write_files: - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/ubuntu25-kubuntu.user-data.yml b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml new file mode 100644 index 000000000..bea74af3a --- /dev/null +++ b/tests/cloud-init/ubuntu25-kubuntu.user-data.yml @@ -0,0 +1,9 @@ +#cloud-config + +packages: *kubuntu-packages + +runcmd: *desktop-runcmd + +write_files: + - *shared-directory # Setup shared directory + - *systemd-netword # Network configuration for server diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index b7650a1d5..f7518a2f6 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/clean.sh @@ -55,7 +55,6 @@ clean_apt() { clean_pacman() { _msg "Cleaning pacman cache" - pacman -Syu --noconfirm pacman -Scc --noconfirm } diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 4e4e1ec99..bf75c0e1e 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eu +set -eux _lsb_release() { # shellcheck source=/dev/null @@ -31,7 +31,8 @@ main() { ;; debian | ubuntu) - dpkg -i $SRC/*.deb + apt install -y apparmor-profiles + dpkg -i $SRC/*.deb || true ;; opensuse*) diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 073544f59..a44f98412 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -98,8 +98,8 @@ variable "DM" { img_checksum = "https://cdimage.debian.org/images/cloud/bookworm/latest/SHA512SUMS" } "debian13" : { - img_url = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/debian-13-genericcloud-amd64-daily.qcow2" - img_checksum = "https://cdimage.debian.org/images/cloud/trixie/daily/latest/SHA512SUMS" + img_url = "https://cdimage.debian.org/images/cloud/trixie/latest/debian-13-genericcloud-amd64.qcow2" + img_checksum = "https://cdimage.debian.org/images/cloud/trixie/latest/SHA512SUMS" } "ubuntu22" : { img_url = "https://cloud-images.ubuntu.com/jammy/current/jammy-server-cloudimg-amd64.img" diff --git a/tests/requirements.sh b/tests/requirements.sh index efc357ad4..0801ff27d 100644 --- a/tests/requirements.sh +++ b/tests/requirements.sh @@ -5,7 +5,7 @@ # Dependencies for the bats integration tests -set -eu +set -eu -o pipefail # shellcheck source=/dev/null _lsb_release() { From 52e9ae9fd621997113f2284b9500a511df9c285f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 00:29:21 +0200 Subject: [PATCH 436/798] fix(profile): define missing domain. --- apparmor.d/profiles-a-f/element-desktop | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 91de37e58..7891b67e1 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -7,6 +7,7 @@ abi , include @{name} = {E,e}lement +@{domain} = org.chromium.Chromium @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} From 4e70cb4c918013914b2bc4bef750374879ad615d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 11:57:36 +0200 Subject: [PATCH 437/798] fix(profile): workaround in apparmor issue for attached path. See https://gitlab.com/apparmor/apparmor/-/issues/450 Fix #815 --- apparmor.d/abstractions/common/app | 2 ++ apparmor.d/groups/flatpak/flatpak-app | 1 - apparmor.d/groups/flatpak/flatpak-portal | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/tunables/multiarch.d/system | 1 - pkg/prebuild/prepare/attach.go | 1 + 8 files changed, 7 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 3029fb80b..3b425e505 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -135,6 +135,8 @@ owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{att}/dev/shm/@{uuid} r, + /dev/hidraw@{int} rw, /dev/input/ r, /dev/input/event@{int} rw, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index a816e58b8..4199e92b1 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -83,7 +83,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, - @{run}/.userns r, @{run}/parent/** r, @{run}/parent/app/.ref rk, @{run}/parent/usr/.ref rk, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index 8a8d2b901..84e2d7964 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -31,7 +31,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/exports/share/mime/mime.cache r, - owner @{att}/ r, + owner /att/**/ r, owner @{att}/.flatpak-info r, owner @{HOME}/.var/app/*/**/.ref rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5c62b0771..5e27ac845 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -65,8 +65,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, / r, - @{att}/ r, @{att}/.flatpak-info r, + owner /att/**/ r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index fc11b0700..c9585e2ab 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -52,7 +52,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, / r, - owner @{att}/ r, + owner /att/**/ r, owner /var/lib/xkb/server-@{int}.xkm rw, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 93cac619e..d2db2612e 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -44,7 +44,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{bin}/snap rPx, / r, - owner @{att}/ r, + owner /att/**/ r, owner @{att}/.flatpak-info r, owner @{HOME}/ r, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index e2f297045..288665770 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -73,7 +73,6 @@ # Disabled on abi3 and Ubuntu 25.04+ # See https://apparmor.pujol.io/development/internal/#re-attached-path @{att}=/ - alias / -> //, # vim:syntax=apparmor diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go index a87ff9071..3331c73dc 100644 --- a/pkg/prebuild/prepare/attach.go +++ b/pkg/prebuild/prepare/attach.go @@ -33,5 +33,6 @@ func (p ReAttach) Apply() ([]string, error) { return res, err } out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") + out = strings.ReplaceAll(out, "alias / -> //,", "#alias / -> //,") return res, path.WriteFile([]byte(out)) } From 58aea2b00d2975372a89db7c32deb6e7d3f35705 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 11:59:06 +0200 Subject: [PATCH 438/798] build: update flag manifest. --- dists/flags/main.flags | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index a62a6847d..057c7c298 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -46,7 +46,7 @@ cockpit-desktop complain cockpit-session attach_disconnected,complain cockpit-ssh complain cockpit-tls attach_disconnected,complain -cockpit-ws complain +cockpit-ws attach_disconnected,complain cockpit-wsinstance-factory complain cups-backend-beh complain cups-backend-bluetooth complain @@ -110,11 +110,9 @@ flameshot complain flatpak attach_disconnected,mediate_deleted,complain flatpak-app attach_disconnected,mediate_deleted,complain flatpak-oci-authenticator complain -flatpak-portal attach_disconnected,complain flatpak-session-helper attach_disconnected,complain flatpak-system-helper complain flatpak-validate-icon complain -fstrim complain fuse-overlayfs complain gdk-pixbuf-thumbnailer complain gdm-generate-config complain @@ -159,7 +157,6 @@ grub-set-default complain grub-syslinux2cfg complain gsd-printer attach_disconnected,complain gsd-wwan complain -gsettings complain gvfsd-dav complain gvfsd-wsdd complain hostnamectl complain @@ -189,7 +186,7 @@ kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain kdump_mem_estimator complain -kdump-config complain +kdump-config attach_disconnected,complain kdump-tools-init complain,attach_disconnected kernel complain kernel-install complain @@ -283,11 +280,11 @@ secure-time-sync attach_disconnected,complain sftp-server complain sing-box complain slirp4netns attach_disconnected,complain -snap complain +snap attach_disconnected,complain snap-device-helper complain snap-discard-ns complain snap-failure complain -snap-seccomp complain +snap-seccomp attach_disconnected,complain snap-update-ns complain snapd complain snapd-apparmor complain @@ -388,7 +385,7 @@ update-grub complain update-info-dir complain update-secureboot-policy complain update-shells complain -userdbctl complain +userdbctl attach_disconnected,complain utempter attach_disconnected,complain veracrypt complain virt-manager attach_disconnected,complain From edc2755d615b64b8a05607e62bfe248f58704fde Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:03:17 +0200 Subject: [PATCH 439/798] feat(profile): kde: add initial dbus definition. --- apparmor.d/groups/kde/DiscoverNotifier | 8 +++++ apparmor.d/groups/kde/gmenudbusmenuproxy | 3 ++ apparmor.d/groups/kde/kaccess | 5 +++ apparmor.d/groups/kde/kactivitymanagerd | 4 +++ apparmor.d/groups/kde/kauth-backlighthelper | 2 ++ .../groups/kde/kauth-chargethresholdhelper | 5 +++ apparmor.d/groups/kde/kauth-discretegpuhelper | 4 +++ apparmor.d/groups/kde/kauth-kded-smart-helper | 6 +++- apparmor.d/groups/kde/kcminit | 3 ++ apparmor.d/groups/kde/kde-powerdevil | 15 +++++++++ apparmor.d/groups/kde/kded | 31 +++++++++++++++++-- apparmor.d/groups/kde/kglobalacceld | 3 ++ apparmor.d/groups/kde/kioworker | 3 ++ apparmor.d/groups/kde/konsole | 3 ++ .../groups/kde/kscreen_backend_launcher | 8 ++++- apparmor.d/groups/kde/ksmserver | 11 +++++++ apparmor.d/groups/kde/ksplashqml | 4 +++ apparmor.d/groups/kde/kwalletd | 6 ++++ apparmor.d/groups/kde/kwin_wayland | 12 +++++++ apparmor.d/groups/kde/kwin_wayland_wrapper | 3 ++ apparmor.d/groups/kde/kwin_x11 | 8 +++++ apparmor.d/groups/kde/plasma_waitforname | 1 + apparmor.d/groups/kde/plasmashell | 21 +++++++++++++ apparmor.d/groups/kde/sddm | 19 +++--------- apparmor.d/groups/kde/sddm-greeter | 5 +++ apparmor.d/groups/kde/sddm-xsession | 10 ++++++ apparmor.d/groups/kde/startplasma | 5 +++ apparmor.d/groups/kde/systemsettings | 5 +++ apparmor.d/groups/kde/xembedsniproxy | 3 ++ apparmor.d/groups/network/NetworkManager | 3 +- apparmor.d/groups/network/nm-online | 4 +-- apparmor.d/groups/polkit/polkitd | 5 +++ apparmor.d/profiles-m-r/packagekitd | 2 +- 33 files changed, 208 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 3ec36976d..861132887 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,6 +10,10 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include + include + include + include + include include include include @@ -23,6 +27,10 @@ profile DiscoverNotifier @{exec_path} { network netlink dgram, network netlink raw, + #aa:dbus own bus=session name=org.kde.discover.notifier + + #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd + @{exec_path} mr, @{bin}/apt-config rPx, diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index d9879941b..b30e39cdc 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 42c1400ef..65582d1ba 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -10,10 +10,15 @@ include profile kaccess @{exec_path} { include include + include + include + include include include include + #aa:dbus own bus=session name=org.kde.kaccess + @{exec_path} mr, @{bin}/gsettings rPx, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 1ee022dc6..1cc6b41d1 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kactivitymanagerd profile kactivitymanagerd @{exec_path} { include + include include include include @@ -18,6 +19,9 @@ profile kactivitymanagerd @{exec_path} { include include + #aa:dbus own bus=session name=org.kde.ActivityManager path=/ActivityManager + #aa:dbus own bus=session name=org.kde.runners.activities + @{exec_path} mr, /etc/xdg/menus/{,*/} r, diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index 61308e83b..cc844ce17 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -16,6 +16,8 @@ profile kauth-backlighthelper @{exec_path} { capability net_admin, + #aa:dbus own bus=system name=org.kde.powerdevil.backlighthelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 8ed8bf82e..119b5508d 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -9,7 +9,12 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}chargethresholdhelper profile kauth-chargethresholdhelper @{exec_path} { include + include include + include + + #aa:dbus own bus=system name=org.kde.powerdevil.chargethresholdhelper + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index f03dfb007..8fcec5a2c 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper @@ -9,8 +9,12 @@ include @{exec_path} = @{lib}/{,kf6/}kauth/{,libexec/}discretegpuhelper profile kauth-discretegpuhelper @{exec_path} { include + include + include include + #aa:dbus own bus=system name=org.kde.powerdevil.discretegpuhelper + @{exec_path} mr, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index cf0caffeb..2e60e6a0a 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper @@ -15,10 +15,14 @@ profile kauth-kded-smart-helper @{exec_path} { #aa:dbus own bus=system name=org.kde.kded.smart + dbus receive bus=system path=/ + interface=org.kde.kf5auth + member=performAction + peer=(name=@{busname}, label=kded), dbus send bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=org.freedesktop.DBus, label=kded5), + peer=(name=org.freedesktop.DBus, label=kded), @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index e11de6a48..bd01bf3c8 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -10,9 +10,12 @@ include profile kcminit @{exec_path} { include include + include include include + #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit + @{exec_path} mr, @{bin}/xrdb rPx, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 45c382855..c961ed7a3 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -11,6 +11,13 @@ include profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include + include + include + include + include + include + include + include include include include @@ -20,6 +27,14 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) network netlink raw, + #aa:dbus own bus=system name=org.freedesktop.Policy.Power + + #aa:dbus own bus=session name=local.org_kde_powerdevil + #aa:dbus own bus=session name=org.freedesktop.PowerManagement + #aa:dbus own bus=session name=org.kde.Solid.PowerManagement + + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index ef81b95d1..e729ec78b 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -10,9 +10,14 @@ include profile kded @{exec_path} { include include + include + include include + include include + include include + include include include include @@ -35,19 +40,41 @@ profile kded @{exec_path} { signal send set=hup peer=xsettingsd, signal send set=term peer=kioworker, + # Owned by KDE + #aa:dbus own bus=system name=com.redhat.NewPrinterNotification + + #aa:dbus own bus=session name=org.gtk.Settings + #aa:dbus own bus=session name=org.kde.DistroReleaseNotifier + #aa:dbus own bus=session name=org.kde.GtkConfig + #aa:dbus own bus=session name=org.kde.kappmenu + #aa:dbus own bus=session name=org.kde.kcookiejar5 + #aa:dbus own bus=session name=org.kde.kded5 + #aa:dbus own bus=session name=org.kde.keyboard + #aa:dbus own bus=session name=org.kde.KeyboardLayouts + #aa:dbus own bus=session name=org.kde.plasmanetworkmanagement + #aa:dbus own bus=session name=org.kde.plasmashell.accentColor + #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher + #aa:dbus own bus=session name=org.kde.Wacom + #aa:dbus own bus=session name=org.kubuntu.NotificationHelper + #aa:dbus own bus=session name=org.kubuntu.restrictedInstall + + # Talk with KDE + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" + dbus receive bus=system path=/ interface=org.kde.kf5auth member=remoteSignal - peer=(name=:*, label=kauth-kded-smart-helper), + peer=(name=@{busname}, label=kauth-kded-smart-helper), dbus send bus=system path=/ interface=org.kde.kf5auth member=performAction - peer=(name="{:*,org.kde.kded.smart}", label=kauth-kded-smart-helper), + peer=(name="{@{busname},org.kde.kded.smart}", label=kauth-kded-smart-helper), @{exec_path} mrix, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 0e8ba3395..156bdf928 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,8 +9,11 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include + include include + #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel + @{exec_path} mr, @{bin}/kstart rPx, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index a5f867378..69b735310 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/kf5/kioslave5 @{lib}/@{multiarch}/{,libexec/}kf5/kioslave5 profile kioworker @{exec_path} { include + include include include include @@ -32,6 +33,8 @@ profile kioworker @{exec_path} { signal receive set=term peer=plasmashell, signal receive set=term peer=xdg-desktop-portal-kde, + #aa:dbus talk bus=session name=org.kde.kded5 path=/kded label=kded + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 8f9ff48dd..057a23d70 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -13,6 +13,7 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -22,6 +23,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(hup), + #aa:dbus own bus=session name=org.kde.konsole-@{int} + @{exec_path} mr, @{bin}/@{shells} rUx, @{browsers_path} rPx, diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index d4b547c7c..7df07f64b 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,8 +10,14 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include + include + include + include include + include + + #aa:dbus own bus=session name=org.kde.KScreen + #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil @{exec_path} mr, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 6d515fb18..f4d54c295 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -11,6 +11,9 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include + include + include include include include @@ -20,6 +23,14 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace (read) peer=kbuildsycoca5, + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.ksmserver path=/KSMServer + #aa:dbus own bus=session name=org.kde.KSMServerInterface path=/KSMServer + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label=kglobalacceld + #aa:dbus talk bus=session name=org.kde.KWin.Session path=/Session label=kwin_wayland + @{exec_path} mr, @{bin}/rm rix, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 13f1216a5..e1d5d7394 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include + include + include include include include @@ -16,6 +18,8 @@ profile ksplashqml @{exec_path} { ptrace read peer=startplasma, + #aa:dbus own bus=session name=org.kde.KSplash path=/KSplash + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index c4e25e9ff..23737f14e 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -11,6 +11,9 @@ include profile kwalletd @{exec_path} { include include + include + include + include include include include @@ -19,6 +22,9 @@ profile kwalletd @{exec_path} { include include + #aa:dbus own bus=session name=org.freedesktop.secrets + #aa:dbus own bus=session name=org.kde.kwalletd5 + @{exec_path} mr, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index afaac3bd0..a8dc97d53 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -10,6 +10,10 @@ include profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include include + include + include + include + include include include include @@ -27,6 +31,14 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { network netlink raw, + #aa:dbus own bus=session name=org.freedesktop.ScreenSaver + #aa:dbus own bus=session name=org.kde.kglobalaccel + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + #aa:dbus own bus=session name=org.kde.screensaver + + #aa:dbus talk bus=session name=org.kde.ActivityManager path=/ActivityManager label=kactivitymanagerd + @{exec_path} mr, /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper index 1a7573d77..a7ce4c2fe 100644 --- a/apparmor.d/groups/kde/kwin_wayland_wrapper +++ b/apparmor.d/groups/kde/kwin_wayland_wrapper @@ -9,11 +9,14 @@ include @{exec_path} = @{bin}/kwin_wayland_wrapper profile kwin_wayland_wrapper @{exec_path} { include + include include include signal (send) set=(term, kill) peer=kwin_wayland, + #aa:dbus own bus=session name=org.kde.KWinWrapper + @{exec_path} mr, @{bin}/kwin_wayland rPx, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 8400c8cb6..f4f955a4f 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include + include + include include include include @@ -22,6 +24,12 @@ profile kwin_x11 @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.kde.KWin + #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect + + #aa:dbus talk bus=session name=org.kde.ActivityManager label=kactivitymanagerd + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label=kglobalacceld + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index a509135af..d32122a8a 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/plasma_waitforname profile plasma_waitforname @{exec_path} { include + include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 07fbc8e14..19106cfa9 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -11,9 +11,13 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include include include + include + include include + include include include include @@ -43,6 +47,23 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { signal send, + #aa:dbus own bus=session name=com.canonical.Unity + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.kde.JobViewServer + #aa:dbus own bus=session name=org.kde.klipper + #aa:dbus own bus=session name=org.kde.kuiserver + #aa:dbus own bus=session name=org.kde.plasmashell path=/PlasmaShell + #aa:dbus own bus=session name=org.kde.StatusNotifierHost-@{int} + + #aa:dbus talk bus=session name=org.kde.kdeconnect path=/ label=kdeconnectd + #aa:dbus talk bus=session name=org.kde.KeyboardLayouts path=/Layouts label=kded + #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/kglobalaccel label="{kglobalacceld,kwin_wayland}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + #aa:dbus talk bus=session name=org.kde.KWin path=/ label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="kwin_{wayland,x11}" + #aa:dbus talk bus=session name=org.kde.Solid.PowerManagement label=kde-powerdevil + #aa:dbus talk bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher label=kded + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 143df5c9e..9884e2145 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -50,20 +50,11 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { signal (send) set=(term) peer=startplasma-wayland, signal (send) set=(term) peer=startlxqtwayland, - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=kscreenlocker-greet), - - dbus receive bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label="@{p_systemd_logind}"), - - dbus send bus=system path=/org/freedesktop/DisplayManager/Seat@{int} - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=org.freedesktop.DBus, label=kscreenlocker-greet), + unix type=stream addr=@@{udbus}/bus/sddm-helper/system, + + #aa:dbus own bus=system name=org.freedesktop.DisplayManager + + #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" @{exec_path} mr, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f2c133cec..c9aca546a 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -23,6 +23,11 @@ profile sddm-greeter @{exec_path} { network netlink raw, + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListActivatableNames + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + @{exec_path} mr, @{lib}/libheif/ r, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index f27f3dc3c..f4256d3d4 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -90,6 +90,16 @@ profile sddm-xsession @{exec_path} { profile dbus { include + include + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 004b89d57..651061aa9 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -11,12 +11,17 @@ profile startplasma @{exec_path} { include include include + include + include include include signal (receive) set=(hup) peer=@{p_systemd}, signal (receive) set=(term) peer=sddm, + #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + #aa:dbus talk bus=session name=org.kde.KSplash path=/KSplash label=ksplashqml + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index b41dac08a..aab520a72 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -10,7 +10,9 @@ include profile systemsettings @{exec_path} { include include + include include + include include include include @@ -23,6 +25,9 @@ profile systemsettings @{exec_path} { signal send set=term peer=kioworker, + #aa:dbus own bus=session name=org.kde.internal.KSettingsWidget_kcm_networkmanagement + #aa:dbus own bus=session name=org.kde.systemsettings + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 6cb93163c..b768e2630 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 6b444093c..f27449e77 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -50,8 +50,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher - member=Action + member=Action2 peer=(name=org.freedesktop.nm_dispatcher), + dbus send bus=system path=/uk/org/thekelleys/dnsmasq interface=org.freedesktop.NetworkManager.dnsmasq member=SetServersEx diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 189afd74d..710d3115b 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -16,12 +16,12 @@ profile nm-online @{exec_path} { dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name=:*, label=NetworkManager), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index 4dc1380c0..c2de7f8b6 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -24,6 +24,11 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.PolicyKit1 + dbus send bus=system path=/org/kde/PolicyKit1/AuthenticationAgent + interface=org.freedesktop.PolicyKit1.AuthenticationAgent + member=BeginAuthentication + peer=(name=@{busname}, label=polkit-kde-authentication-agent), + @{exec_path} mr, @{bin}/pkla-check-authorization rPx, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 9de9cadf9..19f6a515e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -38,7 +38,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { signal send set=int peer=apt-methods-*, signal send set=term peer=systemd-inhibit, - #aa:dbus own bus=system name=org.freedesktop.PackageKit + #aa:dbus own bus=system name=org.freedesktop.PackageKit path=/** @{exec_path} mr, From 523522dd1d2fd75efdd5c07e0b91de897be4cf4b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:05:38 +0200 Subject: [PATCH 440/798] feat(profile): improve kde profiles. --- .../polkit-kde-authentication-agent | 5 ++++ .../groups/kde/drkonqi-coredump-cleanup | 3 +- apparmor.d/groups/kde/kded | 21 +++++++++++--- apparmor.d/groups/kde/konsole | 4 ++- apparmor.d/groups/kde/kwalletd | 2 ++ apparmor.d/groups/kde/kwin_wayland | 13 +++++---- apparmor.d/groups/kde/plasmashell | 1 + apparmor.d/groups/kde/sddm | 9 +++++- apparmor.d/groups/kde/sddm-xsession | 13 +++++++-- apparmor.d/groups/kde/startplasma | 1 + apparmor.d/groups/kde/systemsettings | 1 + apparmor.d/groups/kde/wayland-session | 29 ++++++++++++++----- apparmor.d/groups/kde/xembedsniproxy | 1 + apparmor.d/groups/kde/xsettingsd | 1 + 14 files changed, 82 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index f53f4d164..8a08f02d0 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,6 +11,8 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include + include include include include @@ -26,6 +28,9 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, signal (send) set=(term, kill) peer=polkit-agent-helper, + #aa:dbus own bus=session name=org.kde.polkit-kde-authentication-agent-@{int} + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd + @{exec_path} mr, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, diff --git a/apparmor.d/groups/kde/drkonqi-coredump-cleanup b/apparmor.d/groups/kde/drkonqi-coredump-cleanup index c74276b95..199dd9c8f 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-cleanup +++ b/apparmor.d/groups/kde/drkonqi-coredump-cleanup @@ -14,7 +14,8 @@ profile drkonqi-coredump-cleanup @{exec_path} { @{exec_path} mr, @{user_cache_dirs}/kcrash-metadata/ r, - owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini w, + owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini rw, + owner @{user_cache_dirs}/kcrash-metadata/@{int}.ini rw, include if exists } diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index e729ec78b..f2f2489ab 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -18,6 +18,7 @@ profile kded @{exec_path} { include include include + include #aa:only apt include include include @@ -26,16 +27,19 @@ profile kded @{exec_path} { include include include + include include capability sys_ptrace, network inet dgram, + network inet stream, network inet6 dgram, - network netlink raw, + network inet6 stream, network netlink dgram, + network netlink raw, - ptrace (read), + ptrace read, signal send set=hup peer=xsettingsd, signal send set=term peer=kioworker, @@ -78,11 +82,13 @@ profile kded @{exec_path} { @{exec_path} mrix, + @{python_path} rix, + @{bin}/dpkg rPx -> child-dpkg, + @{bin}/flatpak rPx, @{bin}/kcminit rPx, + @{bin}/lsb_release rPx, @{bin}/pgrep rCx -> pgrep, @{bin}/plasma-welcome rPUx, - @{python_path} rix, - @{bin}/flatpak rPx, @{bin}/setxkbmap rix, @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, @@ -94,18 +100,22 @@ profile kded @{exec_path} { #aa:exec kconf_update /usr/share/color-schemes/{,**} r, + /usr/share/distro-info/{,**} r, + /usr/share/distro-release-notifier/{,**} r, /usr/share/kconf_update/ r, /usr/share/kded{5,6}/{,**} r, /usr/share/kf{5,6}/kcookiejar/* r, /usr/share/khotkeys/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, + /usr/share/ubuntu-release-upgrader/{,*} r, /etc/fstab r, /etc/xdg/accept-languages.codes r, /etc/xdg/kde* r, /etc/xdg/kioslaverc r, /etc/xdg/menus/{,**} r, + /etc/update-manager/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -113,6 +123,8 @@ profile kded @{exec_path} { / r, @{efi}/ r, + owner /var/lib/update-manager/meta-release-lts rw, + owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, @@ -125,6 +137,7 @@ profile kded @{exec_path} { @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/plasmashell/ rw, owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**, + owner @{user_cache_dirs}/update-manager-core/meta-release-lts rw, @{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 057a23d70..fa55e177d 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -56,7 +56,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kbookmarkrc r, owner @{user_config_dirs}/konsole.notifyrc r, - owner @{user_config_dirs}/konsolerc{,*} rwlk, + owner @{user_config_dirs}/konsolerc rwl, + owner @{user_config_dirs}/konsolerc.@{rand6} rwl, + owner @{user_config_dirs}/konsolerc.lock rwk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 23737f14e..ad96cb512 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -45,6 +45,8 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, + owner @{run}/user/@{uid}/kwallet{5,6}.socket r, + owner @{tmp}/kwalletd5.* rw, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index a8dc97d53..243e0adfe 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -23,13 +23,16 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { capability sys_nice, capability sys_ptrace, - ptrace (read), + network netlink raw, - signal (receive) set=term peer=sddm, - signal (receive) set=(kill, term) peer=kwin_wayland_wrapper, - signal (send) set=(kill, term) peer=xwayland, + ptrace read, - network netlink raw, + signal receive set=term peer=sddm, + signal receive set=(kill, term) peer=kwin_wayland_wrapper, + signal send set=(kill, term) peer=xwayland, + + unix type=stream peer=(label=xkbcomp), + unix type=stream peer=(label=xwayland), #aa:dbus own bus=session name=org.freedesktop.ScreenSaver #aa:dbus own bus=session name=org.kde.kglobalaccel diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 19106cfa9..68ea4fc0c 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -80,6 +80,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /opt/**/share/icons/{,**} r, /opt/*/**/*.desktop r, /opt/*/**/*.png r, + /snap/*/@{uid}/**.@{image_ext} r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, /usr/share/desktop-directories/kf5-*.directory r, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 9884e2145..b62116704 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -66,20 +66,26 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/{,sddm/}sddm-helper-start-x11user rix, @{shells_path} rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, @{bin}/cat rix, - @{sbin}/checkproc rix, + @{bin}/date rix, + @{bin}/dirname rix, @{bin}/disable-paste rix, + @{bin}/id rix, @{bin}/locale rix, @{bin}/manpath rix, @{bin}/mktemp rix, @{bin}/pidof rix, @{bin}/readlink rix, @{bin}/realpath rix, + @{bin}/sed rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, @{bin}/xdm r, @{bin}/xmodmap rix, + @{sbin}/checkproc rix, @{bin}/dbus-run-session rPx -> dbus-session, @{bin}/dbus-update-activation-environment rPx -> dbus-session, @@ -98,6 +104,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/systemctl rCx -> systemctl, @{bin}/xauth rCx -> xauth, @{bin}/Xorg rPx, + @{bin}/xrandr rPx, @{bin}/xrdb rPx, @{bin}/xset rPx, @{bin}/xsetroot rPx, diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index f4256d3d4..0e9290d53 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession @@ -25,9 +25,11 @@ profile sddm-xsession @{exec_path} { @{bin}/chmod rix, @{bin}/csh rix, @{bin}/date rix, + @{bin}/dpkg-query rpx, @{bin}/fish rix, + @{bin}/gettext rix, @{bin}/gettext.sh r, - @{bin}/gpgconf rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, @{bin}/id rix, @{bin}/locale rix, @{bin}/locale-check rix, @@ -40,12 +42,13 @@ profile sddm-xsession @{exec_path} { @{bin}/tcsh rix, @{bin}/tempfile rix, @{bin}/touch rix, + @{bin}/tr rix, @{bin}/which{,.debianutils} rix, - @{bin}/zsh rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/flatpak rPx, @{bin}/numlockx rPx, + @{bin}/xbrlapi rPx, @{bin}/xhost rPx, @{bin}/xrdb rPx, /etc/X11/Xsession rPx, @@ -60,7 +63,9 @@ profile sddm-xsession @{exec_path} { @{system_share_dirs}/im-config/data/{,*} r, @{system_share_dirs}/im-config/xinputrc.common r, + @{system_share_dirs}/libdebuginfod-common/debuginfod.sh r, + /etc/debuginfod/{,**} r, /etc/default/{,*} r, /etc/X11/{,**} r, @@ -71,7 +76,7 @@ profile sddm-xsession @{exec_path} { owner @{tmp}/xsess-env-* rw, owner @{tmp}/file* rw, - audit owner @{tmp}/tmp.* rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{PROC}/@{pid}/loginuid r, @@ -133,6 +138,8 @@ profile sddm-xsession @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{HOME}/.xsession-errors w, + /dev/tty@{int} rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 651061aa9..5db93719c 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -36,6 +36,7 @@ profile startplasma @{exec_path} { @{lib}/@{multiarch}/libexec/plasma-sourceenv.sh r, + /usr/share/byobu/desktop/{,**} r, /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices{5,6}/{,**} r, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index aab520a72..a78225b67 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -80,6 +80,7 @@ profile systemsettings @{exec_path} { owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, + owner @{user_cache_dirs}/plasma-svgelements r, owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index 124cf2fda..56914137b 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session @@ -13,14 +13,29 @@ profile wayland-session @{exec_path} { @{exec_path} mr, - @{shells_path} rix, - @{bin}/id rix, - - @{lib}/plasma-dbus-run-session-if-needed rix, - @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed rix, - @{bin}/startplasma-wayland rPx, - + @{shells_path} rix, + @{bin}/cat ix, + @{bin}/dpkg-query px, + @{bin}/gettext ix, + @{bin}/gettext.sh r, + @{bin}/id ix, + @{bin}/locale ix, + @{bin}/locale-check ix, + @{bin}/sed ix, + @{bin}/tr ix, + + @{bin}/startplasma-wayland Px, + @{lib}/@{multiarch}/libexec/plasma-dbus-run-session-if-needed ix, + @{lib}/plasma-dbus-run-session-if-needed ix, + + /usr/share/im-config/{,**} r, + /usr/share/libdebuginfod-common/debuginfod.sh r, + + /etc/debuginfod/{,**} r, + /etc/default/im-config r, /etc/machine-id r, + /etc/X11/xinit/xinputrc r, + /etc/X11/Xsession.d/*im-config_launch r, owner @{user_share_dirs}/sddm/wayland-session.log rw, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index b768e2630..93259822e 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -16,6 +16,7 @@ profile xembedsniproxy @{exec_path} { include include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index 7cebbb43c..1adbf1d9f 100644 --- a/apparmor.d/groups/kde/xsettingsd +++ b/apparmor.d/groups/kde/xsettingsd @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xsettingsd profile xsettingsd @{exec_path} { include + include signal (receive) set=hup peer=kded, From 7e79d5abefa13bd226d4b1f5671b238d168590b2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:15:24 +0200 Subject: [PATCH 441/798] feat(profile): improve support for ubuntu & kubuntu. --- apparmor.d/abstractions/bus/org.a11y | 10 ++++++++++ apparmor.d/abstractions/graphics-full | 4 ++++ apparmor.d/abstractions/kde-strict | 3 ++- apparmor.d/abstractions/mesa.d/complete | 2 ++ apparmor.d/groups/apt/dpkg-script-linux | 2 ++ apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/apt/unattended-upgrade | 12 ++++++----- apparmor.d/groups/bluetooth/blueman-mechanism | 1 + apparmor.d/groups/bluetooth/obexd | 3 ++- apparmor.d/groups/browsers/chromium-wrapper | 1 + apparmor.d/groups/browsers/firefox-glxtest | 2 ++ apparmor.d/groups/bus/dbus-accessibility | 7 ++++--- apparmor.d/groups/bus/ibus-memconf | 3 +-- apparmor.d/groups/freedesktop/wireplumber | 6 ++---- .../groups/freedesktop/xdg-desktop-portal | 4 ++++ .../freedesktop/xdg-desktop-portal-gnome | 4 ++++ apparmor.d/groups/freedesktop/xrandr | 4 ++++ apparmor.d/groups/freedesktop/xwayland | 3 ++- apparmor.d/groups/gnome/deja-dup-monitor | 6 ++++++ apparmor.d/groups/gnome/gdm-generate-config | 3 +-- apparmor.d/groups/gnome/gjs-console | 11 +++++++++- apparmor.d/groups/gnome/yelp | 6 ++++-- apparmor.d/groups/snap/snap | 6 +++++- apparmor.d/groups/snap/snap-seccomp | 2 +- apparmor.d/groups/snap/snapd | 1 - apparmor.d/groups/ssh/sshd-session | 1 + apparmor.d/groups/ubuntu/apport-gtk | 20 +++++++++++++++++-- apparmor.d/groups/ubuntu/apt_news | 1 + apparmor.d/groups/ubuntu/ubuntu-fan-net | 12 +++++++++++ apparmor.d/groups/ubuntu/update-notifier | 2 +- .../groups/ubuntu/update-notifier-crash | 2 +- apparmor.d/groups/utils/login | 1 + apparmor.d/groups/virt/cockpit-tls | 2 +- .../groups/virt/cockpit-wsinstance-factory | 13 +++++++++++- apparmor.d/profiles-a-f/dhclient-script | 19 +++++++++++++----- apparmor.d/profiles-a-f/dracut-install | 2 ++ apparmor.d/profiles-g-l/kernel | 4 ++++ apparmor.d/profiles-g-l/lsb-release | 1 + apparmor.d/profiles-m-r/initramfs-hooks | 2 +- apparmor.d/profiles-m-r/motd | 10 +++++++++- apparmor.d/profiles-m-r/power-profiles-daemon | 2 +- apparmor.d/profiles-m-r/qdbus | 1 + apparmor.d/profiles-s-z/switcheroo-control | 1 + apparmor.d/profiles-s-z/update-info-dir | 2 ++ apparmor.d/profiles-s-z/whoopsie | 10 ++++++++++ apparmor.d/profiles-s-z/wsdd | 1 + apparmor.d/profiles-s-z/xbrlapi | 2 ++ 47 files changed, 179 insertions(+), 39 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 2677d2f61..c99f5f8bd 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -31,6 +31,11 @@ member=Embed peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), + # Session bus dbus send bus=session path=/org/a11y/bus @@ -38,6 +43,11 @@ member=GetAll peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus member=Get diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index 1f2b0ffd2..eb60edb4d 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -6,6 +6,10 @@ include + @{sys}/devices/@{pci}/numa_node r, + + @{PROC}/devices r, + /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-uvm rw, /dev/nvidia-uvm-tools rw, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 428aa93f3..fd994d12d 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -20,6 +20,7 @@ /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/knotifications{5,6}/*.notifyrc r, + /usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu /etc/xdg/baloofilerc r, /etc/xdg/kcminputrc r, @@ -44,7 +45,7 @@ owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/@{profile_name}* rwlk, + owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 1d718c0b1..02a48114c 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -42,4 +42,6 @@ @{PROC}/sys/dev/xe/observation_paranoid r, + /dev/udmabuf rw, # In upstream, but not released yet + # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux index b294b928b..af578be50 100644 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ b/apparmor.d/groups/apt/dpkg-script-linux @@ -11,6 +11,8 @@ profile dpkg-script-linux @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, @{bin}/cat ix, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 9be1f3258..7d2073768 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -168,6 +168,7 @@ profile dpkg-scripts @{exec_path} { /usr/local/ r, /usr/local/lib/ r, + /var/cache/ldconfig/ rw, owner /var/cache/ldconfig/aux-cache* rw, include if exists diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 0d4d2ee33..d501a325f 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -52,9 +52,11 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{bin}/touch ix, @{bin}/uname ix, - @{bin}/dpkg-deb px, @{bin}/apt-listchanges Px, + @{bin}/df Px, + @{bin}/dmesg Px, @{bin}/dpkg Px, + @{bin}/dpkg-deb px, @{bin}/dpkg-divert Px, @{bin}/etckeeper Px, @{bin}/ischroot Px, @@ -90,7 +92,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/pki/fwupd/{,**} r, /etc/profile.d/* r, /etc/ssh/moduli r, - /etc/ssh/ssh_config r, + @{etc_ro}/ssh/sshd_config r, + @{etc_ro}/ssh/sshd_config.d/{,*} r, /etc/ufw/{,**} r, /etc/update-manager/{,**} r, /etc/update-motd.d/{,**} r, @@ -98,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/vmware-tools/{,**} r, /var/log/unattended-upgrades/{,**} rw, - /var/crash/*.crash w, + /var/crash/*.crash rw, /var/lib/apt/periodic/unattended-upgrades-stamp w, /var/lib/dpkg/info/{,*} r, @@ -112,8 +115,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/lib/apt/lists/ rw, /var/lib/apt/lists/partial/ rw, /var/lib/apt/periodic/ w, - /var/log/apt/{term,history}.log w, - /var/log/apt/eipp.log.xz w, + /var/log/apt/*.log* rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, diff --git a/apparmor.d/groups/bluetooth/blueman-mechanism b/apparmor.d/groups/bluetooth/blueman-mechanism index ffdda336e..9b4800210 100644 --- a/apparmor.d/groups/bluetooth/blueman-mechanism +++ b/apparmor.d/groups/bluetooth/blueman-mechanism @@ -11,6 +11,7 @@ include profile blueman-mechanism @{exec_path} flags=(attach_disconnected) { include include + include include include diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index efb5f42e4..65ad4c0e5 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -10,8 +10,9 @@ include @{exec_path} = @{lib}/bluetooth/obexd profile obexd @{exec_path} { include - include include + include + include include network bluetooth stream, diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index dea35ae1a..d29dcc630 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -45,6 +45,7 @@ profile chromium-wrapper @{exec_path} flags=(attach_disconnected) { # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 30281f2f4..f9470a59b 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -21,6 +21,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + / r, + owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r, owner @{cache_dirs}/firefox/*/startupCache/startupCache* r, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index ee787e4e1..f876d1210 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -23,8 +23,9 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal (receive) set=(term hup kill) peer=dbus-session, - signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, + signal receive set=(term hup kill) peer=dbus-session, + signal receive set=(term hup kill) peer=gdm{,-session-worker}, + signal receive set=(term hup kill) peer=gnome-session-binary, unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), @@ -71,10 +72,10 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, + @{PROC}/@{pid}/cmdline r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 803f28a4a..5233f8603 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -11,6 +11,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include include + include include include @@ -27,8 +28,6 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 25569cd68..80c3135f5 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -76,10 +76,8 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/1/cgroup r, - @{PROC}/1/cmdline r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5e27ac845..35c81f0bc 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -45,6 +45,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.host.portal.Registry member=Register peer=(name=@{busname}), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.NetworkMonitor + member=GetStatus + peer=(name=@{busname}, label=snap.*), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 6ee4cab6d..bed83627a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -47,6 +47,10 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { member=GetAll peer=(name=:*, label=gnome-shell), + dbus send bus=session path=/org/gnome/Shell + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=PropertiesChanged diff --git a/apparmor.d/groups/freedesktop/xrandr b/apparmor.d/groups/freedesktop/xrandr index fc1935c4b..ed9e7a030 100644 --- a/apparmor.d/groups/freedesktop/xrandr +++ b/apparmor.d/groups/freedesktop/xrandr @@ -12,8 +12,12 @@ profile xrandr @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, + @{run}/sddm/xauth_@{rand6} r, + owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index e8c94916d..a8950dbc6 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -20,7 +20,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup) peer=kwin_wayland, signal (receive) set=(term hup) peer=login, - unix type=stream addr=none peer=(label=gnome-shell, addr=none), + unix type=stream peer=(label=gnome-shell), + unix type=stream peer=(label=kwin_wayland), @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index af7fa51b0..ac5d6af81 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -33,10 +33,16 @@ profile deja-dup-monitor @{exec_path} { member=GetAll peer=(name=:*, label=NetworkManager), + dbus send bus=system path=/org/freedesktop/UPower/PowerProfiles + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=power-profiles-daemon), + @{exec_path} mr, @{bin}/chrt rix, @{bin}/ionice rix, + @{bin}/deja-dup Px, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index d48b9eff6..9d910cdd2 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -18,7 +18,7 @@ profile gdm-generate-config @{exec_path} { capability setgid, capability setuid, - ptrace read, + # ptrace read, @{exec_path} mr, @@ -45,7 +45,6 @@ profile gdm-generate-config @{exec_path} { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, - @{PROC}/tty/drivers r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index fdaa4e825..0cfd4c420 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -64,6 +64,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gnome-shell/{,**} r, + /usr/share/thumbnailers/{,**} r, /tmp/ r, /var/tmp/ r, @@ -76,9 +77,15 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{HOME}/ r, - owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_share_dirs}/nautilus/scripts/ r, + + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, + + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, @@ -91,6 +98,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /dev/ r, /dev/tty rw, + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 058b9697a..1f2fc39d3 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/yelp @{bin}/gnome-help -profile yelp @{exec_path} { +profile yelp @{exec_path} flags=(attach_disconnected) { include include include @@ -30,7 +30,9 @@ profile yelp @{exec_path} { /etc/xml/{,**} r, - @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/firmware/acpi/pm_profile r, + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r, diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 425d5cd66..ef0a086a8 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -68,9 +68,13 @@ profile snap @{exec_path} flags=(attach_disconnected) { /var/cache/snapd/names r, @{DESKTOP_HOME}/snap/{,**} rw, - @{HOME}/snap/{,**} rw, /snap/{,**} rw, + @{HOME}/snap/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/.snap.mkdir-new/ rw, + owner @{HOME}/.snap/{,**} rw, + owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 7857bcc6a..9605c544a 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -9,7 +9,7 @@ include @{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp -profile snap-seccomp @{exec_path} { +profile snap-seccomp @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 0f975b3b0..7e2c288b6 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -34,7 +34,6 @@ profile snapd @{exec_path} { capability setuid, capability sys_admin, capability sys_ptrace, - capability sys_resource, network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/ssh/sshd-session b/apparmor.d/groups/ssh/sshd-session index e953834a7..ab86f3ad1 100644 --- a/apparmor.d/groups/ssh/sshd-session +++ b/apparmor.d/groups/ssh/sshd-session @@ -55,6 +55,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/@{shells} Ux, #aa:exclude RBAC + @{bin}/userdbctl Px, @{lib}/{openssh,ssh}/sshd-auth Px, @{etc_rw}/motd r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 4940653a3..271ff23e4 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -29,10 +29,12 @@ profile apport-gtk @{exec_path} { network inet6 stream, network inet dgram, network inet6 dgram, + network netlink raw, @{exec_path} mr, @{sh_path} rix, + @{python_path} rix, @{bin}/{f,}grep rix, @{bin}/apt-cache rPx, @{bin}/cut rix, @@ -43,20 +45,24 @@ profile apport-gtk @{exec_path} { @{bin}/gsettings rPx, @{bin}/ischroot rPx, @{bin}/journalctl rPx, - @{sbin}/killall5 rix, @{bin}/kmod rPx, @{bin}/ldd rix, @{bin}/lsb_release rPx, @{bin}/md5sum rix, @{bin}/pkexec rCx -> pkexec, + @{bin}/readlink rix, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, @{bin}/which{,.debianutils} rix, + @{sbin}/killall5 rix, @{lib}/{,colord/}colord-sane rPx, @{lib}/@{multiarch}/ld*.so* rix, /usr/share/apport/root_info_wrapper rix, + @{bin}/* r, + @{sbin}/* r, + /usr/share/apport/{,**} r, /usr/share/apport/general-hooks/*.py r, @@ -79,9 +85,10 @@ profile apport-gtk @{exec_path} { /var/crash/ rw, owner /var/crash/*.@{uid}.{crash,upload} rw, + @{run}/cloud-init/cloud.cfg r, @{run}/snapd.socket rw, - owner @{tmp}/@{rand8} rw, + owner @{tmp}/@{word8} rw, owner @{tmp}/apport_core_@{rand8} rw, owner @{tmp}/launchpadlib.cache.@{rand8}/ rw, owner @{tmp}/tmp@{rand8}/{,**} rw, @@ -135,6 +142,15 @@ profile apport-gtk @{exec_path} { include include + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.systemd1, label=unconfined), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnitFileState + peer=(name=org.freedesktop.systemd1, label=unconfined), + include if exists } diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index 7f4e8fbe2..9734803e4 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news @@ -14,6 +14,7 @@ profile apt_news @{exec_path} flags=(attach_disconnected) { include capability chown, + capability fowner, capability kill, capability setgid, capability setuid, diff --git a/apparmor.d/groups/ubuntu/ubuntu-fan-net b/apparmor.d/groups/ubuntu/ubuntu-fan-net index 74fe83551..ab83ebed4 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-fan-net +++ b/apparmor.d/groups/ubuntu/ubuntu-fan-net @@ -14,10 +14,22 @@ profile ubuntu-fan-net @{exec_path} { @{sh_path} mr, @{bin}/{m,g,}awk ix, + @{bin}/kmod Cx -> kmod, @{bin}/{,e}grep ix, @{bin}/networkctl Px, @{sbin}/fanctl Px, + profile kmod { + include + include + + capability sys_module, + + @{sys}/module/compression r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 361290980..9754aa231 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -25,7 +25,7 @@ profile update-notifier @{exec_path} { unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, #aa:dbus talk bus=system name=org.debian.apt label=apt - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash index d65c77a08..4926c0b1c 100644 --- a/apparmor.d/groups/ubuntu/update-notifier-crash +++ b/apparmor.d/groups/ubuntu/update-notifier-crash @@ -16,7 +16,7 @@ profile update-notifier-crash @{exec_path} { @{bin}/{,e}grep ix, @{bin}/groups Px, @{bin}/systemctl Cx -> systemctl, - @{bin}/which{,.debianutils} ix, + @{bin}/which{,.debianutils} rix, @{sh_path} mr, /usr/share/apport/apport-checkreports Px, diff --git a/apparmor.d/groups/utils/login b/apparmor.d/groups/utils/login index c35001498..cf9663e8e 100644 --- a/apparmor.d/groups/utils/login +++ b/apparmor.d/groups/utils/login @@ -54,6 +54,7 @@ profile login @{exec_path} flags=(attach_disconnected) { /etc/shells r, /var/lib/faillock/@{user} rwk, + /var/lib/lastlog/ r, /var/log/btmp{,.@{int}} r, owner @{user_cache_dirs}/motd.legal-displayed rw, diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls index 7bf43ed4a..8a345588a 100644 --- a/apparmor.d/groups/virt/cockpit-tls +++ b/apparmor.d/groups/virt/cockpit-tls @@ -17,7 +17,7 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) { /etc/cockpit/ws-certs.d/{,**} r, - @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r, + @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock rw, @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw, owner @{run}/cockpit/tls/{,**} rw, diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory index 99db4d614..248ca43e8 100644 --- a/apparmor.d/groups/virt/cockpit-wsinstance-factory +++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory @@ -11,12 +11,23 @@ profile cockpit-wsinstance-factory @{exec_path} { include include + capability net_admin, + unix bind type=stream addr=@@{udbus}/bus/cockpit-wsinsta/system, - capability net_admin, + dbus receive bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=JobRemoved + peer=(name=@{busname}, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, + @{run}/cockpit/wsinstance/https-factory.sock w, + include if exists } diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 3967512b8..9d84a4065 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -46,18 +46,18 @@ profile dhclient-script @{exec_path} { @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, @{bin}/sed rix, - @{sbin}/sysctl rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/tr rix, @{bin}/xxd rix, + @{etc_rw}/resolv.conf rw, + @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, + @{etc_rw}/samba/dhcp.conf{,.new} rw, /etc/default/ddclient r, /etc/dhcp/{,**} r, /etc/fstab r, /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/{,*} r, - @{etc_rw}/resolv.conf rw, - @{etc_rw}/resolv.conf.dhclient-new.@{pid} rw, - @{etc_rw}/samba/dhcp.conf{,.new} rw, /var/lib/dhcp/dhclient.leases r, /var/lib/samba/dhcp.conf{,.new} rw, @@ -71,7 +71,16 @@ profile dhclient-script @{exec_path} { @{sys}/devices/virtual/dmi/id/board_vendor r, owner @{PROC}/@{pid}/loginuid r, - @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/net/ipv6/conf/*/stable_secret w, + + include if exists + } profile run-parts { include diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index 6deb06eb6..e99760a73 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -13,6 +13,8 @@ profile dracut-install @{exec_path} { @{exec_path} mr, + @{bin}/cp rix, + /etc/modprobe.d/{,**} r, @{sys}/devices/platform/{,**/} r, diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index 41098ab4b..c46b5556e 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -67,6 +67,10 @@ profile kernel @{exec_path} { include include + capability sys_module, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release index 23bada3ec..d2d52d362 100644 --- a/apparmor.d/profiles-g-l/lsb-release +++ b/apparmor.d/profiles-g-l/lsb-release @@ -17,6 +17,7 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, + @{bin}/ r, @{bin}/basename rix, @{bin}/cat rix, @{bin}/cut rix, diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index a4fc278f0..cae5c1c3d 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -17,7 +17,7 @@ profile initramfs-hooks @{exec_path} { @{sh_path} rix, @{coreutils_path} rix, @{bin}/cpio ix, - @{bin}/dpkg Cx -> child-dpkg, + @{bin}/dpkg Px, @{bin}/fc-cache ix, @{bin}/ischroot Px, @{bin}/ldd Cx -> ldd, diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd index 67f216212..6cdb0fbf8 100644 --- a/apparmor.d/profiles-m-r/motd +++ b/apparmor.d/profiles-m-r/motd @@ -9,9 +9,13 @@ include @{exec_path} = /etc/update-motd.d/* profile motd @{exec_path} { include + include capability net_admin, + network inet6 stream, + network inet6 stream, + @{exec_path} mr, @{bin}/ r, @@ -44,7 +48,7 @@ profile motd @{exec_path} { /var/lib/ubuntu-advantage/messages/motd-esm-announce r, /var/lib/cloud/instances/nocloud/cloud-config.txt r, - # /tmp/tmp.@{rand10} rw, + /tmp/tmp.@{rand10} rw, @{run}/cloud-init/cloud.cfg r, @{run}/motd.d/{,*} r, @@ -62,6 +66,8 @@ profile motd @{exec_path} { include include + capability net_admin, + network inet dgram, network inet stream, network inet6 dgram, @@ -70,6 +76,8 @@ profile motd @{exec_path} { @{bin}/wget mr, + /etc/wgetrc r, + /tmp/tmp.@{rand10} rw, include if exists diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index b8f50ff7c..178bf28c6 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -38,10 +38,10 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, + @{sys}/devices/**/status r, @{sys}/devices/**/power_supply/*/scope r, @{sys}/devices/**/uevent r, @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r, - @{sys}/devices/system/cpu/*_pstate/status r, @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw, @{sys}/devices/system/cpu/cpufreq/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw, diff --git a/apparmor.d/profiles-m-r/qdbus b/apparmor.d/profiles-m-r/qdbus index fa67bad97..6816079ac 100644 --- a/apparmor.d/profiles-m-r/qdbus +++ b/apparmor.d/profiles-m-r/qdbus @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/qdbus @{lib}/qt{5,6}/bin/qdbus profile qdbus @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index e1b9ab7de..eecb98b28 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -12,6 +12,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_nice, network netlink raw, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index 7c835023f..fe06b32af 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -18,6 +18,8 @@ profile update-info-dir @{exec_path} { @{bin}/find ix, @{bin}/rm ix, + /etc/environment r, + include if exists } diff --git a/apparmor.d/profiles-s-z/whoopsie b/apparmor.d/profiles-s-z/whoopsie index 0c03f4a76..8a2c83904 100644 --- a/apparmor.d/profiles-s-z/whoopsie +++ b/apparmor.d/profiles-s-z/whoopsie @@ -10,10 +10,17 @@ include profile whoopsie @{exec_path} { include include + include capability setgid, capability setuid, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 dgram, + network netlink raw, + @{exec_path} mr, /var/crash/ r, @@ -22,6 +29,9 @@ profile whoopsie @{exec_path} { /var/lib/whoopsie/whoopsie-id rw, /var/lib/whoopsie/whoopsie-id.@{rand6} rw, + /var/crash/*.@{uid}.crash r, + owner /var/crash/*.@{uid}.uploaded rw, + owner @{run}/lock/whoopsie/ rw, owner @{run}/lock/whoopsie/lock rwk, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 20575b2a8..fc6955793 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -27,6 +27,7 @@ profile wsdd @{exec_path} { owner /var/lib/libuuid/clock.txt rw, + @{run}/uuidd/request rw, owner @{run}/user/@{uid}/gvfsd/wsdd w, include if exists diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index 4ce252e10..b2f94975f 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -16,6 +16,8 @@ profile xbrlapi @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{HOME}/.xsession-errors w, + include if exists } From 4dba131fb38418b898a02aaec92e977fe7a0a4c7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:16:24 +0200 Subject: [PATCH 442/798] feat(profile): parser: move sysctl to its own subprofile. --- apparmor.d/groups/apparmor/apparmor.systemd | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/apparmor/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd index cb862ff48..f58512a02 100644 --- a/apparmor.d/groups/apparmor/apparmor.systemd +++ b/apparmor.d/groups/apparmor/apparmor.systemd @@ -26,7 +26,7 @@ profile apparmor.systemd @{exec_path} { @{bin}/sed rix, @{bin}/cat rix, @{bin}/sort rix, - @{sbin}/sysctl rix, + @{sbin}/sysctl rCx -> sysctl, @{bin}/systemd-detect-virt rPx, @{bin}/xargs rix, @@ -43,10 +43,19 @@ profile apparmor.systemd @{exec_path} { @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/mounts r, - @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, /dev/tty rw, + profile sysctl { + include + + @{sbin}/sysctl mr, + + @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r, + + include if exists + } + include if exists } From ba16e3c3405d8d801dfbe332e1a77507be3ea879 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:20:08 +0200 Subject: [PATCH 443/798] feat(profile): cleanup log from well known programs. --- apparmor.d/groups/freedesktop/xdg-mime | 6 ++++++ apparmor.d/groups/utils/blkid | 5 +++-- apparmor.d/groups/utils/lspci | 4 +++- apparmor.d/profiles-g-l/gsettings | 8 ++++++++ 4 files changed, 20 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 15b73a2d1..9e6dbc2e0 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -59,6 +59,12 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { /dev/tty rw, + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** rw, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + profile bus flags=(complain) { include include diff --git a/apparmor.d/groups/utils/blkid b/apparmor.d/groups/utils/blkid index 3eee035fe..4105a7419 100644 --- a/apparmor.d/groups/utils/blkid +++ b/apparmor.d/groups/utils/blkid @@ -34,8 +34,6 @@ profile blkid @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab{,-@{rand6}} rw, @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, - @{run}/cloud-init/ds-identify.log w, # file_inherit - @{PROC}/@{pid}/mounts r, @{PROC}/partitions r, @{PROC}/swaps r, @@ -47,6 +45,9 @@ profile blkid @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + # file_inherit + deny @{run}/cloud-init/ds-identify.log w, + include if exists } diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci index e8ba89298..c6ac0fdcd 100644 --- a/apparmor.d/groups/utils/lspci +++ b/apparmor.d/groups/utils/lspci @@ -45,7 +45,9 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/ioports r, - deny @{user_share_dirs}/gvfs-metadata/* r, + # file_inherit + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_cache_dirs}/*/** rw, include if exists } diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index bbdb3da62..849599977 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -23,6 +23,14 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/dconf/user rw, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, + # file_inherit + deny network netlink raw, + deny /etc/nsswitch.conf r, + deny /etc/passwd r, + deny /opt/*/** r, + deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + include if exists } From 7f9664c51f0aec674bee24a6460323b78e08735e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 17:51:10 +0200 Subject: [PATCH 444/798] feat(profile): add profile for mpris-proxy. --- apparmor.d/profiles-m-r/mpris-proxy | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mpris-proxy diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy new file mode 100644 index 000000000..2f31aea79 --- /dev/null +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/mpris-proxy +profile mpris-proxy @{exec_path} { + include + include + include + include + include + + #aa:dbus own bus=session name=org.mpris.MediaPlayer2 + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From 952c4e91a118d8a92f15fef49024665482a8f23d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 20:50:00 +0200 Subject: [PATCH 445/798] feat(aa): add aa --enforce and aa --complain. These are small dev tools, not installed by default. --- cmd/aa/main.go | 131 +++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 122 insertions(+), 9 deletions(-) diff --git a/cmd/aa/main.go b/cmd/aa/main.go index 5d32e9331..b0737de77 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -8,6 +8,9 @@ import ( "flag" "fmt" "os" + "os/exec" + "regexp" + "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/aa" @@ -15,12 +18,14 @@ import ( "github.com/roddhjav/apparmor.d/pkg/paths" ) -const usage = `aa [-h] [--lint | --format | --tree] [-s] [-F file] [profiles...] +const usage = `aa [-h] [--lint | --format | --tree | --complain | --enfore] [-s] [-F file] [profiles...] Various AppArmor profiles development tools Options: -h, --help Show this help message and exit. + -e, --enforce Switch the given profile(s) to enforce mode. + -c, --complain Switch the given profile(s) to complain mode. -f, --format Format the AppArmor profiles. -l, --lint Lint the AppArmor profiles. -t, --tree Generate a tree of visited profiles. @@ -31,12 +36,19 @@ Options: // Command line options var ( - help bool - path string - systemd bool - lint bool - format bool - tree bool + help bool + path string + systemd bool + enforce bool + complain bool + lint bool + format bool + tree bool +) + +var ( + regFlags = regexp.MustCompile(`flags=\(([^)]+)\) `) + regProfileHeader = regexp.MustCompile(` {\n`) ) type kind uint8 @@ -60,6 +72,10 @@ func init() { flag.StringVar(&path, "file", "", "Set a logfile or a suffix to the default log file.") flag.BoolVar(&systemd, "s", false, "Parse systemd logs from journalctl.") flag.BoolVar(&systemd, "systemd", false, "Parse systemd logs from journalctl.") + flag.BoolVar(&enforce, "e", false, "Switch the given profile to enforce mode.") + flag.BoolVar(&enforce, "enforce", false, "Switch the given profile to enforce mode.") + flag.BoolVar(&complain, "c", false, "Switch the given profile to complain mode.") + flag.BoolVar(&complain, "complain", false, "Switch the given profile to complain mode.") } func getIndentationLevel(input string) int { @@ -111,7 +127,7 @@ func formatFile(kind kind, profile string) (string, error) { for idx, rules := range rulesByParagraph { aa.IndentationLevel = getIndentationLevel(paragraphs[idx]) rules = rules.Merge().Sort().Format() - profile = strings.ReplaceAll(profile, paragraphs[idx], rules.String()+"\n") + fmt.Printf(rules.String() + "\n") } return profile, nil } @@ -152,17 +168,95 @@ func aaFormat(files paths.PathList) error { return nil } +func aaLint(files paths.PathList) error { + for _, file := range files { + fmt.Printf("wip: %v\n", file) + } + return nil +} + +func setFlag(profile string, flag string) (string, error) { + f := aa.DefaultTunables() + if _, err := f.Parse(profile); err != nil { + return profile, err + } + + flags := f.GetDefaultProfile().Flags + switch flag { + case "enforce": + if len(flags) == 0 || slices.Contains(flags, "enforce") { + return profile, nil // Nothing to do + } + idx := slices.Index(flags, "complain") + if idx == -1 { + return profile, nil // No complain flag, nothing to do + } + flags = slices.Delete(flags, idx, idx+1) + + case "complain": + if slices.Contains(flags, "complain") { + return profile, nil // Nothing to do + } + flags = append(flags, "complain") + + default: + return profile, fmt.Errorf("unknown flag: %s", flag) + } + strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" + + // Remove all flags definition, then the new flags + profile = regFlags.ReplaceAllLiteralString(profile, "") + if len(flags) > 0 { + profile = regProfileHeader.ReplaceAllLiteralString(profile, strFlags) + } + return profile, nil +} + +func aaSetFlag(files paths.PathList, flag string) error { + for _, file := range files { + profile, err := file.ReadFileAsString() + if err != nil { + return err + } + profile, err = setFlag(profile, flag) + if err != nil { + return err + } + if err = file.WriteFile([]byte(profile)); err != nil { + return err + } + if err = reloadProfile(file); err != nil { + return err + } + } + return nil +} + func aaTree() error { return nil } +func reloadProfile(file *paths.Path) error { + cmd := exec.Command("apparmor_parser", "--replace", file.String()) + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + if err := cmd.Run(); err != nil { + return fmt.Errorf("apparmor_parser failed: %w", err) + } + return nil +} + func pathsFromArgs() (paths.PathList, error) { res := paths.PathList{} for _, arg := range flag.Args() { path := paths.New(arg) switch { case !path.Exist(): - return nil, fmt.Errorf("file %s not found", path) + if aa.MagicRoot.Join(arg).Exist() { + res = append(res, aa.MagicRoot.Join(arg)) + } else { + return nil, fmt.Errorf("file %s not found", path) + } case path.IsDir(): files, err := path.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories(), @@ -190,7 +284,26 @@ func main() { var err error var files paths.PathList switch { + case enforce: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaSetFlag(files, "enforce") + + case complain: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaSetFlag(files, "complain") + case lint: + files, err = pathsFromArgs() + if err != nil { + logging.Fatal("%s", err.Error()) + } + err = aaLint(files) case format: files, err = pathsFromArgs() From 24f629d326692965d2a17fe948f9500c04e5122b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 17 Aug 2025 21:43:23 +0200 Subject: [PATCH 446/798] fix(profile): few fixes related to reattached paths. See #816 --- apparmor.d/abstractions/common/app | 5 +++++ apparmor.d/groups/flatpak/flatpak | 1 + apparmor.d/groups/flatpak/flatpak-app | 2 ++ apparmor.d/groups/hyprland/hyprland | 2 +- 4 files changed, 9 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 3b425e505..b6e6734e6 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -114,6 +114,7 @@ @{PROC}/sys/kernel/sched_autogroup_enabled r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/net/core/bpf_jit_enable r, + @{PROC}/sys/net/core/somaxconn r, @{PROC}/uptime r, @{PROC}/version r, @{PROC}/zoneinfo r, @@ -131,10 +132,14 @@ owner @{PROC}/@{pid}/net/if_inet6 r, owner @{PROC}/@{pid}/oom_score_adj rw, owner @{PROC}/@{pid}/pagemap r, + owner @{PROC}/@{pid}/smaps_rollup r, owner @{PROC}/@{pid}/statm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/dri/renderD128 rw, + @{att}/dev/dri/renderD129 rw, owner @{att}/dev/shm/@{uuid} r, /dev/hidraw@{int} rw, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index fca84002a..6b671f0e0 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -85,6 +85,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{user_games_dirs}/{,**/} w, owner @{user_documents_dirs}/ w, + @{user_config_dirs}/dconf/user r, owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_config_dirs}/pulse/client.conf r, owner @{user_config_dirs}/user-dirs.dirs r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index 4199e92b1..f2cd0295a 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -83,6 +83,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/{,**} r, /var/lib/flatpak/exports/** rw, + owner @{att}/@{HOME}/.var/app/** rwlkmix, + @{run}/parent/** r, @{run}/parent/app/.ref rk, @{run}/parent/usr/.ref rk, diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index c1e6da4d8..cd3270e49 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -38,7 +38,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.hyprpaper_* rw, owner @{run}/user/@{uid}/.hyprpicker_* rw, owner @{run}/user/@{uid}/hypr/{,**} rw, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner @{att}/dev/shm/.org.chromium.Chromium.@{rand6} rw, @{run}/systemd/sessions/@{int} r, From 5e5fde7741402aac6648f6ee6fa4f7bf531e9004 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Aug 2025 21:43:20 +0200 Subject: [PATCH 447/798] feat(abs): add the sqlite abstraction. --- apparmor.d/abstractions/common/app | 2 +- apparmor.d/abstractions/sqlite | 23 +++++++++++++++++++ apparmor.d/groups/gnome/gnome-music | 3 +-- apparmor.d/groups/gnome/localsearch | 4 +--- apparmor.d/groups/gnome/tracker-miner | 4 +--- apparmor.d/profiles-a-f/dropbox | 3 +-- apparmor.d/profiles-a-f/fractal | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-g-l/gpo | 8 +++---- apparmor.d/profiles-g-l/gpodder | 4 +--- .../profiles-m-r/protonmail-bridge-core | 3 +-- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-m-r/quiterss | 3 +-- apparmor.d/profiles-s-z/strawberry | 2 +- apparmor.d/profiles-s-z/syncthing | 4 +--- apparmor.d/profiles-s-z/wechat-appimage | 4 +--- apparmor.d/tunables/multiarch.d/system | 3 --- 18 files changed, 41 insertions(+), 37 deletions(-) create mode 100644 apparmor.d/abstractions/sqlite diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index b6e6734e6..5072cadfd 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -28,6 +28,7 @@ include include include + include include include @@ -63,7 +64,6 @@ owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, - owner /var/tmp/etilqs_@{sqlhex} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/abstractions/sqlite b/apparmor.d/abstractions/sqlite new file mode 100644 index 000000000..690417f87 --- /dev/null +++ b/apparmor.d/abstractions/sqlite @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# SQlite temporary files (hexadecimal from 12 to 16 characters) + + abi , + + owner /var/tmp/etilqs_@{hex12} rw, + owner /var/tmp/etilqs_@{hex12}@{h} rw, + owner /var/tmp/etilqs_@{hex12}@{hex2} rw, + owner /var/tmp/etilqs_@{hex15} rw, + owner /var/tmp/etilqs_@{hex16} rw, + + owner @{tmp}/etilqs_@{hex12} rw, + owner @{tmp}/etilqs_@{hex12}@{h} rw, + owner @{tmp}/etilqs_@{hex12}@{hex2} rw, + owner @{tmp}/etilqs_@{hex15} rw, + owner @{tmp}/etilqs_@{hex16} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 511a48987..2f9795ceb 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -17,6 +17,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, @@ -51,8 +52,6 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 88e2bf327..049b3c402 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -23,6 +23,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -56,9 +57,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index d35f6467f..6b358c8b0 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -21,6 +21,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -63,9 +64,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - # Allow to search user files owner @{HOME}/{,**} r, owner @{MOUNTS}/{,**} r, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 15f86bcf5..f40d69799 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -23,6 +23,7 @@ profile dropbox @{exec_path} { include include include + include include @{exec_path} mr, @@ -61,8 +62,6 @@ profile dropbox @{exec_path} { # Dropbox first tries the /tmp/ dir, and if it's denied it uses the /var/tmp/ dir instead owner @{tmp}/dropbox-antifreeze-* rw, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 40001da68..a7222a664 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -13,6 +13,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, @@ -34,7 +35,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{run}/user/@{uid}/fractal/{,**} rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 7a00455a6..58ba493cc 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -18,6 +18,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include capability dac_override, capability dac_read_search, @@ -77,7 +78,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, /var/lib/flatpak/exports/share/mime/mime.cache r, - /var/tmp/etilqs_@{sqlhex} rw, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index cebfc955f..46ff3eec5 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -11,10 +11,11 @@ include profile gpo @{exec_path} { include include - include include - include + include + include include + include network inet dgram, network inet6 dgram, @@ -36,9 +37,6 @@ profile gpo @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{PROC}/@{pid}/fd/ r, include if exists diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder index dd7a20eb7..e60034172 100644 --- a/apparmor.d/profiles-g-l/gpodder +++ b/apparmor.d/profiles-g-l/gpodder @@ -14,6 +14,7 @@ profile gpodder @{exec_path} { include include include + include include include @@ -47,9 +48,6 @@ profile gpodder @{exec_path} { owner @{HOME}/gPodder/ rw, owner @{HOME}/gPodder/** rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 45c6766e3..ca9680aea 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -17,6 +17,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, @@ -43,8 +44,6 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw, owner @{tmp}/bridge@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/ r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 02bf3bc56..2ff7b4e71 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -18,6 +18,7 @@ profile psi @{exec_path} { include include include + include include include include @@ -54,7 +55,6 @@ profile psi @{exec_path} { owner @{user_share_dirs}/psi/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index a455df0e9..f72147cc6 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -18,6 +18,7 @@ profile psi-plus @{exec_path} { include include include + include include include include @@ -54,7 +55,6 @@ profile psi-plus @{exec_path} { owner @{user_share_dirs}/psi+/** rwk, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index d1194abf5..73b8f7488 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss @@ -18,6 +18,7 @@ profile quiterss @{exec_path} { include include include + include include include @@ -47,8 +48,6 @@ profile quiterss @{exec_path} { owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 611c8462d..ae22e1f1d 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -21,6 +21,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include @@ -68,7 +69,6 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.*/s rw, owner @{tmp}/*= w, owner @{tmp}/#@{int} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, owner @{tmp}/kdsingleapp-*-strawberry w, owner @{tmp}/kdsingleapp-*-strawberry.lock rwk, owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 4553ac1e9..83e1b2f45 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -12,6 +12,7 @@ profile syncthing @{exec_path} { include include include + include include network inet dgram, @@ -35,9 +36,6 @@ profile syncthing @{exec_path} { /home/ r, @{user_sync_dirs}/{,**} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - owner @{tmp}/etilqs_@{sqlhex} rw, - @{PROC}/@{pids}/net/route r, @{PROC}/bus/pci/devices r, @{PROC}/modules r, diff --git a/apparmor.d/profiles-s-z/wechat-appimage b/apparmor.d/profiles-s-z/wechat-appimage index 98ce53f07..335860d07 100755 --- a/apparmor.d/profiles-s-z/wechat-appimage +++ b/apparmor.d/profiles-s-z/wechat-appimage @@ -19,6 +19,7 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, network netlink dgram, @@ -59,9 +60,6 @@ profile wechat-appimage @{exec_path} flags=(attach_disconnected) { owner @{user_documents_dirs}/xwechat_files/{,**} rwk, - owner @{tmp}/etilqs_@{sqlhex} rw, - owner /var/tmp/etilqs_@{sqlhex} rw, - /dev/fuse rw, /dev/tty rw, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 288665770..cf8575db0 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -56,9 +56,6 @@ # System Internal # --------------- -# SQlite temporary files (hexadecimal from 12 to 16 characters) -@{sqlhex}=@{hex12} @{hex12}@{h} @{hex12}@{hex2} @{hex15} @{hex16} - # Shortcut for PCI device @{pci_id}=@{hex}:@{hex2}:@{hex2}.@{h} @{pci_bus}=pci@{hex4}:@{hex2} From c806ec44eb43bd494672f990e49e29426eb087b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Aug 2025 22:56:07 +0200 Subject: [PATCH 448/798] feat(profile): update virt profiles. --- apparmor.d/groups/virt/cockpit-bridge | 7 +++++++ apparmor.d/groups/virt/cockpit-session | 7 +++++++ apparmor.d/groups/virt/cockpit-ws | 4 +++- apparmor.d/groups/virt/dockerd | 9 +++++++++ apparmor.d/groups/virt/libvirt-dbus | 9 ++++++--- apparmor.d/groups/virt/libvirtd | 14 ++++++++++---- apparmor.d/groups/virt/virt-aa-helper | 24 ++++++++++++++++++++++-- apparmor.d/groups/virt/virtiofsd | 4 ++-- 8 files changed, 66 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index b6111750b..bf3d48204 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/cockpit-bridge profile cockpit-bridge @{exec_path} { include + include + include include include include @@ -33,6 +35,9 @@ profile cockpit-bridge @{exec_path} { signal send set=term peer=unconfined, signal (send receive) set=term peer=cockpit-bridge//sudo, + #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + @{exec_path} mr, @{bin}/cat ix, @@ -126,6 +131,8 @@ profile cockpit-bridge @{exec_path} { include include + @{run}/udev/data/n@{int} r, # For network interfaces + include if exists } diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 8eafd25a0..3fbefadb7 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -14,10 +14,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { include capability audit_write, + capability chown, capability dac_read_search, capability net_admin, capability setgid, capability setuid, + capability sys_resource, network netlink raw, @@ -26,6 +28,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, + @{bin}/ssh-agent rPx, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, @@ -47,6 +50,10 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { /var/log/lastlog rw, /var/log/wtmp rwk, + /var/lib/lastlog/ r, + /var/lib/lastlog/lastlog2.db rwk, + /var/lib/lastlog/lastlog2.db-journal rw, + owner @{PROC}/@{pid}/loginuid rw, owner @{PROC}/@{pid}/uid_map r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws index 8e3478072..d4fb299fe 100644 --- a/apparmor.d/groups/virt/cockpit-ws +++ b/apparmor.d/groups/virt/cockpit-ws @@ -18,9 +18,11 @@ profile cockpit-ws @{exec_path} flags=(attach_disconnected) { @{lib}/cockpit/cockpit-session rPx, /usr/share/cockpit/{,**} r, + /etc/cockpit/ws-certs.d/{,**} r, /usr/share/pixmaps/{,**} r, - /etc/cockpit/ws-certs.d/ r, + /usr/share/plymouth/{,**} r, + @{run}/cockpit/session rw, @{run}/cockpit/wsinstance/https@@{hex64}.sock r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index aa0a9ed58..0a214ccd1 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -69,6 +69,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{bin}/docker-init rCx -> init, @{lib}/docker/docker-init rCx -> init, @{bin}/docker-proxy rPx, + @{bin}/tini-static rCx -> tini, @{bin}/git rCx -> git, @{bin}/kmod rCx -> kmod, @{bin}/ps rPx, @@ -172,6 +173,14 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { include if exists } + profile tini { + include + + @{bin}/tini-static mr, + + include if exists + } + profile init flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index 303e906c2..f3bbaf019 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -25,9 +25,12 @@ profile libvirt-dbus @{exec_path} { owner @{user_cache_dirs}/libvirt/libvirtd.lock rwk, - @{run}/user/@{uid}/libvirt/ rw, - @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, - @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + @{run}/libvirt/libvirt-sock rw, + + @{run}/user/@{uid}/libvirt/ rw, + @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, + @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + owner @{run}/user/@{uid}/libvirt/libvirt-sock rw, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node*/meminfo r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index fa3005a65..44d6962f5 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -19,6 +19,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -47,12 +48,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { capability sys_pacct, capability sys_ptrace, capability sys_rawio, - capability sys_resource, + capability sys_resource, # Needed for vfio - network inet stream, network inet dgram, - network inet6 stream, + network inet stream, network inet6 dgram, + network inet6 stream, network netlink raw, network packet dgram, network packet raw, @@ -146,7 +147,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/xml/catalog r, /var/cache/libvirt/{,**} rw, - /var/lib/libvirt/{,**} rwk, + /var/lib/libvirt/ rw, + /var/lib/libvirt/** rwk, /var/log/swtpm/libvirt/{,**} rw, # User VM images and share @@ -155,6 +157,9 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{run}/user/@{uid}/libvirt/ rw, + owner @{run}/user/@{uid}/libvirt/** rwk, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/libvirt/ rw, @@ -223,6 +228,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{PROC}/devices r, @{PROC}/mtrr w, @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/uptime r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index 53afe6012..b49368f07 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -21,14 +21,34 @@ profile virt-aa-helper @{exec_path} { @{sbin}/apparmor_parser rPx, - /etc/apparmor.d/libvirt/* r, + @{etc_rw}/apparmor.d/libvirt/* r, @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw, + @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid}.files rw, /etc/libnl{,-3}/classid r, # Allow reading libnl's classid file # System VM images /var/lib/libvirt/images/{,**} r, - /var/lib/nova/instances/_base/* r, + + # Openstack Nova base images & snapshots (LP: #907269 #1244694 #1644507) + /var/lib/nova/images/{,**} r, + /var/lib/nova/instances/_base/{,**} r, + /var/lib/nova/instances/snapshots/{,**} r, + /var/snap/nova-hypervisor/common/instances/_base/{,**} r, + /var/snap/nova-hypervisor/common/instances/snapshots/{,**} r, + + # Eucalyptus disks & loader (LP: #564914 #637544) + /var/lib/eucalyptus/instances/**/disk* r, + /var/lib/eucalyptus/instances/**/loader* r, + + # For uvtool + /var/lib/uvtool/libvirt/images/{,**} r, + + # For multipass + /var/snap/multipass/common/data/multipassd/vault/instances/{,**} r, + + # Common mount directories + @{MOUNTDIRS}/{,**} r, # User VM images @{user_share_dirs}/ r, diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 899ecae04..ae7ac5fa9 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -6,8 +6,8 @@ abi , include -@{exec_path} = @{lib}/{,qemu/}virtiofsd @{bin}/virtiofsd -profile virtiofsd @{exec_path} { +@{exec_path} = @{lib}/virtiofsd @{lib}/qemu/virtiofsd @{bin}/virtiofsd +profile virtiofsd @{exec_path} flags=(attach_disconnected) { include userns, From f3d209e42a0abaabb0a34491b645f653fc035f16 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 19 Aug 2025 22:58:46 +0200 Subject: [PATCH 449/798] feat(profile): ensure nautilus can access root files. --- apparmor.d/groups/gvfs/gvfsd-admin | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 4f845f316..e1b16cac3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -22,14 +22,15 @@ profile gvfsd-admin @{exec_path} { /usr/share/mime/mime.cache r, - @{MOUNTS}/{,**} rw, - - @{run}/mount/utab r, - @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/stat r, + #aa:lint ignore=too-wide + # Full access to system's data, but no write access to sensitive system directories + / r, + /*/ r, + /*/** rw, + deny @{sys}/** w, + deny @{PROC}/** w, + deny @{efi}/** w, + deny /dev/** w, include if exists } From 5d7646d9ccfe75becdb2276f77c03088b4cb8616 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 14:05:34 +0200 Subject: [PATCH 450/798] Update mandb ALLOWED mandb exec @{bin}/bzip2 -> mandb//null-@{bin}/bzip2 comm=mandb requested_mask=x denied_mask=x ALLOWED mandb//null-@{bin}/bzip2 file_inherit /usr/share/man/man8/grub-btrfsd.8.bz2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 file_inherit /var/cache/man/52062 comm=bzip2 requested_mask=wr denied_mask=wr ALLOWED mandb//null-@{bin}/bzip2 file_mmap @{bin}/bzip2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 getattr /usr/share/man/man8/grub-btrfsd.8.bz2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 file_inherit /usr/share/man/man8/grub-btrfs.8.bz2 comm=bzip2 requested_mask=r denied_mask=r ALLOWED mandb//null-@{bin}/bzip2 getattr /usr/share/man/man8/grub-btrfs.8.bz2 comm=bzip2 requested_mask=r denied_mask=r --- apparmor.d/profiles-m-r/mandb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index cd825471d..551a6fec0 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -17,6 +17,8 @@ profile mandb @{exec_path} { @{exec_path} mr, + @{bin}/bzip2 rix, + /etc/man_db.conf r, /etc/manpath.config r, From 4d15570ff1dd23566ab4a9a79f84424791ef86e1 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 14:20:06 +0200 Subject: [PATCH 451/798] Update grub-mkrelpath ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_2025-08-20T16:43@{busname}.488Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_2025-08-18T13:49@{busname}.739Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_2025-04-11T11@{busname}:58.643Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.byRQTjiteL/@_backup_@{int16}5/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_2025-08-20T16:43@{busname}.488Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_2025-08-18T13:49@{busname}.739Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_2025-04-11T11@{busname}:58.643Z/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r ALLOWED grub-mkrelpath open /tmp/grub-btrfs.Xj00SFNAa3/@_backup_@{int16}5/boot/ comm=grub-mkrelpath requested_mask=r denied_mask=r --- apparmor.d/groups/grub/grub-mkrelpath | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index 789f68287..7b5f7eaa1 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -26,7 +26,7 @@ profile grub-mkrelpath @{exec_path} { /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, - /tmp/grub-btrfs.*/@_backup_@{int}/boot/ r, + /tmp/grub-btrfs.*/@_backup_**/boot/ r, /tmp/grub-btrfs.*/ r, @{PROC}/@{pids}/mountinfo r, From 2c64ab91cb58f56590dd9b8a4cfb878da05769ba Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 15:33:55 +0200 Subject: [PATCH 452/798] Update grub-mkrelpath --- apparmor.d/groups/grub/grub-mkrelpath | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index 7b5f7eaa1..d4508b4c5 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -26,7 +26,7 @@ profile grub-mkrelpath @{exec_path} { /tmp/grub-btrfs.*/@snapshots/@{int}/snapshot/boot/ r, /tmp/grub-btrfs.*/@/.snapshots/@{int}/snapshot/boot/ r, - /tmp/grub-btrfs.*/@_backup_**/boot/ r, + /tmp/grub-btrfs.*/@_backup_*/boot/ r, /tmp/grub-btrfs.*/ r, @{PROC}/@{pids}/mountinfo r, From b3dd09ce0198d0724d1f43b099b4e205a5ec9b5b Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 14:13:22 +0200 Subject: [PATCH 453/798] Update gnome-boxes ALLOWED gnome-boxes open /usr/share/ladspa/rdf/ comm=gst-plugin-scan requested_mask=r denied_mask=r ALLOWED gnome-boxes open /usr/share/ladspa/rdf/ladspa.rdfs comm=gst-plugin-scan requested_mask=r denied_mask=r ALLOWED gnome-boxes open /usr/share/ladspa/rdf/ladspa-rubberband.rdf comm=gst-plugin-scan requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb2/2-3/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb1/1-6/1-6.2/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb1/1-14/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r ALLOWED gnome-boxes open @{sys}/devices/@{pci}/usb1/1-13/bConfigurationValue comm=gnome-boxes requested_mask=r denied_mask=r --- apparmor.d/groups/gnome/gnome-boxes | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 2462c2071..16aa4e862 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -36,6 +36,7 @@ profile gnome-boxes @{exec_path} { @{bin}/virsh rCx -> virsh, @{bin}/virtqemud rPUx, + /usr/share/ladspa/rdf/{,*} r, /usr/share/osinfo/{,**} r, /usr/share/gnome-boxes/{,**} r, @@ -55,6 +56,8 @@ profile gnome-boxes @{exec_path} { owner @{user_config_dirs}/gnome-boxes/ rw, owner @{user_config_dirs}/gnome-boxes/** rwk, + owner @{user_share_dirs}/gnome-boxes/images/ rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.iso-@{rand6} rw, owner @{tmp}/*.svg-@{rand6} rw, @@ -66,6 +69,7 @@ profile gnome-boxes @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/@{pci}/usb@{int}/** r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Boxes.slice/*/memory.* r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, From ddee0512797143a1b31dbdf41c965234fc61f8b2 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Fri, 22 Aug 2025 15:35:42 +0200 Subject: [PATCH 454/798] Update gnome-boxes --- apparmor.d/groups/gnome/gnome-boxes | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 16aa4e862..1447715b7 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -56,7 +56,8 @@ profile gnome-boxes @{exec_path} { owner @{user_config_dirs}/gnome-boxes/ rw, owner @{user_config_dirs}/gnome-boxes/** rwk, - owner @{user_share_dirs}/gnome-boxes/images/ rw, + owner @{user_share_dirs}/gnome-boxes/ rw, + owner @{user_share_dirs}/gnome-boxes/** rwk, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/*.iso-@{rand6} rw, From 8b49f9ebf5c85f2ca94a8e111b1161e2ebc258ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 17:52:57 +0200 Subject: [PATCH 455/798] feat(profile): update telegram path fix #821 --- apparmor.d/profiles-s-z/telegram-desktop | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index d967f4229..c1544af72 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/telegram-desktop +@{exec_path} = @{bin}/telegram-desktop @{bin}/Telegram profile telegram-desktop @{exec_path} { include include @@ -35,10 +35,11 @@ profile telegram-desktop @{exec_path} { network netlink dgram, network netlink raw, - @{exec_path} mr, + @{exec_path} mrix, @{sh_path} rix, @{open_path} rPx -> child-open-strict, + @{bin}/systemd-detect-virt rPx, owner @{user_share_dirs}/TelegramDesktop/ rw, owner @{user_share_dirs}/TelegramDesktop/** rwlk -> @{user_share_dirs}/TelegramDesktop/**, From 0f017048e445cb21f764e480d332f64d79b0907d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 17:57:40 +0200 Subject: [PATCH 456/798] fix(profile): fix att path in flatpak fix #820 --- apparmor.d/groups/flatpak/flatpak | 2 ++ apparmor.d/groups/flatpak/flatpak-portal | 4 ++-- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 4 ++-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 6b671f0e0..4122e8055 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -77,6 +77,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, # Can create dotfile directories for any app owner @{user_cache_dirs}/*/ w, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index 84e2d7964..ac1e41894 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -34,8 +34,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner /att/**/ r, owner @{att}/.flatpak-info r, - owner @{HOME}/.var/app/*/**/.ref rw, - owner @{HOME}/.var/app/*/**/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_share_dirs}/mime/mime.cache r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index c6efaf360..be66f7484 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -29,8 +29,8 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner @{att}/@{HOME}/.var/app/** r, - owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, - owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/logs/* rw, + owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, From e7a91b307e025498c37b15302f5c8e63d027938d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:01:31 +0200 Subject: [PATCH 457/798] fix(profile): fusermount with fsarchiver fix #817 --- apparmor.d/groups/filesystem/ntfs-3g | 2 ++ apparmor.d/profiles-a-f/fusermount | 1 + 2 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/filesystem/ntfs-3g b/apparmor.d/groups/filesystem/ntfs-3g index d94d7a0f2..e4749177c 100644 --- a/apparmor.d/groups/filesystem/ntfs-3g +++ b/apparmor.d/groups/filesystem/ntfs-3g @@ -34,6 +34,8 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/, mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/, + mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /tmp/fsa/*/, # fsarchiver + umount @{MOUNTDIRS}/, umount @{MOUNTS}/, umount @{MOUNTS}/*/, diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount index 3df041e64..a84b85322 100644 --- a/apparmor.d/profiles-a-f/fusermount +++ b/apparmor.d/profiles-a-f/fusermount @@ -30,6 +30,7 @@ profile fusermount @{exec_path} { umount /tmp/.mount_*/, umount @{run}/user/@{uid}/*/, umount /var/tmp/flatpak-cache-*/*/, + umount /tmp/fsa/*/, # fsarchiver @{exec_path} mr, From ec73d8349e1461995817bfeb5303dd85ea165543 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:05:05 +0200 Subject: [PATCH 458/798] fix(profile): gnome access to chromium shared. fix #806 --- apparmor.d/groups/gnome/gnome-shell | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 95874290f..0f91b7283 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -303,6 +303,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6} r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/status_icon_@{int}.png r, owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, From ba217a261ed39ad0ec20e909a89ac3618c8fd180 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:15:38 +0200 Subject: [PATCH 459/798] feat(profile): update flatpak profiles. --- apparmor.d/groups/flatpak/flatpak | 9 ++++----- apparmor.d/groups/flatpak/flatpak-app | 4 ++++ apparmor.d/groups/flatpak/flatpak-portal | 6 ++++++ 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 4122e8055..c540b9db8 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -40,14 +40,12 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, - #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" + #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" - dbus send bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.portal.Documents - member=GetMountPoint - peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"), + #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper + #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal @{exec_path} mr, @@ -138,6 +136,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{bin}/gpgconf mr, @{bin}/gpgsm mr, @{bin}/gpg-agent rix, + @{lib}/gnupg/scdaemon rix, @{HOME}/@{XDG_GPG_DIR}/*.conf r, diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index f2cd0295a..e8fe195fb 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -48,6 +48,10 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { signal receive set=(int term) peer=flatpak-portal, signal receive set=(int term) peer=flatpak-session-helper, + unix type=seqpacket peer=(label=dbus-session), + # unix type=seqpacket peer=(label=unconfined), + unix type=seqpacket peer=(label=xdg-dbus-proxy), + @{bin}/** rmix, @{lib}/** rmix, /app/** rmix, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index ac1e41894..b86f0a4fd 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -10,6 +10,7 @@ include profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include + include include capability sys_ptrace, @@ -22,6 +23,11 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.portal.Flatpak + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/flatpak rPx, From 2d3831221af1662619f74f10a208aff01c599665 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:16:43 +0200 Subject: [PATCH 460/798] feat(profile): update cups profiles. --- apparmor.d/groups/cups/cups-browsed | 5 ++++- apparmor.d/groups/cups/ippfind | 22 ++++++++++++++++++++++ apparmor.d/groups/cups/print-backends-cups | 19 +++++++++++++++++++ 3 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/cups/ippfind create mode 100644 apparmor.d/groups/cups/print-backends-cups diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 9498f245a..a7773a57f 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -38,7 +38,7 @@ profile cups-browsed @{exec_path} { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member=PrinterDeleted + member={PrinterDeleted,PrinterStopped} peer=(name=@{busname}, label=cups-notifier-dbus), @{exec_path} mr, @@ -52,7 +52,10 @@ profile cups-browsed @{exec_path} { /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, + owner @{tmp}/@{hex} rw, + @{run}/cups/certs/* r, + @{run}/avahi-daemon/socket rw, # TODO: in abs 'avahi' ? @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind new file mode 100644 index 000000000..c2a944b11 --- /dev/null +++ b/apparmor.d/groups/cups/ippfind @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ippfind +profile ippfind @{exec_path} { + include + include + include + + @{exec_path} mr, + + @{bin}/echo rix, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/print-backends-cups b/apparmor.d/groups/cups/print-backends-cups new file mode 100644 index 000000000..6ab6007cb --- /dev/null +++ b/apparmor.d/groups/cups/print-backends-cups @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/@{multiarch}/print-backends/cups +profile print-backends-cups @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From 46d4207d716dc895d2ec2405f80ea04fbc2bf336 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:22:59 +0200 Subject: [PATCH 461/798] feat(profile): makepkg: handle lsb_release and pager. --- apparmor.d/groups/pacman/makepkg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 583d0b9c0..84136638c 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -29,9 +29,11 @@ profile makepkg @{exec_path} { file, + @{pager_path} Px -> child-pager, @{bin}/gpg{,2} Cx -> gpg, @{bin}/gpgconf Cx -> gpg, @{bin}/gpgsm Cx -> gpg, + @{bin}/lsb_release Px, @{bin}/sudo Cx -> sudo, deny capability sys_ptrace, From fb82d8d0d60f9c0bc7726c1084bbad3b1b2f26b2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:27:22 +0200 Subject: [PATCH 462/798] feat(profile): small gnome related improvement. --- apparmor.d/groups/gnome/evolution-addressbook-factory | 8 ++++---- apparmor.d/groups/gnome/gdm | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 + apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/gsd-print-notifications | 4 ++-- apparmor.d/groups/gnome/papers | 4 ++++ apparmor.d/groups/network/ModemManager | 1 + apparmor.d/groups/network/mullvad-daemon | 1 + 8 files changed, 15 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 3d83232e1..98c94c79e 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -30,7 +30,7 @@ profile evolution-addressbook-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* @@ -38,12 +38,12 @@ profile evolution-addressbook-factory @{exec_path} { dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=evolution-*), + peer=(name=@{busname}, label=evolution-*), dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), + peer=(name=@{busname}, label=evolution-source-registry), dbus send bus=session path=/org/gnome/evolution/dataserver/** interface=org.freedesktop.DBus.Properties @@ -53,7 +53,7 @@ profile evolution-addressbook-factory @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 435d055fa..4c84fe822 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -20,6 +20,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability fsetid, capability kill, capability net_admin, + capability sys_admin, capability sys_nice, capability sys_tty_config, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 64568eab0..8887ce797 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -72,6 +72,7 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{tmp}/.org.chromium.Chromium.@{rand6} r, owner @{run}/user/@{uid}/gsconnect/{,**} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index c10261c02..7e817f490 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -37,6 +37,7 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, + /usr/share/byobu/desktop/{,**} r, /usr/share/flatpak/remotes.d/ r, /usr/share/metainfo/{,**} r, /usr/share/swcatalog/{,**} r, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index f8d4280a0..af5ff2f05 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -20,8 +20,8 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(hup) peer=gsd-printer, + signal receive set=(term, hup) peer=gdm*, + signal send set=(hup) peer=gsd-printer, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.PrintNotifications diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 27000b93a..6f5a137a3 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -25,6 +25,10 @@ profile papers @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, + owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, + owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 8220516bf..22b94effd 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -17,6 +17,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, network qipcrtr dgram, network netlink raw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 735154b7e..d5c93fc5c 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -62,6 +62,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, @{sys}/fs/cgroup/system.slice/cpu.max r, @{sys}/fs/cgroup/system.slice/mullvad-daemon.service/cpu.max r, + @{sys}/fs/cgroup/system.slice/mullvad-early-boot-blocking.service/cpu.max r, @{PROC}/@{pid}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, From b53e0b7d395ee15c7a79c6ce896e4d871d4103d4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:30:44 +0200 Subject: [PATCH 463/798] feat(abs): add the oneapi abs. --- apparmor.d/abstractions/oneapi | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/oneapi diff --git a/apparmor.d/abstractions/oneapi b/apparmor.d/abstractions/oneapi new file mode 100644 index 000000000..17225ef03 --- /dev/null +++ b/apparmor.d/abstractions/oneapi @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Intel oneAPI compiler libraries + + abi , + + /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, + /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr, + + include if exists + +# vim:syntax=apparmor From 81636262f18b65bc1bf0b09a48fce1df6d9f7b0a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:42:38 +0200 Subject: [PATCH 464/798] feat(abs): add the java abstraction. --- apparmor.d/abstractions/java | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/java diff --git a/apparmor.d/abstractions/java b/apparmor.d/abstractions/java new file mode 100644 index 000000000..91472d21e --- /dev/null +++ b/apparmor.d/abstractions/java @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /usr/share/java/{,**} r, + + /etc/java/{,**} r, + /etc/java-*/{,**} r, + + include if exists + +# vim:syntax=apparmor From fbb1768aa699b3f68c4d682b7dacfd362a1d091c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:46:26 +0200 Subject: [PATCH 465/798] feat(abs): add the amdgpu abstraction. --- apparmor.d/abstractions/amdgpu | 30 +++++++++++++++++++++++++++ apparmor.d/abstractions/graphics-full | 2 ++ 2 files changed, 32 insertions(+) create mode 100644 apparmor.d/abstractions/amdgpu diff --git a/apparmor.d/abstractions/amdgpu b/apparmor.d/abstractions/amdgpu new file mode 100644 index 000000000..181d86864 --- /dev/null +++ b/apparmor.d/abstractions/amdgpu @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Kernel Fusion Driver for AMD GPUs + + abi , + + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + + @{sys}/devices/virtual/kfd/kfd/dev r, + @{sys}/devices/virtual/kfd/kfd/topology/ r, + @{sys}/devices/virtual/kfd/kfd/topology/generation_id r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + @{sys}/devices/virtual/kfd/kfd/topology/system_properties r, + @{sys}/devices/virtual/kfd/kfd/uevent r, + @{sys}/module/amdgpu/initstate r, + + /dev/kfd rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index eb60edb4d..1e2c97224 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -4,7 +4,9 @@ abi , + include include + include @{sys}/devices/@{pci}/numa_node r, From 0817911b579fa417a46fd03f9dbec5398bc3180e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 18:48:36 +0200 Subject: [PATCH 466/798] feat(abs): add more core abstractions They will at term replace the freedesktop abstraction. --- apparmor.d/abstractions/desktop-files | 22 ++++++++++++++++++++++ apparmor.d/abstractions/gsettings | 13 +++++++++++++ apparmor.d/abstractions/icons | 26 ++++++++++++++++++++++++++ apparmor.d/abstractions/mime | 17 +++++++++++++++++ 4 files changed, 78 insertions(+) create mode 100644 apparmor.d/abstractions/desktop-files create mode 100644 apparmor.d/abstractions/gsettings create mode 100644 apparmor.d/abstractions/icons create mode 100644 apparmor.d/abstractions/mime diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files new file mode 100644 index 000000000..d616dad83 --- /dev/null +++ b/apparmor.d/abstractions/desktop-files @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/applications/{,**} r, + @{system_share_dirs}/*ubuntu/applications/{,**} r, + @{system_share_dirs}/gnome/applications/{,**} r, + @{system_share_dirs}/xfce4/applications/{,**} r, + + /etc/gnome/defaults.list r, + /etc/xfce4/defaults.list r, + + /var/lib/snapd/desktop/applications/{,**} r, + + owner @{user_share_dirs}/applications/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gsettings new file mode 100644 index 000000000..788b14486 --- /dev/null +++ b/apparmor.d/abstractions/gsettings @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/glib-2.0/schemas/ r, + @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/icons b/apparmor.d/abstractions/icons new file mode 100644 index 000000000..0dd44e33c --- /dev/null +++ b/apparmor.d/abstractions/icons @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/icons/{,**} r, + @{system_share_dirs}/pixmaps/{,**} r, + + /opt/**/share/icons/{,**} r, + /opt/*/**.desktop r, + /opt/*/**/*.png r, + + /var/lib/snapd/desktop/icons/{,**} r, + + owner @{HOME}/.icons/{,**} r, + + owner @{user_config_dirs}/mimeapps.list r, + + owner @{user_share_dirs}/icons/{,**} r, + owner @{user_share_dirs}/mime/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime new file mode 100644 index 000000000..6622c99dd --- /dev/null +++ b/apparmor.d/abstractions/mime @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + @{system_share_dirs}/ r, + @{system_share_dirs}/mime/{,**} r, + + /etc/mime.types r, + + owner @{user_share_dirs}/mime/mime.cache r, + + include if exists + +# vim:syntax=apparmor From 3b2f745bcaa126150e8f3f8f4bda6150a63e950c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 19:25:00 +0200 Subject: [PATCH 467/798] feat(abs): use the new core abs in desktop. --- apparmor.d/abstractions/desktop | 21 ++++++++------------- apparmor.d/abstractions/desktop-files | 5 +++++ apparmor.d/abstractions/gnome-strict | 14 +++++++------- apparmor.d/abstractions/gsettings | 1 + apparmor.d/abstractions/icons | 3 --- apparmor.d/abstractions/kde-strict | 10 +++++----- apparmor.d/abstractions/mime | 7 ++++++- apparmor.d/abstractions/recently-used | 21 +++++++++++++++++++++ 8 files changed, 53 insertions(+), 29 deletions(-) create mode 100644 apparmor.d/abstractions/recently-used diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 878f6f794..4a32a1aa7 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -9,10 +9,14 @@ abi , + include include - include + include include + include + include include + include include include include @@ -24,16 +28,11 @@ member=Introspect peer=(name=@{busname}, label=gnome-shell), - /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{version}/schemas/** r, - /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, - /etc/xdg/{,*-}mimeapps.list r, - /var/cache/gio-@{version}/gnome-mimeapps.list r, - - / r, # deny? + / r, owner @{user_share_dirs}/gnome-shell/session.gvdb rw, @@ -49,8 +48,6 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -65,8 +62,6 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/@{profile_name}* rwlk, owner @{user_config_dirs}/session/#@{int} rw, @@ -82,7 +77,7 @@ # end /usr/share/desktop-base/{,**} r, - /usr/share/hwdata/*.ids r, + /usr/share/hwdata/*.ids r, # FIXME: a bit too wide /usr/share/icu/@{int}.@{int}/*.dat r, include if exists diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files index d616dad83..9c0a8b941 100644 --- a/apparmor.d/abstractions/desktop-files +++ b/apparmor.d/abstractions/desktop-files @@ -12,11 +12,16 @@ /etc/gnome/defaults.list r, /etc/xfce4/defaults.list r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/{,**} r, /var/lib/snapd/desktop/applications/{,**} r, owner @{user_share_dirs}/applications/{,**} r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/{,**} r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index fadaedcbf..445c62e6b 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,9 +4,14 @@ abi , + include include - include + include include + include + include + include + include include include include @@ -20,14 +25,9 @@ /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r, - /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, - /etc/xdg/{,*-}mimeapps.list r, - - /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, / r, diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gsettings index 788b14486..4d22f080b 100644 --- a/apparmor.d/abstractions/gsettings +++ b/apparmor.d/abstractions/gsettings @@ -5,6 +5,7 @@ abi , + @{system_share_dirs}/ r, @{system_share_dirs}/glib-2.0/schemas/ r, @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/abstractions/icons b/apparmor.d/abstractions/icons index 0dd44e33c..6a721b837 100644 --- a/apparmor.d/abstractions/icons +++ b/apparmor.d/abstractions/icons @@ -16,10 +16,7 @@ owner @{HOME}/.icons/{,**} r, - owner @{user_config_dirs}/mimeapps.list r, - owner @{user_share_dirs}/icons/{,**} r, - owner @{user_share_dirs}/mime/{,**} r, include if exists diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index fd994d12d..5fbdd7869 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -4,10 +4,14 @@ abi , + include include - include + include include + include + include include + include include include include @@ -26,8 +30,6 @@ /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, @@ -42,8 +44,6 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/menus/ r, - owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, owner @{user_config_dirs}/session/#@{int} rw, diff --git a/apparmor.d/abstractions/mime b/apparmor.d/abstractions/mime index 6622c99dd..9a70edaf8 100644 --- a/apparmor.d/abstractions/mime +++ b/apparmor.d/abstractions/mime @@ -9,8 +9,13 @@ @{system_share_dirs}/mime/{,**} r, /etc/mime.types r, + /etc/xdg/{,*-}mimeapps.list r, - owner @{user_share_dirs}/mime/mime.cache r, + /var/cache/gio-@{version}/{,*-}-mimeapps.list r, + + owner @{user_config_dirs}/mimeapps.list r, + + owner @{user_share_dirs}/mime/{,**} r, include if exists diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used new file mode 100644 index 000000000..d3a7ec289 --- /dev/null +++ b/apparmor.d/abstractions/recently-used @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2009 Canonical Ltd. +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + owner @{HOME}/.recently-used.xbel rw, + owner @{HOME}/.recently-used.xbel.@{rand6} rwl, + owner @{HOME}/.recently-used.xbel.lock rwk, + + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/recently-used.xbel rw, + owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, + owner @{user_share_dirs}/recently-used.xbel.lock rwk, + + owner @{user_config_dirs}/user-dirs.dirs r, # FIXME: not here? + + include if exists + +# vim:syntax=apparmor From 1506ae04d8c24763cc83779c14ff321afef458a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:03:19 +0200 Subject: [PATCH 468/798] fix(profile): /att/**/ instead of @{att}/ --- apparmor.d/groups/freedesktop/pipewire | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 97e3c6119..02a370cdc 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -40,7 +40,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { /etc/pipewire/{,**} r, / r, - @{att}/ r, + /att/**/ r, owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, From cea9fd56141484f5bf3a2b6bf16970789f563e38 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:37:48 +0200 Subject: [PATCH 469/798] feat(profile): improve kde integration see #559 --- apparmor.d/groups/kde/DiscoverNotifier | 1 + apparmor.d/groups/kde/kded | 3 +++ apparmor.d/groups/kde/kioworker | 1 + .../groups/kde/kscreen_backend_launcher | 2 +- .../groups/kde/ksmserver-logout-greeter | 2 +- apparmor.d/groups/kde/kwalletd | 2 +- apparmor.d/groups/kde/kwin_wayland | 19 ++++++++++++++++++- apparmor.d/groups/kde/plasmashell | 7 ++++--- apparmor.d/groups/kde/sddm | 1 + apparmor.d/groups/kde/wayland-session | 3 +-- 10 files changed, 32 insertions(+), 9 deletions(-) diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 861132887..2307c709f 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -39,6 +39,7 @@ profile DiscoverNotifier @{exec_path} { @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, + /usr/share/flatpak/remotes.d/{,**} r, /usr/share/metainfo/{,**} r, /etc/machine-id r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index f2f2489ab..e8be8a0dd 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -182,6 +182,9 @@ profile kded @{exec_path} { @{sys}/class/leds/ r, + @{run}/udev/data/b8:@{int} r, # for /dev/sd* + @{run}/udev/data/b259:@{int} r, # Block Extended Major + @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 69b735310..71465df97 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -49,6 +49,7 @@ profile kioworker @{exec_path} { /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes{5,6}/*.desktop r, /usr/share/remoteview/* r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/xdg/kioslaverc r, diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 7df07f64b..00b4c9630 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -13,8 +13,8 @@ profile kscreen_backend_launcher @{exec_path} { include include include + include include - include #aa:dbus own bus=session name=org.kde.KScreen #aa:dbus talk bus=system name=org.kde.kf5auth path=/ label=kde-powerdevil diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 67e56c3c6..e5ea15c29 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/ksmserver-logout-greeter @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter -profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) { +profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index ad96cb512..de175635a 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -45,7 +45,7 @@ profile kwalletd @{exec_path} { owner @{user_share_dirs}/kwalletd/ rw, owner @{user_share_dirs}/kwalletd/** rwkl -> @{user_share_dirs}/kwalletd/#@{int}, - owner @{run}/user/@{uid}/kwallet{5,6}.socket r, + owner @{run}/user/@{uid}/kwallet{5,6}.socket rw, owner @{tmp}/kwalletd5.* rw, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 243e0adfe..c11f951be 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/kwin_wayland -profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { +profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -46,6 +46,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, /etc/xdg/Xwayland-session.d/00-pulseaudio-x11 Cx -> pulseaudio, + /etc/xdg/Xwayland-session.d/10-ibus-x11 Cx -> ibus, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, @@ -53,6 +54,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /usr/share/kglobalaccel/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,*.desktop} r, + /usr/share/kwin-wayland/{,**} r, /usr/share/kwin/{,**} r, /usr/share/libinput-*/{,**} r, /usr/share/libinput/{,**} r, @@ -179,6 +181,21 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { include if exists } + profile ibus { + include + include + + @{sh_path} r, + @{lib}/{,ibus/}ibus-x11 rPx, + + /etc/xdg/Xwayland-session.d/10-ibus-x11 r, + + /home/ r, + owner @{HOME}/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 68ea4fc0c..e767d7bb5 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -70,7 +70,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{lib}/libheif/{,**} mr, @{bin}/dolphin rPx, - @{bin}/ksysguardd rix, + @{bin}/ksysguardd rPUx, @{bin}/plasma-discover rPUx, @{bin}/xrdb rPx, @{lib}/kf{5,6}/kdesu{,d} rix, @@ -104,7 +104,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /etc/appstream.conf r, /etc/fstab r, - /etc/ksysguarddrc r, /etc/machine-id r, /etc/os-release r, /etc/sensors.d/ r, @@ -166,6 +165,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/klaunchrc r, owner @{user_config_dirs}/klipperrc r, owner @{user_config_dirs}/kmail2.notifyrc r, + owner @{user_config_dirs}/knfsshare r, owner @{user_config_dirs}/korganizerrc r, owner @{user_config_dirs}/krunnerrc r, owner @{user_config_dirs}/ksmserverrc r, @@ -200,9 +200,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/wallpapers/{,**} rw, owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/plasma/* r, owner @{user_state_dirs}/plasmashellstaterc rw, - owner @{user_state_dirs}/plasmashellstaterc.lock rwk, owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl, + owner @{user_state_dirs}/plasmashellstaterc.lock rwk, /tmp/.mount_nextcl@{rand6}/{,*} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index b62116704..b9d07e380 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -92,6 +92,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/flatpak rPx, @{bin}/gnome-keyring-daemon rPx, @{bin}/Hyprland rPx, + @{bin}/ksecretd rPUx, @{bin}/kwalletd{5,6} rPx, @{bin}/kwin_wayland rPx, @{bin}/labwc rPx, diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index 56914137b..c07b06815 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session @@ -9,6 +9,7 @@ include @{exec_path} = @{etc_ro}/sddm/wayland-session profile wayland-session @{exec_path} { include + include include @{exec_path} mr, @@ -39,8 +40,6 @@ profile wayland-session @{exec_path} { owner @{user_share_dirs}/sddm/wayland-session.log rw, - /dev/tty rw, - include if exists } From f18fc88253b82ca04bb92c2b68f2efb75afc55b7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:39:18 +0200 Subject: [PATCH 470/798] feat(profile): kde: improve dbus rules. --- apparmor.d/groups/kde/baloorunner | 3 +++ apparmor.d/groups/kde/kaccess | 1 + apparmor.d/groups/kde/kactivitymanagerd | 1 + apparmor.d/groups/kde/kde-powerdevil | 1 + apparmor.d/groups/kde/kded | 1 + apparmor.d/groups/kde/kglobalacceld | 2 ++ apparmor.d/groups/kde/ksmserver-logout-greeter | 9 +++++++++ apparmor.d/groups/kde/ksplashqml | 1 + apparmor.d/groups/kde/kwin_wayland | 2 +- apparmor.d/groups/kde/sddm | 1 + 10 files changed, 21 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 702288a1f..64372f497 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -10,6 +10,9 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include + include + include + include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 65582d1ba..4b1e734ed 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -18,6 +18,7 @@ profile kaccess @{exec_path} { include #aa:dbus own bus=session name=org.kde.kaccess + #aa:dbus talk bus=session name=org.kde.kglobalaccel path=/kglobalaccel label=kglobalacceld @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 1cc6b41d1..ead285e5f 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -11,6 +11,7 @@ include profile kactivitymanagerd @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index c961ed7a3..01706e649 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -28,6 +28,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) network netlink raw, #aa:dbus own bus=system name=org.freedesktop.Policy.Power + #aa:dbus own bus=system name=org.kde.kf5auth path=/ #aa:dbus own bus=session name=local.org_kde_powerdevil #aa:dbus own bus=session name=org.freedesktop.PowerManagement diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index e8be8a0dd..93c70329e 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -68,6 +68,7 @@ profile kded @{exec_path} { #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd + #aa:dbus talk bus=session name=org.kde.NightColor path=/ColorCorrect label="{kwin_wayland,kwin_x11}" #aa:dbus talk bus=session name=org.kde.KGlobalAccel path=/ label="{kglobalacceld,kwin_wayland}" dbus receive bus=system path=/ diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 156bdf928..b9c09d0c6 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,7 +9,9 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include + include include + include include #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index e5ea15c29..e46237c2a 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -11,6 +11,10 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include + include + include + include include include include @@ -18,6 +22,11 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate include include + #aa:dbus own bus=session name=org.kde.LogoutPrompt path=/LogoutPrompt + + #aa:dbus talk bus=session name=org.kde.LogoutPrompt path=/Shutdown label=plasma-shutdown + #aa:dbus talk bus=session name=org.kde.KWin label=kwin_wayland + @{exec_path} mr, @{lib}/os-release r, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index e1d5d7394..ea80e28cd 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -11,6 +11,7 @@ profile ksplashqml @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index c11f951be..51f09c8c4 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -35,7 +35,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { unix type=stream peer=(label=xwayland), #aa:dbus own bus=session name=org.freedesktop.ScreenSaver - #aa:dbus own bus=session name=org.kde.kglobalaccel + #aa:dbus own bus=session name=org.kde.kglobalaccel path=/kglobalaccel #aa:dbus own bus=session name=org.kde.KWin #aa:dbus own bus=session name=org.kde.NightColor path=/ColorCorrect #aa:dbus own bus=session name=org.kde.screensaver diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index b9d07e380..08835eaf0 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -55,6 +55,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=system name=org.freedesktop.DisplayManager #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}" + #aa:dbus talk bus=system name=org.freedesktop.login1 interface=org.freedesktop.login1.Manager label="@{p_systemd_logind}" @{exec_path} mr, From 53df40b8ac3b95eab40ed8e4ffe41f9c4f52d2eb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 20:40:36 +0200 Subject: [PATCH 471/798] feat(profile) gvfs: more dbus integration. --- apparmor.d/groups/gvfs/gvfsd-dnssd | 5 +++++ apparmor.d/groups/gvfs/gvfsd-http | 1 + apparmor.d/groups/gvfs/gvfsd-network | 10 ++++++++++ apparmor.d/groups/gvfs/gvfsd-recent | 5 +++++ apparmor.d/groups/gvfs/gvfsd-sftp | 26 ++++++++++++++++++++++++++ apparmor.d/groups/gvfs/gvfsd-wsdd | 13 ++++++++++++- 6 files changed, 59 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index 6c61dbba4..ab786106c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -38,6 +38,11 @@ profile gvfsd-dnssd @{exec_path} { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 5812c8a6e..f51ef2afe 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,6 +11,7 @@ include profile gvfsd-http @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index cd64d81ad..1af0a2b37 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -32,6 +32,16 @@ profile gvfsd-network @{exec_path} { member={MountLocation,LookupMount,RegisterMount} peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}), + @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 042b66a68..1219c8cbd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -33,6 +33,11 @@ profile gvfsd-recent @{exec_path} { member=RegisterMount peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, # Full access to user's data diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 157af621c..76bb55e98 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -10,10 +10,36 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-sftp profile gvfsd-sftp @{exec_path} { include + include + include include include include + #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gnome-extension-gsconnect), + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=nautilus), + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=:*, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/mounttracker + interface=org.gtk.vfs.MountTracker + member=RegisterMount + peer=(name=:*, label=gvfsd), + @{exec_path} mr, @{bin}/ssh rPx, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 209971ac2..0dee4e73b 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -13,6 +13,7 @@ profile gvfsd-wsdd @{exec_path} { include include include + include network netlink raw, @@ -31,9 +32,19 @@ profile gvfsd-wsdd @{exec_path} { member=RegisterMount peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gvfsd-network), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - @{bin}/env r, + @{bin}/env mr, @{bin}/wsdd rPx, @{run}/mount/utab r, From 15b8a6cea4dbdbd34a103f643ea13b085e424987 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 22 Aug 2025 21:22:25 +0200 Subject: [PATCH 472/798] fix: linter issue. --- apparmor.d/groups/kde/kwin_wayland | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 51f09c8c4..e2e3ecfe0 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -184,7 +184,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile ibus { include include - + @{sh_path} r, @{lib}/{,ibus/}ibus-x11 rPx, From bfe35f254e31557bdc75f08a6c0f02f005291b75 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 23 Aug 2025 17:40:48 +0200 Subject: [PATCH 473/798] feat(profile): small improvement for snap. --- apparmor.d/groups/snap/snap | 16 +++++++++++----- apparmor.d/groups/snap/snap-seccomp | 6 +++++- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index ef0a086a8..564fd9151 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -18,6 +18,8 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include + capability chown, + capability dac_override, capability dac_read_search, capability setuid, capability sys_admin, @@ -70,10 +72,10 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{DESKTOP_HOME}/snap/{,**} rw, /snap/{,**} rw, - @{HOME}/snap/{,**} rw, - owner @{HOME}/ r, - owner @{HOME}/.snap.mkdir-new/ rw, - owner @{HOME}/.snap/{,**} rw, + @{HOME}/ r, + @{HOME}/.snap.mkdir-new/ rw, + @{HOME}/.snap/{,**} rw, + @{HOME}/snap/{,**} rw, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @@ -102,7 +104,11 @@ profile snap @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, /dev/ttyS@{int} rw, - deny @{user_share_dirs}/gvfs-metadata/* r, + /apparmor/.null rw, + + # file_inherit, safe to deny + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, profile gpg { include diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 9605c544a..2a14fd583 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -27,7 +27,11 @@ profile snap-seccomp @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/mountinfo r, - deny @{user_share_dirs}/gvfs-metadata/* r, + /apparmor/.null rw, + + # file_inherit, safe to deny + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, include if exists } From 7b0a78b1f13743eae7f59efbaf501654955e7372 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 23 Aug 2025 17:42:49 +0200 Subject: [PATCH 474/798] feat(abs): improve dbus core abstractions --- apparmor.d/abstractions/bus/org.freedesktop.Accounts | 4 ++-- apparmor.d/abstractions/bus/org.freedesktop.Avahi | 2 +- .../abstractions/bus/org.freedesktop.portal.Desktop | 10 +++++----- apparmor.d/abstractions/bus/org.freedesktop.secrets | 4 ++-- .../abstractions/bus/org.gnome.Mutter.IdleMonitor | 4 ++-- apparmor.d/abstractions/bus/org.gnome.SessionManager | 5 +++++ apparmor.d/abstractions/bus/org.gtk.Notifications | 2 +- apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker | 2 +- 8 files changed, 19 insertions(+), 14 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index d15288d46..e77f17b88 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -8,8 +8,8 @@ dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member={FindUserByName,ListCachedUsers} - peer=(name="@{busname}", label="@{p_accounts_daemon}"), + member={FindUserByName,ListCachedUsers,FindUserById} + peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index aa48e69b1..4ddf95af3 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -23,7 +23,7 @@ dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser - member={ItemNew,AllForNow,CacheExhausted} + member={ItemNew,ItemRemove,AllForNow,CacheExhausted} peer=(name="@{busname}", label="@{p_avahi_daemon}"), dbus receive bus=system path=/ diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 2753a6602..4d4faf688 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -14,22 +14,22 @@ dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=SettingChanged - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), - dbus receive bus=session path=/org/freedesktop/portal/desktop + dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings member={Read,ReadAll} - peer=(name="@{busname}", label=xdg-desktop-portal), + peer=(name=@{busname}, label=xdg-desktop-portal), dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.host.portal.Registry diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index a2389a68a..e30e7b1c2 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets @@ -8,8 +8,8 @@ dbus send bus=session path=/org/freedesktop/secrets interface=org.freedesktop.Secret.Service - member={OpenSession,GetSecrets,SearchItems,ReadAlias} - peer=(name="@{busname}", label=gnome-keyring-daemon), + member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets/aliases/default interface=org.freedesktop.Secret.Collection diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 3eb301f18..8eb573f7e 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -13,8 +13,8 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor - member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} - peer=(name="@{busname}", label=gnome-shell), + member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime} + peer=(name="@{busname},org.gnome.Mutter.IdleMonitor", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager index 0683a98fb..a532b67f2 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager @@ -13,6 +13,11 @@ member={RegisterClient,IsSessionRunning} peer=(name="@{busname}", label=gnome-session-binary), + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member={Inhibit,Uninhibit} + peer=(name="@{busname}", label=gnome-session-binary), + dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Setenv,IsSessionRunning} diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/org.gtk.Notifications index b9229f204..ad1a1ffad 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Notifications +++ b/apparmor.d/abstractions/bus/org.gtk.Notifications @@ -8,7 +8,7 @@ dbus send bus=session path=/org/gtk/Notifications interface=org.gtk.Notifications - member=RemoveNotification + member={AddNotification,RemoveNotification} peer=(name=org.gtk.Notifications, label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker index d88afd0ee..c455d4f18 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker @@ -21,7 +21,7 @@ dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=Mounted + member={Mounted,Unmounted} peer=(name="@{busname}", label=gvfsd), include if exists From e9f0b77f2d00d748841dd78832368671a3549936 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 23 Aug 2025 18:59:08 +0200 Subject: [PATCH 475/798] feat(profile): update btop. --- apparmor.d/profiles-a-f/btop | 42 ++++++++++++++++++++++-------------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index bab483dde..4910629ce 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -10,15 +10,16 @@ include profile btop @{exec_path} { include include - include include + capability kill, + capability perfmon, capability sys_ptrace, network netlink raw, - signal (send), - ptrace (read), + signal send, + ptrace read, @{exec_path} mr, @@ -27,33 +28,42 @@ profile btop @{exec_path} { /etc/fstab r, owner @{user_config_dirs}/btop/{,**} rw, + owner @{user_state_dirs}/btop.log rw, @{sys}/bus/pci/devices/ r, @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/**/stat r, + @{sys}/devices/@{pci}/ r, + @{sys}/devices/@{pci}/{,**}/ r, @{sys}/devices/@{pci}/net/*/{,**} r, + @{sys}/devices/@{pci}/nvme/nvme@{int}/ r, + @{sys}/devices/@{pci}/stat r, @{sys}/devices/@{pci}/usb@{int}/**/power_supply/** r, @{sys}/devices/**/hwmon@{int}/{,*} r, @{sys}/devices/**/power_supply/{AC,BAT@{int}}/{,**} r, + @{sys}/devices/*/events/{,*} r, + @{sys}/devices/platform/*/ r, + @{sys}/devices/power/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r, @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, - @{PROC} r, - @{PROC}/@{pid}/statm r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/io r, - @{PROC}/@{pids}/stat r, - @{PROC}/devices r, - @{PROC}/driver/nvidia/capabilities/mig/monitor r, - @{PROC}/loadavg r, - @{PROC}/spl/kstat/zfs/arcstats r, - @{PROC}/uptime r, - owner @{PROC}/@{pid}/mounts r, + @{PROC} r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/task/@{tid}/comm rw, + @{PROC}/devices r, + @{PROC}/driver/nvidia/capabilities/mig/config r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/loadavg r, + @{PROC}/spl/kstat/zfs/arcstats r, + @{PROC}/uptime r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, From d6885803cbfe3d420b1eb15b9562aae68228ad9a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 21:32:51 +0200 Subject: [PATCH 476/798] fear(abs): update dbus core abs. --- .../bus/org.freedesktop.ColorManager | 7 ++++ .../bus/org.freedesktop.FileManager1 | 5 +++ .../abstractions/bus/org.freedesktop.UPower | 10 ++++- .../bus/org.freedesktop.hostname1 | 1 + .../bus/org.freedesktop.portal.Desktop | 15 +++++++ .../abstractions/bus/org.freedesktop.resolve1 | 6 +-- .../bus/org.gnome.Mutter.IdleMonitor | 2 +- .../bus/org.gnome.Shell.SearchProvider2 | 10 +++++ .../abstractions/bus/org.gtk.vfs.Daemon | 2 +- .../bus/org.kde.StatusNotifierItem | 24 +++++++++++ .../bus/org.kde.StatusNotifierWatcher | 42 ++++++++++++++++++- .../bus/org.mpris.MediaPlayer2.Player | 27 +++++++----- 12 files changed, 133 insertions(+), 18 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 3a63d95dc..e23092429 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow for color managed applications to communicate with colord + abi , #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}" @@ -21,6 +23,11 @@ member={DeviceAdded,DeviceRemoved} peer=(name="@{busname}", label="@{p_colord}"), + dbus (receive, send) bus=system path=/org/freedesktop/ColorManager + interface=org.freedesktop.ColorManager + member=FindDeviceByProperty + peer=(name="@{busname}", label="@{p_colord}"), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index 76095edaf..a08c98b26 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 @@ -6,6 +6,11 @@ #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus + dbus send bus=session path=/org/freedesktop/FileManager1 + interface=org.freedesktop.FileManager1 + member=ShowItems + peer=(name=org.freedesktop.FileManager1, label=nautilus), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index d82fbdef0..64b400a3e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -2,10 +2,13 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Can query UPower for power devices, history and statistics. + abi , #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + # Find all devices monitored by UPower dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices @@ -13,7 +16,12 @@ dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.DBus.Properties - member=GetDisplayDevice + member={GetDisplayDevice,GetCriticalAction} + peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), + + dbus send bus=system path=/org/freedesktop/UPower/devices/** + interface=org.freedesktop.UPower.Device + member={GetHistory,Refresh} peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"), dbus receive bus=system path=/org/freedesktop/UPower diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 0a8d86be1..165e3ae6e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -5,6 +5,7 @@ abi , #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" + dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 4d4faf688..4778dd6dc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -11,6 +11,11 @@ member=Read peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=xdg-desktop-portal), + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} @@ -41,6 +46,16 @@ member=Response peer=(name=@{busname}, label=xdg-desktop-portal), + dbus receive bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Inhibit + member={StateChanged,CreateMonitor} + peer=(name=@{busname}, label=xdg-desktop-portal), + + dbus receive bus=session path=/org/freedesktop/portal/desktop/session/** + interface=org.freedesktop.impl.portal.Session + member=Close + peer=(name=@{busname}, label=xdg-desktop-portal), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index e2c4b3886..fe6d52dc6 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -4,12 +4,12 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager - member={SetLink*,ResolveHostname} - peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"), + member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService} + peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 8eb573f7e..d1ff350fc 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -14,7 +14,7 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime} - peer=(name="@{busname},org.gnome.Mutter.IdleMonitor", label=gnome-shell), + peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 index baa96cc78..ae8b68448 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2 @@ -6,6 +6,16 @@ #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas} + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session path=/org/gnome/Characters/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + member=*Cancel + peer=(name=@{busname}, label=gnome-shell), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon index 66910007b..93ad35fe5 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon @@ -7,7 +7,7 @@ dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member={GetConnection,ListMonitorImplementations,ListMountableInfo} - peer=(name="@{busname}", label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem index 43947d52a..87fd06727 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem @@ -4,6 +4,30 @@ abi , + include + + dbus bind bus=session name=org.kde.StatusNotifierItem-@{int}, + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*} + interface=org.kde.StatusNotifierItem + member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index d9ca82881..90a78d2ed 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher @@ -2,14 +2,52 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow to display Status Notifier Items in the KDE Plasma systray + abi , - #aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell + #aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus send bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(label="@{pp_app_indicator}"), + + + dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu} + interface=com.canonical.dbusmenu + member={LayoutUpdated,ItemsPropertiesUpdated} + peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), + + dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**} + interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu} + member={Get*,AboutTo*,Event*} + peer=(label="@{pp_app_indicator}"), dbus send bus=session path=/StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher member=RegisterStatusNotifierItem - peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell), + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + member={ProvideXdgActivationToken,Activate} + peer=(label="@{pp_app_indicator}"), + + dbus receive bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={AboutToShow,GetLayout,Event} + peer=(label="@{pp_app_indicator}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player index d8581be07..d71b7ac1e 100644 --- a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player @@ -4,27 +4,34 @@ abi , - #aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined + # DBus.Properties: read all properties from the interface + dbus send bus=system path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=@{busname}), + # DBus.Properties: receive property changed events dbus receive bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member=PropertiesChanged peer=(name=@{busname}), - dbus receive bus=session path=/org/mpris/MediaPlayer2 - interface=org.mpris.MediaPlayer2.Player - member=Seeked + # DBus.Introspectable: allow clients to introspect the service + dbus send bus=system path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Introspectable + member=Introspect peer=(name=@{busname}), - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=Get + dbus receive bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.Player + member={Seeked,Next,PlayPause} peer=(name=@{busname}), + # https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}), + interface=org.mpris.MediaPlayer2.Player + member=Seeked + peer=(name=org.freedesktop.DBus), include if exists From eb2def65a1900c681bfc43fd9d4dbb450fc4f4be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 21:47:00 +0200 Subject: [PATCH 477/798] feat(abs): move some dbus abs to the session subfolder. --- .../{own-accessibility => accessibility/own} | 2 +- .../bus/org.freedesktop.systemd1-session | 16 ------------ .../bus/session/org.freedesktop.systemd1 | 26 +++++++++++++++++++ .../bus/{own-session => session/own} | 2 +- .../bus/{own-system => system/own} | 2 +- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/kde/kcminit | 2 +- apparmor.d/profiles-s-z/spotify | 1 + pkg/prebuild/directive/dbus.go | 2 +- 11 files changed, 35 insertions(+), 24 deletions(-) rename apparmor.d/abstractions/bus/{own-accessibility => accessibility/own} (93%) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.systemd1-session create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 rename apparmor.d/abstractions/bus/{own-session => session/own} (93%) rename apparmor.d/abstractions/bus/{own-system => system/own} (93%) diff --git a/apparmor.d/abstractions/bus/own-accessibility b/apparmor.d/abstractions/bus/accessibility/own similarity index 93% rename from apparmor.d/abstractions/bus/own-accessibility rename to apparmor.d/abstractions/bus/accessibility/own index cd8e42e52..d1eab1ce7 100644 --- a/apparmor.d/abstractions/bus/own-accessibility +++ b/apparmor.d/abstractions/bus/accessibility/own @@ -20,6 +20,6 @@ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session deleted file mode 100644 index 577cc3ed9..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" - - dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=GetUnit - peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 new file mode 100644 index 000000000..0c8185be6 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.systemd1 @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=GetUnit + peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), + + dbus send bus=session path=/org/freedesktop/systemd1/unit/app_* + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + + dbus send bus=session path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member=StartTransientUnit + peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/own-session b/apparmor.d/abstractions/bus/session/own similarity index 93% rename from apparmor.d/abstractions/bus/own-session rename to apparmor.d/abstractions/bus/session/own index 91515adb0..d975ebb48 100644 --- a/apparmor.d/abstractions/bus/own-session +++ b/apparmor.d/abstractions/bus/session/own @@ -20,6 +20,6 @@ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/own-system b/apparmor.d/abstractions/bus/system/own similarity index 93% rename from apparmor.d/abstractions/bus/own-system rename to apparmor.d/abstractions/bus/system/own index d48931f4f..2b1130b32 100644 --- a/apparmor.d/abstractions/bus/own-system +++ b/apparmor.d/abstractions/bus/system/own @@ -20,6 +20,6 @@ member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 4e3440656..9a42bcdf1 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -11,8 +11,8 @@ profile gdm-session @{exec_path} { include include include - include include + include signal (receive) set=(hup term) peer=gdm-session-worker, signal (receive) set=(term) peer=gdm, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 8b0ea6307..447c030d6 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -14,7 +14,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index b8da39a4d..35f43a93e 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,7 +11,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index bd01bf3c8..4f8b10a32 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -10,7 +10,7 @@ include profile kcminit @{exec_path} { include include - include + include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 3c18059a9..0eb5eab43 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -25,6 +25,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 06fedffb5..891eb9e1d 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -111,7 +111,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { res := aa.Rules{ &aa.Include{ - IsMagic: true, Path: "abstractions/bus/own-" + rules["bus"], + IsMagic: true, Path: "abstractions/bus/" + rules["bus"] + "/own", }, &aa.Dbus{ Access: []string{"bind"}, Bus: rules["bus"], Name: rules["name"], From 30618828097267ced9833cdf16de350eac1b05b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:04:07 +0200 Subject: [PATCH 478/798] feat(profile): update dbus rules for Ubuntu. --- apparmor.d/groups/freedesktop/dconf | 1 + apparmor.d/groups/freedesktop/pipewire-pulse | 3 +++ .../polkit-kde-authentication-agent | 2 ++ apparmor.d/groups/freedesktop/wireplumber | 5 +++++ .../groups/freedesktop/xdg-desktop-portal | 2 ++ .../groups/freedesktop/xdg-document-portal | 3 ++- .../gnome/evolution-addressbook-factory | 5 +++++ apparmor.d/groups/gnome/gjs-console | 2 ++ apparmor.d/groups/gnome/gnome-calendar | 2 +- apparmor.d/groups/gnome/gnome-characters | 2 +- apparmor.d/groups/gnome/gnome-control-center | 5 ++--- .../groups/gnome/gnome-extension-gsconnect | 2 ++ apparmor.d/groups/gnome/gnome-shell | 4 ++-- apparmor.d/groups/gnome/gnome-software | 11 ++++++++++ apparmor.d/groups/gnome/gnome-system-monitor | 4 ++++ apparmor.d/groups/gnome/gsd-media-keys | 14 +++++-------- apparmor.d/groups/gnome/gsd-power | 1 + .../groups/gnome/gsd-print-notifications | 20 ++++++++++++++++++- apparmor.d/groups/gnome/gsd-xsettings | 12 ++++++++++- apparmor.d/groups/gnome/loupe | 2 ++ apparmor.d/groups/gnome/nautilus | 8 +++++++- apparmor.d/groups/gnome/papers | 1 + apparmor.d/groups/gnome/ptyxis | 1 + apparmor.d/groups/gnome/ptyxis-agent | 5 ++++- apparmor.d/groups/network/wg-quick | 1 + apparmor.d/groups/polkit/polkit-agent-helper | 4 ++-- apparmor.d/groups/systemd/resolvectl | 7 +++++++ .../groups/ubuntu/software-properties-gtk | 6 +++++- apparmor.d/groups/ubuntu/update-notifier | 1 + apparmor.d/profiles-a-f/alacarte | 3 +++ apparmor.d/profiles-a-f/element-desktop | 1 + apparmor.d/profiles-g-l/libreoffice | 2 ++ apparmor.d/profiles-m-r/pinentry-gnome3 | 4 +++- apparmor.d/profiles-s-z/spotify | 11 ++++++++++ apparmor.d/profiles-s-z/superproductivity | 11 +++++++++- 35 files changed, 142 insertions(+), 26 deletions(-) diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf index be4972f04..20b453df4 100644 --- a/apparmor.d/groups/freedesktop/dconf +++ b/apparmor.d/groups/freedesktop/dconf @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/dconf profile dconf @{exec_path} flags=(attach_disconnected) { include + include include capability sys_nice, diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index fddbe02f7..e6e6e59c5 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse +++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -13,12 +13,15 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, ptrace read, + #aa:dbus own bus=session name=org.pulseaudio.Server + @{exec_path} mr, @{bin}/pactl rix, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 8a08f02d0..5e7a75a8d 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,8 +11,10 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include + include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 80c3135f5..7aff8bdd2 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -32,6 +32,11 @@ profile wireplumber @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/midi{,server@{int}} + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label="@{p_bluetoothd}"), + @{exec_path} mr, /opt/intel/oneapi/{compiler,lib,mkl}/**/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 35c81f0bc..89acacd34 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -52,6 +52,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor + #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal dbus receive bus=session diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index d2db2612e..84c0fce42 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -30,7 +30,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount), - #aa:dbus own bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents + #aa:dbus own bus=session name=org.freedesktop.portal.{Documents,FileTransfer} path=/org/freedesktop/portal/documents + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 98c94c79e..c9a9d72c9 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -55,6 +55,11 @@ profile evolution-addressbook-factory @{exec_path} { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus receive bus=session path=/org/gnome/evolution/dataserver/** + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=obexd), + @{exec_path} mr, @{exec_path}-subprocess rix, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 0cfd4c420..6d6d6ea85 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -17,8 +17,10 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { include include include + include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 235c0ce9e..7d6d5246d 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -23,7 +23,6 @@ profile gnome-calendar @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.Calendar - #aa-dbus own bus=session name=org.gnome.Calendar.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory @@ -32,6 +31,7 @@ profile gnome-calendar @{exec_path} { #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color + #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 9af2b7d5f..7ce936e52 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -11,13 +11,13 @@ profile gnome-characters @{exec_path} { include include include + include include include include include #aa:dbus own bus=session name=org.gnome.Characters - #aa-dbus talk bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 41b62df09..1c35a8ec1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -14,6 +14,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -42,9 +43,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 8887ce797..3f57b3035 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -17,6 +17,8 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0f91b7283..b7706ccf4 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -25,7 +25,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -87,7 +86,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" - #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 7e817f490..71141595b 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -9,6 +9,12 @@ include @{exec_path} = @{bin}/gnome-software profile gnome-software @{exec_path} { include + include + include + include + include + include + include include include include @@ -24,6 +30,11 @@ profile gnome-software @{exec_path} { mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, + #aa:dbus own bus=session name=org.freedesktop.PackageKit + #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application + + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}" + @{exec_path} mr, @{bin}/baobab rPUx, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index a3d039dea..a99d566c0 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -9,6 +9,10 @@ include @{exec_path} = @{bin}/gnome-system-monitor profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include + include + include + include + include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 6cae2d49b..7f02d8bf4 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/gsd-media-keys profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -21,6 +20,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include @@ -38,7 +39,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff - peer=(name=:*, label="@{p_systemd_logind}"), + peer=(name=@{busname}, label="@{p_systemd_logind}"), dbus send bus=session path=/ interface=org.freedesktop.DBus @@ -48,17 +49,12 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gsd-power), + peer=(name=@{busname}, label=gsd-power), dbus receive bus=session path=/org/gnome/SettingsDaemon/Power interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-power), - - dbus send bus=session path=/org/mpris/MediaPlayer2 - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*), + peer=(name=@{busname}, label=gsd-power), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 2fa0b0b1f..379f7b814 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -18,6 +18,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index af5ff2f05..59123f485 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -30,7 +30,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member=ServerStarted + member={ServerStarted,PrinterDeleted,PrinterStopped} peer=(name=@{busname}, label=cups-notifier-dbus), dbus receive bus=session @@ -38,6 +38,24 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=RecordBrowserNew + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + dbus send bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label=avahi-daemon), + + dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member={CacheExhausted,ItemNew} + peer=(name=@{busname}, label=avahi-daemon), + dbus receive bus=system path=/Client4/RecordBrowser3 + interface=org.freedesktop.Avahi.RecordBrowser + member=ItemNew + peer=(name=@{busname}, label=avahi-daemon), + @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index abf30bc40..2e21750b9 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -36,10 +36,20 @@ profile gsd-xsettings @{exec_path} { #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=GetId + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus receive bus=system path=/org/freedesktop/Accounts + interface=org.freedesktop.Accounts + member=UserAdded + peer=(name=@{busname}, label="@{p_accounts_daemon}"), + dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=SetInputSources - peer=(name=:*, label="@{p_accounts_daemon}"), + peer=(name=@{busname}, label="@{p_accounts_daemon}"), @{exec_path} mr, @{sh_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index d89d4d6f9..398b2b679 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -12,6 +12,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index fc9b923d8..17bdc5f13 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -31,9 +31,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { unix type=stream peer=(label=gnome-shell), #aa:dbus own bus=session name=org.freedesktop.FileManager1 - #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}" + #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions} #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 + #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell @@ -49,6 +50,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { member=Print peer=(name=@{busname}, label=nautilus), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=ListActivatableNames diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 6f5a137a3..9a22e3de8 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/papers profile papers @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index a6f7e5b63..a0a57d516 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/ptyxis profile ptyxis @{exec_path} { include + include include include diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index ce60a26c3..7a05b2254 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -9,9 +9,12 @@ include @{exec_path} = @{lib}/ptyxis-agent profile ptyxis-agent @{exec_path} { include + include + include include - include include + include + include signal send set=hup peer=unconfined, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index c89a12a47..33de68147 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/wg-quick profile wg-quick @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper index 5799ced5b..f761ecf29 100644 --- a/apparmor.d/groups/polkit/polkit-agent-helper +++ b/apparmor.d/groups/polkit/polkit-agent-helper @@ -35,12 +35,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label="@{p_polkitd}"), + peer=(name=@{busname}, label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=AuthenticationAgentResponse2 - peer=(name=:*, label="@{p_polkitd}"), + peer=(name=@{busname}, label="@{p_polkitd}"), @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl index 58f2d88f8..3013d8ae6 100644 --- a/apparmor.d/groups/systemd/resolvectl +++ b/apparmor.d/groups/systemd/resolvectl @@ -21,8 +21,15 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, + unix bind type=stream addr=@@{udbus}/bus/resolvconf/system, + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}" + dbus send bus=system path=/org/freedesktop/network1 + interface=org.freedesktop.network1.Manager + member=SetLinkDNSEx + peer=(name=org.freedesktop.network1), @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index bb31d8867..15a49066c 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -9,19 +9,23 @@ include @{exec_path} = @{bin}/software-properties-gtk profile software-properties-gtk @{exec_path} { include - include + include include include include include include + include + include include include include include #aa:dbus own bus=session name=com.ubuntu.SoftwareProperties + #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon + #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties path=/ label=software-properties-dbus @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 9754aa231..8e9cddd54 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -14,6 +14,7 @@ profile update-notifier @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 700c6d517..b4cfb56e6 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -9,6 +9,9 @@ include @{exec_path} = @{bin}/alacarte profile alacarte @{exec_path} flags=(attach_disconnected) { include + include + include + include include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 7891b67e1..ec7ee9c65 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -17,6 +17,7 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 4bed50f13..0a9e6dfc2 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -18,6 +18,8 @@ profile libreoffice @{exec_path} { include include include + include + include include include include diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index a955a9c6d..f4a61b07b 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -10,9 +10,11 @@ include profile pinentry-gnome3 @{exec_path} { include include + include + include include - signal (receive) set=(int) peer=gpg-agent, + signal receive set=int, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 0eb5eab43..f245e4312 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -21,10 +21,13 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include + include include include + include include include include @@ -36,8 +39,16 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Secret + member=RetrieveSecret + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + @{exec_path} mrix, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index c49a96621..73a86672f 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -6,7 +6,7 @@ abi , include -@{name} = super{p,P}roductivity +@{name} = super{p,P}roductivity Super?Productivity @{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @@ -16,7 +16,16 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include + include include + include + include + include + include + include + include + include + include include network inet stream, From 0fccbef52b1e0d8b713c76d71220ae03bce8fb1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:06:34 +0200 Subject: [PATCH 479/798] feat(profile): improve firefox profiles. --- apparmor.d/abstractions/app/firefox | 4 +++- apparmor.d/groups/browsers/firefox | 8 ++++++-- apparmor.d/groups/browsers/firefox-crashhelper | 5 +++++ apparmor.d/profiles-s-z/thunderbird-glxtest | 2 ++ 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 68fb14887..238bf9e8b 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -21,8 +21,9 @@ include include include - include + include include + include include include include @@ -98,6 +99,7 @@ /var/tmp/ r, owner @{tmp}/@{name}/ rw, owner @{tmp}/@{name}/* rwk, + owner @{tmp}/@{rand6}.tmp rw, owner @{tmp}/firefox/ rw, owner @{tmp}/firefox/* rwk, owner @{tmp}/mozilla* rw, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index bac81c847..f9ba190a3 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -21,6 +21,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) { signal send set=(term, kill) peer=firefox//&keepassxc-proxy, + unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int}, + unix type=seqpacket peer=(label=firefox-crashhelper), + #aa:dbus own bus=session name=org.mozilla.firefox #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2 @@ -46,9 +49,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, # Common extensions + @{bin}/browserpass rPx, + @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, + @{lib}/browserpass/browserpass-native rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, - @{bin}/browserpass rPx, - @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, diff --git a/apparmor.d/groups/browsers/firefox-crashhelper b/apparmor.d/groups/browsers/firefox-crashhelper index 55af7c2e2..8ffdccb67 100644 --- a/apparmor.d/groups/browsers/firefox-crashhelper +++ b/apparmor.d/groups/browsers/firefox-crashhelper @@ -15,11 +15,16 @@ include profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) { include + unix type=seqpacket peer=(label=firefox), + @{exec_path} mr, owner "@{config_dirs}/firefox/Crash Reports/" rw, owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw, + # file_inherit + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 4dc891361..53fdb1ffd 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -18,6 +18,8 @@ profile thunderbird-glxtest @{exec_path} flags=(attach_disconnected) { include include + network netlink raw, + @{exec_path} mr, / r, From f21fecc25a60abd0a5d7921112e226c8745c4ce5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:07:09 +0200 Subject: [PATCH 480/798] feat(profile): update possible path for browserpass. --- apparmor.d/profiles-a-f/browserpass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index ee7ff958c..c896e96f8 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/browserpass +@{exec_path} = @{bin}/browserpass @{lib}/browserpass/browserpass-native profile browserpass @{exec_path} flags=(attach_disconnected) { include include From 1724040229186e798f0fd443a22e747e9f3d5b93 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:15:51 +0200 Subject: [PATCH 481/798] feat(profile): various ubuntu based improvements. --- .../freedesktop/xdg-desktop-portal-gnome | 2 + apparmor.d/groups/freedesktop/xkbcomp | 1 + .../groups/gnome/evolution-alarm-notify | 2 + apparmor.d/groups/gnome/gnome-system-monitor | 1 + apparmor.d/groups/gnome/mutter-x11-frames | 2 +- apparmor.d/groups/gnome/nautilus | 4 +- apparmor.d/groups/gnome/ptyxis | 7 ++- apparmor.d/groups/gnome/ptyxis-agent | 8 +++- apparmor.d/groups/snap/snap | 48 ++++++++++++++++++- apparmor.d/groups/snap/snap-update-ns | 1 + apparmor.d/groups/ssh/ssh | 4 +- apparmor.d/groups/systemd/systemd-coredump | 4 ++ apparmor.d/groups/systemd/systemd-udevd | 2 + apparmor.d/groups/ubuntu/apport | 5 ++ .../groups/ubuntu/software-properties-gtk | 7 ++- apparmor.d/groups/ubuntu/ubuntu-advantage | 2 + apparmor.d/groups/utils/who | 2 + apparmor.d/profiles-a-f/fwupdmgr | 1 + apparmor.d/profiles-m-r/mkinitramfs | 7 +++ apparmor.d/profiles-m-r/motd | 1 + apparmor.d/profiles-m-r/on-ac-power | 1 + apparmor.d/profiles-s-z/swtpm_setup | 6 +-- 22 files changed, 107 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index bed83627a..ca5f62f82 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -65,11 +65,13 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gdm/greeter/applications/{,**} r, /usr/share/thumbnailers/{,**} r, owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_share_dirs}/applications/{,**} r, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 325d444f5..a99e12b7a 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -17,6 +17,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { unix (send,receive) type=stream addr=none peer=(label=gnome-shell), unix (send,receive) type=stream addr=none peer=(label=xwayland), + unix (send,receive) type=stream addr=none peer=(label=kwin_wayland), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index ce8f799bb..174cb323f 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -37,6 +37,8 @@ profile evolution-alarm-notify @{exec_path} { /etc/timezone r, + owner @{user_share_dirs}/evolution/datetime-formats.ini r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index a99d566c0..e4ac12011 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -36,6 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{bin}/sed rix, @{bin}/tr rix, + /usr/share/byobu/desktop/{,**} r, /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r, / r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 2ad89fe0a..ae225aa65 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -29,7 +29,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rw, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 17bdc5f13..5ad6bb7b5 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -72,7 +72,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{bin}/file-roller rPx, @{bin}/firejail rPUx, @{bin}/net rPUx, - @{bin}/tracker3 rPUx, + + @{bin}/* r, + @{lib}/@{multiarch}/glib-2.0/gio-launch-desktop m, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index a0a57d516..838dc940c 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -13,6 +13,10 @@ profile ptyxis @{exec_path} { include include + unix type=stream peer=(label=ptyxis-agent), + + #aa:dbus own bus=session name=org.gnome.Ptyxis + @{exec_path} mr, @{lib}/ptyxis-agent Px, @@ -25,11 +29,12 @@ profile ptyxis @{exec_path} { owner @{user_config_dirs}/org.gnome.Ptyxis/ rw, owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**, + owner @{user_config_dirs}/ubuntu-xdg-terminals.list r, owner @{user_share_dirs}/org.gnome.Ptyxis/ rw, owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**, - owner /tmp/#@{int} w, + owner /tmp/#@{int} rw, /dev/ptmx rw, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 7a05b2254..cf497e39f 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -25,7 +25,9 @@ profile ptyxis-agent @{exec_path} { @{bin}/podman Px, @{bin}/systemd-run Cx -> shell, - /usr/share/glib-2.0/schemas/gschemas.compiled r, + owner @{user_share_dirs}/containers/ w, + owner @{user_share_dirs}/containers/storage/ w, + owner @{user_share_dirs}/containers/storage/overlay-containers/ w, @{PROC}/@{pid}/cmdline r, @@ -37,9 +39,13 @@ profile ptyxis-agent @{exec_path} { signal send, + unix bind type=stream addr=@@{udbus}/bus/systemd-run/, + @{bin}/systemd-run mr, @{bin}/@{shells} Ux, + owner @{run}/user/@{uid}/systemd/private rw, + include if exists } diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 564fd9151..927d7a3da 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -52,11 +52,14 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sh_path} mr, @{bin}/mount rix, @{bin}/getent rix, @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, + @{bin}/systemd-run rCx -> run, # Start snap from the cli + @{bin}/xdg-settings rCx -> xdg-settings, @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @@ -98,7 +101,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/random/uuid r, @{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/version r, - owner @{PROC}/@{pid}/attr/apparmor/current r, + @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/mounts r, /dev/tty@{int} rw, @@ -125,6 +128,49 @@ profile snap @{exec_path} flags=(attach_disconnected) { include if exists } + profile xdg-settings { + include + include + + @{bin}/xdg-settings mr, + + @{sh_path} r, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat ix, + @{bin}/cut rix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath rix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/sleep ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/uname ix, + @{bin}/wc ix, + + @{bin}/xdg-mime Px, + + include if exists + } + + profile run { + include + + unix bind type=stream addr=@@{udbus}/bus/systemd-run/, + + @{bin}/systemd-run mr, + + owner @{run}/user/@{uid}/systemd/private rw, + + include if exists + } + profile systemctl { include include diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 5d7c18d59..157651ac3 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -61,6 +61,7 @@ profile snap-update-ns @{exec_path} { @{sys}/fs/cgroup/{,**/} r, @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.scope/cgroup.freeze rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 03236196c..bf71a8463 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -45,8 +45,8 @@ profile ssh @{exec_path} { audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, - owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, + owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/ r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 54f366c2f..db1854f1f 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -37,6 +37,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /opt/** r, /usr/share/*/** r, @{user_lib_dirs}/** r, + /snap/*/@{int}/opt/** r, + /snap/*/@{int}/usr/** r, /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, @@ -45,6 +47,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted /var/lib/systemd/coredump/{,**} rwl, + owner @{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r, + @{att}/@{run}/systemd/coredump rw, @{run}/systemd/coredump rw, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 9c993e0d5..62bada2a8 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -35,6 +35,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, + unix type=stream addr=@@{udbus}/bus/udevadm/, + @{exec_path} mrix, @{sh_path} rix, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index fbc433c05..2fa7bb92a 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -43,6 +43,11 @@ profile apport @{exec_path} flags=(attach_disconnected) { /var/lib/dpkg/info/ r, /var/lib/dpkg/info/*.list r, /var/lib/dpkg/info/*.md5sums r, + /var/lib/dpkg/diversions r, + /var/lib/dpkg/triggers/* r, + /var/lib/dpkg/updates/ r, + + /var/lib/systemd/coredump/*.zst r, /var/crash/ rw, /var/crash/*.@{uid}.crash rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 15a49066c..440ef4117 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/software-properties-gtk -profile software-properties-gtk @{exec_path} { +profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include @@ -62,6 +62,10 @@ profile software-properties-gtk @{exec_path} { owner @{tmp}/tmp@{word8}/ rw, owner @{tmp}/tmp@{word8}/apt.conf rw, + /dev/shm/ r, + owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, + owner /dev/shm/sem.mp-@{rand8} rw, + owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, @{sys}/devices/ r, @@ -75,6 +79,7 @@ profile software-properties-gtk @{exec_path} { owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, # Silencer deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 34b697732..e8d847e92 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -52,6 +52,8 @@ profile ubuntu-advantage @{exec_path} { /etc/machine-id r, + owner @{user_cache_dirs}/ubuntu-pro/{,**} rw, + owner @{tmp}/tmp[0-9a-z]*/apt.conf r, owner @{tmp}/[0-9a-z]*{,/} rw, owner @{tmp}/[0-9a-z]*/apt-helper-output rw, diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index fd49b2bec..d951bfe03 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -20,6 +20,8 @@ profile who @{exec_path} { @{run}/systemd/sessions/* r, + # file_inherit + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 5df66e6bd..2d781a734 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -42,6 +42,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, + owner /var/lib/fwupd/ w, owner /var/lib/fwupd/.cache/ w, @{user_cache_dirs}/dconf/user rw, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 42489117e..c6caf364f 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -174,6 +174,7 @@ profile mkinitramfs @{exec_path} { /usr/share/initramfs-tools/scripts/{,**/} r, /etc/initramfs-tools/scripts/{,**/} r, + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r, include if exists @@ -189,6 +190,12 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/**/*.ko* r, + @{sys}/module/compression r, include if exists diff --git a/apparmor.d/profiles-m-r/motd b/apparmor.d/profiles-m-r/motd index 6cdb0fbf8..de742b2c9 100644 --- a/apparmor.d/profiles-m-r/motd +++ b/apparmor.d/profiles-m-r/motd @@ -10,6 +10,7 @@ include profile motd @{exec_path} { include include + include capability net_admin, diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index 16ccfd9da..d6426f717 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -14,6 +14,7 @@ profile on-ac-power @{exec_path} { @{exec_path} r, @{sh_path} rix, + @{bin}/{,e}grep rix, @{bin}/{m,g,}awk rix, @{bin}/cat rix, diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup index 08ee1532e..5795ddfcc 100644 --- a/apparmor.d/profiles-s-z/swtpm_setup +++ b/apparmor.d/profiles-s-z/swtpm_setup @@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} { /var/log/swtpm/{,**} w, /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r, - owner @{tmp}/swtpm_setup.certs.*/ w, - owner @{tmp}/swtpm_setup.certs.*/*.cert rw, - owner @{tmp}/.swtpm_setup.pidfile* rw, + owner @{tmp}/.swtpm_setup.pidfile.@{rand6} rw, + owner @{tmp}/swtpm_setup.certs.@{rand6}/ w, + owner @{tmp}/swtpm_setup.certs.@{rand6}/*.cert rw, include if exists } From 9b7c1acb1bbad1465159935a0274991637d069c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:52:08 +0200 Subject: [PATCH 482/798] build: cosmetic on build task name. --- pkg/prebuild/builder/abi.go | 2 +- pkg/prebuild/builder/attach.go | 2 +- pkg/prebuild/builder/complain.go | 2 +- pkg/prebuild/builder/enforce.go | 2 +- pkg/prebuild/builder/fsp.go | 2 +- pkg/prebuild/builder/hotfix.go | 2 +- pkg/prebuild/builder/userspace.go | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 492e3cc31..b0052d13f 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -27,7 +27,7 @@ func init() { RegisterBuilder(&ABI3{ Base: prebuild.Base{ Keyword: "abi3", - Msg: "Convert all profiles from abi 4.0 to abi 3.0", + Msg: "Build: convert all profiles from abi 4.0 to abi 3.0", }, }) } diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index aeafcbf7d..d27908129 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -18,7 +18,7 @@ func init() { RegisterBuilder(&ReAttach{ Base: prebuild.Base{ Keyword: "attach", - Msg: "Re-attach disconnected path", + Msg: "Feat: re-attach disconnected path", }, }) } diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index dbd9b3478..8ee205564 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -25,7 +25,7 @@ func init() { RegisterBuilder(&Complain{ Base: prebuild.Base{ Keyword: "complain", - Msg: "Set complain flag on all profiles", + Msg: "Build: set complain flag on all profiles", }, }) } diff --git a/pkg/prebuild/builder/enforce.go b/pkg/prebuild/builder/enforce.go index a7ce90a7a..3d3d218c6 100644 --- a/pkg/prebuild/builder/enforce.go +++ b/pkg/prebuild/builder/enforce.go @@ -19,7 +19,7 @@ func init() { RegisterBuilder(&Enforce{ Base: prebuild.Base{ Keyword: "enforce", - Msg: "All profiles have been enforced", + Msg: "Build: all profiles have been enforced", }, }) } diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go index 8f7fb4202..12dab15cd 100644 --- a/pkg/prebuild/builder/fsp.go +++ b/pkg/prebuild/builder/fsp.go @@ -23,7 +23,7 @@ func init() { RegisterBuilder(&FullSystemPolicy{ Base: prebuild.Base{ Keyword: "fsp", - Msg: "Prevent unconfined transitions in profile rules", + Msg: "Feat: prevent unconfined transitions in profile rules", }, }) } diff --git a/pkg/prebuild/builder/hotfix.go b/pkg/prebuild/builder/hotfix.go index f7e6143b1..be8750f26 100644 --- a/pkg/prebuild/builder/hotfix.go +++ b/pkg/prebuild/builder/hotfix.go @@ -26,7 +26,7 @@ func init() { RegisterBuilder(&Hotfix{ Base: prebuild.Base{ Keyword: "hotfix", - Msg: "Temporary fix for #74, #80 & #235", + Msg: "Fix: temporary solution for #74, #80 & #235", }, }) } diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index 37bb3a978..70dff8ec9 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go @@ -27,7 +27,7 @@ func init() { RegisterBuilder(&Userspace{ Base: prebuild.Base{ Keyword: "userspace", - Msg: "Resolve variable in profile attachments", + Msg: "Fix: resolve variable in profile attachments", }, }) } From bfcf9f846cd5eee8500413ae785d389266070657 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 22:52:35 +0200 Subject: [PATCH 483/798] build: support for unconfined flag. --- pkg/prebuild/builder/complain.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index 8ee205564..0d6a48f37 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -38,6 +38,9 @@ func (b Complain) Apply(opt *Option, profile string) (string, error) { if slices.Contains(flags, "complain") { return profile, nil } + if slices.Contains(flags, "unconfined") { + return profile, nil + } } flags = append(flags, "complain") strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" From 3a17dd33106a8e83d96c50e0522a7373967a6a0f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:08:41 +0200 Subject: [PATCH 484/798] feat(aa): add support for advanced network rule. --- pkg/aa/network.go | 66 ++++++++++++++++++++++---------- pkg/aa/rule_test.go | 11 ++++++ pkg/aa/templates/rule/network.j2 | 16 ++++++++ 3 files changed, 72 insertions(+), 21 deletions(-) diff --git a/pkg/aa/network.go b/pkg/aa/network.go index d5a2af70b..15dd4385e 100644 --- a/pkg/aa/network.go +++ b/pkg/aa/network.go @@ -33,34 +33,54 @@ func init() { } } -type AddressExpr struct { - Source string - Destination string - Port string +type LocalAddress struct { + IP string + Port string } -func newAddressExprFromLog(log map[string]string) AddressExpr { - return AddressExpr{ - Source: log["laddr"], - Destination: log["faddr"], - Port: log["lport"], +func newLocalAddressFromLog(log map[string]string) LocalAddress { + return LocalAddress{ + IP: log["laddr"], + Port: log["lport"], } } -func (r AddressExpr) Compare(other AddressExpr) int { - if res := compare(r.Source, other.Source); res != 0 { +func (r LocalAddress) Compare(other LocalAddress) int { + if res := compare(r.IP, other.IP); res != 0 { return res } - if res := compare(r.Destination, other.Destination); res != 0 { + return compare(r.Port, other.Port) +} + +type PeerAddress struct { + IP string + Port string + Src string +} + +func newPeerAddressFromLog(log map[string]string) PeerAddress { + return PeerAddress{ + IP: log["faddr"], + Port: log["fport"], + Src: log["saddr"], + } +} + +func (r PeerAddress) Compare(other PeerAddress) int { + if res := compare(r.IP, other.IP); res != 0 { return res } - return compare(r.Port, other.Port) + if res := compare(r.Port, other.Port); res != 0 { + return res + } + return compare(r.Src, other.Src) } type Network struct { Base Qualifier - AddressExpr + LocalAddress + PeerAddress Domain string Type string Protocol string @@ -90,12 +110,13 @@ func newNetwork(q Qualifier, rule rule) (Rule, error) { func newNetworkFromLog(log map[string]string) Rule { return &Network{ - Base: newBaseFromLog(log), - Qualifier: newQualifierFromLog(log), - AddressExpr: newAddressExprFromLog(log), - Domain: log["family"], - Type: log["sock_type"], - Protocol: log["protocol"], + Base: newBaseFromLog(log), + Qualifier: newQualifierFromLog(log), + LocalAddress: newLocalAddressFromLog(log), + PeerAddress: newPeerAddressFromLog(log), + Domain: log["family"], + Type: log["sock_type"], + Protocol: log["protocol"], } } @@ -135,7 +156,10 @@ func (r *Network) Compare(other Rule) int { if res := compare(r.Protocol, o.Protocol); res != 0 { return res } - if res := r.AddressExpr.Compare(o.AddressExpr); res != 0 { + if res := r.LocalAddress.Compare(o.LocalAddress); res != 0 { + return res + } + if res := r.PeerAddress.Compare(o.PeerAddress); res != 0 { return res } return r.Qualifier.Compare(o.Qualifier) diff --git a/pkg/aa/rule_test.go b/pkg/aa/rule_test.go index ee50532a9..ed6e7043d 100644 --- a/pkg/aa/rule_test.go +++ b/pkg/aa/rule_test.go @@ -216,6 +216,17 @@ var ( wMerge: false, wString: "network netlink raw,", }, + { + name: "network3", + fromLog: newNetworkFromLog, + log: network3Log, + rule: network3, + wValidErr: true, + other: network1, + wCompare: -7, + wMerge: false, + wString: "network dgram ip=127.0.0.1 port=57007 peer=(ip=127.0.0.53, port=53), # failed af match", + }, { name: "mount", fromLog: newMountFromLog, diff --git a/pkg/aa/templates/rule/network.j2 b/pkg/aa/templates/rule/network.j2 index 6f2503a8b..3694442be 100644 --- a/pkg/aa/templates/rule/network.j2 +++ b/pkg/aa/templates/rule/network.j2 @@ -15,6 +15,22 @@ {{ " " }}{{ . }} {{- end -}} {{- end -}} + {{- with .LocalAddress.IP -}} + {{ " ip=" }}{{ . }} + {{- end -}} + {{- with .LocalAddress.Port -}} + {{ " port=" }}{{ . }} + {{- end -}} + {{- if and .PeerAddress.IP .PeerAddress.Port -}} + {{ " peer=(ip=" }}{{ .PeerAddress.IP }}{{ ", port="}}{{ .PeerAddress.Port }}{{ ")" }} + {{- else -}} + {{- with .PeerAddress.IP -}} + {{ " peer=(ip=" }}{{ . }}{{ ")" }} + {{- end -}} + {{- with .PeerAddress.Port -}} + {{ " peer=(port=" }}{{ . }}{{ ")" }} + {{- end -}} + {{- end -}} {{- "," -}} {{- template "comment" . -}} {{- end -}} \ No newline at end of file From 43f30333c6edd648c71789d1755a27b2c4381ac9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:14:52 +0200 Subject: [PATCH 485/798] feat(aa): add support for prompt and priority rule. --- pkg/aa/base.go | 6 +++++- pkg/aa/parse.go | 8 +++++++- pkg/aa/templates/rule/qualifier.j2 | 3 +++ 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/pkg/aa/base.go b/pkg/aa/base.go index eaf69f71c..a712a5899 100644 --- a/pkg/aa/base.go +++ b/pkg/aa/base.go @@ -99,6 +99,7 @@ func (r Base) addLine(other Rule) bool { } type Qualifier struct { + Priority string Audit bool AccessType string } @@ -109,6 +110,9 @@ func newQualifierFromLog(log map[string]string) Qualifier { } func (r Qualifier) Compare(o Qualifier) int { + if r := compare(r.Priority, o.Priority); r != 0 { + return r + } if r := compare(r.Audit, o.Audit); r != 0 { return r } @@ -116,7 +120,7 @@ func (r Qualifier) Compare(o Qualifier) int { } func (r Qualifier) Equal(o Qualifier) bool { - return r.Audit == o.Audit && r.AccessType == o.AccessType + return r.Priority == o.Priority && r.Audit == o.Audit && r.AccessType == o.AccessType } func (r Qualifier) getLenAudit() int { diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index e01696d74..3b737abfd 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -15,6 +15,8 @@ const ( tokALLOW = "allow" tokAUDIT = "audit" tokDENY = "deny" + tokPROMPT = "prompt" + tokPRIORITY = "priority" tokARROW = "->" tokEQUAL = "=" tokLESS = "<" @@ -524,7 +526,11 @@ func newRules(rules []rule) (Rules, error) { rule = rule[1:] goto qualifier // Qualifier - case tokALLOW, tokDENY: + case tokPRIORITY: + q.Priority = rule.GetValues(tokPRIORITY).GetString() + rule = rule[1:] + goto qualifier + case tokALLOW, tokDENY, tokPROMPT: q.AccessType = rule.Get(0) rule = rule[1:] goto qualifier diff --git a/pkg/aa/templates/rule/qualifier.j2 b/pkg/aa/templates/rule/qualifier.j2 index a0ff554ec..69181051a 100644 --- a/pkg/aa/templates/rule/qualifier.j2 +++ b/pkg/aa/templates/rule/qualifier.j2 @@ -3,6 +3,9 @@ {{- /* SPDX-License-Identifier: GPL-2.0-only */ -}} {{- define "qualifier" -}} + {{- with .Priority -}} + {{- "priority=" -}}{{ . }}{{ " " }} + {{- end -}} {{- if .Audit -}} {{- "audit " -}} {{- end -}} From 7d1f8852098deaaabbc29697d0111a44fb83e557 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:15:21 +0200 Subject: [PATCH 486/798] test(aa): add testdata for network rule. --- pkg/aa/data_test.go | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/pkg/aa/data_test.go b/pkg/aa/data_test.go index b96fd865f..28aa703d6 100644 --- a/pkg/aa/data_test.go +++ b/pkg/aa/data_test.go @@ -65,8 +65,34 @@ var ( "denied_mask": "create", "comm": "sddm-greeter", } + network3Log = map[string]string{ + "apparmor": "ALLOWED", + "class": "net", + "operation": "sendmsg", + "info": "failed af match", + "error": "-13", + "profile": "unattended-upgrade", + "comm": "unattended-upgr", + "laddr": "127.0.0.1", + "lport": "57007", + "faddr": "127.0.0.53", + "saddr": "127.0.0.1", + "src": "57007", + "fport": "53", + "sock_type": "dgram", + "protocol": "17", + "requested": "send", + "denied": "send", + } network1 = &Network{Domain: "netlink", Type: "raw", Protocol: "15"} network2 = &Network{Domain: "inet", Type: "dgram"} + network3 = &Network{ + Base: Base{Comment: " failed af match"}, + LocalAddress: LocalAddress{IP: "127.0.0.1", Port: "57007"}, + PeerAddress: PeerAddress{IP: "127.0.0.53", Port: "53", Src: "127.0.0.1"}, + Type: "dgram", + Protocol: "17", + } // Mount mount1Log = map[string]string{ From 157c365b261a8600404ee7c917b02d194725a6c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:17:10 +0200 Subject: [PATCH 487/798] fix(aa): ensure tokenization helper cleanup data. --- pkg/aa/util.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/aa/util.go b/pkg/aa/util.go index 5a7049d69..523eb99fe 100644 --- a/pkg/aa/util.go +++ b/pkg/aa/util.go @@ -148,9 +148,10 @@ func validateValues(kind Kind, key string, values []string) error { func tokenToSlice(token string) []string { res := []string{} - token = strings.Trim(token, "()\n") + token = strings.Trim(token, "()\n ") if strings.ContainsAny(token, ", ") { var sep string + token = strings.ReplaceAll(token, " ", " ") switch { case strings.Contains(token, ","): sep = "," From 107820975ded704279b68a40909a980c222a3da1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:18:41 +0200 Subject: [PATCH 488/798] feat(aa): add file kind. --- pkg/aa/apparmor.go | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 6119a0c91..94e232c81 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -5,12 +5,39 @@ package aa import ( + "strings" + "github.com/roddhjav/apparmor.d/pkg/paths" ) // MagicRoot is the default Apparmor magic directory: /etc/apparmor.d/. var MagicRoot = paths.New("/etc/apparmor.d") +// FileKind represents an AppArmor file kind. +type FileKind uint8 + +const ( + ProfileKind FileKind = iota + AbstractionKind + TunableKind +) + +func KindFromPath(file *paths.Path) FileKind { + dirname := file.Parent().String() + switch { + case strings.Contains(dirname, "abstractions"): + return AbstractionKind + case strings.Contains(dirname, "tunables"): + return TunableKind + case strings.Contains(dirname, "local"): + return AbstractionKind + case strings.Contains(dirname, "mappings"): + return AbstractionKind + default: + return ProfileKind + } +} + // AppArmorProfileFiles represents a full set of apparmor profiles type AppArmorProfileFiles map[string]*AppArmorProfileFile From 7aae9f0dd7a14bfd37246992f1c11a4c96bd8e21 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:30:54 +0200 Subject: [PATCH 489/798] build: add stacked-dbus builder Resolve peer label variable in dbus rules. It create a full dbus rule by item in a variable when it is used a peer label. For ubuntu with apparmor 4.1+ See https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 --- pkg/prebuild/builder/stacked-dbus.go | 105 +++++++++++++++++++++++++++ pkg/prebuild/cli/cli.go | 18 +++-- 2 files changed, 116 insertions(+), 7 deletions(-) create mode 100644 pkg/prebuild/builder/stacked-dbus.go diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go new file mode 100644 index 000000000..d572e9d31 --- /dev/null +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -0,0 +1,105 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "slices" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/aa" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + resolve = map[string][]string{ + `"@{p_dbus_system}"`: {"dbus-system", "dbus-system//&unconfined"}, + `"@{p_dbus_session}"`: {"dbus-session", "dbus-session//&unconfined"}, + } +) + +// Fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 +type StackedDbus struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&StackedDbus{ + Base: prebuild.Base{ + Keyword: "stacked-dbus", + Msg: "Fix: resolve peer label variable in dbus rules", + }, + }) +} + +func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { + var raw string + paragraphs := []string{} + rulesByParagraph := aa.ParaRules{} + + switch kind { + case aa.ProfileKind: + f := &aa.AppArmorProfileFile{} + nb, err := f.Parse(profile) + if err != nil { + return nil, nil, err + } + lines := strings.Split(profile, "\n") + raw = strings.Join(lines[nb:], "\n") + + case aa.AbstractionKind, aa.TunableKind: + raw = profile + } + raw = profile + + r, par, err := aa.ParseRules(raw) + if err != nil { + return nil, nil, err + } + rulesByParagraph = append(rulesByParagraph, r...) + paragraphs = append(paragraphs, par...) + return rulesByParagraph, paragraphs, nil +} + +func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { + kind := aa.KindFromPath(opt.File) + if kind == aa.TunableKind { + return profile, nil + } + + toResolve := []string{} + for k := range resolve { + toResolve = append(toResolve, k) + } + + rulesByParagraph, paragraphs, err := parse(kind, profile) // + if err != nil { + return "", err + } + for idx, rules := range rulesByParagraph { + changed := false + newRules := aa.Rules{} + for _, rule := range rules { + switch rule := rule.(type) { + case *aa.Dbus: + if slices.Contains(toResolve, rule.PeerLabel) { + changed = true + for _, label := range resolve[rule.PeerLabel] { + newRule := *rule + newRule.PeerLabel = label + newRules = append(newRules, &newRule) + } + } else { + newRules = append(newRules, rule) + } + default: + newRules = append(newRules, rule) + } + } + if changed { + profile = strings.ReplaceAll(profile, paragraphs[idx], newRules.String()+"\n") + } + } + return profile, nil +} diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index ab221e485..8abfb4323 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -108,16 +108,20 @@ func Configure() { case 3: builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 case 4: - // Re-attach disconnected path, ignored on ubuntu 25.04+ due to a memory leak - // that fully prevent profiles compilation with re-attached paths. - // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 - if prebuild.Distribution != "ubuntu" { - builder.Register("attach") - prepare.Register("attach") - } else if prebuild.Release["VERSION_CODENAME"] == "noble" { + // Re-attach disconnected path + if prebuild.Distribution == "ubuntu" && prebuild.Version >= 4.1 { + // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent + // profiles compilation with re-attached paths. + // See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2098730 + + // Use stacked-dbus builder to resolve dbus rules + builder.Register("stacked-dbus") + + } else { builder.Register("attach") prepare.Register("attach") } + default: logging.Fatal("Invalid ABI version: %d", prebuild.ABI) } From 2fcf4c50119de50de5498f30ee7a7a2aff9b5cd6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:38:15 +0200 Subject: [PATCH 490/798] ci(github): remove test now enabled by default. --- .github/workflows/main.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9f2addf88..90b709a31 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -47,11 +47,6 @@ jobs: if [[ ${{ matrix.mode }} == full-system-policy ]]; then sed -e "s/just complain/just fsp-complain/" -i debian/rules fi - if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then - # Test with Re-attach disconnected path - sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go - sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system - fi bash dists/build.sh dpkg - name: Install apparmor.d From bc270954d49993374b14bc2af6b89bb37d7d45ce Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 24 Aug 2025 23:53:12 +0200 Subject: [PATCH 491/798] feat(abs): add missing bus abs. --- .../bus/org.gnome.SettingsDaemon.MediaKeys | 23 ++++++++++++++++ .../bus/org.gnome.keyring.internal.Prompter | 26 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys create mode 100644 apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter diff --git a/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys new file mode 100644 index 000000000..3a461a85a --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow requesting interest in receiving media key events. This tells Gnome +# settings that our application should be notified when key events we are +# interested in are pressed, and allows us to receive those events. + + abi , + + # DBus.Properties: read all properties from the interface + dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), + + dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys + interface=org.gnome.SettingsDaemon.MediaKeys + peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter new file mode 100644 index 000000000..1c3e8f760 --- /dev/null +++ b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow accessing the GNOME crypto services prompt APIs as used by +# applications using libgcr (such as pinentry-gnome3) for secure pin +# entry to unlock GPG keys etc. See: +# https://developer.gnome.org/gcr/unstable/GcrPrompt.html +# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html +# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 + + abi , + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=@{busname}, label=pinentry-*), + + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}, label=pinentry-*), + + include if exists + +# vim:syntax=apparmor From 068d205e13b333f077371bd4af37637902f29e7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 25 Aug 2025 00:02:12 +0200 Subject: [PATCH 492/798] fix(prebuild): removce ineffectual assignment. --- pkg/prebuild/builder/stacked-dbus.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index d572e9d31..33af33df7 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -51,7 +51,6 @@ func parse(kind aa.FileKind, profile string) (aa.ParaRules, []string, error) { case aa.AbstractionKind, aa.TunableKind: raw = profile } - raw = profile r, par, err := aa.ParseRules(raw) if err != nil { From 7ecc84d3b0e13f5d346a906dceda14321fddae1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 25 Aug 2025 00:04:15 +0200 Subject: [PATCH 493/798] feat(tunable): add pp tunable, improve dbus tunables. --- apparmor.d/tunables/multiarch.d/profiles | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index 6868ae87a..d4fefb0b0 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -16,8 +16,8 @@ # Name of the dbus daemon profiles @{p_dbus_accessibility}=dbus-accessibility #aa:only apparmor4.1 -@{p_dbus_system}={dbus-system,dbus-system//&unconfined} -@{p_dbus_session}={dbus-session,dbus-session//&unconfined} +@{p_dbus_system}={dbus-system,unconfined} +@{p_dbus_session}={dbus-session,unconfined} #aa:exclude apparmor4.1 @{p_dbus_system}=dbus-system @@ -68,5 +68,12 @@ @{p_upowerd}=upowerd @{p_xdg_desktop_portal}=xdg-desktop-portal +# Profiles Patterns +# Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution + +# Notification +@{pp_notification}={plasmashell,gjs-console} +@{pp_app_indicator}={plasmashell,gnome-shell} +@{pp_dbusmenu}={plasmashell,nautilus} # vim:syntax=apparmor From 1d51b1436da8c64232cebe31317bdbebc870bded Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:08:52 +0200 Subject: [PATCH 494/798] Small documentation improvements --- docs/development/workflow.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/development/workflow.md b/docs/development/workflow.md index 786d77c93..7cc7c5616 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -36,7 +36,7 @@ title: Workflow Here is the bare minimum for the program `foo`: ``` sh # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 You +# Copyright (C) 2025 You # SPDX-License-Identifier: GPL-2.0-only abi , @@ -130,7 +130,7 @@ For this individual profile installation to work, the full package needs to be i To discover the access needed by a program, you can use the following tools: -1. Star the program in *complain* mode, let it initialize itself, then close it. +1. Start the program in *complain* mode, let it initialize itself, then close it. 1. Run **[`aa-log -r`](../usage.md#apparmor-log)**. It will: - Convert the logs to AppArmor rules. From 98034784e92400fd2241094f5ca8d85104f8b2f7 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:02:10 +0200 Subject: [PATCH 495/798] Add cider profile --- apparmor.d/profiles-a-f/cider | 61 +++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 apparmor.d/profiles-a-f/cider diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider new file mode 100644 index 000000000..f534a0034 --- /dev/null +++ b/apparmor.d/profiles-a-f/cider @@ -0,0 +1,61 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{domain} = sh.cider.genten org.chromium.Chromium +@{lib_dirs} = @{lib}/cider + +@{exec_path} = @{bin}/cider @{bin}/Cider @{lib_dirs}/Cider +profile cider @{exec_path} { + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mrix, + + @{lib_dirs}/ r, + @{lib_dirs}/** r, + @{lib_dirs}/libffmpeg.so mr, + @{lib_dirs}/chrome-sandbox rpx, + + @{bin}/xdg-settings rpx, + + owner @{user_config_dirs}/sh.cider.genten/ rw, + owner @{user_config_dirs}/sh.cider.genten/** rwk, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_x64/libwidevinecdm.so mr, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, + + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/statm r, + + /usr/share/xkeyboard-config-2/** r, + + include if exists +} + +# vim:syntax=apparmor From f5970fcc6741419ea96ef5c9c36a321da532e127 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 06:12:18 +0200 Subject: [PATCH 496/798] Remove tabs --- apparmor.d/profiles-a-f/cider | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index f534a0034..71b27bce5 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -42,11 +42,11 @@ profile cider @{exec_path} { owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, - @{PROC}/ r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/ r, - @{PROC}/@{pid}/task/@{tid}/status r, - @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, From eedbc2223c1bc84e2e12deb2fd1e041422c5994d Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 27 Aug 2025 15:52:00 +0200 Subject: [PATCH 497/798] cider-review-fixes --- apparmor.d/profiles-a-f/cider | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index 71b27bce5..2b203e989 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -6,10 +6,13 @@ abi , include +@{name} = {C,c}ider sh.cider.genten @{domain} = sh.cider.genten org.chromium.Chromium @{lib_dirs} = @{lib}/cider +@{cache_dirs} = @{user_cache_dirs}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} -@{exec_path} = @{bin}/cider @{bin}/Cider @{lib_dirs}/Cider +@{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider profile cider @{exec_path} { include include @@ -18,8 +21,9 @@ profile cider @{exec_path} { include include include - include + include include + include network inet dgram, network inet6 dgram, @@ -32,15 +36,13 @@ profile cider @{exec_path} { @{lib_dirs}/ r, @{lib_dirs}/** r, @{lib_dirs}/libffmpeg.so mr, - @{lib_dirs}/chrome-sandbox rpx, + @{lib_dirs}/chrome-sandbox rPx, - @{bin}/xdg-settings rpx, + @{bin}/xdg-settings rPx, owner @{user_config_dirs}/sh.cider.genten/ rw, owner @{user_config_dirs}/sh.cider.genten/** rwk, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_x64/libwidevinecdm.so mr, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/manifest.json r, - owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/latest-component-updated-widevine-cdm r, + owner @{user_config_dirs}/sh.cider.genten/WidevineCdm/*/_platform_specific/linux_@{arch}/libwidevinecdm.so mr, @{PROC}/ r, @{PROC}/@{pid}/stat r, @@ -53,8 +55,6 @@ profile cider @{exec_path} { owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/statm r, - /usr/share/xkeyboard-config-2/** r, - include if exists } From aec7d41a25647f9da3f0b13ddbe53d048bec3ee2 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:03:31 +0200 Subject: [PATCH 498/798] add profiles for wayland screen capture tools --- apparmor.d/profiles-g-l/grim | 21 +++++++++++++++++++++ apparmor.d/profiles-s-z/slurp | 23 +++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 apparmor.d/profiles-g-l/grim create mode 100644 apparmor.d/profiles-s-z/slurp diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim new file mode 100644 index 000000000..0ded3d315 --- /dev/null +++ b/apparmor.d/profiles-g-l/grim @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/grim +profile grim @{exec_path} { + include + include + + @{exec_path} mr, + + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp new file mode 100644 index 000000000..8d5bcc217 --- /dev/null +++ b/apparmor.d/profiles-s-z/slurp @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/slurp +profile slurp @{exec_path} { + include + + @{exec_path} mr, + + /usr/share/icons/{,**} r, + +# often used in combination with grim screen cature tool + owner /dev/shm/grim-@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor From 06f1c0538e9bca4ac1af6862c4553931b33ad108 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:15:04 +0200 Subject: [PATCH 499/798] remove whitespace --- apparmor.d/profiles-s-z/slurp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index 8d5bcc217..c4250275e 100644 --- a/apparmor.d/profiles-s-z/slurp +++ b/apparmor.d/profiles-s-z/slurp @@ -9,12 +9,12 @@ include @{exec_path} = @{bin}/slurp profile slurp @{exec_path} { include - + @{exec_path} mr, /usr/share/icons/{,**} r, -# often used in combination with grim screen cature tool + # often used in combination with grim screen cature tool owner /dev/shm/grim-@{rand6} rw, include if exists From 9a302147bd3b2d6f02d715bcaa0e645f1680295b Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 6 Aug 2025 14:26:43 +0200 Subject: [PATCH 500/798] fix typo --- apparmor.d/profiles-g-l/grim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 0ded3d315..9f18db07b 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/grim profile grim @{exec_path} { include - include + include @{exec_path} mr, From ec2c0b1c8e34273069a86caf5b7af3444d4a8e7c Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 24 Aug 2025 17:32:04 +0200 Subject: [PATCH 501/798] add default path for plain use --- apparmor.d/profiles-g-l/grim | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 9f18db07b..9e40a8aca 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -13,6 +13,10 @@ profile grim @{exec_path} { @{exec_path} mr, + owner @{user_config_dirs}/user-dirs.dirs r, + + owner @{HOME}/@{int8}_**_grim.png w, + owner /dev/shm/grim-@{rand6} rw, include if exists From 749ae318fca8bc9a8bed97bedeb883a326d95c13 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 00:35:35 +0200 Subject: [PATCH 502/798] feat(profile): aa uses word8 as bug files. --- apparmor.d/groups/apparmor/aa-enforce | 2 +- apparmor.d/groups/apparmor/aa-notify | 2 +- apparmor.d/groups/apparmor/aa-unconfined | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-enforce b/apparmor.d/groups/apparmor/aa-enforce index 1743fd9d0..1f8368045 100644 --- a/apparmor.d/groups/apparmor/aa-enforce +++ b/apparmor.d/groups/apparmor/aa-enforce @@ -31,7 +31,7 @@ profile aa-enforce @{exec_path} { owner /var/lib/snapd/apparmor/{,**} rw, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/apparmor/aa-notify b/apparmor.d/groups/apparmor/aa-notify index 7cb64af80..07706d052 100644 --- a/apparmor.d/groups/apparmor/aa-notify +++ b/apparmor.d/groups/apparmor/aa-notify @@ -45,7 +45,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.terminfo/@{int}/dumb r, owner @{tmp}/@{word8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, @{PROC}/ r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/apparmor/aa-unconfined b/apparmor.d/groups/apparmor/aa-unconfined index 68729b7fe..7308a5ef0 100644 --- a/apparmor.d/groups/apparmor/aa-unconfined +++ b/apparmor.d/groups/apparmor/aa-unconfined @@ -29,7 +29,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) { @{etc_ro}/inputrc r, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/apparmor-bugreport-@{word8}.txt rw, owner /var/tmp/@{rand8} rw, @{PROC}/ r, From cf96e7b1d0d37d050fba5a0e758190dc2059443f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 00:39:28 +0200 Subject: [PATCH 503/798] feat(profile): smal snap improvements. --- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/snap/snap-update-ns | 5 +++++ apparmor.d/groups/snap/snapd | 7 ++++++- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b7706ccf4..b34d18c00 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -294,7 +294,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/snap.*/wayland-cursor-shared-@{rand6} rw, owner @{run}/user/@{uid}/systemd/notify rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 157651ac3..98ee0e5e7 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -40,11 +40,16 @@ profile snap-update-ns @{exec_path} { / r, /tmp/ r, + @{lib}/ r, /usr/ r, /usr/local/ r, /usr/local/share/ r, /usr/local/share/doc/ rw, /usr/local/share/fonts/ rw, + /usr/share/ r, + /usr/share/drirc.d w, + /usr/share/X11/ r, + /usr/share/X11/XErrorDB w, owner /snap/{,**} rw, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 7e2c288b6..06de56063 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -99,7 +99,8 @@ profile snapd @{exec_path} { /usr/share/bash-completion/{,**} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} rw, /usr/share/dbus-1/services/*snap* r, - /usr/share/polkit-1/actions/{,**/} r, + /usr/share/polkit-1/actions/{,**} r, + /usr/share/polkit-1/actions/snap.*.policy r, @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, @@ -147,6 +148,7 @@ profile snapd @{exec_path} { @{run}/user/ r, @{run}/user/@{uid}/ r, + @{run}/user/@{uid}/snap.*/{,**} rw, @{run}/user/@{uid}/snapd-session-agent.socket rw, @{run}/user/snap.*/{,**} rw, @@ -227,6 +229,9 @@ profile snapd @{exec_path} { include @{sbin}/runuser mr, + @{bin}/tar ix, + + owner @{HOME}/snap/*/common/.cache/{,**} r, include if exists } From 81d020173d4f0336a95cc6562c161336685abb51 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:09:09 +0200 Subject: [PATCH 504/798] feat(profile): general update. --- apparmor.d/groups/bus/dbus-accessibility | 6 +++--- apparmor.d/groups/children/child-open-strict | 2 ++ apparmor.d/groups/gnome/gnome-software | 7 ++++++- apparmor.d/groups/gnome/loupe | 2 ++ apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gnome/papers | 4 +++- apparmor.d/groups/gpg/gpg | 3 ++- apparmor.d/groups/pacman/paccache | 3 +++ apparmor.d/groups/pacman/pacman-hook-code | 1 + .../systemd-generator-user-autostart | 3 +-- apparmor.d/groups/systemd/systemd-sleep | 2 ++ apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/usb/lsusb | 1 + apparmor.d/groups/utils/dmesg | 1 + apparmor.d/groups/utils/lsblk | 1 + apparmor.d/groups/virt/cockpit-bridge | 5 +++++ apparmor.d/groups/virt/cockpit-session | 4 +++- apparmor.d/groups/virt/libvirt-dbus | 5 +++++ apparmor.d/groups/virt/libvirtd | 7 +++++++ apparmor.d/profiles-a-f/borg | 1 + apparmor.d/profiles-a-f/btop | 2 +- apparmor.d/profiles-a-f/console-setup | 2 +- apparmor.d/profiles-a-f/deltachat-desktop | 6 +++--- apparmor.d/profiles-g-l/gitstatusd | 4 ++-- apparmor.d/profiles-g-l/homebank | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 ++ apparmor.d/profiles-g-l/linux-check-removal | 2 ++ apparmor.d/profiles-g-l/lsb-release | 14 ++++++++++---- apparmor.d/profiles-m-r/initramfs-hooks | 1 + apparmor.d/profiles-m-r/mdadm | 2 +- apparmor.d/profiles-m-r/protonmail-bridge-core | 1 + apparmor.d/profiles-s-z/spotify | 4 ++++ apparmor.d/profiles-s-z/syncthing | 5 +---- apparmor.d/profiles-s-z/tomb | 4 +++- apparmor.d/profiles-s-z/udev-fido_id | 1 + apparmor.d/profiles-s-z/virt-manager | 1 - apparmor.d/profiles-s-z/wemeet | 2 +- apparmor.d/profiles-s-z/which | 1 + 40 files changed, 89 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index f876d1210..a8c13b3fd 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include + include include network inet dgram, @@ -39,7 +40,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mrix, @@ -53,7 +54,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 7faf52185..4296f03af 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -18,6 +18,8 @@ profile child-open-strict flags=(attach_disconnected,mediate_deleted) { @{browsers_path} Px, @{file_explorers_path} Px, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, + include if exists include if exists } diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 71141595b..f3845daef 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -33,7 +33,12 @@ profile gnome-software @{exec_path} { #aa:dbus own bus=session name=org.freedesktop.PackageKit #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}" + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}" + + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=Changed + peer=(name=@{busname}, label=polkitd), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 398b2b679..cabcca062 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -27,6 +27,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal send set=kill peer=loupe//bwrap, + #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" dbus send bus=system path=/org/freedesktop/hostname1 diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 5ad6bb7b5..d8e7c3341 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -35,6 +35,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 9a22e3de8..0318c7265 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/papers -profile papers @{exec_path} { +profile papers @{exec_path} flags=(attach_disconnected) { include include include @@ -16,6 +16,8 @@ profile papers @{exec_path} { include include + #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index b65823520..40c23b660 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,7 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, - /usr/share/keyrings/** rw, #aa:only apt + /usr/share/keyrings/** rw, #aa:only apt /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, @@ -39,6 +39,7 @@ profile gpg @{exec_path} { /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt + /etc/apt/trusted.gpg.d/{,*} r, owner /etc/apt/keyrings/ rw, owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 8331951e7..d68c0b832 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -41,6 +41,9 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, + owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index ee23781f4..3e916efe3 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -19,6 +19,7 @@ profile pacman-hook-code @{exec_path} { @{python_path} rix, @{lib}/code/product.json rw, + @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w, /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart index 8e3ebb6b3..ff4c74664 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart @@ -10,14 +10,13 @@ include profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { include include + include include capability net_admin, @{exec_path} mr, - @{system_share_dirs}/applications/*.desktop r, - @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{user_config_dirs}/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index d7c61e336..a55bf752d 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -19,6 +19,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} mr, + @{lib}/systemd/system-sleep/grub2.sleep rPx, @{lib}/systemd/system-sleep/hdparm rPx, @{lib}/systemd/system-sleep/nvidia rPx, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 62bada2a8..640e48f3f 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -98,6 +98,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, + @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, @{att}/@{run}/systemd/notify w, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 440ef4117..af91c7eaa 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -64,7 +64,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, - owner /dev/shm/sem.mp-@{rand8} rw, + owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index b5a24940d..a10659292 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -14,6 +14,7 @@ profile lsusb @{exec_path} { include capability net_admin, + capability sys_admin, network netlink raw, diff --git a/apparmor.d/groups/utils/dmesg b/apparmor.d/groups/utils/dmesg index 14ace0dea..2976d1316 100644 --- a/apparmor.d/groups/utils/dmesg +++ b/apparmor.d/groups/utils/dmesg @@ -13,6 +13,7 @@ profile dmesg @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, + capability sys_admin, capability syslog, @{exec_path} mr, diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/groups/utils/lsblk index 7559e4e48..6fc1d5bb2 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -27,6 +27,7 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { # File Inherit deny network inet stream, deny network inet6 stream, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index bf3d48204..d8c71803d 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -11,7 +11,10 @@ profile cockpit-bridge @{exec_path} { include include include + include + include include + include include include @@ -37,6 +40,8 @@ profile cockpit-bridge @{exec_path} { #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} + #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus @{exec_path} mr, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 3fbefadb7..ba51fc8a5 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -10,6 +10,7 @@ include profile cockpit-session @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -28,7 +29,8 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, - @{bin}/ssh-agent rPx, + @{bin}/ssh-agent rPx, + @{bin}/ssh-add rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index f3bbaf019..971cdf55e 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -16,6 +16,11 @@ profile libvirt-dbus @{exec_path} { #aa:dbus own bus=session name=org.libvirt #aa:dbus own bus=system name=org.libvirt + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{sbin}/libvirtd rPx, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 44d6962f5..f10da1798 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -92,6 +92,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{lib}/libvirt/libvirt_iohelper rix, @@ -157,6 +162,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{user_config_dirs}/libvirt/{,**} rwk, + owner @{run}/user/@{uid}/libvirt/ rw, owner @{run}/user/@{uid}/libvirt/** rwk, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 6d2683ade..544be3be0 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -33,6 +33,7 @@ profile borg @{exec_path} { @{bin}/cat rix, @{sbin}/ldconfig rix, @{bin}/uname rix, + @{bin}/ip rix, @{bin}/ccache rCx -> ccache, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index 4910629ce..bac8aea75 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -48,7 +48,7 @@ profile btop @{exec_path} { @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC} r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index 7a11e407f..aa0a56648 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -13,7 +13,7 @@ profile console-setup @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/uname rPx, + @{bin}/uname rix, @{bin}/mkdir rix, @{run}/console-setup/ rw, diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 87c2bbaba..2e7723995 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -13,16 +13,16 @@ include @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include + include include include - include - include include + include include + include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index 579536674..aabde9cef 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -13,12 +13,12 @@ profile gitstatusd @{exec_path} { include signal receive set=term peer=*//shell, - signal receive set=term peer=vscode, + signal receive set=term peer={,vs}code, @{exec_path} mr, owner @{user_projects_dirs}/{,**} r, - owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw, + owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw, owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank index cb459919f..7fbe74040 100644 --- a/apparmor.d/profiles-g-l/homebank +++ b/apparmor.d/profiles-g-l/homebank @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homebank -profile homebank @{exec_path} { +profile homebank @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 2370271ec..47cbb22a2 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo @@ -38,7 +38,7 @@ profile landscape-sysinfo @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 0a9e6dfc2..dfb9361f3 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -27,6 +27,7 @@ profile libreoffice @{exec_path} { include include include + include include include include @@ -107,6 +108,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 04d2f0330..f2895299f 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -16,6 +16,8 @@ profile linux-check-removal @{exec_path} { @{bin}/stty rix, + /etc/shadow r, + include if exists } diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release index d2d52d362..5214632dc 100644 --- a/apparmor.d/profiles-g-l/lsb-release +++ b/apparmor.d/profiles-g-l/lsb-release @@ -30,10 +30,16 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) { #aa:only apt @{bin}/dpkg-query px, - /etc/ r, - /etc/*-release r, - /etc/lsb-release r, - /etc/lsb-release.d/{,*} r, + @{etc_ro}/ r, + @{etc_ro}/*-release r, + @{etc_ro}/lsb-release r, + @{etc_ro}/lsb-release.d/{,*} r, + + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** r, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index cae5c1c3d..136536764 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -68,6 +68,7 @@ profile initramfs-hooks @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, @{sys}/firmware/efi/efivars/ r, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 15adcb9e6..4cc5fc9fb 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/mdadm -profile mdadm @{exec_path} { +profile mdadm @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index ca9680aea..a9bd819e3 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -33,6 +33,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { /etc/lsb-release r, /etc/machine-id r, + /etc/os-release r, owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r, owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f245e4312..ed1ccfe1c 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -57,6 +57,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, + /usr/local/lib/spotify-adblock.so mr, + /etc/machine-id r, /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, @@ -70,6 +72,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, + owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, + @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 83e1b2f45..d504b0c15 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -11,6 +11,7 @@ include profile syncthing @{exec_path} { include include + include include include include @@ -26,10 +27,6 @@ profile syncthing @{exec_path} { @{open_path} rPx -> child-open, @{bin}/ip rix, - /usr/share/mime/{,**} r, - - /etc/mime.types r, - @{HOME}/ r, @{HOME}/** rwk, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 9b0912bd9..df4258b8c 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -21,6 +21,7 @@ profile tomb @{exec_path} { capability sys_rawio, signal send set=cont peer=gpg, + signal send set=cont peer=pinentry-*, ptrace read peer=@{p_systemd_user}, @@ -43,11 +44,11 @@ profile tomb @{exec_path} { @{bin}/findmnt rix, @{bin}/getent rix, @{bin}/gettext rix, + @{bin}/head rix, @{bin}/hostname rix, @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, - @{sbin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, @@ -64,6 +65,7 @@ profile tomb @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/zsh rix, + @{sbin}/losetup rix, @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 76ec27b68..9c686b19d 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -16,6 +16,7 @@ profile udev-fido_id @{exec_path} { /etc/udev/udev.conf r, @{sys}/devices/@{pci}/report_descriptor r, + @{sys}/devices/platform/**/report_descriptor r, @{sys}/devices/virtual/**/report_descriptor r, include if exists diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index aed85abe3..8a1b5f355 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -51,7 +51,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, - /usr/share/gtksourceview-4/{,**} r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 3606533d7..0b83e44c8 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -13,10 +13,10 @@ include @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { include - include include include include + include include include include diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index df049741f..c4de427ff 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -33,6 +33,7 @@ profile which @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists From 4db65834a402444b18a10fc7e43b879dc79f5ff5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:15:42 +0200 Subject: [PATCH 505/798] feat(abs): glibc: restrict auxv maps and statux to owner. --- apparmor.d/abstractions/glibc | 12 +++++++++--- apparmor.d/groups/apt/apt-overlay | 1 - apparmor.d/groups/polkit/polkitd | 3 ++- apparmor.d/groups/procps/ps | 1 + apparmor.d/groups/systemd/systemd-journald | 1 + apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-m-r/mdevctl | 2 -- apparmor.d/profiles-s-z/syncoid | 2 -- 8 files changed, 14 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc index aa6e14416..8536470bd 100644 --- a/apparmor.d/abstractions/glibc +++ b/apparmor.d/abstractions/glibc @@ -22,9 +22,15 @@ @{PROC}/stat r, # Glibc's *printf protections read the maps file - @{PROC}/@{pid}/auxv r, - @{PROC}/@{pid}/maps r, - @{PROC}/@{pid}/status r, + owner @{PROC}/@{pid}/auxv r, + owner @{PROC}/@{pid}/maps r, + owner @{PROC}/@{pid}/status r, + + # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps, + # but in a format that is simpler to manage, because it doesn't require to + # parse the text data inside a file, but just reading the contents of + # a directory. + owner @{PROC}/@{pid}/map_files/ r, # Glibc statvfs @{PROC}/filesystems r, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 4ba9e57d7..7f59635eb 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -30,7 +30,6 @@ profile apt-overlay @{exec_path} { /root/ r, owner @{PROC}/@{pids}/loginuid r, - owner @{PROC}/@{pids}/maps r, include if exists } diff --git a/apparmor.d/groups/polkit/polkitd b/apparmor.d/groups/polkit/polkitd index c2de7f8b6..fa00311cd 100644 --- a/apparmor.d/groups/polkit/polkitd +++ b/apparmor.d/groups/polkit/polkitd @@ -65,8 +65,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/@{tid}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index 1d9ae50cb..7663cbf5d 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -34,6 +34,7 @@ profile ps @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/ r, @{PROC}/@{pids}/task/@{tid}/cmdline r, @{PROC}/@{pids}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index ad3d96990..2765d8f10 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -82,6 +82,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/status r, @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index f10da1798..2b0530ef5 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -284,7 +284,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /etc/qemu/{,**} r, - owner @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/status r, /dev/net/tun rw, diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl index 906dcf512..408947c83 100644 --- a/apparmor.d/profiles-m-r/mdevctl +++ b/apparmor.d/profiles-m-r/mdevctl @@ -19,8 +19,6 @@ profile mdevctl @{exec_path} { @{sys}/class/mdev_bus/ r, @{sys}/devices/@{pci}/mdev_supported_types/{,**} r, - @{PROC}/@{pids}/maps r, - include if exists } diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index e275fb764..fc30c5fd6 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - @{PROC}/@{pids}/maps r, - include if exists } From 544204e511ce6938fb2da2b9f01d28fd3ce34338 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:22:22 +0200 Subject: [PATCH 506/798] feat(abs): add the user-dirs abstraction. --- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/user-dirs | 14 ++++++++++++++ .../groups/freedesktop/xdg-user-dirs-gtk-update | 2 +- apparmor.d/groups/freedesktop/xdg-user-dirs-update | 4 +--- apparmor.d/groups/systemd/systemd-path | 3 +-- apparmor.d/profiles-g-l/grim | 3 +-- apparmor.d/profiles-s-z/spice-vdagent | 8 ++++---- 9 files changed, 25 insertions(+), 12 deletions(-) create mode 100644 apparmor.d/abstractions/user-dirs diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 4a32a1aa7..1bb4c20ea 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -17,6 +17,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 445c62e6b..72d09126e 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -12,6 +12,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 5fbdd7869..02a0bc9c5 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -12,6 +12,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs new file mode 100644 index 000000000..189f8eb38 --- /dev/null +++ b/apparmor.d/abstractions/user-dirs @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /etc/xdg/user-dirs.conf r, + /etc/xdg/user-dirs.defaults r, + + owner @{user_config_dirs}/user-dirs.dirs r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index b2ae65450..cf488af63 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -14,13 +14,13 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include + include @{exec_path} mr, @{bin}/xdg-user-dirs-update Px, owner @{user_config_dirs}/gtk-3.0/bookmarks* rw, - owner @{user_config_dirs}/user-dirs.dirs r, owner @{user_config_dirs}/user-dirs.locale r, owner @{tmp}/dirs-@{rand6} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 7177703a9..09c66d6ac 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -9,13 +9,11 @@ include @{exec_path} = @{bin}/xdg-user-dirs-update profile xdg-user-dirs-update @{exec_path} { include + include include @{exec_path} mr, - /etc/xdg/user-dirs.conf r, - /etc/xdg/user-dirs.defaults r, - owner @{desktop_config_dirs}/ rw, owner @{desktop_config_dirs}/user-dirs.dirs{,*} rw, owner @{desktop_config_dirs}/user-dirs.locale rw, diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 747527776..0d061d845 100644 --- a/apparmor.d/groups/systemd/systemd-path +++ b/apparmor.d/groups/systemd/systemd-path @@ -10,11 +10,10 @@ include profile systemd-path @{exec_path} { include include + include @{exec_path} mr, - owner @{user_config_dirs}/user-dirs.dirs r, - include if exists } diff --git a/apparmor.d/profiles-g-l/grim b/apparmor.d/profiles-g-l/grim index 9e40a8aca..5717837ec 100644 --- a/apparmor.d/profiles-g-l/grim +++ b/apparmor.d/profiles-g-l/grim @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/grim profile grim @{exec_path} { include + include include @{exec_path} mr, - owner @{user_config_dirs}/user-dirs.dirs r, - owner @{HOME}/@{int8}_**_grim.png w, owner /dev/shm/grim-@{rand6} rw, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index c73f5f678..158ea6a7f 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -20,10 +19,12 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include + include + include include + include dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime @@ -38,7 +39,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_config_dirs}/user-dirs.dirs r, @{run}/spice-vdagentd/spice-vdagent-sock rw, From e50e87bd618543d9a638b4512bf8d72b82eb9524 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:23:14 +0200 Subject: [PATCH 507/798] feat(abs): update base additions. --- apparmor.d/abstractions/base.d/complete | 30 +++++++++++++------------ 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index ad3945eb9..d89688b70 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -8,20 +8,20 @@ signal receive peer=@{p_systemd_user}, # Allow to receive some signals from new well-known profiles - signal (receive) peer=btop, - signal (receive) peer=htop, - signal (receive) peer=pkill, - signal (receive) peer=sudo, - signal (receive) peer=top, - signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown, - signal (receive) set=(hup term) peer=login, - signal (receive) set=(hup) peer=xinit, - signal (receive) set=(term,kill) peer=gnome-shell, - signal (receive) set=(term,kill) peer=gnome-system-monitor, - signal (receive) set=(term,kill) peer=openbox, - signal (receive) set=(term,kill) peer=su, - - ptrace (readby) peer=@{p_systemd_coredump}, + signal receive peer=btop, + signal receive peer=htop, + signal receive peer=pkill, + signal receive peer=sudo, + signal receive peer=top, + signal receive set=(cont,term,kill,stop) peer=systemd-shutdown, + signal receive set=(hup term) peer=login, + signal receive set=(hup) peer=xinit, + signal receive set=(term,kill) peer=gnome-shell, + signal receive set=(term,kill) peer=gnome-system-monitor, + signal receive set=(term,kill) peer=openbox, + signal receive set=(term,kill) peer=su, + + ptrace readby peer=@{p_systemd_coredump}, @{etc_rw}/localtime r, /etc/locale.conf r, @@ -30,4 +30,6 @@ @{PROC}/sys/kernel/core_pattern r, + /apparmor/.null rw, + # vim:syntax=apparmor From 5faca8461df97d62d065ca8a7430405621d39e54 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:23:59 +0200 Subject: [PATCH 508/798] feat(abs): remove user-dirs from recently-used abs. --- apparmor.d/abstractions/recently-used | 2 -- 1 file changed, 2 deletions(-) diff --git a/apparmor.d/abstractions/recently-used b/apparmor.d/abstractions/recently-used index d3a7ec289..66a80867b 100644 --- a/apparmor.d/abstractions/recently-used +++ b/apparmor.d/abstractions/recently-used @@ -14,8 +14,6 @@ owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl, owner @{user_share_dirs}/recently-used.xbel.lock rwk, - owner @{user_config_dirs}/user-dirs.dirs r, # FIXME: not here? - include if exists # vim:syntax=apparmor From c9813dc34f241e392d055234d754b76a0e803102 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:26:17 +0200 Subject: [PATCH 509/798] feat(abs): improve dbus rules in open & common gnome abs. --- apparmor.d/abstractions/app/open | 3 ++- apparmor.d/abstractions/common/gnome | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 243d18261..3d91de235 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -7,6 +7,8 @@ abi , + include + include include # We cannot use `@{open_path} mrix,` here because it includes: @@ -30,7 +32,6 @@ include include - include include include include diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 056f6581b..f0dd20f47 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -9,6 +9,8 @@ include include include + include + include include include include From 61d8cee932d7671302f786f8f7f2b84d0d057bdf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:27:58 +0200 Subject: [PATCH 510/798] feat(profile): ssh: cleanup. --- apparmor.d/groups/ssh/ssh-agent | 1 + apparmor.d/groups/ssh/ssh-keygen | 3 ++- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/ssh/sshfs | 2 +- 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index f6732b1cf..9fc2900b4 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -13,6 +13,7 @@ profile ssh-agent @{exec_path} { include signal receive set=term peer=cockpit-bridge, + signal receive set=term peer=cockpit-session, signal receive set=term peer=gnome-keyring-daemon, @{exec_path} mr, diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index b55824e58..1b6dd5e98 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -18,7 +18,8 @@ profile ssh-keygen @{exec_path} { /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, - owner @{HOME}/@{XDG_SSH_DIR}/{,*} rw, + owner @{HOME}/@{XDG_SSH_DIR}/ rw, + owner @{HOME}/@{XDG_SSH_DIR}/* rwl -> @{HOME}/@{XDG_SSH_DIR}/*, owner /tmp/snapd@{int}/*_*{,.pub} w, owner /tmp/snapd@{int}/*.key{,.pub} w, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 63f2c1370..40cf0bca2 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -102,7 +102,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{user_download_dirs}/{,**} rwl, owner @{user_sync_dirs}/{,**} rwl, - @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, + @{HOME}/@{XDG_SSH_DIR}/authorized_keys* r, owner @{user_cache_dirs}/{,motd*} rw, @{att}/@{run}/systemd/sessions/@{int}.ref rw, diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 12e7d8930..ee6a2f903 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -18,7 +18,7 @@ profile sshfs @{exec_path} flags=(complain) { mount fstype=fuse.sshfs -> @{MOUNTS}/*/, mount fstype=fuse.sshfs -> @{MOUNTS}/*/*/, - unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), + unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount"), @{exec_path} mr, From 5d1ef4087741d3acf84fe50b26c5669ade291f10 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 19:55:42 +0200 Subject: [PATCH 511/798] feat(profile): add some missing proc access. Due to recent changes in base-strict. --- apparmor.d/abstractions/app/pgrep | 1 + apparmor.d/groups/gnome/gdm-generate-config | 7 ++++--- apparmor.d/groups/procps/htop | 1 + 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 0ec14bea0..f563712ca 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -19,6 +19,7 @@ @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, + @{PROC}/@{pid}/status r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/environ r, diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 9d910cdd2..6e67866f5 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -42,9 +42,10 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/stat r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index d59fde5e5..4937f6875 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -105,6 +105,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/io r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mounts r, @{PROC}/@{pids}/net/dev r, @{PROC}/@{pids}/oom_{,score_}adj r, From be0d481068929ddd1787bbf8cb16a9cf4619deed Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 19:56:41 +0200 Subject: [PATCH 512/798] feat(profile): remove common/systemd from systemd-detect-virt. --- apparmor.d/groups/systemd/systemd-detect-virt | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 01e49025f..9b78b7c04 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -11,11 +11,10 @@ include profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { include include - include - capability net_admin, + capability sys_ptrace, - network netlink raw, + ptrace read peer=@{p_systemd}, @{exec_path} mr, @@ -32,7 +31,14 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/firmware/dmi/entries/*/raw r, @{sys}/firmware/uv/prot_virt_guest r, @{sys}/hypervisor/properties/features r, - + @{sys}/hypervisor/type r, + + @{PROC}/1/environ r, + @{PROC}/device-tree/ r, + @{PROC}/device-tree/compatible r, + @{PROC}/device-tree/hypervisor/compatible r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sysinfo r, @{PROC}/xen/capabilities r, /dev/cpu/@{int}/msr r, From 2bb42bfca21bf7b372fccdeb763c33ef0f8875b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 20:14:12 +0200 Subject: [PATCH 513/798] build: add support for apparmor 5.0 (current master branch) --- dists/overwrite | 3 +++ pkg/prebuild/prepare/configure.go | 35 ++++++++++++++++++++++++------- 2 files changed, 31 insertions(+), 7 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index c8769ba54..16f8f4a19 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -38,3 +38,6 @@ openvpn remmina transmission wg-quick +systemd-detect-virt # Missing integration with @{p_systemd} +hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables + diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index a6e954485..cf16f5b8e 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -23,6 +23,15 @@ func init() { }) } +func removeFiles(files []string) error { + for _, name := range files { + if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { + return err + } + } + return nil +} + func (p Configure) Apply() ([]string, error) { res := []string{} @@ -57,19 +66,31 @@ func (p Configure) Apply() ([]string, error) { } - if prebuild.Version == 4.1 { - // Remove files upstreamed in 4.1 + if prebuild.Version >= 4.1 { remove := []string{ + // Remove files upstreamed in 4.1 "abstractions/devices-usb-read", "abstractions/devices-usb", "abstractions/nameservice-strict", "tunables/multiarch.d/base", - "wg", // Upstream version is identical + + // Direct upstream contributed profiles, similar to ours + "wg", } - for _, name := range remove { - if err := prebuild.RootApparmord.Join(name).RemoveAll(); err != nil { - return res, err - } + if err := removeFiles(remove); err != nil { + return res, err + } + } + if prebuild.Version >= 5.0 { + remove := []string{ + // Direct upstrem contributed profiles, similar to ours + "dig", + "free", + "nslookup", + "who", + } + if err := removeFiles(remove); err != nil { + return res, err } } return res, nil From 57251820e1bafa211deef302d907a21213a1b523 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 20:48:01 +0200 Subject: [PATCH 514/798] build: improve support for aa 5.0 --- dists/overwrite | 5 +++-- pkg/prebuild/prepare/configure.go | 10 ++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/dists/overwrite b/dists/overwrite index 16f8f4a19..70ee1cc41 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -6,6 +6,7 @@ brave chrome chromium +cockpit-desktop element-desktop epiphany firefox @@ -29,8 +30,8 @@ unix-chkpwd # Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while # They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones: -# - Keep ours: If they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile -# - Drop ours: when upstream profiles is better +# - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile +# - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go) fusermount3 lsblk lsusb diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index cf16f5b8e..9ca3b14d3 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -6,6 +6,7 @@ package prepare import ( "fmt" + "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" ) @@ -92,6 +93,15 @@ func (p Configure) Apply() ([]string, error) { if err := removeFiles(remove); err != nil { return res, err } + + // @{pci_bus} was upstreamed in 5.0 + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") + out, err := path.ReadFileAsString() + if err != nil { + return res, err + } + out = strings.ReplaceAll(out, "@{pci_bus}=pci@{hex4}:@{hex2}", "") + return res, path.WriteFile([]byte(out)) } return res, nil } From a3fde24b3deb9ecbd0ddebdf920315b24af46182 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 29 Aug 2025 23:58:39 +0200 Subject: [PATCH 515/798] feat: add aliases for all coreutils. --- apparmor.d/tunables/alias.d/coreutils | 112 ++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 apparmor.d/tunables/alias.d/coreutils diff --git a/apparmor.d/tunables/alias.d/coreutils b/apparmor.d/tunables/alias.d/coreutils new file mode 100644 index 000000000..9fed4fefc --- /dev/null +++ b/apparmor.d/tunables/alias.d/coreutils @@ -0,0 +1,112 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# In ubuntu 25.10, to make room for the coming rust utils, classic coreutils has +# moved to /usr/bin/gnu* names. To avoid breaking existing profiles, we +# provide aliases for all the coreutils names to their gnu* counterpart. + + alias /{,usr/}bin/dd -> /usr/bin/gnudd, + alias /{,usr/}bin/tee -> /usr/bin/gnutee, + alias /{,usr/}bin/paste -> /usr/bin/gnupaste, + alias /{,usr/}bin/sha256sum -> /usr/bin/gnusha256sum, + alias /{,usr/}bin/env -> /usr/bin/gnuenv, + alias /{,usr/}bin/expr -> /usr/bin/gnuexpr, + alias /{,usr/}bin/sleep -> /usr/bin/gnusleep, + alias /{,usr/}bin/shred -> /usr/bin/gnushred, + alias /{,usr/}bin/dircolors -> /usr/bin/gnudircolors, + alias /{,usr/}bin/nohup -> /usr/bin/gnunohup, + alias /{,usr/}bin/stty -> /usr/bin/gnustty, + alias /{,usr/}bin/sha384sum -> /usr/bin/gnusha384sum, + alias /{,usr/}bin/pr -> /usr/bin/gnupr, + alias /{,usr/}bin/nice -> /usr/bin/gnunice, + alias /{,usr/}bin/basenc -> /usr/bin/gnubasenc, + alias /{,usr/}bin/sha224sum -> /usr/bin/gnusha224sum, + alias /{,usr/}bin/unexpand -> /usr/bin/gnuunexpand, + alias /{,usr/}bin/logname -> /usr/bin/gnulogname, + alias /{,usr/}bin/uniq -> /usr/bin/gnuuniq, + alias /{,usr/}bin/chown -> /usr/bin/gnuchown, + alias /{,usr/}bin/vdir -> /usr/bin/gnuvdir, + alias /{,usr/}bin/printf -> /usr/bin/gnuprintf, + alias /{,usr/}bin/true -> /usr/bin/gnutrue, + alias /{,usr/}bin/groups -> /usr/bin/gnugroups, + alias /{,usr/}bin/printenv -> /usr/bin/gnuprintenv, + alias /{,usr/}bin/truncate -> /usr/bin/gnutruncate, + alias /{,usr/}bin/md5sum -> /usr/bin/gnumd5sum, + alias /{,usr/}bin/pinky -> /usr/bin/gnupinky, + alias /{,usr/}bin/rm -> /usr/bin/gnurm, + alias /{,usr/}bin/cat -> /usr/bin/gnucat, + alias /{,usr/}bin/tac -> /usr/bin/gnutac, + alias /{,usr/}bin/b2sum -> /usr/bin/gnub2sum, + alias /{,usr/}bin/seq -> /usr/bin/gnuseq, + alias /{,usr/}bin/cut -> /usr/bin/gnucut, + alias /{,usr/}bin/csplit -> /usr/bin/gnucsplit, + alias /{,usr/}bin/split -> /usr/bin/gnusplit, + alias /{,usr/}bin/realpath -> /usr/bin/gnurealpath, + alias /{,usr/}bin/ptx -> /usr/bin/gnuptx, + alias /{,usr/}bin/who -> /usr/bin/gnuwho, + alias /{,usr/}bin/whoami -> /usr/bin/gnuwhoami, + alias /{,usr/}bin/cksum -> /usr/bin/gnucksum, + alias /{,usr/}bin/ls -> /usr/bin/gnuls, + alias /{,usr/}bin/runcon -> /usr/bin/gnuruncon, + alias /{,usr/}bin/arch -> /usr/bin/gnuarch, + alias /{,usr/}bin/head -> /usr/bin/gnuhead, + alias /{,usr/}bin/date -> /usr/bin/gnudate, + alias /{,usr/}bin/wc -> /usr/bin/gnuwc, + alias /{,usr/}bin/mktemp -> /usr/bin/gnumktemp, + alias /{,usr/}bin/pathchk -> /usr/bin/gnupathchk, + alias /{,usr/}bin/mkfifo -> /usr/bin/gnumkfifo, + alias /{,usr/}bin/du -> /usr/bin/gnudu, + alias /{,usr/}bin/cp -> /usr/bin/gnucp, + alias /{,usr/}bin/tty -> /usr/bin/gnutty, + alias /{,usr/}bin/sync -> /usr/bin/gnusync, + alias /{,usr/}bin/fold -> /usr/bin/gnufold, + alias /{,usr/}bin/users -> /usr/bin/gnuusers, + alias /{,usr/}bin/dirname -> /usr/bin/gnudirname, + alias /{,usr/}bin/nproc -> /usr/bin/gnunproc, + alias /{,usr/}bin/sort -> /usr/bin/gnusort, + alias /{,usr/}bin/[ -> /usr/bin/gnu[, + alias /{,usr/}bin/base64 -> /usr/bin/gnubase64, + alias /{,usr/}bin/od -> /usr/bin/gnuod, + alias /{,usr/}bin/tr -> /usr/bin/gnutr, + alias /{,usr/}bin/join -> /usr/bin/gnujoin, + alias /{,usr/}bin/sha512sum -> /usr/bin/gnusha512sum, + alias /{,usr/}bin/false -> /usr/bin/gnufalse, + alias /{,usr/}bin/expand -> /usr/bin/gnuexpand, + alias /{,usr/}bin/base32 -> /usr/bin/gnubase32, + alias /{,usr/}bin/chmod -> /usr/bin/gnuchmod, + alias /{,usr/}bin/rmdir -> /usr/bin/gnurmdir, + alias /{,usr/}bin/factor -> /usr/bin/gnufactor, + alias /{,usr/}bin/mknod -> /usr/bin/gnumknod, + alias /{,usr/}bin/chcon -> /usr/bin/gnuchcon, + alias /{,usr/}bin/basename -> /usr/bin/gnubasename, + alias /{,usr/}bin/chgrp -> /usr/bin/gnuchgrp, + alias /{,usr/}bin/sha1sum -> /usr/bin/gnusha1sum, + alias /{,usr/}bin/ln -> /usr/bin/gnuln, + alias /{,usr/}bin/tsort -> /usr/bin/gnutsort, + alias /{,usr/}bin/echo -> /usr/bin/gnuecho, + alias /{,usr/}bin/timeout -> /usr/bin/gnutimeout, + alias /{,usr/}bin/dir -> /usr/bin/gnudir, + alias /{,usr/}bin/numfmt -> /usr/bin/gnunumfmt, + alias /{,usr/}bin/touch -> /usr/bin/gnutouch, + alias /{,usr/}bin/mv -> /usr/bin/gnumv, + alias /{,usr/}bin/sum -> /usr/bin/gnusum, + alias /{,usr/}bin/stat -> /usr/bin/gnustat, + alias /{,usr/}bin/yes -> /usr/bin/gnuyes, + alias /{,usr/}bin/install -> /usr/bin/gnuinstall, + alias /{,usr/}bin/readlink -> /usr/bin/gnureadlink, + alias /{,usr/}bin/pwd -> /usr/bin/gnupwd, + alias /{,usr/}bin/tail -> /usr/bin/gnutail, + alias /{,usr/}bin/stdbuf -> /usr/bin/gnustdbuf, + alias /{,usr/}bin/comm -> /usr/bin/gnucomm, + alias /{,usr/}bin/shuf -> /usr/bin/gnushuf, + alias /{,usr/}bin/uname -> /usr/bin/gnuuname, + alias /{,usr/}bin/test -> /usr/bin/gnutest, + alias /{,usr/}bin/mkdir -> /usr/bin/gnumkdir, + alias /{,usr/}bin/link -> /usr/bin/gnulink, + alias /{,usr/}bin/df -> /usr/bin/gnudf, + alias /{,usr/}bin/unlink -> /usr/bin/gnuunlink, + alias /{,usr/}bin/hostid -> /usr/bin/gnuhostid, + alias /{,usr/}bin/fmt -> /usr/bin/gnufmt, + alias /{,usr/}bin/id -> /usr/bin/gnuid, + alias /{,usr/}bin/nl -> /usr/bin/gnunl, From 2bae05d30940d14ad09a86c5b666257e43c17058 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:05:19 +0200 Subject: [PATCH 516/798] feat(abs): add varianttable to apt common. --- apparmor.d/abstractions/common/apt | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index 5dd8b26bc..a267fd909 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -7,6 +7,7 @@ /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/varianttable r, /etc/apt/apt.conf r, /etc/apt/apt.conf.d/{,*} r, From 1122f28cacf84e4cfea8796d73d90a0a37b7fb6f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:46:40 +0200 Subject: [PATCH 517/798] tests(packer): cleanup package install process. - apparmor restart is handled by the package - it is a dev version, so it could fail. --- tests/packer/init.sh | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/tests/packer/init.sh b/tests/packer/init.sh index bf75c0e1e..630da6b0f 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -27,27 +27,21 @@ main() { case "$DISTRIBUTION" in arch) rm -f $SRC/*.sig # Ignore signature files - pacman --noconfirm -U $SRC/*.pkg.tar.zst + rm -f $SRC/*enforced* # Ignore enforced package + pacman --noconfirm -U $SRC/*.pkg.tar.zst || true ;; debian | ubuntu) - apt install -y apparmor-profiles + apt-get install -y apparmor-profiles dpkg -i $SRC/*.deb || true ;; opensuse*) mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" - rpm -i $SRC/*.rpm + rpm -i $SRC/*.rpm || true ;; esac - - verb="start" - rm -rf /var/cache/apparmor/* || true - if systemctl is-active -q apparmor; then - verb="reload" - fi - systemctl "$verb" apparmor.service || journalctl -xeu apparmor.service } main "$@" From 94f01c68f696fd858ec65195113cad95f8d514fa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 11:48:11 +0200 Subject: [PATCH 518/798] feat(tunable): update home dir for gdm & add desktop_state_dirs. --- apparmor.d/tunables/multiarch.d/system-users | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 885913da3..73a3267a0 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -5,11 +5,12 @@ # Define some extra paths for some commonly used system user # Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ +@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/{,gdm-}greeter/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ @{gdm_share_dirs}=@{GDM_HOME}/.local/share/ +@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ # Full path of the SDDM configuration directories @{SDDM_HOME}=/var/lib/sddm/ @@ -17,6 +18,7 @@ @{sddm_config_dirs}=@{SDDM_HOME}/.config/ @{sddm_local_dirs}=@{SDDM_HOME}/.local/ @{sddm_share_dirs}=@{SDDM_HOME}/.local/share/ +@{sddm_state_dirs}=@{SDDM_HOME}/.local/state/ # Full path of the LIGHTDM configuration directories @{LIGHTDM_HOME}=/var/lib/lightdm/ @@ -31,5 +33,6 @@ @{desktop_config_dirs}=@{gdm_config_dirs} @{sddm_config_dirs} @{lightdm_config_dirs} @{desktop_local_dirs}=@{gdm_local_dirs} @{sddm_local_dirs} @{lightdm_local_dirs} @{desktop_share_dirs}=@{gdm_share_dirs} @{sddm_share_dirs} @{lightdm_share_dirs} +@{desktop_state_dirs}=@{gdm_state_dirs} @{sddm_state_dirs} @{lightdm_state_dirs} # vim:syntax=apparmor From b5020eac891099c023aad7e3b51375fbe663e0ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:22:01 +0200 Subject: [PATCH 519/798] tests(packer): remobe sudo alias --- tests/packer/src/.bash_aliases | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/packer/src/.bash_aliases b/tests/packer/src/.bash_aliases index 27e05bf80..2580556fd 100644 --- a/tests/packer/src/.bash_aliases +++ b/tests/packer/src/.bash_aliases @@ -8,7 +8,6 @@ for nb in $(seq "$1"); do done } -alias sudo='sudo -E' alias aa-log='sudo aa-log' alias aa-status='sudo aa-status' alias c='clear' From 0ada92da328c830fddf1550352c02405d89f9ef8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:35:04 +0200 Subject: [PATCH 520/798] refractor(abs): gsettings -> gschemas. --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/gnome-strict | 2 +- apparmor.d/abstractions/{gsettings => gschemas} | 2 +- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/gnome/ptyxis-agent | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) rename apparmor.d/abstractions/{gsettings => gschemas} (88%) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 1bb4c20ea..3bfbcc887 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -11,7 +11,7 @@ include include - include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 72d09126e..4d2d390ee 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/abstractions/gsettings b/apparmor.d/abstractions/gschemas similarity index 88% rename from apparmor.d/abstractions/gsettings rename to apparmor.d/abstractions/gschemas index 4d22f080b..21a4d860c 100644 --- a/apparmor.d/abstractions/gsettings +++ b/apparmor.d/abstractions/gschemas @@ -9,6 +9,6 @@ @{system_share_dirs}/glib-2.0/schemas/ r, @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 02a0bc9c5..a06a29da4 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index a8c13b3fd..c254fcd2d 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -15,7 +15,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include + include include network inet dgram, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index cf497e39f..982afd90d 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -13,7 +13,7 @@ profile ptyxis-agent @{exec_path} { include include include - include + include include signal send set=hup peer=unconfined, From d6ddbf104cdfc07615b8f32c306d9db766a9ce77 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 12:56:05 +0200 Subject: [PATCH 521/798] refractor(profile): always use the gschemas abstraction. --- apparmor.d/groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/freedesktop/geoclue | 5 ++--- apparmor.d/groups/gnome/chrome-gnome-shell | 3 +-- apparmor.d/groups/gnome/deja-dup-monitor | 3 +-- apparmor.d/groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/evolution-calendar-factory | 3 +-- apparmor.d/groups/gnome/evolution-source-registry | 3 +-- apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/gnome/gnome-browser-connector-host | 3 +-- apparmor.d/groups/gnome/gnome-shell-calendar-server | 2 -- apparmor.d/groups/gnome/gsd-a11y-settings | 4 ++-- apparmor.d/groups/gnome/gsd-datetime | 4 ++-- apparmor.d/groups/gnome/gsd-sharing | 4 ++-- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 2 +- apparmor.d/groups/gnome/gsd-usb-protection | 3 +-- apparmor.d/groups/gnome/session-migration | 4 ++-- apparmor.d/groups/gvfs/gvfsd-network | 3 +-- apparmor.d/groups/gvfs/gvfsd-smb-browse | 3 +-- apparmor.d/groups/ubuntu/apport-gtk | 1 - apparmor.d/profiles-g-l/gsettings | 3 ++- apparmor.d/profiles-m-r/mission-control | 2 +- 22 files changed, 26 insertions(+), 37 deletions(-) diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index d110fb83b..df17e0d9f 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -10,6 +10,7 @@ include profile xdm-xsession @{exec_path} { include include + include include include include @@ -58,7 +59,6 @@ profile xdm-xsession @{exec_path} { @{HOME}/.xinitrc rPix, # TODO: rCx @{lib}/xinit/xinitrc rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, /usr/share/terminfo/{,**} r, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 6332f49e2..fbc7a7582 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent profile geoclue @{exec_path} flags=(attach_disconnected) { include - include include include include include include + include + include include include include @@ -29,8 +30,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/geoclue/{,**} r, /etc/sysconfig/proxy r, diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell index 8c6372ba5..944d5e1d5 100644 --- a/apparmor.d/groups/gnome/chrome-gnome-shell +++ b/apparmor.d/groups/gnome/chrome-gnome-shell @@ -10,6 +10,7 @@ include profile chrome-gnome-shell @{exec_path} { include include + include include include include @@ -23,8 +24,6 @@ profile chrome-gnome-shell @{exec_path} { @{exec_path} mr, @{bin}/ r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, deny @{HOME}/.* r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index ac5d6af81..fcafbda5f 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -17,6 +17,7 @@ profile deja-dup-monitor @{exec_path} { include include include + include network netlink raw, @@ -44,8 +45,6 @@ profile deja-dup-monitor @{exec_path} { @{bin}/ionice rix, @{bin}/deja-dup Px, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /var/tmp/ r, /tmp/ r, diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index c9a9d72c9..b56af123d 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -15,6 +15,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include + include include include include @@ -63,7 +64,6 @@ profile evolution-addressbook-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/icu/@{int}.@{int}/*.dat r, owner @{user_share_dirs}/evolution/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index fba734ad4..3d1d00f28 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -14,6 +14,7 @@ profile evolution-calendar-factory @{exec_path} { include include include + include include include include @@ -65,8 +66,6 @@ profile evolution-calendar-factory @{exec_path} { @{exec_path} mr, @{exec_path}-subprocess rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/calendar/{,**} rwk, owner @{user_cache_dirs}/evolution/tasks/{,**} rwk, diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index a5a1bd414..299d0738b 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -13,6 +13,7 @@ profile evolution-source-registry @{exec_path} { include include include + include include include include @@ -47,8 +48,6 @@ profile evolution-source-registry @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{user_cache_dirs}/evolution/{,**} rwk, owner @{user_config_dirs}/evolution/sources/{,*} rw, owner @{user_share_dirs}/evolution/{,**} r, diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 03e77816c..2882c3d9e 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -11,6 +11,7 @@ profile gdm-xsession @{exec_path} { include include include + include include include @@ -51,7 +52,6 @@ profile gdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/Xsession rPx, @{lib}/gnome-session-binary rPx, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/im-config/data/{,*} r, /usr/share/im-config/xinputrc.common r, diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index 95af09ed6..e95762b6a 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -11,6 +11,7 @@ profile gnome-browser-connector-host @{exec_path} { include include include + include @{exec_path} mr, @@ -19,8 +20,6 @@ profile gnome-browser-connector-host @{exec_path} { @{lib}/@{python_name}/site-packages/gnome_browser_connector/__pycache__/{,**} rw, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{PROC}/@{pid}/mounts r, include if exists diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 2f3e51670..6ddbd4b4c 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -35,8 +35,6 @@ profile gnome-shell-calendar-server @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/sysconfig/clock r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 5f05c21da..34ce2884d 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -27,7 +28,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 0190ad9b3..af1784e68 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include include network inet dgram, @@ -34,7 +35,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-settings-daemon/datetime/backward r, owner @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 45b3ea1b9..7b47b0676 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -34,7 +35,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index bdacbfd00..98ce848ba 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -15,6 +15,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -29,7 +30,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/{,opensc/}opensc.conf r, /etc/tpm2-tss/* rk, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 871203e6c..2b64ddf06 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -15,6 +15,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include + include signal receive set=(term, hup) peer=gdm*, @@ -29,7 +30,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 2359c9f39..3bfffdb6a 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -11,13 +11,12 @@ profile gsd-usb-protection @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - include if exists } diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index aeb46f6c0..b31532cae 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -9,8 +9,9 @@ include @{exec_path} = @{bin}/session-migration profile session-migration @{exec_path} { include - include include + include + include include @{exec_path} mr, @@ -21,7 +22,6 @@ profile session-migration @{exec_path} { @{bin}/gsettings rPx, /usr/share/session-migration/scripts/* rix, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/session-migration/{,**} r, owner @{gdm_share_dirs}/ w, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 1af0a2b37..46f543fa4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -14,6 +14,7 @@ profile gvfsd-network @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} @@ -44,8 +45,6 @@ profile gvfsd-network @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/gvfsd/ rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 59d778133..a90cddc50 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -13,6 +13,7 @@ profile gvfsd-smb-browse @{exec_path} { include include include + include include network netlink raw, @@ -35,8 +36,6 @@ profile gvfsd-smb-browse @{exec_path} { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /etc/samba/* r, /var/cache/samba/ rw, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 271ff23e4..3d2cbd63d 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -117,7 +117,6 @@ profile apport-gtk @{exec_path} { /usr/share/gdb/python/{,**/}__pycache__/{,**} rw, /usr/share/gdb/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/gnome-shell/{,**} r, /usr/share/terminfo/** r, /usr/share/themes/{,**} r, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 849599977..2e0eb2cf7 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -9,9 +9,10 @@ include @{exec_path} = @{bin}/gsettings profile gsettings @{exec_path} flags=(attach_disconnected) { include - include include + include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index b8e79c0dc..bf6c55093 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -10,13 +10,13 @@ include profile mission-control @{exec_path} flags=(attach_disconnected) { include include + include network netlink raw, @{exec_path} mr, /usr/share/telepathy/{,**} r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, owner @{user_share_dirs}/telepathy/ rw, owner @{user_share_dirs}/telepathy/mission-control/ rw, From 4f1fddd2fb38dfc5a36bdf0ef32cd815fd380cfb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 14:25:43 +0200 Subject: [PATCH 522/798] feat(profile): use natural transition instead of systemd drop in config when possible. As we can transition to the good profile naturally, do not use systemd for it. This bypass the apparmor error: `change_profile unprivileged unconfined converted to stacking`. Note: we cannot do the same for dbus-system and dbus-session are they have the same binary. --- systemd/default/user/at-spi-dbus-bus.service | 2 -- systemd/default/user/org.freedesktop.IBus.session.GNOME.service | 2 -- 2 files changed, 4 deletions(-) delete mode 100644 systemd/default/user/at-spi-dbus-bus.service delete mode 100644 systemd/default/user/org.freedesktop.IBus.session.GNOME.service diff --git a/systemd/default/user/at-spi-dbus-bus.service b/systemd/default/user/at-spi-dbus-bus.service deleted file mode 100644 index 9c1fad533..000000000 --- a/systemd/default/user/at-spi-dbus-bus.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=dbus-accessibility diff --git a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service b/systemd/default/user/org.freedesktop.IBus.session.GNOME.service deleted file mode 100644 index 818d5cdf3..000000000 --- a/systemd/default/user/org.freedesktop.IBus.session.GNOME.service +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -AppArmorProfile=ibus-daemon From f5e2572457acd411e3b0b7ec0f7725e4a64d0f99 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:37:47 +0200 Subject: [PATCH 523/798] feat(profile): cleanup usage of icons abs. --- apparmor.d/groups/freedesktop/xsetroot | 5 +---- apparmor.d/groups/gnome/gnome-control-center | 1 - apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/hyprland/hyprpaper | 3 +-- apparmor.d/groups/hyprland/hyprpicker | 3 +-- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kiod | 1 - apparmor.d/groups/kde/plasmashell | 3 --- apparmor.d/groups/lxqt/lxqt-runner | 1 - 9 files changed, 3 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index bc1291ef4..c0ddcb359 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xsetroot profile xsetroot @{exec_path} { include + include include capability dac_read_search, @@ -18,10 +19,6 @@ profile xsetroot @{exec_path} { @{exec_path} mr, - /usr/share/icons/{,**} r, - - owner @{HOME}/.icons/** r, - owner @{user_share_dirs}/sddm/xorg-session.log w, owner @{user_share_dirs}/sddm/wayland-session.log w, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 1c35a8ec1..fde43420a 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -88,7 +88,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-any, - /opt/**/share/icons/{,**} r, /snap/*/@{int}/**.png r, /usr/share/backgrounds/{,**} r, /usr/share/cups/data/testprint r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b34d18c00..5eb78d8bb 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -187,7 +187,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, - /opt/**/share/icons/{,**} r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/**.@{image_ext} r, /usr/share/**/icons/{,**} r, diff --git a/apparmor.d/groups/hyprland/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper index 3cb8dca92..6d0674d9f 100644 --- a/apparmor.d/groups/hyprland/hyprpaper +++ b/apparmor.d/groups/hyprland/hyprpaper @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/hyprpaper profile hyprpaper @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} mr, - /usr/share/icons/** r, - owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r, owner @{user_config_dirs}/hypr/hyprpaper.conf r, diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index a46d53f4c..7becc5fb6 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -9,12 +9,11 @@ include @{exec_path} = @{bin}/hyprpicker profile hyprpicker @{exec_path} { include + include @{exec_path} mr, @{bin}/wl-copy Px, - /usr/share/icons/** r, - owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, owner /dev/shm/@{uuid} r, diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 4b1e734ed..b70d50666 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -24,8 +24,6 @@ profile kaccess @{exec_path} { @{bin}/gsettings rPx, - /usr/share/icons/{,**} r, - /etc/machine-id r, owner @{user_config_dirs}/breezerc r, diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index cf9646051..4560427ad 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -20,7 +20,6 @@ profile kiod @{exec_path} { @{exec_path} mr, - /usr/share/icons/breeze/index.theme r, /usr/share/mime/{,**} r, owner @{user_config_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index e767d7bb5..45f0d43e9 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -77,9 +77,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { #aa:exec kioworker - /opt/**/share/icons/{,**} r, - /opt/*/**/*.desktop r, - /opt/*/**/*.png r, /snap/*/@{uid}/**.@{image_ext} r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, diff --git a/apparmor.d/groups/lxqt/lxqt-runner b/apparmor.d/groups/lxqt/lxqt-runner index 9477c1bda..5783c1fa0 100644 --- a/apparmor.d/groups/lxqt/lxqt-runner +++ b/apparmor.d/groups/lxqt/lxqt-runner @@ -14,7 +14,6 @@ profile lxqt-runner @{exec_path} { @{exec_path} mr, - /usr/share/icons/ r, /usr/share/desktop-directories/ r, /usr/share/desktop-directories/{,**} r, From ac6eac13334224bc5c0273fcef673e6bcbf41a1a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:47:07 +0200 Subject: [PATCH 524/798] feat(profile): cleanup usage of mime abs. --- apparmor.d/groups/flatpak/flatpak-portal | 5 +---- apparmor.d/groups/flatpak/flatpak-system-helper | 2 +- apparmor.d/groups/freedesktop/colord | 4 +--- apparmor.d/groups/gnome/gnome-photos-thumbnailer | 3 +-- apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer | 3 +-- apparmor.d/groups/gvfs/gvfsd-admin | 3 +-- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kiod | 2 -- apparmor.d/groups/kde/startplasma | 2 -- apparmor.d/groups/lxqt/lxqt-session | 1 - apparmor.d/groups/lxqt/startlxqt | 1 - apparmor.d/groups/virt/cni-calico | 3 +-- apparmor.d/groups/virt/k3s | 1 - apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/profiles-a-f/evince-thumbnailer | 2 +- apparmor.d/profiles-a-f/fwupd | 3 +-- apparmor.d/profiles-g-l/hugo | 2 +- apparmor.d/profiles-m-r/mimetype | 11 +---------- 18 files changed, 12 insertions(+), 40 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index b86f0a4fd..fdbdb9189 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -11,6 +11,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, @@ -32,11 +33,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPx, - /usr/share/mime/mime.cache r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, - owner /att/**/ r, owner @{att}/.flatpak-info r, @@ -44,7 +42,6 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { owner @{att}/@{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, owner @{user_config_dirs}/user-dirs.dirs r, - owner @{user_share_dirs}/mime/mime.cache r, owner @{run}/user/@{uid}/.flatpak/@{int}/* r, owner @{run}/user/@{uid}/.flatpak/@{int}-private/* r, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 1381a1483..0ca01d01d 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -11,6 +11,7 @@ profile flatpak-system-helper @{exec_path} { include include include + include include include include @@ -42,7 +43,6 @@ profile flatpak-system-helper @{exec_path} { /usr/share/flatpak/remotes.d/{,**} r, /usr/share/flatpak/triggers/ r, - /usr/share/mime/mime.cache r, /var/lib/flatpak/{,**} rwkl, /var/tmp/flatpak-cache-*/{,**} rw, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 81d0c9f6b..b3cda6307 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -14,6 +14,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, @@ -31,11 +32,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { /etc/udev/hwdb.bin r, /usr/share/color/icc/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/snmp/mibs/{,*} r, - @{system_share_dirs}/mime/mime.cache r, - owner /var/lib/colord/.cache/ rw, owner /var/lib/colord/.cache/** rw, owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk, diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 0182e9dad..31d9b7987 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -9,12 +9,11 @@ include @{exec_path} = @{lib}/gnome-photos-thumbnailer profile gnome-photos-thumbnailer @{exec_path} { include + include include @{exec_path} mr, - /usr/share/mime/mime.cache r, - owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index 51d5b43cf..56e448fd8 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -10,11 +10,10 @@ include profile gnome-shell-hotplug-sniffer @{exec_path} { include include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, - @{MOUNTS}/**/ r, @{MOUNTS}/** r, diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index e1b16cac3..44248cbe3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include include capability chown, @@ -20,8 +21,6 @@ profile gvfsd-admin @{exec_path} { @{exec_path} mr, - /usr/share/mime/mime.cache r, - #aa:lint ignore=too-wide # Full access to system's data, but no write access to sensitive system directories / r, diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index b70d50666..8258d1bde 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -29,8 +29,6 @@ profile kaccess @{exec_path} { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kaccessrc r, - owner @{user_share_dirs}/mime/generic-icons r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 4560427ad..571581059 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -20,8 +20,6 @@ profile kiod @{exec_path} { @{exec_path} mr, - /usr/share/mime/{,**} r, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksslcertificatemanager.lock rwk, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 5db93719c..a8c8cbd13 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -48,8 +48,6 @@ profile startplasma @{exec_path} { /etc/xdg/plasma-workspace/env/{,*} r, /etc/xdg/plasmarc r, - /var/lib/flatpak/exports/share/mime/ r, - @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/#@{int} rwk, owner @{user_cache_dirs}/kcrash-metadata/ rw, diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 3a4a6cd61..085b444b1 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -47,7 +47,6 @@ profile lxqt-session @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-user-dirs-update rPx, /usr/share/ r, - /usr/share/mime/ r, /usr/share/cursors/ r, /usr/share/backintime/common/* r, /usr/share/desktop-directories/* r, diff --git a/apparmor.d/groups/lxqt/startlxqt b/apparmor.d/groups/lxqt/startlxqt index a708e2336..3ae907116 100644 --- a/apparmor.d/groups/lxqt/startlxqt +++ b/apparmor.d/groups/lxqt/startlxqt @@ -31,7 +31,6 @@ profile startlxqt @{exec_path} { /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, /usr/share/kservices5/{,**} r, - /usr/share/mime/{,**} r, /etc/machine-id r, /etc/xdg/menus/{,**} r, diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index a6c9149d2..9015d2157 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/cni/calico /opt/cni/bin/calico profile cni-calico @{exec_path} flags=(attach_disconnected) { include + include capability sys_admin, capability net_admin, @@ -32,8 +33,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { /var/log/calico/cni/ r, /var/log/calico/cni/*.log rw, - /usr/share/mime/globs2 r, - @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 2142e28b9..59c4b9473 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -68,7 +68,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) { /var/lib/rancher/k3s/data/@{hex}/bin/* rix, @{lib}/kubernetes/kubelet-plugins/volume/exec/{,**} r, - /usr/share/mime/globs2 r, /etc/machine-id r, /etc/rancher/{,**} rw, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 2b0530ef5..23e8e20d1 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -23,6 +23,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include + include include capability audit_write, @@ -141,7 +142,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/hwdata/* r, /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, - /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r, /usr/share/qemu/{,**} r, diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index 95fdba512..6fbabaf28 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer @@ -9,10 +9,10 @@ include @{exec_path} = @{bin}/evince-thumbnailer profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, - /usr/share/mime/mime.cache r, /usr/share/poppler/{,**} r, owner @{tmp}/gnome-desktop-file-to-thumbnail.pdf r, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 58ba493cc..d7a72c236 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -17,6 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include include include @@ -57,7 +58,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /usr/share/fwupd/{,**} r, /usr/share/hwdata/* r, /usr/share/libdrm/*.ids r, - /usr/share/mime/mime.cache r, /usr/share/misc/*.ids r, /etc/fwupd/{,**} rw, @@ -77,7 +77,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{MOUNTDIRS}/*/{,@{efi}/} r, @{MOUNTDIRS}/*/{,@{efi}/}EFI/{,**} r, - /var/lib/flatpak/exports/share/mime/mime.cache r, owner /var/cache/fwupd/ rw, owner /var/cache/fwupd/** rwk, owner /var/lib/fwupd/ rw, diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index ed62f48f1..fd9c3dfa0 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/hugo profile hugo @{exec_path} { include + include include include @@ -26,7 +27,6 @@ profile hugo @{exec_path} { @{lib}/go/bin/go rix, /usr/share/git{,-core}/{,**} r, - /usr/share/mime/{,**} r, /usr/share/terminfo/** r, /etc/mime.types r, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 91d021fae..1576050b5 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -11,22 +11,13 @@ include profile mimetype @{exec_path} { include include + include @{exec_path} r, - /usr/share/mime/**.xml r, - /usr/share/mime/globs r, - /usr/share/mime/aliases r, - /usr/share/mime/magic r, - # To read files owner /** r, #aa:lint ignore=too-wide - owner @{user_share_dirs}/mime/**.xml r, - owner @{user_share_dirs}/mime/globs r, - owner @{user_share_dirs}/mime/aliases r, - owner @{user_share_dirs}/mime/magic r, - include if exists } From 45faf0eee06759b5a9213f65f51519b377a2a1ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 30 Aug 2025 19:57:09 +0200 Subject: [PATCH 525/798] fix(tunable): add missing lightdm_state_dirs tunable. --- apparmor.d/tunables/multiarch.d/system-users | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 73a3267a0..1513aae2f 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -26,6 +26,7 @@ @{lightdm_config_dirs}=@{LIGHTDM_HOME}/.config/ @{lightdm_local_dirs}=@{LIGHTDM_HOME}/.local/ @{lightdm_share_dirs}=@{LIGHTDM_HOME}/.local/share/ +@{lightdm_state_dirs}=@{LIGHTDM_HOME}/.local/state/ # Full path of all DE configuration directories @{DESKTOP_HOME}=@{GDM_HOME} @{SDDM_HOME} @{LIGHTDM_HOME} From a3426fef8cedc0a5b46a6184b2309d40598ecb30 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 13:23:48 +0200 Subject: [PATCH 526/798] feat: precise nvidia devices number. --- apparmor.d/abstractions/nvidia-strict | 2 +- apparmor.d/abstractions/nvidia.d/complete | 2 +- apparmor.d/groups/children/child-modprobe-nvidia | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index c3aa8e805..a7529eb9a 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -35,7 +35,7 @@ owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, - /dev/char/195:@{int} w, # Nvidia graphics devices + /dev/char/195:@{u8} w, # Nvidia graphics devices /dev/nvidia-modeset rw, /dev/nvidia@{int} rw, /dev/nvidiactl rw, diff --git a/apparmor.d/abstractions/nvidia.d/complete b/apparmor.d/abstractions/nvidia.d/complete index ef9d0c40d..e00385efd 100644 --- a/apparmor.d/abstractions/nvidia.d/complete +++ b/apparmor.d/abstractions/nvidia.d/complete @@ -8,6 +8,6 @@ /etc/nvidia/nvidia-application-profiles* r, - /dev/char/195:@{int} rw, # Nvidia graphics devices + /dev/char/195:@{u8} rw, # Nvidia graphics devices # vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 61191fe9d..8e991cee7 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -41,7 +41,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{PROC}/modules r, owner /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - owner /dev/char/195:@{int} w, # Nvidia graphics devices + owner /dev/char/195:@{u8} w, # Nvidia graphics devices /dev/nvidia-modeset w, /dev/nvidia-uvm w, From 9ee26050261c69e4f0654ec0e87e6d26d958b8e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 13:29:11 +0200 Subject: [PATCH 527/798] tests(packer): simplify pkg install script. --- tests/packer/init.sh | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/tests/packer/init.sh b/tests/packer/init.sh index 630da6b0f..44a86220f 100644 --- a/tests/packer/init.sh +++ b/tests/packer/init.sh @@ -3,16 +3,11 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -set -eux +set -eux -o pipefail -_lsb_release() { - # shellcheck source=/dev/null - . /etc/os-release - echo "$ID" -} -DISTRIBUTION="$(_lsb_release)" +# shellcheck source=/dev/null +source /etc/os-release || exit 1 readonly SRC=/tmp/ -readonly DISTRIBUTION main() { install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" @@ -24,7 +19,7 @@ main() { install -Dm0755 $SRC/aa-clean /usr/bin/aa-clean chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" - case "$DISTRIBUTION" in + case "$ID" in arch) rm -f $SRC/*.sig # Ignore signature files rm -f $SRC/*enforced* # Ignore enforced package @@ -32,8 +27,10 @@ main() { ;; debian | ubuntu) - apt-get install -y apparmor-profiles - dpkg -i $SRC/*.deb || true + # Do not install apparmor.d on the current development version + if [[ $VERSION_ID != "25.10" ]]; then + dpkg -i $SRC/*.deb || true + fi ;; opensuse*) From 9a4d878557b814fbeac1c3636b3cfb29550aa24a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 17:38:00 +0200 Subject: [PATCH 528/798] refractor(abs): add screensaver abs, move bus screensaver abs. --- apparmor.d/abstractions/app/chromium | 3 +-- .../abstractions/bus/org.gnome.ScreenSaver | 21 --------------- .../bus/session/org.freedesktop.ScreenSaver | 26 +++++++++++++++++++ .../org.gnome.ScreenSaver} | 12 +++++---- apparmor.d/abstractions/screensaver | 14 ++++++++++ apparmor.d/groups/gnome/gnome-session-binary | 4 +-- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/profiles-a-f/discord | 2 +- apparmor.d/profiles-a-f/element-desktop | 2 +- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-m-r/pinentry-gnome3 | 2 +- apparmor.d/profiles-s-z/signal-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/totem | 2 +- apparmor.d/profiles-s-z/vlc | 2 +- 15 files changed, 59 insertions(+), 39 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.gnome.ScreenSaver create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver rename apparmor.d/abstractions/bus/{org.freedesktop.ScreenSaver => session/org.gnome.ScreenSaver} (51%) create mode 100644 apparmor.d/abstractions/screensaver diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 8f991c230..dad131d64 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -26,11 +26,9 @@ include include include - include include include include - include include include include @@ -40,6 +38,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver deleted file mode 100644 index 46d1a1006..000000000 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ /dev/null @@ -1,21 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console - - dbus send bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member=GetActive - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/gnome/ScreenSaver - interface=org.gnome.ScreenSaver - member={ActiveChanged,WakeUpScreen} - peer=(name="@{busname}", label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver new file mode 100644 index 000000000..ee837b886 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + dbus send bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), + + dbus send bus=session path=/{,org/freedesktop/}ScreenSaver + interface=org.freedesktop.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + dbus receive bus=session path=/org/freedesktop/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={ActiveChanged,WakeUpScreen} + peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver similarity index 51% rename from apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver rename to apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver index f73768e9f..27c456637 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver @@ -2,18 +2,20 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow checking status, activating and locking the screensaver (GNOME version) + abi , - dbus send bus=session path=/ScreenSaver - interface=org.freedesktop.ScreenSaver - member={Inhibit,UnInhibit} - peer=(name=org.freedesktop.ScreenSaver), + dbus send bus=session path=/{,org/gnome/}ScreenSaver + interface=org.gnome.ScreenSaver + member={GetActive,GetActiveTime,Lock,SetActive} + peer=(name=@{busname}, label=gjs-console), dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member={ActiveChanged,WakeUpScreen} peer=(name=@{busname}, label=gjs-console), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/screensaver b/apparmor.d/abstractions/screensaver new file mode 100644 index 000000000..1a9369091 --- /dev/null +++ b/apparmor.d/abstractions/screensaver @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow checking status, activating and locking the screensaver + + abi , + + include if exists + include if exists + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 447c030d6..b011935ae 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -14,13 +14,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include include - include + include include include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 379f7b814..39cf990ca 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -23,7 +23,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network netlink raw, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 3b34d5055..e12c25b9d 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -18,9 +18,9 @@ profile discord @{exec_path} flags=(attach_disconnected) { include include include - include include include + include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index ec7ee9c65..f87486af3 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -18,10 +18,10 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 95e37b4d6..958f9b5ee 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -18,10 +18,10 @@ profile freetube @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index f4a61b07b..b60d929e2 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -11,8 +11,8 @@ profile pinentry-gnome3 @{exec_path} { include include include - include include + include signal receive set=int, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index bf0740919..d91285558 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -18,10 +18,10 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index ed1ccfe1c..659d650fe 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -22,7 +22,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index fc582cae2..d8b464956 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,10 +10,10 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include include include include + include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index d572ce9b8..ccf1abb61 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -14,7 +14,6 @@ profile vlc @{exec_path} { include include include - include include include include @@ -27,6 +26,7 @@ profile vlc @{exec_path} { include include include + include include include From 5cc5a019d4b875ebb283b31848bf9413a8d8e76d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 17:40:42 +0200 Subject: [PATCH 529/798] feat(profile): snap: add support for dev version. --- apparmor.d/groups/snap/snap | 4 ++-- apparmor.d/groups/snap/snap-discard-ns | 2 +- apparmor.d/groups/snap/snap-failure | 2 +- apparmor.d/groups/snap/snap-seccomp | 2 +- apparmor.d/groups/snap/snap-update-ns | 2 +- apparmor.d/groups/snap/snapd | 4 ++-- apparmor.d/groups/snap/snapd-aa-prompt-listener | 2 +- apparmor.d/groups/snap/snapd-aa-prompt-ui | 2 +- apparmor.d/groups/snap/snapd-apparmor | 2 +- 9 files changed, 11 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 927d7a3da..0d38fc055 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{bin_dirs}/snap profile snap @{exec_path} flags=(attach_disconnected) { diff --git a/apparmor.d/groups/snap/snap-discard-ns b/apparmor.d/groups/snap/snap-discard-ns index 38396f3eb..0ccb3f1c7 100644 --- a/apparmor.d/groups/snap/snap-discard-ns +++ b/apparmor.d/groups/snap/snap-discard-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-discard-ns profile snap-discard-ns @{exec_path} { diff --git a/apparmor.d/groups/snap/snap-failure b/apparmor.d/groups/snap/snap-failure index edc9845e8..bed3a2d12 100644 --- a/apparmor.d/groups/snap/snap-failure +++ b/apparmor.d/groups/snap/snap-failure @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-failure profile snap-failure @{exec_path} { diff --git a/apparmor.d/groups/snap/snap-seccomp b/apparmor.d/groups/snap/snap-seccomp index 2a14fd583..90c1724be 100644 --- a/apparmor.d/groups/snap/snap-seccomp +++ b/apparmor.d/groups/snap/snap-seccomp @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-seccomp profile snap-seccomp @{exec_path} flags=(attach_disconnected) { diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index 98ee0e5e7..e831cc90c 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snap-update-ns profile snap-update-ns @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 06de56063..4a928e6d4 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -6,8 +6,8 @@ abi , include -@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin} -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{bin_dirs} = @{bin}/ /snap/{snapd,core}/{,x}@{int}@{bin} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd profile snapd @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-listener b/apparmor.d/groups/snap/snapd-aa-prompt-listener index 7b9adced7..37730ba6f 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-listener +++ b/apparmor.d/groups/snap/snapd-aa-prompt-listener @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-listener profile snapd-aa-prompt-listener @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-aa-prompt-ui b/apparmor.d/groups/snap/snapd-aa-prompt-ui index 0d26f42d3..99dc98efe 100644 --- a/apparmor.d/groups/snap/snapd-aa-prompt-ui +++ b/apparmor.d/groups/snap/snapd-aa-prompt-ui @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui profile snapd-aa-prompt-ui @{exec_path} { diff --git a/apparmor.d/groups/snap/snapd-apparmor b/apparmor.d/groups/snap/snapd-apparmor index 63251a976..47b939fa0 100644 --- a/apparmor.d/groups/snap/snapd-apparmor +++ b/apparmor.d/groups/snap/snapd-apparmor @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{lib_dirs}/snapd/snapd-apparmor profile snapd-apparmor @{exec_path} { From 458126e7d7fea79a92b84fef53a455f79b8c0445 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 18:14:32 +0200 Subject: [PATCH 530/798] refractor(profile): add notification abs, move bus notifications. --- apparmor.d/abstractions/app/chromium | 2 +- .../bus/org.freedesktop.Notifications | 26 ------------------- .../bus/session/org.freedesktop.Notifications | 21 +++++++++++++++ .../bus/{ => session}/org.gtk.Notifications | 0 apparmor.d/abstractions/notifications | 12 +++++++++ apparmor.d/groups/gnome/gnome-extension-ding | 2 +- apparmor.d/groups/gnome/gnome-shell | 3 +-- apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-a-f/dropbox | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/session-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 4 ++- apparmor.d/profiles-s-z/transmission | 2 +- 16 files changed, 47 insertions(+), 39 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.Notifications create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.Notifications rename apparmor.d/abstractions/bus/{ => session}/org.gtk.Notifications (100%) create mode 100644 apparmor.d/abstractions/notifications diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index dad131d64..f08a096ca 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -25,7 +25,6 @@ include include include - include include include include @@ -38,6 +37,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications deleted file mode 100644 index 6962bf7ec..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications +++ /dev/null @@ -1,26 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console - - dbus send bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={GetCapabilities,GetServerInformation,Notify} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member={NotificationClosed,CloseNotification} - peer=(name="@{busname}", label=gjs-console), - - dbus receive bus=session path=/org/freedesktop/Notifications - interface=org.freedesktop.DBus.Properties - member=Notify - peer=(name=org.freedesktop.DBus, label=gjs-console), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications new file mode 100644 index 000000000..5c10a9eae --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}" + + dbus send bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={GetCapabilities,GetServerInformation,Notify,CloseNotification} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + dbus receive bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member={ActionInvoked,NotificationClosed,NotificationReplied} + peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications similarity index 100% rename from apparmor.d/abstractions/bus/org.gtk.Notifications rename to apparmor.d/abstractions/bus/session/org.gtk.Notifications diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications new file mode 100644 index 000000000..8232b54b5 --- /dev/null +++ b/apparmor.d/abstractions/notifications @@ -0,0 +1,12 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 695be9f0d..e47cc66a3 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -19,7 +19,6 @@ profile gnome-extension-ding @{exec_path} { include include include - include include include include @@ -29,6 +28,7 @@ profile gnome-extension-ding @{exec_path} { include include include + include unix (send,receive) type=stream addr=none peer=(label=gnome-shell), diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 5eb78d8bb..0876b90d1 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -25,9 +25,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include - include include include include @@ -41,6 +39,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index f3845daef..baaac245f 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -13,11 +13,11 @@ profile gnome-software @{exec_path} { include include include - include include include include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 39cf990ca..63ab49c5e 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -18,7 +18,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -30,6 +29,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 8e9cddd54..0de63ac64 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -14,13 +14,13 @@ profile update-notifier @{exec_path} { include include include - include include include include include include include + include include unix (bind) type=stream addr=@@{udbus}/bus/systemd/bus-api-user, diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index f40d69799..57487b15c 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -16,11 +16,11 @@ include profile dropbox @{exec_path} { include include - include include include include include + include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 366c2aed6..78781ba28 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -11,12 +11,12 @@ include profile filezilla @{exec_path} { include include - include include include include include include + include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index c2bc95465..17ca1ec5a 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -16,7 +16,6 @@ profile remmina @{exec_path} { include include include - include include include include @@ -25,6 +24,7 @@ profile remmina @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index dc190b787..cafccd791 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -17,9 +17,9 @@ profile session-desktop @{exec_path} { include include include - include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 659d650fe..56f5e91b8 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -19,8 +19,9 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include - include + include include include include @@ -30,6 +31,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index ad219f1ab..78d67787d 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -12,12 +12,12 @@ profile transmission @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include + include include include include From bd295d2a9d2fe0afc6361ca8528eb531051e9f0c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:23:04 +0200 Subject: [PATCH 531/798] refractor: move gtk dbus to they own abs. --- .../abstractions/bus/session/org.gtk.Actions | 22 +++++++++++++++++++ .../abstractions/bus/session/org.gtk.Settings | 18 +++++++++++++++ apparmor.d/abstractions/gtk.d/complete | 19 ++-------------- 3 files changed, 42 insertions(+), 17 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Actions create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Settings diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Actions b/apparmor.d/abstractions/bus/session/org.gtk.Actions new file mode 100644 index 000000000..899f244a8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Actions @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), + + dbus receive bus=session + interface=org.gtk.Actions + member={Activate,DescribeAll,SetState}, + + dbus send bus=session + interface=org.gtk.Actions + member=Changed, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Settings b/apparmor.d/abstractions/bus/session/org.gtk.Settings new file mode 100644 index 000000000..9d2dd282a --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Settings @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gsd-xsettings), + dbus receive bus=session path=/org/gtk/Settings + interface=org.freedesktop.DBus.Properties + member=PropertiesChanged + peer=(name=@{busname}, label=gsd-xsettings), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 99cf70d97..356e97705 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -2,23 +2,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - dbus receive bus=session - interface=org.gtk.Actions - member={Activate,DescribeAll,SetState} - peer=(name=@{busname}), - - dbus send bus=session - interface=org.gtk.Actions - member=Changed, - - dbus send bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gsd-xsettings), - dbus receive bus=session path=/org/gtk/Settings - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=gsd-xsettings), + include + include @{lib}/{,@{multiarch}/}gtk*/** mr, From bd7ae9bb56badbb168d88dc0de859f59a1ad7344 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:23:40 +0200 Subject: [PATCH 532/798] chore: improve comment in type definition. --- pkg/prebuild/builder/stacked-dbus.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index 33af33df7..e33ecf4b7 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -19,7 +19,7 @@ var ( } ) -// Fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 +// StackedDbus is a fix for https://gitlab.com/apparmor/apparmor/-/issues/537#note_2699570190 type StackedDbus struct { prebuild.Base } From eee8241eb7649a302b65f6e840018755dd308b04 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 21:28:53 +0200 Subject: [PATCH 533/798] chore: cosmetic fixes. --- .../abstractions/bus/session/org.freedesktop.Notifications | 2 +- apparmor.d/abstractions/bus/session/org.gtk.Notifications | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications index 5c10a9eae..b51c4bdcb 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -16,6 +16,6 @@ member={ActionInvoked,NotificationClosed,NotificationReplied} peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Notifications b/apparmor.d/abstractions/bus/session/org.gtk.Notifications index ad1a1ffad..151c642a8 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.Notifications +++ b/apparmor.d/abstractions/bus/session/org.gtk.Notifications @@ -11,6 +11,6 @@ member={AddNotification,RemoveNotification} peer=(name=org.gtk.Notifications, label=gnome-shell), - include if exists + include if exists # vim:syntax=apparmor From 7eaae9e68c701e24710784c52e9db9fd2d44da87 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 22:25:57 +0200 Subject: [PATCH 534/798] fix(profile): wrong path in abstraction. --- apparmor.d/abstractions/notifications | 4 ++-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 5 +++-- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/notifications b/apparmor.d/abstractions/notifications index 8232b54b5..81d5cc94c 100644 --- a/apparmor.d/abstractions/notifications +++ b/apparmor.d/abstractions/notifications @@ -4,8 +4,8 @@ abi , - include - include + include + include include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index c9585e2ab..92e6c9484 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,7 +9,6 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -17,15 +16,17 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include include include include include include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 3f57b3035..22c02a97f 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,7 +21,6 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include include include include @@ -29,6 +28,7 @@ profile gnome-extension-gsconnect @{exec_path} { include include include + include include include include From 7cfff26ee273fca78aaea077cf63166d4883e2cb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 22:46:52 +0200 Subject: [PATCH 535/798] fix(profile): abstraction not updated. --- apparmor.d/profiles-s-z/superproductivity | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 73a86672f..f7abf758b 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -20,13 +20,13 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include include + include network inet stream, network inet6 stream, From a1ba00bec3e964e11cae0dd94346f8aebdffc188 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 31 Aug 2025 23:00:13 +0200 Subject: [PATCH 536/798] feat(profile): general profile update. --- apparmor.d/groups/apparmor/apparmor_parser | 4 ++-- apparmor.d/groups/apt/debconf-frontend | 4 +++- apparmor.d/groups/apt/dpkg-scripts | 1 + apparmor.d/groups/bluetooth/obexd | 5 +++++ apparmor.d/groups/cron/anacron | 3 +++ apparmor.d/groups/cups/cups-browsed | 4 +++- apparmor.d/groups/flatpak/flatpak | 3 +++ apparmor.d/groups/flatpak/flatpak-system-helper | 8 +++++++- apparmor.d/groups/freedesktop/wireplumber | 8 +++++--- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/gnome/deja-dup-monitor | 13 +++++++++++++ apparmor.d/groups/gnome/gdm-session | 11 ++++++----- apparmor.d/groups/gnome/gnome-calculator | 1 + apparmor.d/groups/gnome/gnome-control-center | 3 ++- apparmor.d/groups/gnome/gnome-session | 3 +++ apparmor.d/groups/gnome/gnome-session-binary | 5 +++-- apparmor.d/groups/gnome/gnome-shell-calendar-server | 1 + apparmor.d/groups/gnome/gnome-system-monitor | 5 +++-- apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/gsd-housekeeping | 1 + apparmor.d/groups/gnome/gsd-usb-protection | 1 + apparmor.d/groups/gnome/gsd-wwan | 7 +++++++ apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/ptyxis | 1 + apparmor.d/groups/kde/DiscoverNotifier | 1 + apparmor.d/groups/procps/htop | 1 + apparmor.d/groups/ssh/sshd | 2 ++ apparmor.d/groups/systemd/systemd-coredump | 3 +++ apparmor.d/groups/systemd/systemd-detect-virt | 3 +++ apparmor.d/groups/systemd/systemd-remount-fs | 3 ++- apparmor.d/groups/systemd/systemd-udevd | 8 ++++++++ apparmor.d/groups/systemd/zram-generator | 8 ++++++-- apparmor.d/groups/ubuntu/apport-gtk | 1 + apparmor.d/groups/utils/who | 2 +- apparmor.d/profiles-a-f/finalrd | 1 + apparmor.d/profiles-g-l/gsettings | 1 - apparmor.d/profiles-g-l/issue-generator | 3 ++- apparmor.d/profiles-m-r/mimetype | 2 +- apparmor.d/profiles-s-z/signal-desktop | 1 + apparmor.d/profiles-s-z/udev-fido_id | 1 + apparmor.d/profiles-s-z/update-info-dir | 3 ++- apparmor.d/profiles-s-z/wsdd | 8 +++++++- apparmor.d/profiles-s-z/xournalpp | 2 +- 43 files changed, 121 insertions(+), 30 deletions(-) diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index 0a9f9fcaf..a5769931c 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib} +@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib} @{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @@ -46,7 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit - deny /apparmor/.null rw, + /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? include if exists } diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 4660755d6..6e80839fe 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -25,7 +25,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{bin}/stty ix, @{sbin}/update-secureboot-policy Px, - # debconf apps + # Debconf apps @{bin}/adequate Px, @{bin}/debconf-apt-progress Px, @{bin}/linux-check-removal Px, @@ -49,6 +49,8 @@ profile debconf-frontend @{exec_path} flags=(complain) { @{lib}/dkms/dkms-* rPUx, @{lib}/dkms/dkms_* rPUx, + /etc/libpaper.d/texlive-base rPUx, + /usr/share/debconf/{,**} r, /etc/inputrc r, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 7d2073768..8ae76e706 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -76,6 +76,7 @@ profile dpkg-scripts @{exec_path} { @{run}/** rw, @{efi}/grub/* rw, + /tmp/fmtutil.@{rand8} rw, /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 65ad4c0e5..3ea17a4e5 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -25,6 +25,11 @@ profile obexd @{exec_path} { member=Release peer=(name=:*, label="@{p_bluetoothd}"), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{user_cache_dirs}/ rw, diff --git a/apparmor.d/groups/cron/anacron b/apparmor.d/groups/cron/anacron index 3756c1d03..3acfc14fd 100644 --- a/apparmor.d/groups/cron/anacron +++ b/apparmor.d/groups/cron/anacron @@ -28,6 +28,7 @@ profile anacron @{exec_path} { @{tmp}/file@{rand6} rw, /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, profile run-parts { include @@ -39,7 +40,9 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, + /tmp/anacron-@{rand6} rw, + /tmp/anacron-@{rand6}@{c} rw, include if exists } diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index a7773a57f..7330d67c9 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -49,9 +49,11 @@ profile cups-browsed @{exec_path} { /etc/cups/{,**} r, - /var/cache/cups/{,**} rw, /var/log/cups/{,**} rw, + /var/cache/cups/{,**} rw, + owner /var/cache/cups-browsed/{,**} rw, + owner @{tmp}/@{hex} rw, @{run}/cups/certs/* r, diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index c540b9db8..e73408a0a 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -154,6 +154,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain capability setuid, + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak), + mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, umount /var/tmp/flatpak-cache-*/*/, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index 0ca01d01d..cdfef1bad 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -28,6 +28,11 @@ profile flatpak-system-helper @{exec_path} { ptrace read, + unix type=seqpacket peer=(label=dbus-system), + unix type=seqpacket peer=(label=flatpak), + unix type=seqpacket peer=(label=flatpak//fusermount), + unix type=seqpacket peer=(label=unconfined), + #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper @{exec_path} mr, @@ -54,7 +59,8 @@ profile flatpak-system-helper @{exec_path} { @{tmp}/remote-summary-sig.@{rand6} r, @{tmp}/remote-summary.@{rand6} r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 7aff8bdd2..aefdc339d 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -47,8 +47,8 @@ profile wireplumber @{exec_path} { /usr/share/wireplumber/{,**} r, owner @{desktop_local_dirs}/ w, - owner @{desktop_local_dirs}/state/ w, - owner @{desktop_local_dirs}/state/wireplumber/{,**} rw, + owner @{desktop_state_dirs}/ w, + owner @{desktop_state_dirs}/wireplumber/{,**} rw, owner @{HOME}/.local/ w, owner @{user_state_dirs}/ w, @@ -81,8 +81,10 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + @{PROC}/1/status r, @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 89acacd34..21c99827b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -68,7 +68,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{lib}/xdg-desktop-portal-validate-icon rPx, - @{open_path} rPx -> child-open, + @{open_path} mrPx -> child-open, / r, @{att}/.flatpak-info r, diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index fcafbda5f..a0fb366ab 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -18,6 +18,8 @@ profile deja-dup-monitor @{exec_path} { include include include + include + include network netlink raw, @@ -39,15 +41,26 @@ profile deja-dup-monitor @{exec_path} { member=GetAll peer=(name=@{busname}, label=power-profiles-daemon), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/chrt rix, @{bin}/ionice rix, @{bin}/deja-dup Px, + /usr/share/gvfs/remote-volume-monitors/{,**} r, + /var/tmp/ r, /tmp/ r, + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 9a42bcdf1..c08d12a07 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -14,11 +14,12 @@ profile gdm-session @{exec_path} { include include - signal (receive) set=(hup term) peer=gdm-session-worker, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=dbus-session, - signal (send) set=(term) peer=gnome-session-binary, - signal (send) set=(term) peer=xorg, + signal receive set=(hup term) peer=gdm-session-worker, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=dbus-session, + signal send set=(term) peer=gnome-session-binary, + signal send set=(term) peer=xorg, + signal send set=term peer=gnome-session, dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2e553d9f4..4e83bfb76 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -10,6 +10,7 @@ include profile gnome-calculator @{exec_path} { include include + include include # Needed to get currency exchange rates diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index fde43420a..111facf64 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -130,7 +130,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-control-center/{,**} rw, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/mimeapps.list w, + owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw, owner @{user_games_dirs}/**.png r, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 1f29958d1..7bcf80431 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -9,7 +9,10 @@ include @{exec_path} = @{bin}/gnome-session profile gnome-session @{exec_path} { include + include include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index b011935ae..f4c61c5c6 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -28,8 +28,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(term, hup) peer=gdm*, - signal (send) set=(term) peer=gsd-*, + signal receive set=(term, hup) peer=gdm*, + signal send set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" @@ -67,6 +67,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{gdm_cache_dirs}/gdm/Xauthority r, + owner @{gdm_config_dirs}/ rw, owner @{gdm_config_dirs}/dconf/user rw, owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 6ddbd4b4c..37bb7b374 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -11,6 +11,7 @@ profile gnome-shell-calendar-server @{exec_path} { include include include + include include #aa:dbus own bus=session name=org.gnome.Shell.CalendarServer diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index e4ac12011..8bcb629a9 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -22,9 +22,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - ptrace (read), + ptrace read, - signal (send) set=(kill term cont stop), + signal send set=(kill term cont stop), #aa:dbus own bus=session name=org.gnome.SystemMonitor @@ -75,6 +75,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/smaps r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/diskstats r, @{PROC}/vmstat r, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index c399eadc7..5c8ab7c8a 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -12,6 +12,7 @@ profile gnome-text-editor @{exec_path} { include include include + include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 35f43a93e..83fcbd7c6 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -17,6 +17,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 3bfffdb6a..7f03d9fc5 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -12,6 +12,7 @@ profile gsd-usb-protection @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index ab2b2b089..3a5ee53df 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -10,10 +10,17 @@ include profile gsd-wwan @{exec_path} { include include + include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 2e21750b9..7618dc3b6 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -43,7 +43,7 @@ profile gsd-xsettings @{exec_path} { dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts - member=UserAdded + member={UserAdded,UserDeleted} peer=(name=@{busname}, label="@{p_accounts_daemon}"), dbus send bus=system path=/org/freedesktop/Accounts/User@{uid} diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index 838dc940c..b0239f404 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -12,6 +12,7 @@ profile ptyxis @{exec_path} { include include include + include unix type=stream peer=(label=ptyxis-agent), diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 2307c709f..0965396ab 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -34,6 +34,7 @@ profile DiscoverNotifier @{exec_path} { @{exec_path} mr, @{bin}/apt-config rPx, + @{bin}/plasma-discover rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index 4937f6875..ef14d9ca9 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -112,6 +112,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/oom_score r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/statm r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/wchan r, @{PROC}/@{pids}/task/ r, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 40cf0bca2..633076ad6 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -69,6 +69,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sbin}/sshd.hmac r, + @{bin}/@{shells} Ux, #aa:exclude RBAC @{bin}/false ix, @{sbin}/nologin Px, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index db1854f1f..061b93ffd 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -52,6 +52,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{att}/@{run}/systemd/coredump rw, @{run}/systemd/coredump rw, + @{PROC}/@{pids}/auxv r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/comm r, @@ -59,9 +60,11 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/maps r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/ns/ r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/setgroups r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 9b78b7c04..ca6eae3ad 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -43,6 +43,9 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { /dev/cpu/@{int}/msr r, + deny capability net_admin, + deny capability perfmon, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 96b182e5f..73213160b 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -23,7 +23,8 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) { @{bin}/mount rix, - /etc/blkid.conf r, + @{etc_ro}/blkid.conf r, + @{etc_ro}/blkid.conf.d/{,**} r, /etc/fstab r, @{run}/host/container-manager r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 640e48f3f..cb9592d47 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -128,6 +128,14 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { include include + capability sys_module, + + @{sh_path} rix, + @{bin}/kmod ix, + + @{sys}/module/*/initstate r, + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 473848ef3..193bfc9b6 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -13,7 +13,7 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/kmod rCx, + @{bin}/kmod rCx -> kmod, @{bin}/systemd-detect-virt rPx, @{lib}/systemd/systemd-makefs rPx, @@ -31,10 +31,14 @@ profile zram-generator @{exec_path} flags=(attach_disconnected) { owner /dev/pts/@{int} rw, - profile kmod { + profile kmod flags=(attach_disconnected) { include include + capability sys_module, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 3d2cbd63d..d7480a212 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -17,6 +17,7 @@ profile apport-gtk @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who index d951bfe03..d9ca9e164 100644 --- a/apparmor.d/groups/utils/who +++ b/apparmor.d/groups/utils/who @@ -7,7 +7,7 @@ abi , include -@{exec_path} = @{bin}/who +@{exec_path} = @{bin}/{,gnu}who profile who @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/finalrd b/apparmor.d/profiles-a-f/finalrd index b22730a27..7ce69ab64 100644 --- a/apparmor.d/profiles-a-f/finalrd +++ b/apparmor.d/profiles-a-f/finalrd @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/finalrd profile finalrd @{exec_path} { include + include capability dac_read_search, capability sys_admin, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 2e0eb2cf7..9b8eca8ee 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -16,7 +16,6 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 7783c8005..093cd7100 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -19,6 +19,7 @@ profile issue-generator @{exec_path} { @{bin}/cat rix, @{bin}/chmod rix, @{bin}/cmp rix, + @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/rm rix, @@ -30,7 +31,7 @@ profile issue-generator @{exec_path} { @{run}/agetty.reload w, @{run}/issue rw, @{run}/issue.@{rand10} rw, - @{run}/issue.d/{,**} r, + @{run}/issue.d/{,**} rw, /dev/tty rw, diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype index 1576050b5..32950dbc4 100644 --- a/apparmor.d/profiles-m-r/mimetype +++ b/apparmor.d/profiles-m-r/mimetype @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype profile mimetype @{exec_path} { include - include + include include @{exec_path} r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index d91285558..001f8605a 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -21,6 +21,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 9c686b19d..453e0093a 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id @@ -14,6 +14,7 @@ profile udev-fido_id @{exec_path} { @{exec_path} mr, /etc/udev/udev.conf r, + /etc/udev/udev.conf.d/{,**} r, @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/platform/**/report_descriptor r, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index fe06b32af..dc2a0d7aa 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -14,8 +14,9 @@ profile update-info-dir @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/install-info Px, + @{bin}/cp ix, @{bin}/find ix, + @{bin}/install-info Px, @{bin}/rm ix, /etc/environment r, diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index fc6955793..b72cff3c4 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -9,9 +9,14 @@ include @{exec_path} = @{bin}/wsdd profile wsdd @{exec_path} { include + include include include + # wsdd can create its own chroot as a built-in security mechanism. + # This is used by default in the systemd wsdd-server service. + capability sys_chroot, + network inet dgram, network inet stream, network inet6 dgram, @@ -28,7 +33,8 @@ profile wsdd @{exec_path} { owner /var/lib/libuuid/clock.txt rw, @{run}/uuidd/request rw, - owner @{run}/user/@{uid}/gvfsd/wsdd w, + owner @{run}/user/@{uid}/wsdd w, + owner @{run}/user/@{uid}/*/wsdd w, include if exists } diff --git a/apparmor.d/profiles-s-z/xournalpp b/apparmor.d/profiles-s-z/xournalpp index 6442fe8b9..0d6c4d65f 100644 --- a/apparmor.d/profiles-s-z/xournalpp +++ b/apparmor.d/profiles-s-z/xournalpp @@ -37,7 +37,7 @@ profile xournalpp @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/snd/controlC@{int} w, - /dev/snd/pcmC@{rand4} rw, + /dev/snd/pcmC@{int}D@{int}[cp] w, include if exists } From 4f9d2703d4851a196b0e4af88d549f4b24bdc2b4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:07:01 +0200 Subject: [PATCH 537/798] build: separate the base-strict abs from the re-attach builder. Enable the use of the base-strict abs on all setup. --- apparmor.d/abstractions/attached/base | 2 +- cmd/prebuild/main.go | 5 +++-- pkg/prebuild/builder/attach.go | 5 +---- pkg/prebuild/builder/base-strict.go | 32 +++++++++++++++++++++++++++ 4 files changed, 37 insertions(+), 7 deletions(-) create mode 100644 pkg/prebuild/builder/base-strict.go diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 29c685f55..8741942ff 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -8,7 +8,7 @@ abi , - include + include @{att}/@{run}/systemd/journal/dev-log w, @{att}/@{run}/systemd/journal/socket w, diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 62685202f..5eb1ab2f2 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -32,8 +32,9 @@ func init() { // Build tasks applied by default builder.Register( - "userspace", // Resolve variable in profile attachments - "hotfix", // Temporary fix for #74, #80 & #235 + "userspace", // Resolve variable in profile attachments + "hotfix", // Temporary fix for #74, #80 & #235 + "base-strict", // Use base-strict as base abstraction ) // Matrix of ABI/Apparmor version to integrate with diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index d27908129..66ef18aef 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -49,10 +49,7 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { } else { insert = "@{att} = /\n" - profile = strings.ReplaceAll(profile, - "include ", - "include ", - ) + } return strings.Replace(profile, origin, insert+origin, 1), nil diff --git a/pkg/prebuild/builder/base-strict.go b/pkg/prebuild/builder/base-strict.go new file mode 100644 index 000000000..29a065629 --- /dev/null +++ b/pkg/prebuild/builder/base-strict.go @@ -0,0 +1,32 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package builder + +import ( + "strings" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +type BaseStrict struct { + prebuild.Base +} + +func init() { + RegisterBuilder(&BaseStrict{ + Base: prebuild.Base{ + Keyword: "base-strict", + Msg: "Feat: use 'base-strict' as base abstraction", + }, + }) +} + +func (b BaseStrict) Apply(opt *Option, profile string) (string, error) { + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) + return profile, nil +} From 7c6f7767575b2a0b6ed7870c6bd38483c42e1fb1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:12:30 +0200 Subject: [PATCH 538/798] build: set default att to "" when not enabled. It fixes various issues with multiple / that are not collapsed in they canonical form in file rules See https://gitlab.com/apparmor/apparmor/-/issues/450#note_2158840105 --- apparmor.d/tunables/multiarch.d/system | 3 +-- pkg/prebuild/prepare/attach.go | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index cf8575db0..b29be3f0c 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -69,7 +69,6 @@ # Default attachment path when re-attached path disconnected path is ignored. # Disabled on abi3 and Ubuntu 25.04+ # See https://apparmor.pujol.io/development/internal/#re-attached-path -@{att}=/ -alias / -> //, +@{att}="" # vim:syntax=apparmor diff --git a/pkg/prebuild/prepare/attach.go b/pkg/prebuild/prepare/attach.go index 3331c73dc..4523382d8 100644 --- a/pkg/prebuild/prepare/attach.go +++ b/pkg/prebuild/prepare/attach.go @@ -32,7 +32,6 @@ func (p ReAttach) Apply() ([]string, error) { if err != nil { return res, err } - out = strings.ReplaceAll(out, "@{att}=/", "# @{att}=/") - out = strings.ReplaceAll(out, "alias / -> //,", "#alias / -> //,") + out = strings.ReplaceAll(out, `@{att}=""`, `# @{att}=""`) return res, path.WriteFile([]byte(out)) } From 09c1f61bb7aab8f9aff5e7c87cee66d9d9104b83 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 1 Sep 2025 15:54:28 +0200 Subject: [PATCH 539/798] build(debian): use deb-systemd-invoke and minor lintian fixes. --- debian/apparmor.d.postinst | 4 +--- debian/apparmor.d.postrm | 4 +--- debian/control | 6 +++--- 3 files changed, 5 insertions(+), 9 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 2f8c90ae0..361af7b91 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -8,8 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -if systemctl is-active -q apparmor; then - systemctl reload apparmor -fi +deb-systemd-invoke reload apparmor.service exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 2f8c90ae0..361af7b91 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -8,8 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -if systemctl is-active -q apparmor; then - systemctl reload apparmor -fi +deb-systemd-invoke reload apparmor.service exit 0 diff --git a/debian/control b/debian/control index 56ad928ba..85c4d3786 100644 --- a/debian/control +++ b/debian/control @@ -18,6 +18,6 @@ Architecture: any Depends: apparmor-profiles Conflicts: apparmor-profiles-extra Provides: apparmor-profiles-extra -Description: Full set of AppArmor profiles (~ 1500 profiles) - apparmor.d is a set of over 1500 AppArmor profiles whose aim is to confine - most Linux based applications and processes. +Description: Full set of AppArmor profiles (~ 2000 profiles) + apparmor.d is a set of over 2000 AppArmor profiles whose aim is to confine + most Linux based applications and processes. From 2b07398cef01bf511fafd8c66d631598baae1e8d Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Wed, 3 Sep 2025 03:28:16 +0200 Subject: [PATCH 540/798] flatpak-app ntsync --- apparmor.d/groups/flatpak/flatpak-app | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index e8fe195fb..e6be7ef4f 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -98,6 +98,8 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/ld-so-cache-dir/* rw, owner @{run}/user/ r, + /dev/ntsync r, + include if exists include if exists } From 2c0b5405db7242b8d0b6704fc9998927bee30c9c Mon Sep 17 00:00:00 2001 From: Jose Maldonado aka Yukiteru Date: Fri, 29 Aug 2025 19:06:48 -0400 Subject: [PATCH 541/798] firewall-applet: update profile --- apparmor.d/groups/firewall/firewall-applet | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/firewall/firewall-applet b/apparmor.d/groups/firewall/firewall-applet index 280bd9d04..bd144b7e2 100644 --- a/apparmor.d/groups/firewall/firewall-applet +++ b/apparmor.d/groups/firewall/firewall-applet @@ -21,6 +21,9 @@ profile firewall-applet @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/cgroup r, + + owner @{user_config_dirs}/firewall/applet.conf rwkl, include if exists } From 237622f3efd6c7c8b11482086f2ca31fa47cc915 Mon Sep 17 00:00:00 2001 From: Jose Maldonado aka Yukiteru Date: Fri, 29 Aug 2025 13:54:42 -0400 Subject: [PATCH 542/798] rpcbind: update profile rpcbind: update profile --- apparmor.d/groups/network/rpcbind | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index 1d81292fd..0650470ac 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2023 Jeroen Rijken +# Copyright (C) 2025 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,9 +10,18 @@ include @{exec_path} = @{sbin}/rpcbind profile rpcbind @{exec_path} flags=(complain) { include + include + + capability setgid, + capability setuid, @{exec_path} rm, + /etc/netconfig r, + + @{run}/rpcbind.lock rwkl, + @{run}/rpcbind/*.xdr rwkl, + include if exists } From 4c84b572cda4433a664b1488e980034886652629 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Tue, 2 Sep 2025 05:12:04 +0200 Subject: [PATCH 543/798] glxgears can't access X cookie --- apparmor.d/profiles-g-l/glxgears | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears index 1e27790df..cfd9f0dac 100644 --- a/apparmor.d/profiles-g-l/glxgears +++ b/apparmor.d/profiles-g-l/glxgears @@ -25,6 +25,7 @@ profile glxgears @{exec_path} { @{exec_path} mr, owner @{HOME}/.Xauthority r, + owner @{run}/user/@{uid}/xauth_@{rand6} r, include if exists } From e43d9078089c4b46c8f48d08ebacacf83327b3f1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 2 Sep 2025 00:06:57 +0200 Subject: [PATCH 544/798] chore: cosmetic. --- Justfile | 78 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/Justfile b/Justfile index e434586c4..2c4c0e8d4 100644 --- a/Justfile +++ b/Justfile @@ -49,44 +49,44 @@ c := "--connect=qemu:///system" # VM prefix prefix := "aa-" -[doc('Show this help message')] +# Show this help message help: @just --list --unsorted @printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information." +# Build the go programs [group('build')] -[doc('Build the go programs')] build: @go build -o {{build}}/ ./cmd/aa-log @go build -o {{build}}/ ./cmd/prebuild +# Prebuild the profiles in enforced mode [group('build')] -[doc('Prebuild the profiles in enforced mode')] enforce: build @./{{build}}/prebuild --buildir {{build}} +# Prebuild the profiles in complain mode [group('build')] -[doc('Prebuild the profiles in complain mode')] complain: build ./{{build}}/prebuild --buildir {{build}} --complain +# Prebuild the profiles in FSP mode [group('build')] -[doc('Prebuild the profiles in FSP mode')] fsp: build @./{{build}}/prebuild --buildir {{build}} --full +# Prebuild the profiles in FSP mode (complain) [group('build')] -[doc('Prebuild the profiles in FSP mode (complain)')] fsp-complain: build @./{{build}}/prebuild --buildir {{build}} --complain --full +# Prebuild the profiles in FSP mode (debug) [group('build')] -[doc('Prebuild the profiles in FSP mode (debug)')] fsp-debug: build @./{{build}}/prebuild --buildir {{build}} --complain --full --debug +# Install prebuild profiles [group('install')] -[doc('Install prebuild profiles')] install: #!/usr/bin/env bash set -eu -o pipefail @@ -113,8 +113,8 @@ install: install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf" done +# Locally install prebuild profiles [group('install')] -[doc('Locally install prebuild profiles')] local +names: #!/usr/bin/env bash set -eu -o pipefail @@ -135,39 +135,39 @@ local +names: done; systemctl restart apparmor || sudo journalctl -xeu apparmor.service +# Prebuild, install, and load a dev profile [group('install')] -[doc('Prebuild, install, and load a dev profile')] dev name: go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}` sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}} sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service +# Build & install apparmor.d on Arch based systems [group('packages')] -[doc('Build & install apparmor.d on Arch based systems')] pkg: @makepkg --syncdeps --install --cleanbuild --force --noconfirm +# Build & install apparmor.d on Debian based systems [group('packages')] -[doc('Build & install apparmor.d on Debian based systems')] dpkg: @bash dists/build.sh dpkg @sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb +# Build & install apparmor.d on OpenSUSE based systems [group('packages')] -[doc('Build & install apparmor.d on OpenSUSE based systems')] rpm: @bash dists/build.sh rpm @sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm +# Run the unit tests [group('tests')] -[doc('Run the unit tests')] tests: @go test ./cmd/... -v -cover -coverprofile=coverage.out @go test ./pkg/... -v -cover -coverprofile=coverage.out @go tool cover -func=coverage.out +# Run the linters [group('linter')] -[doc('Run the linters')] lint: golangci-lint run packer fmt tests/packer/ @@ -177,34 +177,34 @@ lint: tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \ debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm +# Run style checks on the profiles [group('linter')] -[doc('Run style checks on the profiles')] check: @bash tests/check.sh +# Generate the man pages [group('docs')] -[doc('Generate the man pages')] man: @pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md +# Build the documentation [group('docs')] -[doc('Build the documentation')] docs: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict +# Serve the documentation [group('docs')] -[doc('Serve the documentation')] serve: @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve -[doc('Remove all build artifacts')] +# Remove all build artifacts clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \ {{pkgdest}}/{{pkgname}}* {{build}} coverage.out +# Build the package in a clean OCI container [group('packages')] -[doc('Build the package in a clean OCI container')] package dist: #!/usr/bin/env bash set -eu -o pipefail @@ -219,8 +219,8 @@ package dist: fi bash dists/docker.sh $dist $version +# Build the VM image [group('vm')] -[doc('Build the VM image')] img dist flavor: (package dist) @mkdir -p {{base_dir}} packer build -force \ @@ -237,8 +237,8 @@ img dist flavor: (package dist) -var output_dir={{output_dir}} \ tests/packer/ +# Create the machine [group('vm')] -[doc('Create the machine')] create dist flavor: @cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 @virt-install {{c}} \ @@ -257,53 +257,53 @@ create dist flavor: --sound model=ich9 \ --noautoconsole +# Start a machine [group('vm')] -[doc('Start a machine')] up dist flavor: @virsh {{c}} start {{prefix}}{{dist}}-{{flavor}} +# Stops the machine [group('vm')] -[doc('Stops the machine')] halt dist flavor: @virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}} +# Reboot the machine [group('vm')] -[doc('Reboot the machine')] reboot dist flavor: @virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}} +# Destroy the machine [group('vm')] -[doc('Destroy the machine')] destroy dist flavor: @virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true @virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram @rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 +# Connect to the machine [group('vm')] -[doc('Connect to the machine')] ssh dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` +# Mount the shared directory on the machine [group('vm')] -[doc('Mount the shared directory on the machine')] mount dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4' +# Unmout the shared directory on the machine [group('vm')] -[doc('Unmout the shared directory on the machine')] umount dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true' +# List the machines [group('vm')] -[doc('List the machines')] list: @printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State" @virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g' +# List the VM images [group('vm')] -[doc('List the VM images')] images: #!/usr/bin/env bash set -eu -o pipefail @@ -320,8 +320,8 @@ images: } ' +# List the VM images that can be created [group('vm')] -[doc('List the VM images that can be created')] available: #!/usr/bin/env bash set -eu -o pipefail @@ -337,36 +337,36 @@ available: } ' +# Install dependencies for the integration tests [group('tests')] -[doc('Install dependencies for the integration tests')] init: @bash tests/requirements.sh +# Run the integration tests [group('tests')] -[doc('Run the integration tests')] integration name="": bats --recursive --timing --print-output-on-failure tests/integration/{{name}} +# Install dependencies for the integration tests (machine) [group('tests')] -[doc('Install dependencies for the integration tests (machine)')] tests-init dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init +# Synchronize the integration tests (machine) [group('tests')] -[doc('Synchronize the integration tests (machine)')] tests-sync dist flavor: @ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/ +# Re-synchronize the integration tests (machine) [group('tests')] -[doc('Re-synchronize the integration tests (machine)')] tests-resync dist flavor: (mount dist flavor) \ (tests-sync dist flavor) \ (umount dist flavor) +# Run the integration tests (machine) [group('tests')] -[doc('Run the integration tests (machine)')] tests-run dist flavor name="": (tests-resync dist flavor) ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \ bats --recursive --pretty --timing --print-output-on-failure \ From 7963479dbc944ea2fa18da16ad5a4224f73cc8fa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 13:21:34 +0200 Subject: [PATCH 545/798] build: various cleanup --- dists/build.sh | 2 +- dists/docker.sh | 4 ++-- dists/flags/main.flags | 4 ++-- dists/flags/ubuntu.flags | 1 + 4 files changed, 6 insertions(+), 5 deletions(-) diff --git a/dists/build.sh b/dists/build.sh index 9b9f9e765..e33c48695 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -16,7 +16,7 @@ readonly VERSION main() { case "$COMMAND" in pkg) - PKGDEST="$OUTPUT" makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar + PKGDEST="$OUTPUT" BUILDDIR=/tmp/makepkg makepkg --syncdeps --force --cleanbuild --noconfirm --noprogressbar ;; dpkg) diff --git a/dists/docker.sh b/dists/docker.sh index 2e581883c..45191adb8 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -25,7 +25,7 @@ readonly VERSION PACKAGER _start() { local img="$1" - docker start "$img" + docker start "$img" || return 1 } _is_running() { @@ -65,7 +65,7 @@ build_in_docker_makepkg() { --env PKGDEST="$BUILDIR" --env PACKAGER="$PACKAGER" \ --env BUILDDIR=/tmp/build \ "$BASEIMAGE/$dist" - docker exec "$img" sudo pacman -Syu --noconfirm --noprogressbar + docker exec "$img" sudo pacman -Sy --noconfirm --noprogressbar fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 057c7c298..2c01d9553 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -230,7 +230,7 @@ lvmdump complain lvmpolld complain man complain mate-notification-daemon complain -mdadm complain +mdadm attach_disconnected,complain mdadm-mkconf complain ModemManager attach_disconnected,complain mount attach_disconnected,complain @@ -327,7 +327,7 @@ systemd-generator-ds-identify attach_disconnected,complain systemd-generator-environment-arch complain systemd-generator-environment-flatpak complain systemd-generator-environment-snapd attach_disconnected,complain -systemd-generator-friendly-recover attach_disconnected,complain +systemd-generator-friendly-recovery attach_disconnected,complain systemd-generator-fstab attach_disconnected,complain systemd-generator-getty attach_disconnected,complain systemd-generator-gpt-auto attach_disconnected,complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index 7339702a2..125575ce1 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -8,6 +8,7 @@ apt-helper complain check-new-release-gtk complain do-release-upgrade complain dpkg-genbuildinfo complain +esm_cache complain fanctl attach_disconnected,complain hwe-support-status complain list-oem-metapackages complain From d9df02f3f860f94d91d85862205adf872d75b9a7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 13:22:39 +0200 Subject: [PATCH 546/798] tests(packer): update opensuse images. --- tests/cloud-init/opensuse-gnome.user-data.yml | 18 ++++++- tests/cloud-init/opensuse-kde.user-data.yml | 14 ++++- .../cloud-init/opensuse-server.user-data.yml | 7 +++ tests/cloud-init/opensuse.yml | 54 +++++++++++++++++++ 4 files changed, 91 insertions(+), 2 deletions(-) diff --git a/tests/cloud-init/opensuse-gnome.user-data.yml b/tests/cloud-init/opensuse-gnome.user-data.yml index 3ab5a6c08..b59d66af3 100644 --- a/tests/cloud-init/opensuse-gnome.user-data.yml +++ b/tests/cloud-init/opensuse-gnome.user-data.yml @@ -1,6 +1,22 @@ #cloud-config -packages: *core-packages +packages: *gnome-packages + +runcmd: + # Replace SELinux by AppArmor in kernel parameters + - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub + + # Regenerate grub.cfg + - grub2-mkconfig -o /boot/grub2/grub.cfg + + # Ensure auditd is enabled + - systemctl enable systemd-journald-audit.socket write_files: - *shared-directory # Setup shared directory + + - path: /etc/sysconfig/displaymanager + append: true + content: | + DISPLAYMANAGER="gdm" + diff --git a/tests/cloud-init/opensuse-kde.user-data.yml b/tests/cloud-init/opensuse-kde.user-data.yml index 3ab5a6c08..2058846dd 100644 --- a/tests/cloud-init/opensuse-kde.user-data.yml +++ b/tests/cloud-init/opensuse-kde.user-data.yml @@ -1,6 +1,18 @@ #cloud-config -packages: *core-packages +packages: *kde-packages + +# apparmor.debug=1 +runcmd: + # Replace SELinux by AppArmor in kernel parameters + - sed -i 's/security=selinux selinux=1/apparmor=1/g' /etc/default/grub + + # Regenerate grub.cfg + - grub2-mkconfig -o /boot/grub2/grub.cfg write_files: - *shared-directory # Setup shared directory + - path: /etc/sysconfig/displaymanager + append: true + content: | + DISPLAYMANAGER="sddm" diff --git a/tests/cloud-init/opensuse-server.user-data.yml b/tests/cloud-init/opensuse-server.user-data.yml index 98b78ec80..b6d35cd68 100644 --- a/tests/cloud-init/opensuse-server.user-data.yml +++ b/tests/cloud-init/opensuse-server.user-data.yml @@ -2,6 +2,13 @@ packages: *core-packages +runcmd: + # Replace SELinux by AppArmor in kernel parameters + - sed -i 's/security=selinux selinux=1/apparmor=1 apparmor.debug=1/g' /etc/default/grub + + # Regenerate grub.cfg + - grub2-mkconfig -o /boot/grub2/grub.cfg + write_files: - *shared-directory # Setup shared directory - *systemd-netword # Network configuration for server diff --git a/tests/cloud-init/opensuse.yml b/tests/cloud-init/opensuse.yml index 57c633678..ab0954c6a 100644 --- a/tests/cloud-init/opensuse.yml +++ b/tests/cloud-init/opensuse.yml @@ -2,9 +2,11 @@ # Core packages for OpenSUSE core-packages: &core-packages + - pattern:apparmor - apparmor-profiles - bash-completion - distribution-release + - docker - git - go - golang-packaging @@ -12,5 +14,57 @@ core-packages: &core-packages - just - rpmbuild - rsync + - systemd-container + - systemd-homed - vim +gnome-packages: &gnome-packages + # Core packages for OpenSUSE + - pattern:apparmor + - apparmor-profiles + - bash-completion + - distribution-release + - docker + - git + - go + - golang-packaging + - htop + - just + - rpmbuild + - rsync + - systemd-container + - systemd-homed + - vim + + # Gnome packages for OpenSUSE + - pattern:gnome + - gdm + - spice-vdagent + - terminator + - loupe + - ptyxis + +kde-packages: &kde-packages + # Core packages for OpenSUSE + - pattern:apparmor + - apparmor-profiles + - bash-completion + - distribution-release + - docker + - git + - go + - golang-packaging + - htop + - just + - rpmbuild + - rsync + - systemd-container + - systemd-homed + - vim + + # KDE packages for OpenSUSE + - pattern:kde_plasma + - pattern:kde + - sddm + - spice-vdagent + - terminator From 5795114328ad8952c826b8e82e475500d84eb94a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 13:23:49 +0200 Subject: [PATCH 547/798] tests(packer): success on cloud-init failure. --- tests/packer/builds.pkr.hcl | 4 ++-- tests/packer/clean.sh | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 48a5fafb6..98e923fd9 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -71,10 +71,10 @@ build { "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", # Ensure cloud-init is successful - # "cloud-init status", + "cloud-init status || cloud-init collect-logs --tarfile /root/cloud-init.tar.gz", # Remove logs and artifacts so cloud-init can re-run - # "cloud-init clean", + "cloud-init clean || true", # Install local files and config "bash /tmp/init.sh", diff --git a/tests/packer/clean.sh b/tests/packer/clean.sh index f7518a2f6..23c587d4f 100644 --- a/tests/packer/clean.sh +++ b/tests/packer/clean.sh @@ -60,8 +60,7 @@ clean_pacman() { clean_zypper() { _msg "Cleaning zypper cache" - zypper update -y - zypper clean -y + zypper clean --all } # Make the image as impersonal as possible. From a0f1c55ab475a9c3f6d9ad26bf8d91b7d53036d2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 15:12:40 +0200 Subject: [PATCH 548/798] doc: update roadmap. --- docs/development/roadmap.md | 49 ++++++++++++++++++++++++++++--------- 1 file changed, 38 insertions(+), 11 deletions(-) diff --git a/docs/development/roadmap.md b/docs/development/roadmap.md index 2585208e5..379241a49 100644 --- a/docs/development/roadmap.md +++ b/docs/development/roadmap.md @@ -6,11 +6,18 @@ title: Roadmap This is the current list of features that must be implemented to get to a stable release -- [x] **Play machine** +- [x] **[Play machine](https://github.com/roddhjav/play)** -- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** - - [x] Move most profiles into groups such that - - [ ] New simplified build system to generate the packages with profile dependencies check +- [ ] **[Sub packages](https://github.com/roddhjav/apparmor.d/issues/464)** + - [x] Move most profiles into groups + - [ ] Provide complain/enforced packages version + - [ ] normal/FSP/server packages variants + +- [ ] **Build system** + - [ ] Continuous release on the main branch, ~2 releases per week + - [ ] Provide packages repo for ubuntu/debian + - [x] Add a `just` target to install the profiles in the right place + - [x] Fully drop the Makefile in favor of `just` - [ ] **Tests** - [x] Tests VM for all supported targets (see [tests/vm](vm.md)) @@ -22,14 +29,26 @@ This is the current list of features that must be implemented to get to a stable - [ ] **General improvements** - [ ] Provide a proper fix for [#74](https://github.com/roddhjav/apparmor.d/issues/74), [#80](https://github.com/roddhjav/apparmor.d/issues/80) & [#235](https://github.com/roddhjav/apparmor.d/issues/235) - - [x] The apt/dpkg profiles needs to be reworked -- [ ] Build system - - [ ] Continuous release on the main branch, ~2 releases per week - - [ ] Provide packages repo for ubuntu/debian - - [ ] Provide complain/enforced packages version - - [x] Add a `just` target to install the profiles in the right place - - [x] Fully drop the Makefile in favor of `just` +- [ ] **Abstractions** + - [ ] Document all abstractions + - [ ] Split and reorganize some big abs into set of smaller abstractions. + Strictly follow the new abstractions guidelines (layer 0, layer 1, etc.) + - [ ] Abstraction based profiles: + Most of the accesses needed by GUI based application are commons. As such 80-90% of the profile content should be handled by abstractions (internally they will have conditions). + - [ ] Test new interface like abstractions + - notifications + - audio-bluetooth + - secrets-service + - media-keys + - ... + - [ ] Rewrite the desktop abstraction to only contains other abs. No direct rules in it. + - [ ] Rewrite the DE specific abstraction to be a layer 1 abs + +- [ ] **Security improvements** + - [ ] Limit the use of `abstractions/common/systemd` + - [ ] Ensure systemctl restart/stop/reload is always confined and filtered by unit (dbus only) + - [ ] Revisit the usae of `systemd-tty-ask-password-agent` ## Next features @@ -45,8 +64,16 @@ This is the current list of features that must be implemented to get to a stable - [ ] Debug tool to show the profiles transition tree, and ensure no profile is missing - [x] Remove the `default` profile +- [ ] **Define roles** + - [ ] Unrestricted shell role without FSP enabled + - [ ] Define the roles when FSP is enabled + ## Done +**General improvements** + +- [x] The apt/dpkg profiles has been rewritten + **Abstractions** - [x] New `audio-client` and `audio-server` abstractions From d86cf03dabfe1ba614341278ea42cb0a078df52e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 15:13:25 +0200 Subject: [PATCH 549/798] build(debian): post script must not fail. --- debian/apparmor.d.postinst | 2 +- debian/apparmor.d.postrm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/apparmor.d.postinst b/debian/apparmor.d.postinst index 361af7b91..840f3196b 100644 --- a/debian/apparmor.d.postinst +++ b/debian/apparmor.d.postinst @@ -8,6 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service +deb-systemd-invoke reload apparmor.service || true exit 0 diff --git a/debian/apparmor.d.postrm b/debian/apparmor.d.postrm index 361af7b91..840f3196b 100644 --- a/debian/apparmor.d.postrm +++ b/debian/apparmor.d.postrm @@ -8,6 +8,6 @@ set -e #DEBHELPER# apparmor_parser --purge-cache || true -deb-systemd-invoke reload apparmor.service +deb-systemd-invoke reload apparmor.service || true exit 0 From c7177eedde336a0bbef70e8fcc4413eaf07d88f1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 15:16:25 +0200 Subject: [PATCH 550/798] doc: update documentation. --- docs/development/abstractions.md | 9 +++++++++ docs/issues.md | 30 +++++++++++++----------------- 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index f1ac6e18e..cd82f5d21 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md @@ -217,6 +217,14 @@ Minimal set of rules for sandboxed programs using `bwrap`. A profile using this A minimal set of rules for chromium based application. Handle access for internal sandbox. +It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile: + +!!! note "" + + [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/steam/steam#L24-L25) + ``` sh linenums="24" + @{domain} = org.chromium.Chromium + ``` ### **`common/electron`** @@ -227,6 +235,7 @@ A minimal set of rules for all electron based UI applications. It works as a *fu [apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/7d1380530aa56f31589ccc6a360a8144f3601731/apparmor.d/profiles-s-z/spotify#L10-L13) ``` sh linenums="10" @{name} = spotify + @{domain} = org.chromium.Chromium @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/docs/issues.md b/docs/issues.md index 1db3b195a..2f38f4c5a 100644 --- a/docs/issues.md +++ b/docs/issues.md @@ -6,28 +6,24 @@ title: Known issues Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. -## Complain mode +## Ubuntu -A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: +### Dbus -1. `deny` rules are enforced even in *complain* mode, -2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, -3. If AppArmor does not find the profile to transition `rPx`. +Ubuntu fully supports dbus mediation with apparmor. If it is a value added by Ubuntu from other distributions, it can also lead to some breakage if you enforce some profiles. *Do not enforce the rules on Ubuntu Desktop.* + +Note: Ubuntu server has been more tested and will work without issues with enforced rules. -## Pacman "could not get current working directory" +### Snap -```sh -$ sudo pacman -Syu -... -error: could not get current working directory -:: Processing package changes... -... -``` +Apparmor.d needs to be fully integrated with snap, otherwise your snap applications may not work properly. As of today, it is a work in progress. -This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory. -According to the Arch Linux guideline, on Arch Linux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory. +## Complain mode + +A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: -This provides a basic protection against some packages (on the AUR) that may have rogue install script. +1. `deny` rules are enforced even in *complain* mode, +2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, +3. If AppArmor does not find the profile to transition `rPx`. -[pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman From 470025c09025861a4fbee72a3f424ff7b0219044 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 19:39:18 +0200 Subject: [PATCH 551/798] build(debian): update list of profile to hide. Nb: we cannot use these profiles as they would break with apparmor.d profiles (they don't expect confined peer). --- pkg/prebuild/files.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/files.go b/pkg/prebuild/files.go index 504f05c1c..d9879570b 100644 --- a/pkg/prebuild/files.go +++ b/pkg/prebuild/files.go @@ -11,9 +11,12 @@ import ( ) // Hide is the default content of debian/apparmor.d.hide. Whonix has special addition. -var Hide = `# This file is generated by "make", all edit will be lost. +var Hide = `# This file is generated by "just", all edit will be lost. /etc/apparmor.d/usr.bin.firefox +/etc/apparmor.d/usr.bin.swtpm +/etc/apparmor.d/usr.bin.wsdd +/etc/apparmor.d/usr.libexec.geoclue /etc/apparmor.d/usr.sbin.cups-browsed /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/usr.sbin.rsyslogd From 2aead7e93b0dce022401c5f42b8eeb23cb3e01a9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 22:01:20 +0200 Subject: [PATCH 552/798] build(arch): initial pkbuild for splited packages. Note: it is not enabled yet. --- PKGBUILD | 111 ++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 102 insertions(+), 9 deletions(-) diff --git a/PKGBUILD b/PKGBUILD index dfbb46735..a68ba817d 100644 --- a/PKGBUILD +++ b/PKGBUILD @@ -3,8 +3,15 @@ # Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use. -pkgname=apparmor.d -pkgver=0.001 +pkgbase=apparmor.d +pkgname=( + apparmor.d + # apparmor.d.enforced + # apparmor.d.fsp apparmor.d.fsp.enforced + # apparmor.d.server apparmor.d.server.enforced + # apparmor.d.server.fsp apparmor.d.server.fsp.enforced +) +pkgver=0.0001 pkgrel=1 pkgdesc="Full set of apparmor profiles" arch=('x86_64' 'armv6h' 'armv7h' 'aarch64') @@ -12,10 +19,9 @@ url="https://github.com/roddhjav/apparmor.d" license=('GPL-2.0-only') depends=('apparmor>=4.1.0' 'apparmor<5.0.0') makedepends=('go' 'git' 'rsync' 'just') -conflicts=("$pkgname-git") pkgver() { - cd "$srcdir/$pkgname" + cd "$srcdir/$pkgbase" echo "0.$(git rev-list --count HEAD)" } @@ -24,17 +30,104 @@ prepare() { } build() { - cd "$srcdir/$pkgname" + cd "$srcdir/$pkgbase" export CGO_CPPFLAGS="${CPPFLAGS}" export CGO_CFLAGS="${CFLAGS}" export CGO_CXXFLAGS="${CXXFLAGS}" export CGO_LDFLAGS="${LDFLAGS}" + export GOPATH="${srcdir}" export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw" export DISTRIBUTION=arch - just complain + local -A modes=( + # Mapping of modes to just build target. + [default]=complain + # [enforced]=enforce + # [fsp]=fsp-complain + # [fsp.enforced]=fsp + # [server]=server-complain + # [server.enforced]=server + # [server.fsp]=server-fsp-complain + # [server.fsp.enforced]=server-fsp + ) + for mode in "${!modes[@]}"; do + just build=".build/$mode" "${modes[$mode]}" + done } -package() { - cd "$srcdir/$pkgname" - just destdir="$pkgdir" install +_conflicts() { + local mode="$1" + local pattern=".$mode" + if [[ "$mode" == "default" ]]; then + pattern="" + else + echo "$pkgbase" + fi + for pkg in "${pkgname[@]}"; do + if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then + continue + fi + echo "$pkg" + done +} + +_install() { + local mode="${1:?}" + cd "$srcdir/$pkgbase" + just build=".build/$mode" destdir="$pkgdir" install +} + +package_apparmor.d() { + mode=default + pkgdesc="$pkgdesc (complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.enforced() { + mode=enforced + pkgdesc="$pkgdesc (enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.fsp() { + mode="fsp" + pkgdesc="$pkgdesc (FSP mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.fsp.enforced() { + mode="fsp.enforced" + pkgdesc="$pkgdesc (FSP enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server() { + mode="server" + pkgdesc="$pkgdesc (server complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.enforced() { + mode="server.enforced" + pkgdesc="$pkgdesc (server enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.fsp() { + mode="server.fsp" + pkgdesc="$pkgdesc (server FSP complain mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode +} + +package_apparmor.d.server.fsp.enforced() { + mode="server.fsp.enforced" + pkgdesc="$pkgdesc (server FSP enforced mode)" + mapfile -t conflicts < <(_conflicts $mode) + _install $mode } From ab7cba2da6e283f6f7e2eed1b746271b3bbda512 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 22:16:40 +0200 Subject: [PATCH 553/798] build: add early support for server version of the package. --- docs/development/build.md | 44 ++++++++++++++++++++++++++------------- pkg/prebuild/cli/cli.go | 27 +++++++++++++++++++++--- 2 files changed, 54 insertions(+), 17 deletions(-) diff --git a/docs/development/build.md b/docs/development/build.md index eaa2487a2..b767e4e4e 100644 --- a/docs/development/build.md +++ b/docs/development/build.md @@ -10,18 +10,22 @@ go run ./cmd/prebuild -h ``` ``` -aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] +aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. Options: - -h, --help Show this help message and exit. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - -a, --abi ABI Target apparmor ABI. - -f, --full Set AppArmor for full system policy. - -F, --file Only prebuild a given file. + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -v, --version V Target apparmor version. + -f, --full Set AppArmor for full system policy. + -s, --server Set AppArmor for server. + -b, --buildir DIR Root build directory. + -F, --file Only prebuild a given file. + --debug Enable debug mode. Prepare tasks: configure - Set distribution specificities @@ -31,21 +35,27 @@ Prepare tasks: overwrite - Overwrite dummy upstream profiles synchronise - Initialize a new clean apparmor.d build directory ignore - Ignore profiles and files from: + server - Configure AppArmor for server systemd-default - Configure systemd unit drop in files to a profile for some units systemd-early - Configure systemd unit drop in files to ensure some service start after apparmor + attach - Configure tunable for re-attached path Build tasks: - abi3 - Convert all profiles from abi 4.0 to abi 3.0 - attach - Re-attach disconnected path - complain - Set complain flag on all profiles - enforce - All profiles have been enforced - fsp - Prevent unconfined transitions in profile rules - hotfix - Temporary fix for #74, #80 & #235 - userspace - Resolve variable in profile attachments + userspace - Fix: resolve variable in profile attachments + abi3 - Build: convert all profiles from abi 4.0 to abi 3.0 + attach - Feat: re-attach disconnected path + base-strict - Feat: use 'base-strict' as base abstraction + complain - Build: set complain flag on all profiles + debug - Build: debug mode enabled + enforce - Build: all profiles have been enforced + fsp - Feat: prevent unconfined transitions in profile rules + hotfix - Fix: temporary solution for #74, #80 & #235 + stacked-dbus - Fix: resolve peer label variable in dbus rules Directive: #aa:dbus own bus= name= [interface=AARE] [path=AARE] #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE] + #aa:dbus common bus= name= label= #aa:exec [P|U|p|u|PU|pu|] profiles... #aa:only filters... #aa:exclude filters... @@ -66,6 +76,12 @@ Ignore profiles and files as defined in the `dist/ignore` directory. See [workfl *Enabled by default. Can be disabled in `cmd/prebuild/main.go`* +### **`server`** + +Configure AppArmor for server. Desktop related groups and profiles that use desktop abstraction are not included. [hotfix](#hotfix) is also disabled, as it is only needed on desktop system. It is mostly intended to be used on server with FSP enabled. E.g: [the play machine](https://github.com/roddhjav/play). + +*Enable with the `--server` option in the prebuild command.* + ### **`merge`** Merge profiles from `apparmor.d/group/`, `apparmor.d/profiles-*-*/` to a unified directory in `.build/apparmor.d` that AppArmor can parse. diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 8abfb4323..981331edd 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -7,6 +7,8 @@ package cli import ( "flag" "fmt" + "os" + "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/logging" @@ -20,7 +22,7 @@ import ( const ( nilABI = 0 nilVer = 0.0 - usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] [--version V] [--file FILE] + usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--server] [--abi 3|4] [--version V] [--file FILE] Prebuild apparmor.d profiles for a given distribution and apply internal built-in directives. @@ -32,7 +34,8 @@ Options: -a, --abi ABI Target apparmor ABI. -v, --version V Target apparmor version. -f, --full Set AppArmor for full system policy. - -b, --buildir DIR Root build directory. + -s, --server Set AppArmor for server. + -b, --buildir DIR Root build directory. -F, --file Only prebuild a given file. --debug Enable debug mode. ` @@ -43,6 +46,7 @@ var ( complain bool enforce bool full bool + server bool debug bool abi int version float64 @@ -55,6 +59,8 @@ func init() { flag.BoolVar(&help, "help", false, "Show this help message and exit.") flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") + flag.BoolVar(&server, "s", false, "Set AppArmor for server.") + flag.BoolVar(&server, "server", false, "Set AppArmor for server.") flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") @@ -81,7 +87,22 @@ func Configure() { flag.Parse() if help { flag.Usage() - return + os.Exit(0) + } + + if server { + idx := slices.Index(prepare.Prepares, prepare.Tasks["merge"]) + if idx == -1 { + prepare.Register("server") + } else { + prepare.Prepares = slices.Insert(prepare.Prepares, idx, prepare.Tasks["server"]) + } + + // Remove hotfix task as it is not needed on server + idx = slices.Index(prepare.Prepares, prepare.Tasks["hotfix"]) + if idx != -1 { + prepare.Prepares = slices.Delete(prepare.Prepares, idx, idx+1) + } } if full && paths.New("apparmor.d/groups/_full").Exist() { From ec88fcbfcb2a928bb543bdc0497946ff6fe840cc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:18:31 +0200 Subject: [PATCH 554/798] feat(abs): add the camera abstraction --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/camera | 35 +++++++++++++++++++ apparmor.d/abstractions/common/app | 2 +- apparmor.d/groups/browsers/epiphany | 3 +- apparmor.d/groups/freedesktop/pipewire | 2 +- .../groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 3 +- apparmor.d/groups/freedesktop/wireplumber | 3 +- apparmor.d/profiles-s-z/signal-desktop | 1 + apparmor.d/profiles-s-z/vlc | 2 +- 10 files changed, 44 insertions(+), 11 deletions(-) create mode 100644 apparmor.d/abstractions/camera diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index f08a096ca..725b57fca 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -30,6 +30,7 @@ include include include + include include include include @@ -44,7 +45,6 @@ include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/abstractions/camera b/apparmor.d/abstractions/camera new file mode 100644 index 000000000..0f5cff363 --- /dev/null +++ b/apparmor.d/abstractions/camera @@ -0,0 +1,35 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to all cameras + + abi , + + # Allow detection of cameras. Leaks plugged in USB device info + @{sys}/bus/usb/devices/ r, + @{sys}/devices/@{pci}/usb@{int}/**/busnum r, + @{sys}/devices/@{pci}/usb@{int}/**/devnum r, + @{sys}/devices/@{pci}/usb@{int}/**/idProduct r, + @{sys}/devices/@{pci}/usb@{int}/**/idVendor r, + @{sys}/devices/@{pci}/usb@{int}/**/interface r, + @{sys}/devices/@{pci}/usb@{int}/**/modalias r, + @{sys}/devices/@{pci}/usb@{int}/**/speed r, + + @{sys}/class/video4linux/ r, + @{sys}/devices/**/video4linux/** r, + @{sys}/devices/**/video4linux/video@{int}/ r, + @{sys}/devices/**/video4linux/video@{int}/uevent r, + + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c81:@{int} r, # For video4linux + + # VideoCore cameras (shared device with VideoCore/EGL) + /dev/vchiq rw, + + # Access to video /dev devices + /dev/video@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 5072cadfd..d0b36188b 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -16,6 +16,7 @@ include include include + include include include include @@ -30,7 +31,6 @@ include include include - include dbus bus=accessibility, dbus bus=session, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 86b293e8d..45a32868e 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -12,6 +12,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -61,8 +62,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 02a370cdc..c8c89ac13 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -14,8 +14,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include + include include - include capability sys_ptrace, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index af6f30e9c..83ee32baa 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session @@ -14,9 +14,9 @@ profile pipewire-media-session @{exec_path} { include include include + include include include - include network bluetooth raw, network bluetooth seqpacket, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 05e4c3ec2..28d8b9d31 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -18,6 +18,7 @@ profile pulseaudio @{exec_path} { include include include + include include include include @@ -105,7 +106,6 @@ profile pulseaudio @{exec_path} { @{sys}/devices/**/sound/**/{uevent,pcm_class} r, @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r, - @{sys}/devices/virtual/video4linux/video@{int}/uevent r, deny @{sys}/module/apparmor/parameters/enabled r, @@ -114,7 +114,6 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/cmdline r, /dev/media@{int} r, - /dev/video@{int} rw, # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index aefdc339d..708e5a6e8 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -16,9 +16,9 @@ profile wireplumber @{exec_path} { include include include + include include include - include network bluetooth raw, network bluetooth seqpacket, @@ -71,7 +71,6 @@ profile wireplumber @{exec_path} { @{sys}/bus/ r, @{sys}/bus/media/devices/ r, - @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r, @{sys}/devices/**/device:*/{,**/}path r, @{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/uevent r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 001f8605a..4abe053f6 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -19,6 +19,7 @@ profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index ccf1abb61..3a3a77313 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -17,6 +17,7 @@ profile vlc @{exec_path} { include include include + include include include include @@ -85,7 +86,6 @@ profile vlc @{exec_path} { /dev/shm/#@{int} rw, /dev/snd/ r, /dev/tty r, - /dev/video@{int} rw, owner /dev/tty@{int} rw, # Silencer From c2ecc756b2e424926b7d0ac79b99b8f20c911de2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:30:52 +0200 Subject: [PATCH 555/798] feat(abs): add the media-control abstraction --- apparmor.d/abstractions/media-control | 20 +++++++++++++++++++ apparmor.d/groups/freedesktop/pipewire | 3 +-- apparmor.d/groups/freedesktop/pulseaudio | 3 +-- apparmor.d/groups/freedesktop/wireplumber | 3 +-- apparmor.d/groups/gnome/gnome-boxes | 5 ++--- apparmor.d/groups/gnome/gnome-control-center | 4 ++-- apparmor.d/groups/gnome/gnome-shell | 5 ++--- apparmor.d/groups/gnome/localsearch | 3 --- .../groups/gnome/org.gnome.NautilusPreviewer | 5 ++--- apparmor.d/profiles-a-f/cheese | 5 ++--- apparmor.d/profiles-s-z/v4l2-ctl | 6 ++---- apparmor.d/profiles-s-z/virt-manager | 5 ++--- 12 files changed, 37 insertions(+), 30 deletions(-) create mode 100644 apparmor.d/abstractions/media-control diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control new file mode 100644 index 000000000..1cdcf66f2 --- /dev/null +++ b/apparmor.d/abstractions/media-control @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to media controller such as microphones, and video capture hardware. +# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst + + abi , + + # Control of media devices + /dev/media@{int} rwk, + + # Access to V4L subnodes configuration + # See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html + /dev/v4l-subdev@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index c8c89ac13..04b08ecc4 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -15,6 +15,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, @@ -66,8 +67,6 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 28d8b9d31..5c7c49c3d 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -26,6 +26,7 @@ profile pulseaudio @{exec_path} { include include include + include include ptrace (trace) peer=@{profile_name}, @@ -113,8 +114,6 @@ profile pulseaudio @{exec_path} { owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/cmdline r, - /dev/media@{int} r, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 708e5a6e8..aa78d9667 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -18,6 +18,7 @@ profile wireplumber @{exec_path} { include include include + include include network bluetooth raw, @@ -65,7 +66,6 @@ profile wireplumber @{exec_path} { @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) - @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @@ -86,7 +86,6 @@ profile wireplumber @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, /dev/udmabuf rw, include if exists diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 1447715b7..cd46dd069 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -13,10 +13,12 @@ profile gnome-boxes @{exec_path} { include include include + include include include include include + include include include include @@ -80,9 +82,6 @@ profile gnome-boxes @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, - /dev/media@{int} rw, - /dev/video@{int} rw, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, profile virsh { diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 111facf64..10f310232 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -17,11 +17,13 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include + include include include include @@ -191,8 +193,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/*/comm rw, /dev/ r, - /dev/media@{int} r, - /dev/video@{int} rw, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0876b90d1..7344b735b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -32,18 +32,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include include include include + include include include include include include - include capability sys_nice, capability sys_ptrace, @@ -321,7 +322,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @@ -379,7 +379,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/media@{int} rw, /dev/tty@{int} rw, @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 049b3c402..d5700db7c 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -68,9 +68,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index f084e7b12..e1bde2238 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -10,14 +10,15 @@ include profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { include include + include include include include include include + include include include - include network netlink raw, @@ -52,8 +53,6 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/media@{int} r, - include if exists } diff --git a/apparmor.d/profiles-a-f/cheese b/apparmor.d/profiles-a-f/cheese index b89fa42f2..33b933be2 100644 --- a/apparmor.d/profiles-a-f/cheese +++ b/apparmor.d/profiles-a-f/cheese @@ -11,10 +11,12 @@ include profile cheese @{exec_path} { include include + include include include include include + include include include @@ -49,9 +51,6 @@ profile cheese @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/v4l2-ctl b/apparmor.d/profiles-s-z/v4l2-ctl index e398049de..ddb86b9a2 100644 --- a/apparmor.d/profiles-s-z/v4l2-ctl +++ b/apparmor.d/profiles-s-z/v4l2-ctl @@ -9,14 +9,12 @@ include @{exec_path} = @{bin}/v4l2-ctl profile v4l2-ctl @{exec_path} { include + include include - include + include @{exec_path} mr, - /dev/media@{int} rw, - /dev/video@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 8a1b5f355..f820d2953 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -16,12 +16,14 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include include + include include include include @@ -101,9 +103,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, - /dev/media@{int} r, - /dev/video@{int} rw, - # Silence the noise deny /usr/share/virt-manager/{,**} w, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, From 5484f84764d2f1bc9c5ccf28494fdec5ada382aa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:32:06 +0200 Subject: [PATCH 556/798] tests(build): add tests for the stacked-dbus build task. --- pkg/prebuild/builder/core_test.go | 24 ++++++++++++++++++++++++ pkg/prebuild/builder/stacked-dbus.go | 2 +- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index 06ceb1d28..c6c493472 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -231,6 +231,30 @@ func TestBuilder_Apply(t *testing.T) { want: "", wantErr: true, }, + { + name: "stacked-dbus-1", + b: Builders["stacked-dbus"], + profile: ` +profile foo { + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + +}`, + want: ` +profile foo { +dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label=dbus-session), +dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} + peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), + +}`, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/pkg/prebuild/builder/stacked-dbus.go b/pkg/prebuild/builder/stacked-dbus.go index e33ecf4b7..eca8122c6 100644 --- a/pkg/prebuild/builder/stacked-dbus.go +++ b/pkg/prebuild/builder/stacked-dbus.go @@ -72,7 +72,7 @@ func (b StackedDbus) Apply(opt *Option, profile string) (string, error) { toResolve = append(toResolve, k) } - rulesByParagraph, paragraphs, err := parse(kind, profile) // + rulesByParagraph, paragraphs, err := parse(kind, profile) if err != nil { return "", err } From 64d71ffb6e762b5ba51302087731bbeb8577631d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:45:08 +0200 Subject: [PATCH 557/798] build: attach: ensure we don't recursivelly call ourself. --- pkg/prebuild/builder/attach.go | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go index 66ef18aef..1ec5e06b1 100644 --- a/pkg/prebuild/builder/attach.go +++ b/pkg/prebuild/builder/attach.go @@ -31,6 +31,9 @@ func init() { func (b ReAttach) Apply(opt *Option, profile string) (string, error) { var insert string var origin = "profile " + opt.Name + if opt.File.HasSuffix("attached/base") { + return profile, nil // Do not re-attach twice + } if strings.Contains(profile, "attach_disconnected") { insert = "@{att} = /att/" + opt.Name + "/\n" @@ -42,13 +45,17 @@ func (b ReAttach) Apply(opt *Option, profile string) (string, error) { "include ", "include ", ) + profile = strings.ReplaceAll(profile, + "include ", + "include ", + ) profile = strings.ReplaceAll(profile, "include ", "include ", ) } else { - insert = "@{att} = /\n" + insert = "@{att} = \"\"\n" } From 8c33125b5ec251c6c8996ea23f24c5380c597a8c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:46:12 +0200 Subject: [PATCH 558/798] build: add missing server build task. --- pkg/prebuild/prepare/server.go | 105 +++++++++++++++++++++++++++++++++ 1 file changed, 105 insertions(+) create mode 100644 pkg/prebuild/prepare/server.go diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go new file mode 100644 index 000000000..85f98e75d --- /dev/null +++ b/pkg/prebuild/prepare/server.go @@ -0,0 +1,105 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "fmt" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" +) + +var ( + serverIgnorePatterns = []string{ + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + "include ", + } + serverIgnoreGroups = []string{ + "akonadi", + "avahi", + "bluetooth", + "browsers", + "cosmic", + "cups", + "display-manager", + "flatpak", + "freedesktop", + "gnome", + "gvfs", + "hyprland", + "kde", + "lxqt", + "steam", + "xfce", + "zed", + } +) + +type Server struct { + prebuild.Base +} + +func init() { + RegisterTask(&Server{ + Base: prebuild.Base{ + Keyword: "server", + Msg: "Configure AppArmor for server", + }, + }) +} + +func (p Server) Apply() ([]string, error) { + res := []string{} + + // Ignore desktop related groups + groupNb := 0 + for _, group := range serverIgnoreGroups { + path := prebuild.RootApparmord.Join("groups", group) + if path.IsDir() { + if err := path.RemoveAll(); err != nil { + return res, err + } + groupNb++ + } else { + res = append(res, fmt.Sprintf("Group %s not found, ignoring", path)) + } + } + + // Ignore profiles using a desktop related abstraction + fileNb := 0 + files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + for _, file := range files { + if !file.Exist() { + continue + } + profile, err := file.ReadFileAsString() + if err != nil { + return res, err + } + for _, pattern := range serverIgnorePatterns { + if strings.Contains(profile, pattern) { + if err := file.RemoveAll(); err != nil { + return res, err + } + fileNb++ + break + } + } + } + + res = append(res, fmt.Sprintf("%d groups ignored", groupNb)) + res = append(res, fmt.Sprintf("%d profiles ignored", fileNb)) + return res, nil +} From e2f11d46b0a81322bfef9394d440a30edfc67958 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:48:59 +0200 Subject: [PATCH 559/798] tests(check): make the script configurable. Such that it can be used in downstream project with different folder structure. --- tests/check.sh | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 60e23c694..861ca84fa 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -11,9 +11,11 @@ set -eu -o pipefail RES=$(mktemp) echo "false" >"$RES" MAX_JOBS=$(nproc) +APPARMORD=${CHECK_APPARMORD:-apparmor.d} +SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list} declare WITH_CHECK declare _check_is_disabled -readonly RES MAX_JOBS APPARMORD="apparmor.d" +readonly APPARMORD SBIN_LIST RES MAX_JOBS readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } _warn() { @@ -500,14 +502,14 @@ _check_udev() { check_sbin() { local file name jobs - mapfile -t sbin Date: Sat, 6 Sep 2025 23:51:12 +0200 Subject: [PATCH 560/798] tests(check): add support for global exclusion. --- tests/check.sh | 42 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 861ca84fa..5b35f8816 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -15,6 +15,8 @@ APPARMORD=${CHECK_APPARMORD:-apparmor.d} SBIN_LIST=${CHECK_SBIN_LIST:-tests/sbin.list} declare WITH_CHECK declare _check_is_disabled +declare _check_is_disabled_global +_FILE_IGNORE_ALL=false readonly APPARMORD SBIN_LIST RES MAX_JOBS readonly reset="\033[0m" fgRed="\033[0;31m" fgYellow="\033[0;33m" fgWhite="\033[0;37m" BgWhite="\033[1;37m" _msg() { printf '%b%s%b\n' "$BgWhite" "$*" "$reset"; } @@ -44,6 +46,11 @@ _in_array() { _is_enabled() { local check="$1" if _in_array "$check" "${WITH_CHECK[@]}"; then + if [[ -n "${_check_is_disabled_global+x}" && ${#_check_is_disabled_global[@]} -gt 0 ]]; then + if _in_array "$check" "${_check_is_disabled_global[@]}"; then + return 1 + fi + fi if [[ -z "${_check_is_disabled+x}" || ${#_check_is_disabled[@]} -eq 0 ]]; then return 0 fi @@ -70,10 +77,18 @@ _ignore_lint() { local checks line="$1" if [[ "$line" =~ ^[[:space:]]*$_IGNORE_LINT=.*$ ]]; then - # Start of an ignore block - _IGNORE_LINT_BLOCK=true + # Start of an ignore block (or file-wide if in header) checks="${line#*"$_IGNORE_LINT="}" - read -ra _check_is_disabled <<<"${checks//,/ }" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + # Treat as file-wide ignore + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + _IGNORE_LINT_BLOCK=false + return 0 + fi + _IGNORE_LINT_BLOCK=true + _check_is_disabled=("${_parsed[@]}") elif [[ $_IGNORE_LINT_BLOCK == true && "$line" =~ ^[[:space:]]*$ ]]; then # New paragraph, end of block @@ -81,22 +96,33 @@ _ignore_lint() { _check_is_disabled=() elif [[ $_IGNORE_LINT_BLOCK == true ]]; then - # Nothing to do, we are in a block + # Nothing to do, we are in a block/paragraph return 0 elif [[ "$line" == *"$_IGNORE_LINT="* ]]; then - # Inline ignore + # Inline ignore (or file-wide if in header) checks="${line#*"$_IGNORE_LINT="}" - read -ra _check_is_disabled <<<"${checks//,/ }" + read -ra _parsed <<<"${checks//,/ }" + if (( line_number <= 10 )); then + _check_is_disabled_global=("${_parsed[@]}") + _FILE_IGNORE_ALL=true + return 0 + fi + _check_is_disabled=("${_parsed[@]}") else - _check_is_disabled=() + # Do not clear if file-wide ignore is set + if ! $_FILE_IGNORE_ALL; then + _check_is_disabled=() + fi fi } _check() { local file="$1" - local line_number=0 + line_number=0 + _FILE_IGNORE_ALL=false + _check_is_disabled_global=() while IFS= read -r line; do line_number=$((line_number + 1)) From c239203e724df124cd0c0e4a35794e661a84b065 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 6 Sep 2025 23:55:42 +0200 Subject: [PATCH 561/798] feat(abs): add the tpm abstraction. --- apparmor.d/abstractions/tpm | 16 ++++++++++++++++ apparmor.d/profiles-a-f/fwupd | 3 +-- apparmor.d/profiles-s-z/sbctl | 4 +--- 3 files changed, 18 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/abstractions/tpm diff --git a/apparmor.d/abstractions/tpm b/apparmor.d/abstractions/tpm new file mode 100644 index 000000000..ef7b30a2b --- /dev/null +++ b/apparmor.d/abstractions/tpm @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016-2017 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Communication to the system TPM chip over /dev/tpm@{int} and kernel TPM +# resource manager /dev/tpmrm@{int} + + abi , + + /dev/tpm@{int} rw, + /dev/tpmrm@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index d7a72c236..8447bff3e 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -20,6 +20,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include + include capability dac_override, capability dac_read_search, @@ -133,8 +134,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { /dev/mei@{int} rw, /dev/mem r, /dev/mtd@{int} rw, - /dev/tpm@{int} rw, - /dev/tpmrm@{int} rw, /dev/wmi/* r, profile gpg flags=(attach_disconnected,complain) { diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index ef007a32c..a4fdbac88 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/sbctl profile sbctl @{exec_path} { include + include capability dac_read_search, capability linux_immutable, @@ -34,9 +35,6 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, - /dev/pts/@{int} rw, - /dev/tpmrm@{int} rw, - # File Inherit deny network inet stream, deny network inet6 stream, From 2efdd6f5274af00e48adc4da0ab77e03805191f4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:43:44 +0200 Subject: [PATCH 562/798] feat(profile): improve ufw-init fix #843 --- apparmor.d/groups/firewall/ufw-init | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/firewall/ufw-init b/apparmor.d/groups/firewall/ufw-init index aae80b87d..fcb9d8b6c 100644 --- a/apparmor.d/groups/firewall/ufw-init +++ b/apparmor.d/groups/firewall/ufw-init @@ -11,8 +11,10 @@ profile ufw-init @{exec_path} { include include + capability dac_override, capability dac_read_search, capability net_admin, + capability net_raw, network inet dgram, network inet raw, @@ -27,12 +29,29 @@ profile ufw-init @{exec_path} { @{sbin}/sysctl rCx -> sysctl, @{sbin}/xtables-legacy-multi rix, @{sbin}/xtables-nft-multi rix, + @{bin}/kmod rCx -> kmod, /etc/default/ufw r, /etc/ufw/* r, + @{run}/xtables.lock rwk, + @{PROC}/@{pid}/net/ip_tables_names r, - # @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sys/kernel/modprobe r, + + profile kmod { + include + include + + capability sys_module, + + @{run}/xtables.lock r, + + @{sys}/module/compression r, + @{sys}/module/x_tables/initstate r, + + include if exists + } profile sysctl { include From 1defbbc416b3fcb74acc8a35707c3c6c1a68ae49 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:47:24 +0200 Subject: [PATCH 563/798] fix(abs): tmp path for wine tmp data. fix #836 --- apparmor.d/abstractions/wine | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/wine b/apparmor.d/abstractions/wine index 28d15cf76..145cd763a 100644 --- a/apparmor.d/abstractions/wine +++ b/apparmor.d/abstractions/wine @@ -9,9 +9,9 @@ owner @{user_share_dirs}/applications/wine/ rw, owner @{user_share_dirs}/applications/wine/**/ rw, - owner @{tmp}/.wine-@{uid}/ rw, - owner @{tmp}/.wine-@{uid}/** rwk, - owner @{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, + owner @{att}/@{tmp}/.wine-@{uid}/ rw, + owner @{att}/@{tmp}/.wine-@{uid}/** rwk, + owner @{att}/@{tmp}/.wine-@{uid}/server-fd@{int2}-@{hex}/tmpmap-@{hex8} m, owner /dev/shm/wine-@{hex6}-fsync rw, owner /dev/shm/wine-@{hex6}@{h}-fsync rw, From 06d476ccaa5eca22a6c70f1d39c13f8d061b6590 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:48:54 +0200 Subject: [PATCH 564/798] fix(profile): att on logind fix #833 --- apparmor.d/groups/systemd/systemd-logind | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 271354633..05c812b18 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -136,7 +136,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, - /dev/dri/card@{int} rw, + @{att}/dev/dri/card@{int} rw, /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, /dev/tty@{int} rw, From 4771e56d88d2e30032cb2de3e71247eee3210ddd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:49:59 +0200 Subject: [PATCH 565/798] feat(profile): git: allow transition to github cli. fix #829 --- apparmor.d/profiles-g-l/git | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 0538f5da0..01b491b98 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -65,6 +65,7 @@ profile git @{exec_path} flags=(attach_disconnected) { @{pager_path} rPx -> child-pager, + @{bin}/gh rPUx, @{bin}/man rPx, @{bin}/meld rPUx, @{lib}/code/extensions/git/dist/askpass.sh rPx, From 5fe9e0ee9e88984b01006fd797e1a386ade091bd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 19:52:40 +0200 Subject: [PATCH 566/798] feat(profile): support for Tumbleweed gs path. see #828 --- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/kde/kioworker | 2 +- tests/check.sh | 1 + 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index acae9b7a1..642d7ef5c 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -62,7 +62,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{bin}/chmod rix, @{bin}/cp rix, @{bin}/{,e}grep rix, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{bin}/hostname rix, @{bin}/ippfind rix, diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 71465df97..0fc81a764 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -41,7 +41,7 @@ profile kioworker @{exec_path} { @{lib}/libheif/*.so* rm, @{bin}/wrestool rPUx, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, #aa:exec kio_http_cache_cleaner diff --git a/tests/check.sh b/tests/check.sh index 5b35f8816..b54bc157a 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -221,6 +221,7 @@ declare -A EQUIVALENTS=( ["awk"]="{m,g,}awk" ["gawk"]="{m,g,}awk" ["grep"]="{,e}grep" + ["gs"]="gs{,.bin}" ["which"]="which{,.debianutils}" ) _check_equivalent() { From a87449268b227f1242445a9d66f52b62279dac94 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 20:05:19 +0200 Subject: [PATCH 567/798] feat(profile): various improvement for Tumbleweed fix #828 --- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/groups/kde/dolphin | 9 +++++++-- apparmor.d/groups/kde/kwin_x11 | 1 + apparmor.d/groups/kde/okular | 5 ++++- apparmor.d/profiles-g-l/libreoffice | 9 ++++++--- 5 files changed, 19 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index a06a29da4..b448c542d 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -46,7 +46,7 @@ owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk, + owner @{user_config_dirs}/session/*_* rwlk, owner @{user_config_dirs}/session/#@{int} rw, owner @{user_config_dirs}/trashrc r, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 2d3b099d7..022c0beec 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -25,7 +25,11 @@ profile dolphin @{exec_path} { network netlink raw, - signal (send) set=(term) peer=kioworker, + signal send set=hup peer=@{p_systemd}, + signal send set=term peer=kioworker, + + ptrace read peer=@{p_systemd}, + ptrace read peer=okular, @{exec_path} mr, @@ -109,10 +113,11 @@ profile dolphin @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, @{sys}/devices/virtual/block/dm-@{int}/uevent r, - /dev/tty r, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index f4f955a4f..ac80b3b18 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -41,6 +41,7 @@ profile kwin_x11 @{exec_path} { /usr/share/kwin-x11/{,**} r, /usr/share/kwin/{,**} r, /usr/share/plasma/desktoptheme/{,**} r, + /usr/share/sounds/*/stereo/*.oga r, /etc/machine-id r, /etc/xdg/plasmarc r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index acd9b7430..a2ffad26f 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -23,6 +23,8 @@ profile okular @{exec_path} { network netlink raw, + ptrace read peer=@{p_systemd}, + signal send set=term peer=kioworker, @{exec_path} mr, @@ -69,7 +71,7 @@ profile okular @{exec_path} { owner @{user_state_dirs}/#@{int} rw, owner @{user_state_dirs}/okularstaterc rw, - owner @{user_state_dirs}/okularstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/okularstaterc.@{rand6} rwlk -> @{user_state_dirs}/#@{int}, owner @{user_state_dirs}/okularstaterc.lock rwk, owner @{tmp}/#@{int} rw, @@ -82,6 +84,7 @@ profile okular @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, profile gpg { include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index dfb9361f3..de1c4a856 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -78,21 +78,24 @@ profile libreoffice @{exec_path} { /usr/share/mythes/{,**} r, /usr/share/thumbnailers/{,**} r, + /etc/cups/ppd/*.ppd r, /etc/java{,-}{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, - /etc/paperspecs r, /etc/papersize r, + /etc/paperspecs r, /etc/xdg/* r, /var/tmp/ r, owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w, owner @{user_cache_dirs}/libreoffice/{,**} rw, + + owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, - owner @{user_config_dirs}/soffice.*.lock rwk, owner @{user_config_dirs}/plasma_workspace.notifyrc r, - owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/soffice.*.lock rwk, + owner @{user_config_dirs}/soffice.binrc r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/user-places.xbel r, From e370a66c5be6193117a75e3e7c3f3b0d72564495 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 20:10:51 +0200 Subject: [PATCH 568/798] fix(profile): issues with stacking fix #819 --- apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/gnome/gnome-calculator | 2 +- apparmor.d/groups/procps/pgrep | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index cb7edf822..840500c52 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/xdg-settings -profile xdg-settings @{exec_path} { +profile xdg-settings @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 4e83bfb76..2f1cc0e89 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-calculator -profile gnome-calculator @{exec_path} { +profile gnome-calculator @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/procps/pgrep b/apparmor.d/groups/procps/pgrep index 489f55bd7..d10c1e772 100644 --- a/apparmor.d/groups/procps/pgrep +++ b/apparmor.d/groups/procps/pgrep @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/pgrep -profile pgrep @{exec_path} { +profile pgrep @{exec_path} flags=(attach_disconnected) { include include include From fda63da65e42a19f2216ecff92783cfa7675e3bd Mon Sep 17 00:00:00 2001 From: sbrantler Date: Wed, 3 Sep 2025 13:17:58 +0200 Subject: [PATCH 569/798] Add xfce-clipman --- apparmor.d/groups/xfce/xfce-clipman | 31 +++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 apparmor.d/groups/xfce/xfce-clipman diff --git a/apparmor.d/groups/xfce/xfce-clipman b/apparmor.d/groups/xfce/xfce-clipman new file mode 100644 index 000000000..270f7266f --- /dev/null +++ b/apparmor.d/groups/xfce/xfce-clipman @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Sighy Brantler +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xfce4-clipman +profile xfce-clipman @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r, + + owner @{user_cache_dirs}/xfce4/clipman/ r, + owner @{user_cache_dirs}/xfce4/clipman/* rw, + + owner @{user_config_dirs}/autostart/ r, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop rw, + owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop.@{rand6} rw, + + include if exists +} + +# vim:syntax=apparmor From 0f0082fd5b5fa2bb10244651f4ab81dacb6146c7 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Mon, 11 Aug 2025 10:27:07 -0600 Subject: [PATCH 570/798] Add profile for kinit --- apparmor.d/profiles-g-l/kinit | 39 +++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 apparmor.d/profiles-g-l/kinit diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit new file mode 100644 index 000000000..26cdcbd18 --- /dev/null +++ b/apparmor.d/profiles-g-l/kinit @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kinit +profile kinit @{exec_path} { + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + #Config Files + /etc/krb5.conf r, + /etc/krb5.conf.d/{,**} r, + + #Host keytab file + /etc/krb5.keytab r, + + #User keytab file + /var/lib/krb5/user/*/client.keytab r, + + #Credentials cache + /tmp/krb5cc_* rwk, + /tmp/tkt* rwk, + + include if exists +} + +# vim:syntax=apparmor From 4f4f5c464e7b0fb9b2392a0cbaec15b321c379a2 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Mon, 11 Aug 2025 10:27:57 -0600 Subject: [PATCH 571/798] Add profile for kdestroy --- apparmor.d/profiles-g-l/kdestroy | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 apparmor.d/profiles-g-l/kdestroy diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy new file mode 100644 index 000000000..1e34b0193 --- /dev/null +++ b/apparmor.d/profiles-g-l/kdestroy @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/kdestroy +profile kdestroy @{exec_path} { + include + + @{exec_path} mr, + + #Allow root to destroy other users' creds cache + capability dac_override, + + #Config Files + /etc/krb5.conf r, + /etc/krb5.conf.d/{,**} r, + + #Credentials cache + /tmp/krb5cc_* rwk, + /tmp/tkt* rwk, + + include if exists +} + +# vim:syntax=apparmor From a4798a2f383f205584a8cf11f715d4b0b3ea6ceb Mon Sep 17 00:00:00 2001 From: doublez13 Date: Mon, 11 Aug 2025 10:28:50 -0600 Subject: [PATCH 572/798] Add profile for klist --- apparmor.d/profiles-g-l/klist | 36 +++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 apparmor.d/profiles-g-l/klist diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist new file mode 100644 index 000000000..0dc0c89ba --- /dev/null +++ b/apparmor.d/profiles-g-l/klist @@ -0,0 +1,36 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/klist +profile klist @{exec_path} { + include + + @{exec_path} mr, + + #Allow root to list other users' creds cache + capability dac_override, + capability dac_read_search, + + #Config Files + /etc/krb5.conf r, + /etc/krb5.conf.d/{,**} r, + + #Host keytab file + /etc/krb5.keytab r, + + #User keytab file + /var/lib/krb5/user/*/client.keytab rk, + + #Credentials cache + /tmp/krb5cc_* rk, + /tmp/tkt* rk, + + include if exists +} + +# vim:syntax=apparmor From 7a610bb5fa9ad2ae370a71170c4142c0cdc8cdbe Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:37:53 -0600 Subject: [PATCH 573/798] Formatting Fix --- apparmor.d/profiles-g-l/kdestroy | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy index 1e34b0193..0a4ed9ab5 100644 --- a/apparmor.d/profiles-g-l/kdestroy +++ b/apparmor.d/profiles-g-l/kdestroy @@ -10,11 +10,11 @@ include profile kdestroy @{exec_path} { include - @{exec_path} mr, - #Allow root to destroy other users' creds cache capability dac_override, + @{exec_path} mr, + #Config Files /etc/krb5.conf r, /etc/krb5.conf.d/{,**} r, From 00f63f77e1881067c3ff447ac2b5dbbaa6fe2db1 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:39:34 -0600 Subject: [PATCH 574/798] Formatting Fix --- apparmor.d/profiles-g-l/klist | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index 0dc0c89ba..9deeeedd8 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -10,12 +10,12 @@ include profile klist @{exec_path} { include - @{exec_path} mr, - #Allow root to list other users' creds cache capability dac_override, capability dac_read_search, + @{exec_path} mr, + #Config Files /etc/krb5.conf r, /etc/krb5.conf.d/{,**} r, From c51f189ca0f6723475a0db2d860f58c28ccc8496 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:46:04 -0600 Subject: [PATCH 575/798] Use abstractions where possible --- apparmor.d/profiles-g-l/kdestroy | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/apparmor.d/profiles-g-l/kdestroy b/apparmor.d/profiles-g-l/kdestroy index 0a4ed9ab5..ccc0a2b25 100644 --- a/apparmor.d/profiles-g-l/kdestroy +++ b/apparmor.d/profiles-g-l/kdestroy @@ -9,16 +9,13 @@ include @{exec_path} = @{bin}/kdestroy profile kdestroy @{exec_path} { include + include #Allow root to destroy other users' creds cache capability dac_override, @{exec_path} mr, - #Config Files - /etc/krb5.conf r, - /etc/krb5.conf.d/{,**} r, - #Credentials cache /tmp/krb5cc_* rwk, /tmp/tkt* rwk, From 415bd4aa445e587e1e7df523af998c49dcd14758 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:48:57 -0600 Subject: [PATCH 576/798] Use abstractions where possible --- apparmor.d/profiles-g-l/kinit | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit index 26cdcbd18..067886f89 100644 --- a/apparmor.d/profiles-g-l/kinit +++ b/apparmor.d/profiles-g-l/kinit @@ -10,6 +10,7 @@ include profile kinit @{exec_path} { include include + include network inet dgram, network inet6 dgram, @@ -19,13 +20,6 @@ profile kinit @{exec_path} { @{exec_path} mr, - #Config Files - /etc/krb5.conf r, - /etc/krb5.conf.d/{,**} r, - - #Host keytab file - /etc/krb5.keytab r, - #User keytab file /var/lib/krb5/user/*/client.keytab r, From e86f77fa4bfd8a46fea4555f8829231737fcad51 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 07:50:41 -0600 Subject: [PATCH 577/798] Use abstractions where possible --- apparmor.d/profiles-g-l/klist | 7 ------- 1 file changed, 7 deletions(-) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index 9deeeedd8..c9e30b775 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -16,13 +16,6 @@ profile klist @{exec_path} { @{exec_path} mr, - #Config Files - /etc/krb5.conf r, - /etc/krb5.conf.d/{,**} r, - - #Host keytab file - /etc/krb5.keytab r, - #User keytab file /var/lib/krb5/user/*/client.keytab rk, From cbc4f19b8bdf264e56e138e36c16b4f3b7bdcc6c Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:10:11 -0600 Subject: [PATCH 578/798] Be more specific on client keytab path --- apparmor.d/profiles-g-l/kinit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/kinit b/apparmor.d/profiles-g-l/kinit index 067886f89..706a11c10 100644 --- a/apparmor.d/profiles-g-l/kinit +++ b/apparmor.d/profiles-g-l/kinit @@ -21,7 +21,7 @@ profile kinit @{exec_path} { @{exec_path} mr, #User keytab file - /var/lib/krb5/user/*/client.keytab r, + /var/lib/krb5/user/@{uid}/client.keytab r, #Credentials cache /tmp/krb5cc_* rwk, From 9cac4eeb901cfd4b5ce3633c26525ade4ff1afbe Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:11:43 -0600 Subject: [PATCH 579/798] Be more specific on client keytab path --- apparmor.d/profiles-g-l/klist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index c9e30b775..71411ccc9 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -17,7 +17,7 @@ profile klist @{exec_path} { @{exec_path} mr, #User keytab file - /var/lib/krb5/user/*/client.keytab rk, + /var/lib/krb5/user/@{uid}/client.keytab rk, #Credentials cache /tmp/krb5cc_* rk, From b1c0cfdab5ec66b3806117ed0be4d00a701a69e2 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:20:53 -0600 Subject: [PATCH 580/798] Use abstractions where possible --- apparmor.d/profiles-g-l/klist | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/klist b/apparmor.d/profiles-g-l/klist index 71411ccc9..f21f34295 100644 --- a/apparmor.d/profiles-g-l/klist +++ b/apparmor.d/profiles-g-l/klist @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/klist profile klist @{exec_path} { include + include #Allow root to list other users' creds cache capability dac_override, From 5c3c1522571432c0d5398959962974d7410de9ba Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 4 Sep 2025 08:35:36 -0600 Subject: [PATCH 581/798] Run kerberos utils in complain mode --- dists/flags/main.flags | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 2c01d9553..cd9a0e5a6 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -185,6 +185,7 @@ kconf_update complain kde-powerdevil attach_disconnected,mediate_deleted,complain kde-systemd-start-condition complain kded complain +kdestroy complain kdump_mem_estimator complain kdump-config attach_disconnected,complain kdump-tools-init complain,attach_disconnected @@ -193,9 +194,11 @@ kernel-install complain kernel-postinst-kdump complain keyboxd complain kglobalacceld complain +kinit complain kio_http_cache_cleaner complain kiod complain kioworker complain +klist complain konsole attach_disconnected,mediate_deleted,complain kscreen_backend_launcher complain kscreen_osd_service complain From 0ffc8f9fa6bbfa0af350019a1420c23fdbded7fd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 20:56:44 +0200 Subject: [PATCH 582/798] fix: self raised linter issue. --- apparmor.d/groups/cups/cups-backend-pdf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/cups/cups-backend-pdf b/apparmor.d/groups/cups/cups-backend-pdf index 6f658b064..21da6bf93 100644 --- a/apparmor.d/groups/cups/cups-backend-pdf +++ b/apparmor.d/groups/cups/cups-backend-pdf @@ -25,7 +25,7 @@ profile cups-backend-pdf @{exec_path} { @{sh_path} rix, @{bin}/cp rix, - @{bin}/gs rix, + @{bin}/gs{,.bin} rix, @{bin}/gsc rix, @{lib}/ghostscript/** mr, From 6400bc725c78d569dc70804e0f9c92d4fb35d787 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 21:20:32 +0200 Subject: [PATCH 583/798] tests: update some unit tests to the last changes. --- pkg/prebuild/builder/core_test.go | 48 ++++++++++++++++++++++++++++- pkg/prebuild/directive/dbus.go | 17 +++++++--- pkg/prebuild/directive/dbus_test.go | 8 +++-- 3 files changed, 64 insertions(+), 9 deletions(-) diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index c6c493472..6bcf74647 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -253,12 +253,58 @@ dbus send bus=session path=/org/freedesktop/DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), +}`, + }, + { + name: "base-strict-1", + b: Builders["base-strict"], + profile: ` +profile foo { + include +}`, + want: ` +profile foo { + include +}`, + }, + { + name: "attach-1", + b: Builders["attach"], + profile: ` +profile attach-1 flags=(attach_disconnected) { + include + include + include +}`, + want: ` +@{att} = /att/attach-1/ +profile attach-1 flags=(attach_disconnected,attach_disconnected.path=@{att}) { + include + include + include +}`, + }, + { + name: "attach-2", + b: Builders["attach"], + profile: ` +profile attach-2 flags=(complain) { + include + include + include +}`, + want: ` +@{att} = "" +profile attach-2 flags=(complain) { + include + include + include }`, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - opt := &Option{File: prebuild.RootApparmord.Join(tt.name)} + opt := &Option{File: prebuild.RootApparmord.Join(tt.name), Name: tt.name} got, err := tt.b.Apply(opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Builder.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 891eb9e1d..4862597bb 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -135,7 +135,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { } res = append(res, - // DBus.Properties + // DBus.Properties: reply to properties request from anyone &aa.Dbus{ Access: []string{"send", "receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Properties", @@ -143,7 +143,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { PeerName: `"{@{busname},org.freedesktop.DBus}"`, }, - // DBus.Introspectable + // DBus.Introspectable: allow clients to introspect the service &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.Introspectable", @@ -151,7 +151,7 @@ func (d Dbus) own(rules map[string]string) aa.Rules { PeerName: `"@{busname}"`, }, - // DBus.ObjectManager + // DBus.ObjectManager: allow clients to enumerate sources &aa.Dbus{ Access: []string{"receive"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", @@ -170,7 +170,14 @@ func (d Dbus) own(rules map[string]string) aa.Rules { func (d Dbus) talk(rules map[string]string) aa.Rules { interfaces := getInterfaces(rules) - res := aa.Rules{} + res := aa.Rules{ + &aa.Unix{ + Type: "stream", + Address: "none", + PeerLabel: rules["label"], + PeerAddr: "none", + }, + } // Interfaces for _, iface := range interfaces { @@ -198,7 +205,7 @@ func (d Dbus) talk(rules map[string]string) aa.Rules { PeerName: `"{@{busname},` + rules["name"] + `}"`, PeerLabel: rules["label"], }, - // DBus.ObjectManager + // DBus.ObjectManager: allow clients to enumerate sources &aa.Dbus{ Access: []string{"send"}, Bus: rules["bus"], Path: rules["path"], Interface: "org.freedesktop.DBus.ObjectManager", diff --git a/pkg/prebuild/directive/dbus_test.go b/pkg/prebuild/directive/dbus_test.go index 0844fd745..d6e90bb99 100644 --- a/pkg/prebuild/directive/dbus_test.go +++ b/pkg/prebuild/directive/dbus_test.go @@ -8,7 +8,7 @@ import ( "testing" ) -const dbusOwnSystemd1 = ` include +const dbusOwnSystemd1 = ` include dbus bind bus=system name=org.freedesktop.systemd1{,.*}, dbus receive bus=system path=/org/freedesktop/systemd1{,/**} @@ -73,7 +73,7 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", }, profile: " #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions", - want: ` include + want: ` include dbus bind bus=session name=com.rastersoft.ding{,.*}, dbus receive bus=session path=/com/rastersoft/ding{,/**} @@ -120,7 +120,9 @@ func TestDbus_Apply(t *testing.T) { Raw: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", }, profile: " #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon", - want: ` dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} + want: ` unix type=stream addr=none peer=(label=accounts-daemon, addr=none), + + dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} interface=org.freedesktop.Accounts{,.*} peer=(name="{@{busname},org.freedesktop.Accounts{,.*}}", label=accounts-daemon), dbus (send receive) bus=system path=/org/freedesktop/Accounts{,/**} From c4ebf8903e30ec49a16c7d5aeea74b726aeab8f1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 21:43:06 +0200 Subject: [PATCH 584/798] tests(builder): cleanup build settings between tests. --- cmd/prebuild/main_test.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go index d3c28f025..7bf2c0e1a 100644 --- a/cmd/prebuild/main_test.go +++ b/cmd/prebuild/main_test.go @@ -10,6 +10,8 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" + "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" ) func chdirGitRoot() { @@ -49,6 +51,8 @@ func Test_main(t *testing.T) { chdirGitRoot() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { + prepare.Prepares = []prepare.Task{} + builder.Builds = []builder.Builder{} prebuild.Distribution = tt.dist main() }) From 237daecedb362bf405b19b5402b5221d78f1f533 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 22:07:03 +0200 Subject: [PATCH 585/798] tests: remove prebuild main test. - the same is tested in the build process - unit test is done in the prebuild pkg --- cmd/prebuild/main_test.go | 60 --------------------------------------- 1 file changed, 60 deletions(-) delete mode 100644 cmd/prebuild/main_test.go diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go deleted file mode 100644 index 7bf2c0e1a..000000000 --- a/cmd/prebuild/main_test.go +++ /dev/null @@ -1,60 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package main - -import ( - "os" - "os/exec" - "testing" - - "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" -) - -func chdirGitRoot() { - cmd := exec.Command("git", "rev-parse", "--show-toplevel") - out, err := cmd.Output() - if err != nil { - panic(err) - } - root := string(out[0 : len(out)-1]) - if err := os.Chdir(root); err != nil { - panic(err) - } -} - -func Test_main(t *testing.T) { - tests := []struct { - name string - dist string - }{ - { - name: "Build for Archlinux", - dist: "arch", - }, - { - name: "Build for Ubuntu", - dist: "ubuntu", - }, - { - name: "Build for Debian", - dist: "debian", - }, - { - name: "Build for OpenSUSE Tumbleweed", - dist: "opensuse", - }, - } - chdirGitRoot() - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - prepare.Prepares = []prepare.Task{} - builder.Builds = []builder.Builder{} - prebuild.Distribution = tt.dist - main() - }) - } -} From 627700a152bbea3fdfd10c4c97009c92b4933bfb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 22:07:31 +0200 Subject: [PATCH 586/798] build: set config for ubuntu 25.10 --- cmd/prebuild/main.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 5eb1ab2f2..455621e5b 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -49,6 +49,9 @@ func init() { case "noble": prebuild.ABI = 4 prebuild.Version = 4.0 + case "questing": + prebuild.ABI = 4 + prebuild.Version = 5.0 } case "debian": From b45e1f36fee6fc038b8867f9ffc62a2ab866e433 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 22:59:00 +0200 Subject: [PATCH 587/798] build: add support for downstream project in some prepare tasks. --- pkg/prebuild/cli/cli.go | 5 ++++- pkg/prebuild/directories.go | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 981331edd..bf768c050 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -139,8 +139,11 @@ func Configure() { builder.Register("stacked-dbus") } else { + if !prebuild.DownStream { + prepare.Register("attach") + } builder.Register("attach") - prepare.Register("attach") + } default: diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 37cbc69bc..201d8c841 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -13,6 +13,9 @@ var ( // AppArmor version Version = 4.0 + // Tells the build we are a downstream project using apparmor.d as dependency + DownStream = false + // Either or not RBAC is enabled RBAC = false From f61f200427be4032873d39add37cf1f3f6796ca8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 23:52:11 +0200 Subject: [PATCH 588/798] build: ignore more abstraction for the server edition. --- pkg/prebuild/prepare/server.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkg/prebuild/prepare/server.go b/pkg/prebuild/prepare/server.go index 85f98e75d..fb9a1f602 100644 --- a/pkg/prebuild/prepare/server.go +++ b/pkg/prebuild/prepare/server.go @@ -14,6 +14,9 @@ import ( var ( serverIgnorePatterns = []string{ + "include ", + "include ", + "include ", "include ", "include ", "include ", From ca1827ea1207242018ba604c7a789b6beb0992e9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 7 Sep 2025 23:53:02 +0200 Subject: [PATCH 589/798] fix: missing attach_disconnected in parrent profile while subprofile was using it. --- apparmor.d/groups/utils/su | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/utils/su b/apparmor.d/groups/utils/su index 866da3d6a..e5293021c 100644 --- a/apparmor.d/groups/utils/su +++ b/apparmor.d/groups/utils/su @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/su -profile su @{exec_path} { +profile su @{exec_path} flags=(attach_disconnected) { include include include From aec8e413b36e0a8845ace7483a2299a9b957dc66 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Thu, 4 Sep 2025 16:58:49 +0200 Subject: [PATCH 590/798] fix slurp --- apparmor.d/profiles-s-z/slurp | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index c4250275e..c795ee08e 100644 --- a/apparmor.d/profiles-s-z/slurp +++ b/apparmor.d/profiles-s-z/slurp @@ -16,6 +16,7 @@ profile slurp @{exec_path} { # often used in combination with grim screen cature tool owner /dev/shm/grim-@{rand6} rw, + owner /dev/shm/@{uuid} r, include if exists } From d9ecbdbe4b87418e6ed2e4432240eaadc5bad8ad Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Mon, 8 Sep 2025 16:14:44 +0200 Subject: [PATCH 591/798] slurp review fixes --- apparmor.d/profiles-s-z/slurp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/slurp b/apparmor.d/profiles-s-z/slurp index c795ee08e..740af9b7b 100644 --- a/apparmor.d/profiles-s-z/slurp +++ b/apparmor.d/profiles-s-z/slurp @@ -9,6 +9,8 @@ include @{exec_path} = @{bin}/slurp profile slurp @{exec_path} { include + include + include @{exec_path} mr, @@ -16,7 +18,6 @@ profile slurp @{exec_path} { # often used in combination with grim screen cature tool owner /dev/shm/grim-@{rand6} rw, - owner /dev/shm/@{uuid} r, include if exists } From b569d447031d6a8fe31cdfc1fd0a3540e71f1ded Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 22:09:38 +0200 Subject: [PATCH 592/798] feat(profile): update apt profiles. --- apparmor.d/abstractions/common/apt | 6 +++++- apparmor.d/groups/apt/apt | 4 +++- apparmor.d/groups/apt/apt-helper | 2 ++ apparmor.d/groups/apt/apt-methods-http | 2 ++ apparmor.d/groups/apt/deb-systemd-invoke | 2 ++ apparmor.d/groups/apt/dpkg | 3 +++ apparmor.d/groups/apt/dpkg-buildflags | 5 ++++- apparmor.d/groups/apt/dpkg-checkbuilddeps | 11 ++++++++--- apparmor.d/groups/apt/dpkg-script-apparmor | 7 +++++++ apparmor.d/groups/apt/dpkg-scripts | 4 ++++ apparmor.d/groups/apt/unattended-upgrade | 4 ++++ 11 files changed, 44 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index a267fd909..bec8d9a20 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -6,6 +6,7 @@ abi , /usr/share/dpkg/cputable r, + /usr/share/dpkg/ostable r, /usr/share/dpkg/tupletable r, /usr/share/dpkg/varianttable r, @@ -19,6 +20,9 @@ /etc/apt/sources.list.d/ r, /etc/apt/sources.list.d/*.{sources,list} r, + /etc/apt/trusted.gpg r, + /etc/apt/trusted.gpg.d/{,*} r, + /var/lib/apt/lists/{,**} r, /var/lib/apt/extended_states r, @@ -26,7 +30,7 @@ /var/cache/apt/srcpkgcache.bin r, /var/lib/dpkg/status r, - /var/lib/ubuntu-advantage/apt-esm/{,**} r, + /var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 9bdabb1c2..ade8bee61 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -147,6 +147,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /tmp/ r, /tmp/apt-changelog-*/ w, /tmp/apt-changelog-*/*.changelog w, + /tmp/apt-tmp-index.@{rand6} rw, owner @{tmp}/apt-changelog-*/.apt-acquire-privs-test.* rw, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, @@ -190,6 +191,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/bunzip2 rix, @{bin}/chmod rix, + @{bin}/bzip2 rix, @{bin}/gunzip rix, @{bin}/gzip rix, @{bin}/patch rix, @@ -197,7 +199,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/tar rix, @{bin}/xz rix, - /etc/dpkg/origins/debian r, + /etc/dpkg/origins/* r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, owner @{HOME}/** rwkl -> @{HOME}/**, diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index 5a2d7dd55..f16e98d2f 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -25,6 +25,8 @@ profile apt-helper @{exec_path} { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 61be160dc..77a418b07 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -74,6 +74,8 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) { @{run}/ubuntu-advantage/aptnews.json rw, owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{PROC}/1/cgroup r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/apt/deb-systemd-invoke b/apparmor.d/groups/apt/deb-systemd-invoke index d2e9e9260..824d3b4dd 100644 --- a/apparmor.d/groups/apt/deb-systemd-invoke +++ b/apparmor.d/groups/apt/deb-systemd-invoke @@ -15,6 +15,8 @@ profile deb-systemd-invoke @{exec_path} { capability net_admin, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 2c1ac1ce5..986c6f188 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -18,6 +18,9 @@ profile dpkg @{exec_path} { capability fowner, capability fsetid, capability setgid, + capability sys_ptrace, + + ptrace read peer=apt, @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 467d0d50e..1a4055f77 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -14,10 +14,13 @@ profile dpkg-buildflags @{exec_path} flags=(complain) { @{exec_path} r, - /etc/dpkg/origins/debian r, + /usr/share/lto-disabled-list/lto-disabled-list r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /usr/share/dpkg/abitable r, + + /etc/dpkg/origins/* r, owner @{user_config_dirs}/dpkg/buildflags.conf r, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 6f54d3967..712a74e8c 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -11,16 +11,21 @@ include profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include include + include @{exec_path} r, - /etc/dpkg/origins/debian r, - - /var/lib/dpkg/status r, + @{bin}/dpkg rPx, + @{bin}/@{multiarch}gcc-@{int} mrix, + /usr/share/dpkg/ostable r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, + /etc/dpkg/origins/* r, + + /var/lib/dpkg/status r, + # For package building owner @{user_build_dirs}/**/debian/control r, diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor index 38a068ac0..73a4f6c46 100644 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ b/apparmor.d/groups/apt/dpkg-script-apparmor @@ -2,6 +2,8 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# TODO: merge with dpkg-scripts + abi , include @@ -16,8 +18,13 @@ profile dpkg-script-apparmor @{exec_path} { @{exec_path} mrix, @{bin}/{,e}grep ix, + @{bin}/cat ix, + @{bin}/chmod ix, + @{bin}/mkdir ix, @{bin}/deb-systemd-helper Px, + @{bin}/dpkg-maintscript-helper Px, + @{bin}/dpkg Px -> child-dpkg, @{bin}/deb-systemd-invoke Px, @{bin}/dpkg-divert ix, @{bin}/systemctl Cx -> systemctl, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 8ae76e706..acde577de 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -114,6 +114,10 @@ profile dpkg-scripts @{exec_path} { capability sys_ptrace, capability sys_resource, + signal send set=(cont term) peer=systemd-tty-ask-password-agent, + + ptrace read peer=@{p_systemd}, + @{bin}/systemd-tty-ask-password-agent Px, @{pager_path} Px -> child-pager, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d501a325f..ebdc88d08 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -38,6 +38,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { unix type=stream addr=@@{udbus}/bus/unattended-upgr/system, + #aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade + @{exec_path} mr, @{bin}/ r, @@ -70,6 +72,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{lib}/zsys-system-autosnapshot Px, /usr/share/distro-info/* r, + /usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r, @{etc_ro}/login.defs r, @{etc_ro}/security/capability.conf r, @@ -127,6 +130,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/attr/current r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/fd/ r, From 394dc54ceb7ff80bbbde064992f1580eee64e0ac Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 22:13:12 +0200 Subject: [PATCH 593/798] feat(profile): update snap profiles. --- apparmor.d/groups/snap/snap | 31 +++++++++++++++++++++++++-- apparmor.d/groups/snap/snap-update-ns | 4 +++- apparmor.d/groups/snap/snapd | 14 ++++++++---- 3 files changed, 42 insertions(+), 7 deletions(-) diff --git a/apparmor.d/groups/snap/snap b/apparmor.d/groups/snap/snap index 0d38fc055..9530b8594 100644 --- a/apparmor.d/groups/snap/snap +++ b/apparmor.d/groups/snap/snap @@ -17,13 +17,19 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include include + include capability chown, capability dac_override, capability dac_read_search, capability setuid, capability sys_admin, + capability sys_ptrace, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, network netlink raw, ptrace read peer=snap.*, @@ -36,7 +42,7 @@ profile snap @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=io.snapcraft.SessionAgent #aa:dbus own bus=session name=io.snapcraft.Settings - #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store + #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.* #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}" #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}" @@ -59,9 +65,11 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} rCx -> gpg, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-run rCx -> run, # Start snap from the cli + @{bin}/unsquashfs rCx -> unsquashfs, @{bin}/xdg-settings rCx -> xdg-settings, - @{lib_dirs}/** mr, + @{bin_dirs}/xdelta3 ix, + @{lib_dirs}/** mr, @{lib_dirs}/snapd/snap-confine rPx, @{lib_dirs}/snapd/snap-seccomp rPx, @{lib_dirs}/snapd/snapd rPx, @@ -80,6 +88,9 @@ profile snap @{exec_path} flags=(attach_disconnected) { @{HOME}/.snap/{,**} rw, @{HOME}/snap/{,**} rw, + @{user_pkg_dirs}/** r, + + owner @{tmp}/read-file@{int}/unpack/{,**} w, owner @{tmp}/snapd-auto-import-mount-@{int}/ rw, @{run}/user/@{uid}/bus rw, @@ -176,14 +187,30 @@ profile snap @{exec_path} flags=(attach_disconnected) { include include + capability net_admin, + network unix stream, + network (send receive) netlink raw, + @{run}/systemd/notify w, owner @{run}/user/@{uid}/systemd/notify rw, owner @{run}/user/@{uid}/systemd/private rw, include if exists } + profile unsquashfs { + include + + @{bin}/unsquashfs mr, + + /**.snap r, + + owner /tmp/read-file@{int}/unpack/{,**} w, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/snap/snap-update-ns b/apparmor.d/groups/snap/snap-update-ns index e831cc90c..5d08a4240 100644 --- a/apparmor.d/groups/snap/snap-update-ns +++ b/apparmor.d/groups/snap/snap-update-ns @@ -34,7 +34,9 @@ profile snap-update-ns @{exec_path} { @{lib_dirs}/**.so* mr, @{lib}/@{multiarch}/webkit2gtk-@{version}/ w, - /usr/share/xml/iso-codes/ w, + + /usr/share/xml/ r, + /usr/share/xml/iso-codes/ rw, /var/lib/snapd/mount/{,*} r, diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd index 4a928e6d4..87e535b3f 100644 --- a/apparmor.d/groups/snap/snapd +++ b/apparmor.d/groups/snap/snapd @@ -97,10 +97,11 @@ profile snapd @{exec_path} { @{lib_dirs}/snapd/snap-update-ns rPx, /usr/share/bash-completion/{,**} r, - /usr/share/dbus-1/{system,session}.d/{,snapd*} rw, + /usr/share/dbus-1/{system,session}.d/ rw, + /usr/share/dbus-1/{system,session}.d/snapd* rw, /usr/share/dbus-1/services/*snap* r, /usr/share/polkit-1/actions/{,**} r, - /usr/share/polkit-1/actions/snap.*.policy r, + /usr/share/polkit-1/actions/snap.*.policy* rw, @{etc_ro}/environment r, /etc/apparmor.d/*snapd.snap* r, @@ -190,6 +191,8 @@ profile snapd @{exec_path} { network netlink raw, + ptrace read peer=@{p_systemd}, + /etc/systemd/system/{,**/} r, /etc/systemd/system/snap* rw, /etc/systemd/user/{,**/} rw, @@ -229,9 +232,12 @@ profile snapd @{exec_path} { include @{sbin}/runuser mr, - @{bin}/tar ix, - owner @{HOME}/snap/*/common/.cache/{,**} r, + @{sh_path} ix, + @{bin}/gzip ix, + @{bin}/tar ix, + + owner @{HOME}/snap/*/{,**} r, include if exists } From f69a7e7213d81ddd0c3c760400edfdc025be05e0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:04:36 +0200 Subject: [PATCH 594/798] feat(profile): update gnome profiles. --- .../bus/org.gnome.keyring.internal.Prompter | 2 + .../gnome/evolution-addressbook-factory | 2 + .../groups/gnome/evolution-calendar-factory | 1 + apparmor.d/groups/gnome/gdm | 25 ++++++----- apparmor.d/groups/gnome/gdm-generate-config | 3 +- apparmor.d/groups/gnome/gio-launch-desktop | 2 + apparmor.d/groups/gnome/gnome-calculator | 2 + apparmor.d/groups/gnome/gnome-calendar | 15 +++---- apparmor.d/groups/gnome/gnome-control-center | 9 +++- .../groups/gnome/gnome-disk-image-mounter | 7 +++ apparmor.d/groups/gnome/gnome-extension-ding | 4 +- .../groups/gnome/gnome-extension-gsconnect | 1 + apparmor.d/groups/gnome/gnome-keyring-daemon | 9 ++-- apparmor.d/groups/gnome/gnome-session | 10 +++++ apparmor.d/groups/gnome/gnome-shell | 44 ++++++++++--------- apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/gnome/gnome-text-editor | 1 + apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/gnome/gsd-power | 10 ++++- .../groups/gnome/gsd-print-notifications | 2 +- apparmor.d/groups/gnome/gsd-sharing | 5 +++ apparmor.d/groups/gnome/gsd-usb-protection | 5 +++ apparmor.d/groups/gnome/kgx | 1 + apparmor.d/groups/gnome/localsearch | 7 +++ apparmor.d/groups/gnome/mutter-x11-frames | 1 + apparmor.d/groups/gnome/nautilus | 9 ++++ apparmor.d/groups/gnome/papers | 9 ++++ apparmor.d/groups/gnome/ptyxis | 2 +- apparmor.d/groups/gnome/ptyxis-agent | 11 ++++- apparmor.d/groups/gnome/tracker-extract | 5 +-- apparmor.d/groups/gnome/tracker-miner | 4 +- apparmor.d/tunables/multiarch.d/system-users | 2 +- 32 files changed, 154 insertions(+), 59 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter index 1c3e8f760..0816b046f 100644 --- a/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter +++ b/apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter @@ -11,6 +11,8 @@ abi , + unix type=stream peer=(label=gnome-keyring-daemon), + dbus send bus=session path=/org/gnome/keyring/Prompter interface=org.gnome.keyring.internal.Prompter member={BeginPrompting,PerformPrompt,StopPrompting} diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index b56af123d..56fd3ce3f 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -27,7 +27,9 @@ profile evolution-addressbook-factory @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookCursor #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory + #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookView dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/** interface=org.gnome.evolution.dataserver.* diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 3d1d00f28..2ee416bd9 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,6 +12,7 @@ profile evolution-calendar-factory @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 4c84fe822..3f958cb7e 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -17,6 +17,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { capability chown, capability dac_override, capability dac_read_search, + capability fowner, capability fsetid, capability kill, capability net_admin, @@ -54,6 +55,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /usr/share/wayland-sessions/*.desktop r, /usr/share/xsessions/*.desktop r, + /etc/.pwd.lock rwk, /etc/default/locale r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, @@ -66,18 +68,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) { /var/log/gdm{3,}/ rw, - owner @{GDM_HOME}/block-initial-setup rw, - - @{run}/gdm{3,}/greeter/ rw, - @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/sessions/* r, - @{run}/systemd/users/@{uid} r, - owner @{run}/gdm{3,}.pid rw, - owner @{run}/gdm{3,}/ rw, - owner @{run}/gdm{3,}/custom.conf r, - owner @{run}/gdm{3,}/dbus/ w, - owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, - owner @{run}/gdm{3,}/gdm.pid rw, + @{GDM_HOME}/ rw, + @{GDM_HOME}/** rw, + + @{run}/gdm{,3}/ rw, + owner @{run}/gdm{,3}.pid rw, + owner @{run}/gdm{,3}/dbus/ rw, + owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw, + + @{run}/systemd/seats/seat@{int} r, + @{run}/systemd/sessions/* r, + @{run}/systemd/users/@{uid} r, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index 6e67866f5..c5e6d4cd5 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -44,8 +44,9 @@ profile gdm-generate-config @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/status r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/tty/drivers r, @{PROC}/uptime r, profile pgrep { diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index a3d285e94..eb76f1207 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -33,6 +33,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { @{bin}/gnome-terminal rPUx, @{lib}/gio-launch-desktop rix, + @{lib}/*/** rPx, + @{lib}/* rPx, owner @{HOME}/{,**} rw, diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2f1cc0e89..4ab9b165f 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -20,6 +20,8 @@ profile gnome-calculator @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.gnome.Calculator + @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 7d6d5246d..872fc6858 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -24,20 +24,19 @@ profile gnome-calendar @{exec_path} { #aa:dbus own bus=session name=org.gnome.Calendar + #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar path=/org/gnome/evolution/dataserver/ label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarFactory label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry - #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source path=/org/gnome/evolution/dataserver/ label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry + #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Subprocess label=evolution-calendar-factory #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell - #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" - - dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=evolution-source-registry), @{exec_path} mr, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 10f310232..8ef24e9ce 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -41,10 +41,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Settings #aa:dbus own bus=session name=org.bluez.obex.Agent1 + #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd #aa:dbus talk bus=session name=org.bluez.obex label=obexd #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell - #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary + #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell @@ -53,6 +54,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}" #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd + #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}" @@ -63,6 +65,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon} + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, @{bin}/@{shells} rUx, diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 379a887b3..519a248d8 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,10 +9,17 @@ include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include + include + include + include + include + include include include include + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd + @{exec_path} mr, # Allow to mount user files diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index e47cc66a3..be7edcd79 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -58,8 +58,8 @@ profile gnome-extension-ding @{exec_path} { @{share_dirs}/{,**} r, /usr/share/thumbnailers/{,*.thumbnailer} r, - owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, - owner @{HOME}/@{XDG_DESKTOP_DIR}/ r, + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, owner @{user_share_dirs}/nautilus/scripts/ r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 22c02a97f..7af7b8b2f 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -75,6 +75,7 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{run}/user/@{uid}/gsconnect/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + owner @{run}/user/@{uid}/keyring/ssh rw, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 6752f54d4..595b3fd48 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -19,12 +19,15 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { capability ipc_lock, - signal (receive) set=(term) peer=gdm, - signal (send) set=(term) peer=ssh-agent, + signal receive set=(term) peer=gdm, + signal send set=(term) peer=ssh-agent, + + unix type=stream peer=(label=snap.*), #aa:dbus own bus=session name=org.gnome.keyring #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s} - #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret + #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 7bcf80431..257e91c0a 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -16,6 +16,14 @@ profile gnome-session @{exec_path} { include include + signal receive set=term peer=gdm, + signal receive set=term peer=gdm-session, + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mrix, @{shells_path} rix, @@ -64,6 +72,8 @@ profile gnome-session @{exec_path} { owner @{HOME}/ r, + owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 7344b735b..8278ac648 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -24,13 +24,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include include + include include include include @@ -72,6 +72,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=com.canonical.{U,u}nity + #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem #aa:dbus own bus=session name=org.freedesktop.a11y.Manager @@ -79,6 +80,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher + #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting # Talk with gnome-shell @@ -87,32 +89,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}" #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding + #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs #aa:dbus talk bus=session name=org.gnome.* label=gnome-* - #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*" + #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - # System bus - - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=RegisterAuthenticationAgent - peer=(name=:*, label="@{p_polkitd}"), - dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent - interface=org.freedesktop.PolicyKit1.AuthenticationAgent - member=BeginAuthentication - peer=(name=:*, label="@{p_polkitd}"), - - dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager - interface=org.freedesktop.NetworkManager.AgentManager - member={RegisterWithCapabilities,Unregister} - peer=(name=:*, label=NetworkManager), # Session bus @@ -156,7 +145,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -181,8 +170,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sh_path} rCx -> shell, @{bin}/pkexec rCx -> pkexec, - @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + @{lib}/gio-launch-desktop rCx -> open, + @{python_path} rCx -> python, @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, @@ -278,15 +268,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw, owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w, - owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r, owner @{user_cache_dirs}/gnome-boxes/*.png r, owner @{user_cache_dirs}/gnome-photos/{,**} r, owner @{user_cache_dirs}/gnome-screenshot/{,**} rw, owner @{user_cache_dirs}/gnome-software/icons/{,**} r, + owner @{user_cache_dirs}/gsconnect/@{hex32} r, owner @{user_cache_dirs}/libgweather/{,**} rw, owner @{user_cache_dirs}/media-art/{,**} r, owner @{user_cache_dirs}/vlc/**/*.jpg r, + owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, owner @{run}/user/@{uid}/app/*/*.@{rand6} r, @@ -337,7 +328,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/class/net/ r, @{sys}/class/power_supply/ r, @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/gpu_busy_percent r, @{sys}/devices/@{pci}/input@{int}/{properties,name} r, + @{sys}/devices/@{pci}/mem_info_vram_* r, @{sys}/devices/@{pci}/net/*/statistics/collisions r, @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r, @@ -351,6 +344,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/power_supply/{,**} r, @{sys}/devices/platform/**/input@{int}/{properties,name} r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/net/*/statistics/collisions r, @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r, @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r, @@ -431,6 +426,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include if exists } + profile python { + include + include + + # /usr/share/gnome-shell/extensions/{,**} + + include if exists + } + profile open flags=(attach_disconnected,mediate_deleted,complain) { include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index baaac245f..247436318 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -45,6 +45,7 @@ profile gnome-software @{exec_path} { @{bin}/baobab rPUx, @{bin}/bwrap rPx -> flatpak-app, @{bin}/fusermount{,3} rCx -> fusermount, + @{bin}/gnome-control-center rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 5c8ab7c8a..8aa950e2c 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -10,6 +10,7 @@ include profile gnome-text-editor @{exec_path} { include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 83fcbd7c6..35714fa0b 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,9 +11,9 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include include include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 63ab49c5e..0f77b023e 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -40,16 +40,22 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Shell.Brightness label=gnome-shell dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight member=GetBrightness - peer=(name=:*, label="@{p_upowerd}"), + peer=(name=@{busname}, label="@{p_upowerd}"), dbus receive bus=session path=/org/gtk/Settings interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gsd-xsettings), + peer=(name=@{busname}, label=gsd-xsettings), + + dbus send bus=system path=/org/freedesktop/login1 + interface=org.freedesktop.login1.Manager + member=Suspend + peer=(name=@{busname}, label="@{p_systemd_logind}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 59123f485..c5be27f27 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -30,7 +30,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/cups/cupsd/Notifier interface=org.cups.cupsd.Notifier - member={ServerStarted,PrinterDeleted,PrinterStopped} + member={ServerStarted,PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded} peer=(name=@{busname}, label=cups-notifier-dbus), dbus receive bus=session diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 7b47b0676..b6d90d5e3 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -31,6 +31,11 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=:*, label=gnome-shell), + dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3 + interface=org.freedesktop.NetworkManager.VPN.Connection + member=VpnStateChanged + peer=(name=@{busname}, label=NetworkManager), + @{exec_path} mr, /usr/share/dconf/profile/gdm r, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 7f03d9fc5..59e67d9bf 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -16,6 +16,11 @@ profile gsd-usb-protection @{exec_path} { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index a32a3d8c3..f843d6c14 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -39,6 +39,7 @@ profile kgx @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index d5700db7c..c041cdf99 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -47,6 +47,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { /usr/share/osinfo/{,**} r, /usr/share/poppler/{,**} r, + /etc/fstab r, + # Allow to search user files owner @{HOME}/ r, owner @{HOME}/{,**} r, @@ -57,6 +59,11 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/tracker3/files/ rw, owner @{user_cache_dirs}/tracker3/files/** rwk, + owner @{GDM_HOME}/ r, + owner @{GDM_HOME}/*/ r, + owner @{gdm_cache_dirs}/tracker3/{,**} rwk, + owner @{gdm_config_dirs}/user-dirs.dirs r, + @{run}/mount/utab r, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index ae225aa65..92e619e5c 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -29,6 +29,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { /usr/share/gdm/greeter-dconf-defaults r, owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{gdm_cache_dirs}//fontconfig/ rw, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, owner @{gdm_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index d8e7c3341..a91a154a7 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -66,6 +66,15 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { member=NameHasOwner peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session + interface=org.freedesktop.Application + member=Open, + + dbus send bus=session path=/org/gnome/Nautilus + interface=org.gtk.Application + member={CommandLine,DescribeAll} + peer=(name=org.gnome.Nautilus, label=nautilus), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 0318c7265..6c4fe6f12 100644 --- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -20,18 +20,27 @@ profile papers @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026 + interface=org.freedesktop.portal.Session + member=Close + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + @{exec_path} mr, @{open_path} Cx -> open, /usr/share/poppler/{,**} r, + /etc/passwd r, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw, + /tmp/ r, + /var/tmp/ r, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/papers-@{int}/{,**} rw, owner @{tmp}/gtkprint_@{rand6} rw, diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index b0239f404..ac47b5460 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -16,7 +16,7 @@ profile ptyxis @{exec_path} { unix type=stream peer=(label=ptyxis-agent), - #aa:dbus own bus=session name=org.gnome.Ptyxis + #aa:dbus own bus=session name=org.gnome.Ptyxis interface+=org.freedesktop.Application @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 982afd90d..2735e0c5d 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -16,10 +16,12 @@ profile ptyxis-agent @{exec_path} { include include - signal send set=hup peer=unconfined, + signal send set=hup peer=@{p_systemd}, ptrace read, + unix type=stream peer=(label=ptyxis), + @{exec_path} mr, @{bin}/podman Px, @@ -42,8 +44,15 @@ profile ptyxis-agent @{exec_path} { unix bind type=stream addr=@@{udbus}/bus/systemd-run/, @{bin}/systemd-run mr, + + # The shell is not confined on purpose. @{bin}/@{shells} Ux, + # Some CLI program can be launched directly from Gnome Shell + @{bin}/htop Px, + @{bin}/micro PUx, + @{bin}/nvtop Px, + owner @{run}/user/@{uid}/systemd/private rw, include if exists diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index e8612f7b6..3f9f49281 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -13,6 +13,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -20,6 +21,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include network netlink raw, @@ -73,9 +75,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} r, - /dev/video@{int} rw, - # file_inherit owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 6b358c8b0..7f7a3a8e4 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -15,11 +15,13 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include include include include include include + include include include @@ -86,8 +88,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/media@{int} rw, - /dev/video@{int} rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 1513aae2f..07450efff 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -5,7 +5,7 @@ # Define some extra paths for some commonly used system user # Full path of the GDM configuration directories -@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/{,gdm-}greeter/ +@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ @{gdm_config_dirs}=@{GDM_HOME}/.config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ From 009fb9285d497eae14b08032b43f44e81c862823 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:05:34 +0200 Subject: [PATCH 595/798] feat(profile): update gvfsd profiles. --- apparmor.d/groups/gvfs/gvfsd-fuse | 12 ++++++++++-- apparmor.d/groups/gvfs/gvfsd-sftp | 20 +++++++++----------- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 ++ 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 2695a1bf7..4741b0f31 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -23,17 +23,25 @@ profile gvfsd-fuse @{exec_path} { dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=RegisterFuse - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), + + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label=gvfsd-sftp), @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, + owner @{run}/user/@{uid}/gvfsd-fuse/ rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} w, + @{PROC}/sys/fs/pipe-max-size r, /dev/fuse rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 76bb55e98..1019a1525 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -17,28 +17,26 @@ profile gvfsd-sftp @{exec_path} { include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} + #aa:dbus talk bus=session name=org.gtk.vfs.{M,m}ountTracker label=gvfsd dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection - peer=(name=@{busname}, label=gnome-extension-gsconnect), - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=nautilus), + peer=(name=@{busname}), dbus receive bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gvfsd), + + dbus send bus=session path=/org/gtk/gvfs/mountop/@{int} + interface=org.gtk.vfs.MountOperation + member={AskQuestion,AskPassword} + peer=(name=@{busname}), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 0dee4e73b..7f4c20718 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -15,6 +15,7 @@ profile gvfsd-wsdd @{exec_path} { include include + network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd @@ -47,6 +48,7 @@ profile gvfsd-wsdd @{exec_path} { @{bin}/env mr, @{bin}/wsdd rPx, + @{run}/avahi-daemon/socket rw, @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, owner @{run}/user/@{uid}/gvfsd/wsdd rw, From fecb4dbca6645341359e367e80d70a5e222f13be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:06:35 +0200 Subject: [PATCH 596/798] feat(profile): update flatpak profiles. --- apparmor.d/groups/flatpak/flatpak | 13 +++++++++++++ apparmor.d/groups/flatpak/flatpak-portal | 1 + apparmor.d/groups/flatpak/flatpak-session-helper | 5 +++++ apparmor.d/groups/flatpak/flatpak-system-helper | 1 + 4 files changed, 20 insertions(+) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index e73408a0a..bd749db40 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -40,6 +40,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain signal send peer=flatpak-app, + unix type=seqpacket peer=(label=flatpak-system-helper), + unix type=stream peer=(label=flatpak//fusermount), + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.Flatpak.SystemHelper label=flatpak-system-helper #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @@ -47,6 +50,16 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ReloadConfig + peer=(name=org.freedesktop.DBus, label=dbus-session//&unconfined), + + dbus send bus=system path=/org/freedesktop/Flatpak/SystemHelper + interface=org.freedesktop.Flatpak.SystemHelper + member=GetRevokefsFd + peer=(name=org.freedesktop.Flatpak.SystemHelper), + @{exec_path} mr, @{bin}/bwrap rPx -> flatpak-app, diff --git a/apparmor.d/groups/flatpak/flatpak-portal b/apparmor.d/groups/flatpak/flatpak-portal index fdbdb9189..97f9f4911 100644 --- a/apparmor.d/groups/flatpak/flatpak-portal +++ b/apparmor.d/groups/flatpak/flatpak-portal @@ -11,6 +11,7 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper index 162e3b448..8a8f5afb7 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -21,6 +21,11 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.Flatpak + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{shells_path} rUx -> user_unconfined, diff --git a/apparmor.d/groups/flatpak/flatpak-system-helper b/apparmor.d/groups/flatpak/flatpak-system-helper index cdfef1bad..0bd74bdcb 100644 --- a/apparmor.d/groups/flatpak/flatpak-system-helper +++ b/apparmor.d/groups/flatpak/flatpak-system-helper @@ -34,6 +34,7 @@ profile flatpak-system-helper @{exec_path} { unix type=seqpacket peer=(label=unconfined), #aa:dbus own bus=system name=org.freedesktop.Flatpak.SystemHelper + #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon @{exec_path} mr, From d0657d2c26644a386bc0078ec6f83ffebaa1a03e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:10:19 +0200 Subject: [PATCH 597/798] feat(profile): update network profiles. --- apparmor.d/groups/network/NetworkManager | 30 ++++++++++++++++++++++ apparmor.d/groups/network/netplan | 9 +++++++ apparmor.d/groups/network/netplan-generate | 2 ++ apparmor.d/groups/network/nmcli | 14 ++++++++++ apparmor.d/groups/network/openvpn | 2 ++ 5 files changed, 57 insertions(+) diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f27449e77..2959441c4 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -48,6 +48,23 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}), + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=gnome-control-center), + + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=nm-online), + dbus send bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher member=Action2 @@ -63,6 +80,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { member={InterfacesAdded,InterfacesRemoved} peer=(name=org.freedesktop.DBus), + dbus receive bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=cockpit-bridge), + @{exec_path} mr, @{sh_path} rix, @@ -84,9 +106,14 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, /usr/share/netplan/netplan.script rPx, + @{lib}/netplan/@{int2}-network-manager-all.yaml w, + /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/iproute2/{,**} r, + /etc/netplan/ r, + /etc/netplan/90-NM-@{uuid}.yaml r, + @{att}/ r, /etc/ r, @@ -110,7 +137,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/rfkill/ r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{run}/netplan/ r, @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, @@ -135,6 +164,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, + /dev/net/tun rw, /dev/rfkill rw, profile systemctl { diff --git a/apparmor.d/groups/network/netplan b/apparmor.d/groups/network/netplan index 5855131a8..a0fad0a93 100644 --- a/apparmor.d/groups/network/netplan +++ b/apparmor.d/groups/network/netplan @@ -9,9 +9,12 @@ include @{exec_path} = /usr/share/netplan/netplan.script profile netplan @{exec_path} flags=(attach_disconnected) { include + include include include + #aa;dbus owb bus=system name=io.netplan.Netplan + @{exec_path} mr, @{lib}/netplan/generate rPx, @@ -20,6 +23,8 @@ profile netplan @{exec_path} flags=(attach_disconnected) { /usr/share/netplan/{,**} r, + /etc/netplan/{,*} r, + @{run}/netplan/ r, profile udevadm { @@ -42,6 +47,10 @@ profile netplan @{exec_path} flags=(attach_disconnected) { capability net_admin, + ptrace read peer=@{p_systemd}, + + @{run}/udev/control rw, + include if exists } diff --git a/apparmor.d/groups/network/netplan-generate b/apparmor.d/groups/network/netplan-generate index 74ed20aaf..cea17b81c 100644 --- a/apparmor.d/groups/network/netplan-generate +++ b/apparmor.d/groups/network/netplan-generate @@ -26,6 +26,8 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) { @{run}/NetworkManager/conf.d/ rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw, @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw, + @{run}/NetworkManager/conf.d/netplan.conf rw, + @{run}/NetworkManager/conf.d/netplan.conf.@{rand6} rw, @{run}/NetworkManager/system-connections/ rw, @{run}/NetworkManager/system-connections/* rw, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 6065a12da..b4da14960 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -16,11 +16,25 @@ profile nmcli @{exec_path} { capability sys_nice, #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=NetworkManager), + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesRemoved + peer=(name=@{busname}, label=NetworkManager), + dbus send bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=GetManagedObjects + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @{pager_path} rPx -> child-pager, + /etc/netplan/* r, + owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index b5a6b83ef..2a513b84e 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -66,6 +66,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/net/route r, + /dev/net/tun rw, + profile update-resolv { include include From ff8efaecd209909a48bc7cd6677763fb4cd7e19b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:11:25 +0200 Subject: [PATCH 598/798] feat(profile): update arch profiles. --- apparmor.d/groups/pacman/pacdiff | 33 +++++++++++++------- apparmor.d/groups/pacman/pacman-hook-systemd | 2 ++ 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index cab9eed4b..eef992666 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/pacdiff profile pacdiff @{exec_path} flags=(attach_disconnected) { include - include capability dac_read_search, capability mknod, @@ -20,17 +19,18 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/cat rix, - @{bin}/cmp rix, - @{bin}/find rix, - @{bin}/locate rix, - @{bin}/pacman rix, - @{bin}/pacman-conf rPx, - @{bin}/pacsort rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/tput rix, + @{bin}/{m,g,}awk ix, + @{bin}/cat ix, + @{bin}/cmp ix, + @{bin}/find ix, + @{bin}/locate ix, + @{bin}/pacman ix, + @{bin}/pacman-conf Px, + @{bin}/pacsort ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/tput ix, + @{editor_path} Cx -> editor, # packages files / r, @@ -44,6 +44,15 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /dev/tty rw, /dev/pts/@{int} rw, + profile editor { + include + include + + /etc/** rw, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 0878385c5..860fb34ea 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -46,6 +46,8 @@ profile pacman-hook-systemd @{exec_path} { capability net_admin, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=(cont, term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent Px, From 98063fa7711c03f624a149227b2ef3672b866469 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:15:42 +0200 Subject: [PATCH 599/798] feat(profile): rewrite the pacman profile. --- apparmor.d/groups/pacman/pacman | 167 +++++++++++++++++++------------- 1 file changed, 101 insertions(+), 66 deletions(-) diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 427ac0141..41b45c9d0 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -46,71 +46,49 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgconf rCx -> gpg, - @{bin}/gpgsm rCx -> gpg, - - # Pacman hooks & install scripts - @{sh_path} rix, - @{coreutils_path} rix, - @{bin}/appstreamcli rPx, - @{bin}/arch-audit rPx, - @{bin}/archlinux-java rPx, - @{bin}/bootctl rPx, - @{bin}/cert-sync rPx, - @{bin}/checkrebuild rPUx, - @{bin}/dconf rPx, - @{bin}/dot rix, - @{bin}/fc-cache{,-32} rPx, - @{bin}/filecap rix, - @{bin}/gdbus rix, - @{bin}/gdk-pixbuf-query-loaders rPx, - @{bin}/getent rix, - @{bin}/gettext rix, - @{bin}/ghc-pkg-@{version} rPx, - @{bin}/gio-querymodules rPx, - @{bin}/glib-compile-schemas rPx, - @{sbin}/groupadd rPx, - @{bin}/gtk-query-immodules-* rPx, - @{bin}/gtk{,4}-update-icon-cache rPx, - @{sbin}/iconvconfig rix, - @{bin}/install-catalog rPx, - @{bin}/install-info rPx, - @{sbin}/iscsi-iname rix, - @{bin}/journalctl rPx, - @{bin}/killall rix, - @{sbin}/ldconfig rix, - @{sbin}/locale-gen rPx, - @{bin}/limine-install rPUx, - @{bin}/mkinitcpio rPx, - @{sbin}/needrestart rPx, - @{bin}/pacdiff rPx, - @{bin}/pacman-key rPx, - @{bin}/pkgfile rPUx, - @{bin}/pkill rix, - @{bin}/rsync rix, - @{bin}/sbctl rPx, - @{sbin}/setcap rix, - @{bin}/setfacl rix, - @{sbin}/sysctl rPx, - @{bin}/systemctl rCx -> systemctl, - @{bin}/systemd-* rPx, - @{bin}/tput rix, - @{bin}/update-ca-trust rPx, - @{bin}/update-desktop-database rPx, - @{sbin}/update-grub rPx, - @{bin}/update-mime-database rPx, - @{bin}/vercmp rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xmlcatalog rix, - @{lib}/systemd/systemd-* rPx, - @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rPx, - @{lib}/vlc/vlc-cache-gen rPx, - /opt/Mullvad*/resources/mullvad-setup rPx, - /usr/share/code-features/patch.py rPx, - /usr/share/code-marketplace/patch.py rPx, - /usr/share/libalpm/scripts/* rPUx, - /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx, + # Pacman's keyring + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, + + # Common program found in hooks & install scripts + @{sh_path} rix, + @{coreutils_path} rix, + @{bin}/dot ix, + @{bin}/filecap ix, + @{bin}/getent ix, + @{bin}/gettext ix, + @{bin}/gzip ix, + @{bin}/rsync ix, + @{bin}/setfacl ix, + @{bin}/tput ix, + @{bin}/vercmp ix, + @{bin}/which{,.debianutils} ix, + @{bin}/xmlcatalog ix, + @{sbin}/iconvconfig ix, + @{sbin}/iscsi-iname ix, + @{sbin}/setcap ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/killall Cx -> pkill, + @{bin}/kmod Cx -> kmod, + @{bin}/pkill Cx -> pkill, + @{bin}/systemctl Cx -> systemctl, + @{sbin}/ldconfig Cx -> ldconfig, + + #aa:lint ignore=too-wide + # Hooks & install scripts can legitimately start/restart anything + # PU is only used as a safety fallback. + @{bin}/** PUx, + @{sbin}/** PUx, + /opt/*/** PUx, + /etc/** PUx, + /usr/share/** PUx, + + @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} Px, + @{lib}/systemd/systemd-* Px, + @{lib}/vlc/vlc-cache-gen Px, # For shell pwd, keept as it can annoy users to see error in pacman output /**/ r, @@ -196,6 +174,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal send set=cont peer=child-pager, signal send set=(cont term) peer=systemd-tty-ask-password-agent, signal receive set=(term winch) peer=makepkg//sudo, @@ -207,11 +187,66 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/ r, - /{run,var}/log/journal/@{hex32}/*.journal* r, + /{run,var}/log/journal/@{hex32}/system.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r, + /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r, include if exists } + profile bus { + include + include + include + + @{bin}/gdbus rix, + + include if exists + } + + profile pkill { + include + include + + @{bin}/killall mr, + @{bin}/pkill mr, + + include if exists + } + + profile kmod { + include + include + + include if exists + } + + profile ldconfig { + include + include + + @{sh_path} rix, + @{sbin}/ldconfig mrix, + + @{lib}/ r, + /usr/local/ r, + /usr/local/lib/ r, + + /opt/cuda/**/@{lib}/ r, + /opt/cuda/**/@{lib}/@{multiarch}/ r, + + /etc/ld.so.cache rw, + /etc/ld.so.cache~ rw, + + /var/cache/ldconfig/ rw, + owner /var/cache/ldconfig/aux-cache* rw, + + include if exists + } + include if exists include if exists } From e549863d4adf82147f9c17763cfe367d5ebf746c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:20:27 +0200 Subject: [PATCH 600/798] feat(profile): update systemd profiles. --- .../systemd-generator-system-update | 3 ++- apparmor.d/groups/systemd/coredumpctl | 2 +- apparmor.d/groups/systemd/localectl | 2 +- apparmor.d/groups/systemd/systemd-detect-virt | 1 + apparmor.d/groups/systemd/systemd-dissect | 2 +- apparmor.d/groups/systemd/systemd-hostnamed | 2 ++ apparmor.d/groups/systemd/systemd-journald | 2 +- apparmor.d/groups/systemd/systemd-localed | 14 +++++++++++++- apparmor.d/groups/systemd/systemd-logind | 13 +++++++------ apparmor.d/groups/systemd/systemd-machine-id-setup | 2 +- apparmor.d/groups/systemd/systemd-rfkill | 1 + apparmor.d/groups/systemd/systemd-sleep-hdparm | 2 ++ apparmor.d/groups/systemd/systemd-sleep-sysstat | 3 +++ apparmor.d/groups/systemd/systemd-sleep-upgrades | 1 + apparmor.d/groups/systemd/systemd-timedated | 8 ++++++++ 15 files changed, 45 insertions(+), 13 deletions(-) diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update index 557e4ab6e..9767a2e72 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-system-update +++ b/apparmor.d/groups/systemd-generators/systemd-generator-system-update @@ -13,7 +13,8 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected) @{exec_path} mr, - @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/status r, include if exists } diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index d1ee1141c..06969ef47 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -68,7 +68,7 @@ profile coredumpctl @{exec_path} flags=(complain) { @{PROC}/@{pids}/fd/ r, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 0d46dbfed..9792fb75f 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/localectl -profile localectl @{exec_path} { +profile localectl @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index ca6eae3ad..9b49c20fc 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -45,6 +45,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { deny capability net_admin, deny capability perfmon, + deny network (send receive) netlink raw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 0381b93b1..1bbb91858 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -27,7 +27,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - ptrace read peer=unconfined, + ptrace read peer=@{p_systemd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 01d04989b..8fae34b29 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -44,6 +44,8 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_serial r, + @{sys}/devices/virtual/dmi/id/product_uuid r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/dmi/id/uevent r, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 2765d8f10..e0a8a2e47 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -28,7 +28,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted network netlink raw, - ptrace (read), + ptrace read, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index e98bef009..cefab3890 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -24,18 +24,30 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{bin}/cat ix, + @{bin}/gzip ix, + @{bin}/localedef ix, + @{bin}/rm ix, + @{bin}/sort ix, + @{sbin}/locale-gen rPx, + + /usr/share/i18n/{,**} r, /usr/share/kbd/keymaps/{,**} r, - /usr/share/xkeyboard-config-2/{,**} r, /usr/share/systemd/*-map r, /usr/share/X11/xkb/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, + /etc/ r, /etc/.#locale.conf@{hex16} rw, + /etc/.#locale.gen@{hex16} rw, /etc/.#vconsole.conf* rw, /etc/default/.#locale* rw, /etc/default/keyboard r, /etc/default/locale rw, /etc/locale.conf rw, + /etc/locale.gen rw, + /etc/nsswitch.conf r, + /etc/passwd r, /etc/vconsole.conf rw, /etc/X11/xorg.conf.d/ rw, /etc/X11/xorg.conf.d/.#*.conf@{hex} rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 05c812b18..c5e87b3e2 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -124,12 +124,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{sys}/module/vt/parameters/default_utf8 r, @{sys}/power/{state,resume_offset,resume,disk} r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/1/cmdline r, @{PROC}/pressure/* r, @{PROC}/swaps r, diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index c791e6375..a2115a926 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -17,7 +17,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_chroot, - ptrace (read), + ptrace read, mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index bf983ea7a..34e7255ab 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -13,6 +13,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) { include capability net_admin, + capability sys_admin, capability sys_ptrace, network netlink raw, diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 4cbe61755..5b9c51dbe 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -13,6 +13,8 @@ profile systemd-sleep-hdparm @{exec_path} { @{exec_path} mr, @{sh_path} r, + @{lib}/pm-utils/power.d/*hdparm-apm ix, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat index 94e2e8daf..e29a41a7a 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-sysstat +++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat @@ -12,6 +12,9 @@ profile systemd-sleep-sysstat @{exec_path} { @{exec_path} mr, + @{lib}/sysstat/sa{1,2} Px, + @{lib}/sysstat/debian-sa{1,2} Px, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades index 4f2cce637..c2c107b1f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-upgrades +++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades @@ -11,6 +11,7 @@ profile systemd-sleep-upgrades @{exec_path} { include @{exec_path} mr, + @{sh_path} r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index ffed031b5..b65f2b7af 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -23,6 +23,14 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={DisableUnitFiles,EnableUnitFiles} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), + dbus send bus=system path=/org/freedesktop/systemd1 + interface=org.freedesktop.systemd1.Manager + member={JobRemoved,Reload,StartUnit,StopUnit} + peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"), @{exec_path} mr, From 43175387474acabd2e877e78f709c13e9643e999 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:21:34 +0200 Subject: [PATCH 601/798] feat(profile): update ubuntu profiles. --- apparmor.d/groups/ubuntu/software-properties-dbus | 9 +++++++-- apparmor.d/groups/ubuntu/software-properties-gtk | 2 -- apparmor.d/groups/ubuntu/ubuntu-advantage | 3 ++- apparmor.d/groups/ubuntu/update-notifier | 13 +++++++++++++ 4 files changed, 22 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 8d55ec0b7..cc7387709 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -19,11 +19,16 @@ profile software-properties-dbus @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus receive bus=system interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=software-properties-gtk), + peer=(name=@{busname}, label=software-properties-gtk), + + dbus receive bus=system path=/ + interface=com.ubuntu.SoftwareProperties + member=Reload + peer=(name=@{busname}, label=software-properties-gtk), @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index af91c7eaa..cd858737b 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -44,12 +44,10 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /usr/share/pixmaps/ r, /usr/share/python-apt/{,**} r, /usr/share/software-properties/{,**} r, - /usr/share/themes/{,**} r, /usr/share/ubuntu-drivers-common/detect/{,**} r, /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, /usr/share/software-properties/gtkbuilder/* r, - /usr/share/xkeyboard-config-2/{,**} r, /etc/apport/blacklist.d/{,*} r, /etc/default/apport r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index e8d847e92..ea9742d4c 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -60,9 +60,10 @@ profile ubuntu-advantage @{exec_path} { @{run}/ubuntu-advantage/{,**} rw, - @{PROC}/version_signature r, @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/cgroup r, + @{PROC}/version_signature r, owner @{PROC}/@{pid}/fd/ r, profile systemctl { diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 0de63ac64..4c60b4aaf 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -28,6 +28,11 @@ profile update-notifier @{exec_path} { #aa:dbus talk bus=system name=org.debian.apt label=apt #aa:dbus talk bus=session name=org.ayatana.NotificationItem interface+=org.kde.StatusNotifierItem label=gnome-shell + dbus receive bus=system path=/com/ubuntu/UnattendedUpgrade/Pending + interface=com.ubuntu.UnattendedUpgrade.Pending + member=Finished + peer=(name=@{busname}, label=unattended-upgrade), + @{exec_path} mr, @{sh_path} rix, @@ -49,6 +54,7 @@ profile update-notifier @{exec_path} { @{lib}/update-notifier/package-system-locked rPx, /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, + @{open_path} Cx -> open, @{lib}/@{python_name}/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, @@ -95,6 +101,13 @@ profile update-notifier @{exec_path} { include if exists } + profile open { + include + include + + include if exists + } + include if exists } From c7b99bb84e9098e57a368c1a237838f11095116d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:26:31 +0200 Subject: [PATCH 602/798] feat(profile): update some core profiles. --- apparmor.d/profiles-g-l/kdump-config | 2 + apparmor.d/profiles-g-l/kdump-tools-init | 2 + apparmor.d/profiles-g-l/kdump_mem_estimator | 2 + apparmor.d/profiles-g-l/kernel-postinst-kdump | 8 +++- apparmor.d/profiles-g-l/logrotate | 2 + apparmor.d/profiles-m-r/initramfs-hooks | 6 ++- apparmor.d/profiles-m-r/mdadm | 1 + apparmor.d/profiles-m-r/mkinitramfs | 48 ++++++------------- apparmor.d/profiles-m-r/needrestart | 2 + apparmor.d/profiles-m-r/rsyslogd | 1 + 10 files changed, 37 insertions(+), 37 deletions(-) diff --git a/apparmor.d/profiles-g-l/kdump-config b/apparmor.d/profiles-g-l/kdump-config index 2bd8ef6b9..75c536612 100644 --- a/apparmor.d/profiles-g-l/kdump-config +++ b/apparmor.d/profiles-g-l/kdump-config @@ -72,6 +72,8 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump-tools-init b/apparmor.d/profiles-g-l/kdump-tools-init index b5af4dcc9..7767831a8 100644 --- a/apparmor.d/profiles-g-l/kdump-tools-init +++ b/apparmor.d/profiles-g-l/kdump-tools-init @@ -29,6 +29,8 @@ profile kdump-tools-init @{exec_path} flags=(attach_disconnected) { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kdump_mem_estimator b/apparmor.d/profiles-g-l/kdump_mem_estimator index b80a89343..5f85af3fe 100644 --- a/apparmor.d/profiles-g-l/kdump_mem_estimator +++ b/apparmor.d/profiles-g-l/kdump_mem_estimator @@ -27,6 +27,8 @@ profile kdump_mem_estimator @{exec_path} { capability net_admin, + ptrace read peer=@{p_systemd}, + include if exists } diff --git a/apparmor.d/profiles-g-l/kernel-postinst-kdump b/apparmor.d/profiles-g-l/kernel-postinst-kdump index 50606695a..eb17c5355 100644 --- a/apparmor.d/profiles-g-l/kernel-postinst-kdump +++ b/apparmor.d/profiles-g-l/kernel-postinst-kdump @@ -31,8 +31,7 @@ profile kernel-postinst-kdump @{exec_path} { / r, - /etc/initramfs-tools/conf.d/{,**} r, - /etc/initramfs-tools/initramfs.conf r, + /etc/initramfs-tools/{,**} r, owner /var/lib/kdump/** rw, @@ -49,6 +48,11 @@ profile kernel-postinst-kdump @{exec_path} { include include + @{sys}/module/*/ r, + @{sys}/module/*/coresize r, + @{sys}/module/*/holders/ r, + @{sys}/module/*/refcnt r, + include if exists } diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 0dee9ed6a..781a01a27 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -80,6 +80,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + ptrace read peer=@{p_systemd}, + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=KillUnit diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 136536764..89a57310f 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -10,6 +10,7 @@ include profile initramfs-hooks @{exec_path} { include include + include include @{exec_path} mr, @@ -37,9 +38,9 @@ profile initramfs-hooks @{exec_path} { @{lib}/ r, @{lib}/** mr, + /usr/share/*/initramfs/{,**} r, /usr/share/initramfs-tools/{,**} r, /usr/share/plymouth/{,**} r, - /usr/share/cryptsetup/initramfs/{,**} r, /etc/console-setup/{,**} r, /etc/cryptsetup-initramfs/{,**} r, @@ -81,8 +82,9 @@ profile initramfs-hooks @{exec_path} { include include - @{bin}/ldd mr, @{bin}/* mr, + @{sbin}/* mr, + @{lib}/@{multiarch}/ld-linux-*so* mrix, @{lib}/ld-linux.so* mr, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 4cc5fc9fb..e40f6b1e3 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -12,6 +12,7 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, capability sys_admin, mqueue (read getattr) type=posix /, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index c6caf364f..d94e5aa44 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -33,6 +33,7 @@ profile mkinitramfs @{exec_path} { @{bin}/cpio rix, @{bin}/dirname rix, @{bin}/env rix, + @{bin}/find rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/id rix, @@ -56,10 +57,9 @@ profile mkinitramfs @{exec_path} { @{bin}/xargs rix, @{bin}/xz rix, @{bin}/zstd rix, - @{sbin}/blkid rPx, @{lib}/dracut/dracut-install rix, + @{sbin}/blkid rPx, - @{bin}/find rCx -> find, @{bin}/kmod rCx -> kmod, @{sbin}/ldconfig rCx -> ldconfig, @{bin}/ldd rCx -> ldd, @@ -113,11 +113,16 @@ profile mkinitramfs @{exec_path} { @{sys}/bus/ r, @{sys}/bus/*/drivers/ r, - @{sys}/devices/platform/ r, - @{sys}/devices/platform/**/ r, - @{sys}/devices/platform/**/modalias r, + @{sys}/devices/ r, + @{sys}/devices/**/ r, + @{sys}/devices/**/modalias r, + @{sys}/devices/**/uevent r, @{sys}/module/compression r, @{sys}/module/firmware_class/parameters/path r, + @{sys}/class/ r, + @{sys}/class/*/ r, + + @{sys}/bus/platform/drivers/simple-framebuffer/ r, @{PROC}/@{pid}/mounts r, @{PROC}/cmdline r, @@ -129,17 +134,14 @@ profile mkinitramfs @{exec_path} { include include - @{bin}/ldd mr, - @{lib}/@{multiarch}/ld-linux-*so* mr, - @{lib}/ld-linux.so* mr, - - @{sh_path} rix, - @{bin}/kmod mr, - @{lib}/initramfs-tools/bin/* mr, - + @{sh_path} rix, @{lib}/@{multiarch}/ld-*.so* rix, @{lib}/ld-*.so{,.2} rix, + @{bin}/* mr, + @{sbin}/* mr, + @{lib}/** mr, + include if exists } @@ -160,26 +162,6 @@ profile mkinitramfs @{exec_path} { include if exists } - profile find { - include - include - - @{bin}/find mr, - - # pwd dir - / r, - /etc/ r, - /root/ r, - - /usr/share/initramfs-tools/scripts/{,**/} r, - /etc/initramfs-tools/scripts/{,**/} r, - - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**/} r, - owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r, - - include if exists - } - profile kmod { include include diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index 8c908ddb4..c55393753 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -59,7 +59,9 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, + @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index ede981f58..c5e5ac051 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -45,6 +45,7 @@ profile rsyslogd @{exec_path} { @{PROC}/cmdline r, @{PROC}/kmsg r, @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, include if exists } From 1b97efa21595f170d2a9466b91f2ee8a611f5d0e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:27:15 +0200 Subject: [PATCH 603/798] feat(abs): add org.gtk.Menus. --- .../abstractions/bus/session/org.gtk.Menus | 18 ++++++++++++++++++ apparmor.d/abstractions/gtk.d/complete | 1 + 2 files changed, 19 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.Menus diff --git a/apparmor.d/abstractions/bus/session/org.gtk.Menus b/apparmor.d/abstractions/bus/session/org.gtk.Menus new file mode 100644 index 000000000..b21c08067 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.Menus @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session + interface=org.gtk.Menus + member={Start,End} + peer=(name=@{busname}), + + dbus send bus=session + interface=org.gtk.Menus + member=Changed, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 356e97705..0b69d8ee1 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -3,6 +3,7 @@ # SPDX-License-Identifier: GPL-2.0-only include + include include @{lib}/{,@{multiarch}/}gtk*/** mr, From 17eac0b62c0ee7dccb0c0c3642b41ce2df238aa7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:30:02 +0200 Subject: [PATCH 604/798] feat(abs): add missing dbus rule on org.freedesktop.DBus --- apparmor.d/groups/bus/dbus-session | 6 +++--- apparmor.d/groups/bus/dbus-system | 6 ++++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index cc6b33f61..27e228e2c 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -31,10 +31,10 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=xdg-*, #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} - dbus receive bus=session path=/org/freedesktop/DBus + dbus receive bus=session interface=org.freedesktop.DBus - member=Hello - peer=(name=@{busname}), + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name="{@{busname},org.freedesktop.DBus}"), @{exec_path} mrix, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 4dec1d407..235c44cd4 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -36,8 +36,8 @@ profile dbus-system flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} dbus receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=Hello - peer=(name=@{busname}), + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name="{@{busname},org.freedesktop.DBus}"), dbus receive bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Activator @@ -82,6 +82,7 @@ profile dbus-system flags=(attach_disconnected) { @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/mounts r, @{PROC}/@{pid}/oom_score_adj r, + @{PROC}/@{pid}/status r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, @@ -91,6 +92,7 @@ profile dbus-system flags=(attach_disconnected) { @{att}/dev/dri/card@{int} rw, @{att}/dev/input/event@{int} rw, + @{att}/dev/pts/ptmx rw, include if exists } From d32fd036503bd197d649ba85657eaf079854b2c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:30:30 +0200 Subject: [PATCH 605/798] feat(profile): improve ibus-portal. --- apparmor.d/groups/bus/ibus-portal | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 53edb4b00..6ea4891a7 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -15,11 +15,12 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.freedesktop.portal.IBus + #aa:dbus own bus=session name=org.freedesktop.IBus dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, From c7e999fe30e5cb43e61cdca01eea3e18fa5fb0c7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:32:29 +0200 Subject: [PATCH 606/798] feat(profile): update freedesktop profiles. --- apparmor.d/groups/freedesktop/pulseaudio | 2 +- apparmor.d/groups/freedesktop/wireplumber | 2 ++ apparmor.d/groups/freedesktop/xdg-dbus-proxy | 3 +++ apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 ++ .../groups/freedesktop/xdg-desktop-portal-gnome | 10 +++++----- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 12 +++--------- apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/freedesktop/xorg | 3 ++- 8 files changed, 19 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 5c7c49c3d..ce1dffd58 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -21,9 +21,9 @@ profile pulseaudio @{exec_path} { include include include + include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index aa78d9667..84d6675de 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -27,6 +27,7 @@ profile wireplumber @{exec_path} { network netlink raw, #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} + #aa:dbus own bus=session name=org.pipewire.Telephony dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -77,6 +78,7 @@ profile wireplumber @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index be66f7484..c1f255c75 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -21,6 +21,9 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { network unix stream, + #aa:dbus talk bus=session name=org.freedesktop.portal.Flatpak label=flatpak-portal + #aa:dbus talk bus=session name=org.freedesktop.portal.Request path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThread* diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 21c99827b..ec2cc86be 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -52,6 +52,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal @@ -101,6 +102,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/ r, + @{PROC}/@{pids}/status r, @{PROC}/*/ r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ca5f62f82..b6c77f336 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -16,6 +16,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -24,6 +25,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include network unix stream, @@ -36,17 +38,13 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label="gvfs-*-volume-monitor" dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Background member=RunningApplicationsChanged peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - dbus send bus=session path=/org/gtk/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties member=GetAll @@ -85,6 +83,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{tmp}/gtkprint@{rand6} r, owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, + @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 92e6c9484..9688df798 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -35,18 +35,12 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gtk + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Settings label=xdg-desktop-portal + dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings peer=(name=:*), - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=SettingChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus send bus=session path=/org/gtk/Notifications - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 840500c52..fd05bcee9 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -15,7 +15,7 @@ profile xdg-settings @{exec_path} flags=(attach_disconnected) { @{exec_path} r, - @{sh_path} r, + @{sh_path} mr, @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat ix, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index c14af6d6e..bfec4405c 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -133,8 +133,9 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{PROC}/ioports r, @{PROC}/mtrr rw, + /dev/ r, /dev/fb@{int} rw, - /dev/input/event@{int} rw, + @{att}/dev/input/event@{int} rw, /dev/input/mouse@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, From 4d7e03a9e2f743fc32661c1741ce50f0d99cddd6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:34:44 +0200 Subject: [PATCH 607/798] feat(profile): add missing grep to locale-gen. --- apparmor.d/groups/utils/locale-gen | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/utils/locale-gen b/apparmor.d/groups/utils/locale-gen index 3620018a7..5366f1403 100644 --- a/apparmor.d/groups/utils/locale-gen +++ b/apparmor.d/groups/utils/locale-gen @@ -18,6 +18,7 @@ profile locale-gen @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/{e,}grep rix, @{bin}/cat rix, @{bin}/gzip rix, @{bin}/localedef rix, From e5012e381efa8eefb028f661606aa159e0cd46a1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:39:13 +0200 Subject: [PATCH 608/798] chore: pids means all pid. --- apparmor.d/groups/_full/sd | 39 +++++++++++++++-------------- apparmor.d/groups/bus/dbus-system | 12 ++++----- apparmor.d/profiles-m-r/needrestart | 12 ++++----- 3 files changed, 32 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index 13864f2dd..ccdbf338b 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -195,25 +195,26 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{sys}/firmware/efi/efivars/** w, @{sys}/fs/cgroup/{,**} w, - @{PROC}/@{pid}/attr/apparmor/exec w, - @{PROC}/@{pid}/attr/current r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/gid_map w, - @{PROC}/@{pid}/limits r, - @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/oom_score_adj rw, - @{PROC}/@{pid}/sessionid r, - @{PROC}/@{pid}/setgroups r, - @{PROC}/@{pid}/setgroups w, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/uid_map r, - @{PROC}/@{pid}/uid_map w, + @{PROC}/@{pids}/attr/apparmor/exec w, + @{PROC}/@{pids}/attr/current r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/gid_map w, + @{PROC}/@{pids}/limits r, + @{PROC}/@{pids}/loginuid rw, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/oom_score_adj rw, + @{PROC}/@{pids}/sessionid r, + @{PROC}/@{pids}/setgroups r, + @{PROC}/@{pids}/setgroups w, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, + @{PROC}/@{pids}/uid_map r, + @{PROC}/@{pids}/uid_map w, @{PROC}/cmdline r, @{PROC}/interrupts r, @{PROC}/irq/@{int}/node r, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 235c44cd4..1b62a1086 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -77,12 +77,12 @@ profile dbus-system flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pid}/attr/apparmor/current r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/oom_score_adj r, - @{PROC}/@{pid}/status r, + @{PROC}/@{pids}/attr/apparmor/current r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/mounts r, + @{PROC}/@{pids}/oom_score_adj r, + @{PROC}/@{pids}/status r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart index c55393753..a09008ac3 100644 --- a/apparmor.d/profiles-m-r/needrestart +++ b/apparmor.d/profiles-m-r/needrestart @@ -56,12 +56,12 @@ profile needrestart @{exec_path} flags=(attach_disconnected) { /tmp/@{word10}/ rw, @{PROC}/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/maps r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/status r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/maps r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, owner @{PROC}/@{pid}/fd/ r, /dev/ r, From 69fcef01b7b5d9003f902512be3d7c2543da5ce8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:50:23 +0200 Subject: [PATCH 609/798] feat(profile): add a large profile for mkosi. --- apparmor.d/profiles-m-r/mkosi | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mkosi diff --git a/apparmor.d/profiles-m-r/mkosi b/apparmor.d/profiles-m-r/mkosi new file mode 100644 index 000000000..f6489a501 --- /dev/null +++ b/apparmor.d/profiles-m-r/mkosi @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is large on purpose: +# - It is required to have a profile for mkosi to allow userns. +# - Mkosi uses a lot of different binaries and scripts inside sandbox. +# - Using the unconfined flag would Pix everything, we do not want that as the +# transitioned profile would have to account for mkosi paths too. + +abi , + +include + +@{exec_path} = @{bin}/mkosi @{user_share_dirs}/pipx/venvs/*/bin/mkosi +profile mkosi @{exec_path} flags=(attach_disconnected,mediate_deleted) { + include + + all, + userns, + + include if exists +} + +# vim:syntax=apparmor From e09251d2669a0161aef2eb75e5d92c1c74a86f56 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:53:00 +0200 Subject: [PATCH 610/798] feat(abs): update org.freedesktop.PolicyKit1 --- .../abstractions/bus/org.freedesktop.PolicyKit1 | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 9dfab7481..2a4e8c1e5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Can talk to polkitd's CheckAuthorization API + abi , #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}" @@ -13,17 +15,13 @@ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"), + member={CheckAuthorization,CancelCheckAuthorization} + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name="@{busname}", label="@{p_polkitd}"), - dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority - interface=org.freedesktop.PolicyKit1.Authority - member=CheckAuthorization - peer=(name=org.freedesktop.PolicyKit1), + member=RegisterAuthenticationAgentWithOptions + peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"), include if exists From fce5de8d198df15219422e0b6867609a3f3ee85d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:55:29 +0200 Subject: [PATCH 611/798] feat(abs): update org.freedesktop.PackageKit --- .../abstractions/bus/org.freedesktop.PackageKit | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index f6cde2030..a4f9ba9b9 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit @@ -2,6 +2,9 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow communication with PackageKit transactions. Transactions are exported +# with random object paths that currently take the form /@{int}_@{hex8}. + abi , #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd @@ -16,6 +19,14 @@ member=StateHasChanged peer=(name=org.freedesktop.PackageKit), + dbus send bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), + + dbus receive bus=system path=/@{int}_@{hex8} + interface=org.freedesktop.PackageKit.Transaction + peer=(label=packagekitd), + include if exists # vim:syntax=apparmor From 93c94836e292a2e4b39cea261e6891e30b74d6a6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:56:14 +0200 Subject: [PATCH 612/798] feat(abs): add snapcraft dbus reference call. --- .../bus/session/io.snapcraft.Launcher | 21 +++++++++++++++++++ .../io.snapcraft.PrivilegedDesktopLauncher | 16 ++++++++++++++ .../bus/session/io.snapcraft.Settings | 16 ++++++++++++++ 3 files changed, 53 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/io.snapcraft.Launcher create mode 100644 apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher create mode 100644 apparmor.d/abstractions/bus/session/io.snapcraft.Settings diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher new file mode 100644 index 000000000..ca2bf92c8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Launcher @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal xdg-open + + abi , + + dbus send bus=session path=/ + interface=com.canonical.SafeLauncher + member=OpenURL + peer=(name=@{busname}, label=snap), + + dbus send bus=session path=/io/snapcraft/Launcher + interface=io.snapcraft.Launcher + member={OpenURL,OpenFile} + peer=(name=@{busname}, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher new file mode 100644 index 000000000..704d9010d --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can identify and launch other snaps. + + abi , + + dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher + interface=io.snapcraft.PrivilegedDesktopLauncher + member=OpenDesktopEntry + peer=(name=io.snapcraft.Launcher, label=snap), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/io.snapcraft.Settings b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings new file mode 100644 index 000000000..c50753cd6 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/io.snapcraft.Settings @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow use of snapd's internal 'xdg-settings' + + abi , + + dbus send bus=session path=/io/snapcraft/Settings + interface=io.snapcraft.Settings + member={Check,CheckSub,Get,GetSub,Set,SetSub} + peer=(name=io.snapcraft.Settings, label=snap), + + include if exists + +# vim:syntax=apparmor From 8f0ee240007ba41dee39f721bc22fff6163171ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:57:10 +0200 Subject: [PATCH 613/798] feat(abs): add org.gtk.vfs.MountOperation --- .../bus/session/org.gtk.vfs.MountOperation | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation new file mode 100644 index 000000000..ff8c928f8 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int} + interface=org.gtk.vfs.MountOperation + member={AskQuestion,AskPassword} + peer=(name=@{busname}, label=gvfsd-*), + + include if exists + +# vim:syntax=apparmor From 76c5586688218983fe9203fd894e8cc794a895e2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:58:11 +0200 Subject: [PATCH 614/798] feat(abs): add org.freedesktop.IBus.Portal --- .../bus/session/org.freedesktop.IBus.Portal | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal new file mode 100644 index 000000000..e7c0f9cef --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow access to the IBus portal + + abi , + + dbus send bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.IBus.Portal + member=CreateInputContext + peer=(name=org.freedesktop.portal.IBus), + + dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int} + interface=org.freedesktop.IBus.InputContext + peer=(label=ibus-daemon), + + dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int} + interface=org.freedesktop.IBus.InputContext + peer=(label=ibus-daemon), + + include if exists + +# vim:syntax=apparmor From 865bac4cc6a2c7d79a37503b5d02985655a29532 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 11 Sep 2025 23:59:07 +0200 Subject: [PATCH 615/798] feat(abs): update org.freedesktop.ColorManager. --- apparmor.d/abstractions/bus/org.freedesktop.ColorManager | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index e23092429..13d186898 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -16,17 +16,17 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname}", label="@{p_colord}"), + peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname}", label="@{p_colord}"), + peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), dbus (receive, send) bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager - member=FindDeviceByProperty - peer=(name="@{busname}", label="@{p_colord}"), + member={FindDeviceByProperty,FindDeviceById} + peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), include if exists From 0c90adb24d81bab5f241c853be367e62f8fea01f Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 11 Sep 2025 17:04:37 -0600 Subject: [PATCH 616/798] Update mdadm There were lots of missing components of mdadm. I have a few scripts that create and tear down MD RAID arrays. I've ran them all and added the missing entries. Note that mdadm has the ability to run in daemon mode and send mail when an array fails. That's why it requires all the network entries. --- apparmor.d/profiles-m-r/mdadm | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index e40f6b1e3..94a178ce7 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2025 Alexandre Pujol +# Copyright (C) 2025 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only abi , @@ -14,12 +15,22 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_admin, + capability mknod, + capability net_admin, + + network netlink raw, mqueue (read getattr) type=posix /, @{exec_path} mr, + @{sh_path} rix, + @{bin}/sendmail rPUx, + + /etc/mdadm.conf r, + @{run}/initctl r, + @{run}/mdadm/* rwk, /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw, @@ -27,13 +38,17 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/class r, @{sys}/devices/@{pci}/device r, @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/virtual/block/md*/** rw, + @{sys}/module/md_mod/** rw, @{PROC}/@{pid}/fd/ r, @{PROC}/cmdline r, @{PROC}/kcore r, @{PROC}/partitions r, + @{PROC}/mdstat rw, /dev/**/ r, + /dev/.tmp.md.* rw, include if exists } From c4bad04fed083d93c51c7040266f2a7bd179b550 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 11 Sep 2025 17:15:32 -0600 Subject: [PATCH 617/798] mdadm Make the linter happy :) --- apparmor.d/profiles-m-r/mdadm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 94a178ce7..a3fba9479 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -24,8 +24,8 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{sh_path} rix, - @{bin}/sendmail rPUx, + @{sh_path} rix, + @{sbin}/sendmail rPUx, /etc/mdadm.conf r, From 1540315d5caab3d5e6a87dd4c5ea4c31114d1058 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 07:38:44 -0600 Subject: [PATCH 618/798] mdadm: include all config file locations pulled from strings --- apparmor.d/profiles-m-r/mdadm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index a3fba9479..b0397eb8d 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -27,7 +27,8 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{sbin}/sendmail rPUx, - /etc/mdadm.conf r, + /etc/{,mdadm/}mdadm.conf r, + /etc/{,mdadm/}mdadm.conf.d/* r, @{run}/initctl r, @{run}/mdadm/* rwk, From 1d2b271dfcf96c739a79d7909161da2396cfc943 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 10:26:41 -0600 Subject: [PATCH 619/798] ssh-keygen: allow execution of ssh-sk-helper The ssh-sk-helper profile was added last year but never hooked into the ssh-keygen profile. This is needed for generating SSH keys that live on a yubikey. --- apparmor.d/groups/ssh/ssh-keygen | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index 1b6dd5e98..738268b0a 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen @@ -15,6 +15,8 @@ profile ssh-keygen @{exec_path} { @{exec_path} mr, + @{lib}/{,ssh/}ssh-sk-helper rPx -> ssh-sk-helper, + /etc/ssh/moduli rw, /etc/ssh/ssh_host_*_key* rw, From c67773947ec9951c18fd511093be9bea78aa79de Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 08:09:04 -0600 Subject: [PATCH 620/798] ssh: allow ssh to authenticate to remote hosts using kerberos tickets --- apparmor.d/groups/ssh/ssh | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index bf71a8463..c2926a3a4 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -12,6 +12,7 @@ profile ssh @{exec_path} { include include include + include include network inet stream, From 53501d8bf4bcf462c643e0c4fd81f4fd82865b79 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Fri, 12 Sep 2025 12:25:55 -0600 Subject: [PATCH 621/798] ssh: allow ssh to write to the kerberos CC when it picks up a ticket --- apparmor.d/groups/ssh/ssh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index c2926a3a4..0d6826490 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -44,6 +44,8 @@ profile ssh @{exec_path} { owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, + owner @{tmp}/krb5cc_* rwk, + audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl, owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, From fda74f574f4c3ec693c20eaaf6a19a737ddee178 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:02:35 +0200 Subject: [PATCH 622/798] chore(abs): add some device description. --- apparmor.d/abstractions/dri | 3 +++ apparmor.d/abstractions/nvidia-strict | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index dd8f7b55a..128da00d0 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -28,8 +28,11 @@ @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/vendor r, + # Allow access to all cards /dev/dri/ r, /dev/dri/card@{int} rw, + + # Video Acceleration API /dev/dri/renderD128 rw, /dev/dri/renderD129 rw, diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index a7529eb9a..8fd78a702 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -36,8 +36,14 @@ owner @{PROC}/@{pid}/task/@{tid}/comm r, /dev/char/195:@{u8} w, # Nvidia graphics devices + + # Nvidia proprietary modset driver /dev/nvidia-modeset rw, + + # Nvidia graphics devices /dev/nvidia@{int} rw, + + # Nvidia's control device /dev/nvidiactl rw, deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r, From 56948a54eb1461ad4dd8e78a42185bb8e5de4819 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:03:20 +0200 Subject: [PATCH 623/798] feat(abs): reorganise the audio abstractions. --- apparmor.d/abstractions/audio-client | 6 ++++++ apparmor.d/abstractions/audio-server | 5 ----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 826191309..1ebdf4c76 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -57,12 +57,18 @@ owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/native rw, + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/+sound:card@{int} r, # For sound card + + @{sys}/class/ r, @{sys}/class/sound/ r, /dev/shm/ r, owner /dev/shm/pulse-shm-@{int} rw, /dev/snd/controlC@{int} r, + /dev/snd/pcmC@{int}D@{int}[cp] r, + /dev/snd/timer r, include if exists diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index 10bcef426..a7f89b91b 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -9,11 +9,6 @@ include - @{run}/udev/data/+sound:card@{int} r, # for sound card - - @{sys}/class/ r, - @{sys}/class/sound/ r, - @{PROC}/asound/** rw, /dev/admmidi* rw, From 122b004c2e6be12d64f0eb0a3e3835cd0e8fef35 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:29:29 +0200 Subject: [PATCH 624/798] feat(abs): aff the uinput abs. --- apparmor.d/abstractions/uinput | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 apparmor.d/abstractions/uinput diff --git a/apparmor.d/abstractions/uinput b/apparmor.d/abstractions/uinput new file mode 100644 index 000000000..b97d1eb8a --- /dev/null +++ b/apparmor.d/abstractions/uinput @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2020 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow write access to the uinput device for emulating input devices from +# userspace for sending input events. + + abi , + + /dev/uinput rw, + /dev/input/uinput rw, + + include if exists + +# vim:syntax=apparmor From 7cf4719728569dc207122236ff5a187ff2375a8f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:35:07 +0200 Subject: [PATCH 625/798] feat(abs): add the secrets-service abs. --- .../bus/session/org.freedesktop.Secret | 49 +++++++++++++++++++ apparmor.d/abstractions/secrets-service | 33 +++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.Secret create mode 100644 apparmor.d/abstractions/secrets-service diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret new file mode 100644 index 000000000..8ded1b6d7 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret @@ -0,0 +1,49 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Provide full access to the secret-service API: +# - https://standards.freedesktop.org/secret-service/) +# +# The secret-service allows managing (add/delete/lock/etc) collections and +# (add/delete/etc) items within collections. The API also has the concept of +# aliases for collections which is typically used to access the default +# collection. While it would be possible for an application developer to use a +# snap-specific collection and mediate by object path, application developers +# are meant to instead to treat collections (typically the default collection) +# as a database of key/value attributes each with an associated secret that +# applications may query. Because AppArmor does not mediate member data, +# typical and recommended usage of the API does not allow for application +# isolation. For details, see: +# - https://standards.freedesktop.org/secret-service/ch03.html +# + + abi , + + #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon + + dbus send bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + + dbus receive bus=session path=/org/freedesktop/secrets{,/**} + interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} + peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), + + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-keyring-daemon), + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=ReadAlias + peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon), + dbus send bus=session path=/org/freedesktop/secrets + interface=org.freedesktop.Secret.Service + member=SearchItems + peer=(name=@{busname}, label=gnome-keyring-daemon), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service new file mode 100644 index 000000000..71b7c7d82 --- /dev/null +++ b/apparmor.d/abstractions/secrets-service @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Provide full access to the secret-service API: +# - https://standards.freedesktop.org/secret-service/) +# +# The secret-service allows managing (add/delete/lock/etc) collections and +# (add/delete/etc) items within collections. The API also has the concept of +# aliases for collections which is typically used to access the default +# collection. While it would be possible for an application developer to use a +# snap-specific collection and mediate by object path, application developers +# are meant to instead to treat collections (typically the default collection) +# as a database of key/value attributes each with an associated secret that +# applications may query. Because AppArmor does not mediate member data, +# typical and recommended usage of the API does not allow for application +# isolation. For details, see: +# - https://standards.freedesktop.org/secret-service/ch03.html +# + + abi , + + include + + dbus send bus=session path=/org/gnome/keyring/daemon + interface=org.gnome.keyring.Daemon + member=GetEnvironment + peer=(name=org.gnome.keyring, label=gnome-keyring-daemon), + + include if exists + +# vim:syntax=apparmor From db347d13de5610ddcd0338f23e082a9b0e544f74 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:37:35 +0200 Subject: [PATCH 626/798] feat(abs): revisit and restrict the devices-usb abs. --- apparmor.d/abstractions/devices-usb | 13 +++++++++++-- apparmor.d/abstractions/devices-usb-read | 23 +++++++++++++---------- 2 files changed, 24 insertions(+), 12 deletions(-) diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 85f8f6b92..3361f10ec 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -3,13 +3,22 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow raw access to all connected USB devices + abi , include - /dev/bus/usb/@{int}/@{int} wk, + @{PROC}/tty/drivers r, + + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk, + + # Allow access to all ttyUSB devices too + /dev/ttyACM@{int} wk, + /dev/ttyUSB@{int} wk, - @{sys}/devices/**/usb@{int}/{,**} w, + # Allow raw access to USB printers (i.e. for receipt printers in POS systems). + /dev/usb/lp@{int} wk, include if exists diff --git a/apparmor.d/abstractions/devices-usb-read b/apparmor.d/abstractions/devices-usb-read index 836a5f3c7..ea3131d59 100644 --- a/apparmor.d/abstractions/devices-usb-read +++ b/apparmor.d/abstractions/devices-usb-read @@ -3,26 +3,29 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - abi , +# Allow detection of usb devices. Leaks plugged in USB device info - /dev/ r, - /dev/bus/usb/ r, - /dev/bus/usb/@{int}/ r, - /dev/bus/usb/@{int}/@{int} r, + abi , @{sys}/class/ r, @{sys}/class/usbmisc/ r, @{sys}/bus/ r, @{sys}/bus/usb/ r, - @{sys}/bus/usb/devices/{,**} r, - - @{sys}/devices/**/usb@{int}/{,**} r, + @{sys}/bus/usb/devices/ r, + @{sys}/devices/**/usb@{int}/ r, + @{sys}/devices/**/usb@{int}/** r, # Udev data about usb devices (~equal to content of lsusb -v) @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/c16[6,7]:@{int} r, # USB modems - @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters + @{run}/udev/data/b180:@{int} r, # USB block devices + @{run}/udev/data/c16{6,7}:@{d} r, # ACM USB modems + @{run}/udev/data/c18{0,8,9}:@{int} r, # USB character devices + + /dev/ r, + /dev/bus/usb/ r, + /dev/bus/usb/@{int}/ r, + /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r, include if exists From 26f905bcc2d7e454b66ff0329e4476ede43a97db Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:38:34 +0200 Subject: [PATCH 627/798] feat(abs): X-strict: use tunables. --- apparmor.d/abstractions/X-strict | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 9330d2223..a92058206 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -5,10 +5,10 @@ abi , # The unix socket to use to connect to the display - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), - unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), - unix type=stream addr="@/tmp/.ICE-unix/[0-9]*", - unix type=stream addr="@/tmp/.X11-unix/X[0-9]*", + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}), + unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}), + unix type=stream addr=@/tmp/.ICE-unix/@{int}, + unix type=stream addr=@/tmp/.X11-unix/X@{int}, /usr/share/X11/{,**} r, /usr/share/xsessions/{,*.desktop} r, # Available Xsessions @@ -16,13 +16,13 @@ /etc/X11/cursors/{,**} r, - owner @{HOME}/.ICEauthority rw, # ICEauthority files required for X authentication, per user + owner @{HOME}/.ICEauthority r, # ICEauthority files required for X authentication, per user owner @{HOME}/.Xauthority rw, # Xauthority files required for X connections, per user owner @{HOME}/.xsession-errors rw, - /tmp/.ICE-unix/* rw, + /tmp/.ICE-unix/@{int} rw, /tmp/.X@{int}-lock rw, - /tmp/.X11-unix/* rw, + /tmp/.X11-unix/X@{int} rw, owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland From 170575fbff343a6c376bbebb9acac171ffbba3b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:40:54 +0200 Subject: [PATCH 628/798] feat(abs): ensure graphics devices are in nvidia-strict. --- apparmor.d/abstractions/graphics-full | 6 ------ apparmor.d/abstractions/nvidia-strict | 18 +++++++++++++----- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index 1e2c97224..de5f865b5 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -8,13 +8,7 @@ include include - @{sys}/devices/@{pci}/numa_node r, - - @{PROC}/devices r, - /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools rw, include if exists diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 8fd78a702..a14691a9c 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -6,7 +6,7 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, - /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr, + /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr, /usr/share/nvidia/nvidia-application-profiles-* r, @@ -24,13 +24,17 @@ owner @{user_cache_dirs}/nvidia/GLCache/ rw, owner @{user_cache_dirs}/nvidia/GLCache/** rwk, + @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/memory/block_size_bytes r, @{sys}/module/nvidia/version r, - @{PROC}/driver/nvidia/params r, - @{PROC}/modules r, - @{PROC}/sys/vm/max_map_count r, - @{PROC}/sys/vm/mmap_min_addr r, + @{PROC}/driver/nvidia/capabilities/mig/monitor r, + @{PROC}/driver/nvidia/gpus/@{pci_id}/information r, + @{PROC}/driver/nvidia/params r, + @{PROC}/modules r, + @{PROC}/sys/vm/max_map_count r, + @{PROC}/sys/vm/mmap_min_addr r, + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, @@ -43,6 +47,10 @@ # Nvidia graphics devices /dev/nvidia@{int} rw, + # Nvidia's Unified Memory driver + /dev/nvidia-uvm rw, + /dev/nvidia-uvm-tools rw, + # Nvidia's control device /dev/nvidiactl rw, From 34cc1ab131ef8400a104a2b93131663f3e2f21e8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:42:10 +0200 Subject: [PATCH 629/798] feat(abs): graphics: limit access to cpu sys value. --- apparmor.d/abstractions/graphics | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 79872ceb4..c4edd09b4 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -13,14 +13,22 @@ /etc/libva.conf r, @{sys}/bus/pci/devices/ r, - @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r, + + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r, @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r, @{sys}/devices/system/cpu/cpu@{int}/online r, - @{sys}/devices/system/cpu/cpu@{int}/topology/* r, - @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r, + @{sys}/devices/system/cpu/cpu@{int}/topology/core_cpus r, + @{sys}/devices/system/cpu/cpu@{int}/topology/physical_package_id r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r, @{sys}/devices/system/cpu/present r, + @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{sys}/devices/system/node/node@{int}/cpumap r, include if exists From 51bcdd5e148cc6f44c4ba560c8aede87e437531c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:43:40 +0200 Subject: [PATCH 630/798] feat(abs): add the input abs. --- apparmor.d/abstractions/common/app | 5 +---- apparmor.d/abstractions/common/game | 5 +---- apparmor.d/abstractions/input | 26 ++++++++++++++++++++++++++ 3 files changed, 28 insertions(+), 8 deletions(-) create mode 100644 apparmor.d/abstractions/input diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index d0b36188b..70a50b8c1 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -26,6 +26,7 @@ include include include + include include include include @@ -72,8 +73,6 @@ @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{sys}/ r, @{sys}/block/ r, @{sys}/bus/ r, @@ -143,8 +142,6 @@ owner @{att}/dev/shm/@{uuid} r, /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 6b97b014c..753d4cf0b 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -17,6 +17,7 @@ include include include + include include include @@ -108,11 +109,7 @@ /dev/ r, /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/input/js@{int} rw, /dev/tty rw, - /dev/uinput rw, include if exists diff --git a/apparmor.d/abstractions/input b/apparmor.d/abstractions/input new file mode 100644 index 000000000..57905fd0c --- /dev/null +++ b/apparmor.d/abstractions/input @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Canonical Ltd +# Copyright (C) 2022-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow reading and writing to raw input devices + + abi , + + # network netlink raw, + + # Allow reading for supported event reports for all input devices. See + # https://www.kernel.org/doc/Documentation/input/event-codes.txt + @{sys}/devices/**/input@{int}/capabilities/* r, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/input/mice rw, + /dev/input/mouse@{int} rw, + + include if exists + +# vim:syntax=apparmor From 8c6b0ce33f12020f067d530e1927310eab721605 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:47:50 +0200 Subject: [PATCH 631/798] feat(profile): cleanup profiles using the new abs. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/common/app | 3 +++ apparmor.d/abstractions/common/game | 5 +---- apparmor.d/groups/bluetooth/bluetoothd | 2 +- apparmor.d/groups/steam/steam | 4 +--- apparmor.d/profiles-s-z/spice-vdagentd | 2 +- 6 files changed, 8 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 725b57fca..efb108586 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -34,7 +34,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 70a50b8c1..043ed7125 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -28,8 +28,11 @@ include include include + include include include + include + include include include diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 753d4cf0b..2198c8537 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -20,6 +20,7 @@ include include include + include @{bin}/uname rix, @{bin}/xdg-settings rPx, @@ -67,9 +68,6 @@ owner /dev/shm/mono.@{int} rw, owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{sys}/ r, @{sys}/bus/ r, @{sys}/class/ r, @@ -80,7 +78,6 @@ @{sys}/devices/@{pci}/net/*/carrier r, @{sys}/devices/**/input@{int}/ r, @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, @{sys}/devices/**/input/input@{int}/ r, @{sys}/devices/**/uevent r, @{sys}/devices/system/ r, diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 2800a4124..12c8e2e80 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -12,6 +12,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { include include include + include # Needed for configuring HCI interfaces capability net_admin, @@ -57,7 +58,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/hostname r, /dev/uhid rw, - /dev/uinput rw, /dev/rfkill rw, /dev/hidraw@{int} rw, diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index abfab75d7..e3fcb1931 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -41,6 +41,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include capability sys_ptrace, @@ -245,7 +246,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/input/ r, - /dev/uinput w, deny /opt/** r, @@ -353,8 +353,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/devices/**/report_descriptor r, @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/version r, diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index 95013d8e0..33957504c 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -11,6 +11,7 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { include include include + include capability sys_nice, @@ -24,7 +25,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, - /dev/uinput rw, /dev/vport@{int}p@{int} rw, include if exists From ad406da5de2a886b916001956ee0ebc0fb463974 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:49:08 +0200 Subject: [PATCH 632/798] feat(abs): add org.freedesktop.portal.Settings. --- .../session/org.freedesktop.portal.Settings | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings new file mode 100644 index 000000000..01cf21c46 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=Read + peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), + + dbus send bus=session path=/org/freedesktop/portal/desktop + interface=org.freedesktop.portal.Settings + member=ReadAll + peer=(name=@{busname}, label=xdg-desktop-portal), + + include if exists + +# vim:syntax=apparmor From 608ff3db0ce9dece45f437253af461ce5d49e5ce Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:50:01 +0200 Subject: [PATCH 633/798] fix(abs): ColorManager peer name. --- apparmor.d/abstractions/bus/org.freedesktop.ColorManager | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 13d186898..46201fc23 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -16,17 +16,17 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus (receive, send) bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={FindDeviceByProperty,FindDeviceById} - peer=(name="@{busname},org.freedesktop.ColorManager", label="@{p_colord}"), + peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), include if exists From 4bbe0a1a32072f0224d58d694614664bec56b505 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 00:55:32 +0200 Subject: [PATCH 634/798] feat(abs): use the new secrets-service abstraction. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/profiles-g-l/gitg | 2 +- apparmor.d/profiles-m-r/protonmail | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/vlc | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index efb108586..2b03d5011 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -25,7 +25,6 @@ include include include - include include include include @@ -40,6 +39,7 @@ include include include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 299d0738b..38122b7c0 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,12 +10,12 @@ include profile evolution-source-registry @{exec_path} { include include - include include include include include include + include include network inet stream, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 8278ac648..a86ef9e37 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -27,7 +27,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -43,6 +42,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 2f190dfab..3a643bad7 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -15,11 +15,11 @@ profile seahorse @{exec_path} { include include include - include include include include include + include include #aa:dbus own bus=session name=org.gnome.seahorse.Application interface+=org.gnome.Shell.SearchProvider2 diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg index ff5e12444..d668fbfd2 100644 --- a/apparmor.d/profiles-g-l/gitg +++ b/apparmor.d/profiles-g-l/gitg @@ -10,10 +10,10 @@ include profile gitg @{exec_path} { include include - include include include include + include include network inet dgram, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index 0ac23267b..f5548f696 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -17,8 +17,8 @@ include profile protonmail @{exec_path} flags=(attach_disconnected) { include include - include include + include network inet stream, network inet dgram, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 17ca1ec5a..23d13694e 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -16,7 +16,6 @@ profile remmina @{exec_path} { include include include - include include include include @@ -25,6 +24,7 @@ profile remmina @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 56f5e91b8..8917fa3a2 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -23,7 +23,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -33,6 +32,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 3a3a77313..dc6e4825a 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -14,7 +14,6 @@ profile vlc @{exec_path} { include include include - include include include include @@ -28,6 +27,7 @@ profile vlc @{exec_path} { include include include + include include include From ddfe75f23f4f661027a3e04c55f3f3911909aacc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:05:02 +0200 Subject: [PATCH 635/798] refractor(abs): move org.kde.StatusNotifierItem inside the session abs dir. --- .../bus/{ => session}/org.kde.StatusNotifierItem | 7 +------ apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/vlc | 1 + 3 files changed, 3 insertions(+), 7 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.kde.StatusNotifierItem (79%) diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem similarity index 79% rename from apparmor.d/abstractions/bus/org.kde.StatusNotifierItem rename to apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem index 87fd06727..d017d44e3 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem @@ -23,11 +23,6 @@ member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip} peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"), - dbus send bus=session path=/StatusNotifierWatcher - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell), - - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index f7abf758b..ee8ee627b 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -24,7 +24,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index dc6e4825a..7e9c31866 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -16,6 +16,7 @@ profile vlc @{exec_path} { include include include + include include include include From f199cfe84dbe28b50c3136c738a42f5939c57f3f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:06:51 +0200 Subject: [PATCH 636/798] feat(abs): app: minor improvement to common app action. --- apparmor.d/abstractions/common/app | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 043ed7125..a05bc2364 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -40,7 +40,7 @@ dbus bus=session, dbus bus=system, - /usr/** r, + /usr/** rk, /usr/share/** rk, /etc/{,**} r, @@ -85,6 +85,7 @@ @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, + @{sys}/devices/virtual/dmi/id/bios_version k, @{sys}/fs/cgroup/user.slice/* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r, @@ -96,11 +97,13 @@ @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/comm rk, @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/maps r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/net/** r, @{PROC}/@{pid}/smaps r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, + @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/@{tid}/stat r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/bus/pci/devices r, From cd6bb7bd52c92085511aced5b6dcec89bf0278ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:09:31 +0200 Subject: [PATCH 637/798] feat(abs): add NEEDS-VARIABLE to abs using variable. Will be used by aa-logprof. --- apparmor.d/abstractions/app/chromium | 5 +++++ apparmor.d/abstractions/app/firefox | 4 ++++ apparmor.d/abstractions/common/app | 1 + apparmor.d/abstractions/common/bwrap | 1 + apparmor.d/abstractions/common/chromium | 1 + apparmor.d/abstractions/common/electron | 5 +++++ apparmor.d/abstractions/common/steam-game | 3 +++ 7 files changed, 20 insertions(+) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 2b03d5011..62a8432ba 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -2,6 +2,11 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 238bf9e8b..e0321f62f 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -2,6 +2,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Full set of rules for all firefox based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index a05bc2364..5a93050d6 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -2,6 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # LOGPROF-SUGGEST: no +# NEEDS-VARIABLE: att # Common rules for applications sandboxed using bwrap. diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index da73b8217..2d3ab179f 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: att # A minimal set of rules for sandboxed programs using bwrap. # A profile using this abstraction still needs to set: diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 78441fe08..340092f23 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -2,6 +2,7 @@ # Copyright (C) 2022 Mikhail Morfikov # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: domain # This abstraction is for chromium based application. Chromium based browsers # need to use abstractions/app/chromium instead. diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index b581c9073..253eab72b 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -1,6 +1,11 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: name +# NEEDS-VARIABLE: domain +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: config_dirs +# NEEDS-VARIABLE: cache_dirs # Minimal set of rules for all electron based UI application. It works as a # *function* and requires some variables to be provided as *arguments* and set diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index b60e74a10..851588220 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -1,6 +1,9 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# NEEDS-VARIABLE: app_dirs +# NEEDS-VARIABLE: lib_dirs +# NEEDS-VARIABLE: share_dirs abi , From 84f3f947cb343c81af50d2cc1868260c7c8ab846 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 01:11:18 +0200 Subject: [PATCH 638/798] feat(abs): improve chromium common. --- apparmor.d/abstractions/common/chromium | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 340092f23..23f4544a3 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -17,9 +17,14 @@ userns, + # Required for dropping into PID namespace. Keep in mind that until the + # process drops this capability it can escape confinement, but once it + # drops CAP_SYS_ADMIN we are ok. + capability sys_admin, + + # All of these are for sanely dropping from root and chrooting capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 - capability sys_admin, capability sys_chroot, capability sys_ptrace, @@ -33,20 +38,22 @@ owner @{tmp}/.@{domain}.@{rand6} rw, owner @{tmp}/.@{domain}.@{rand6}/ rw, - owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w, - owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w, + owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw, + owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw, owner @{tmp}/scoped_dir@{rand6}/ rw, - owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, - owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, - owner @{tmp}/scoped_dir@{rand6}/SS w, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw, + owner @{tmp}/scoped_dir@{rand6}/SS rw, /dev/shm/ r, owner /dev/shm/.@{domain}.@{rand6} rw, @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/tty/tty@{int}/active r, + + # Allow getting the manufacturer and model of the computer where chromium is currently running. @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - @{sys}/devices/virtual/tty/tty@{int}/active r, # If kernel.unprivileged_userns_clone = 1 owner @{PROC}/@{pid}/setgroups w, From 31cbe5e2e9fdf0deaceb9bc2adee764809a68a6e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 11:33:24 +0200 Subject: [PATCH 639/798] fix(profile): revert 06d476c fix #855 --- apparmor.d/groups/systemd/systemd-logind | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index c5e87b3e2..6b102829d 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -137,7 +137,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, + /dev/dri/card@{int} rw, @{att}/dev/dri/card@{int} rw, + /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc) /dev/mqueue/ r, /dev/tty@{int} rw, From bd487d1b6653d0db9304873a9e52642b56b2f207 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 11:58:25 +0200 Subject: [PATCH 640/798] fear(profile): remove profile for spectre-meltdown-checker. --- .../profiles-s-z/spectre-meltdown-checker | 186 ------------------ 1 file changed, 186 deletions(-) delete mode 100644 apparmor.d/profiles-s-z/spectre-meltdown-checker diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker deleted file mode 100644 index 6e5af1288..000000000 --- a/apparmor.d/profiles-s-z/spectre-meltdown-checker +++ /dev/null @@ -1,186 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh} -profile spectre-meltdown-checker @{exec_path} { - include - include - - # Needed to read the /dev/cpu/@{int}/msr device - capability sys_rawio, - - # Needed to read system logs - capability syslog, - - # Used by readlink - capability sys_ptrace, - ptrace (read), - - @{exec_path} r, - - @{bin}/ r, - @{bin}/{,@{multiarch}-}objdump rix, - @{bin}/{,@{multiarch}-}readelf rix, - @{bin}/{,@{multiarch}-}strings rix, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{,g,m}awk rix, - @{bin}/base64 rix, - @{bin}/basename rix, - @{bin}/bunzip2 rix, - @{bin}/cat rix, - @{bin}/ccache rCx -> ccache, - @{bin}/cut rix, - @{bin}/date rix, - @{bin}/dd rix, - @{bin}/dirname rix, - @{bin}/dmesg rix, - @{bin}/find rix, - @{bin}/gunzip rix, - @{bin}/gzip rix, - @{bin}/head rix, - @{bin}/id rix, - @{sbin}/iucode_tool rix, - @{bin}/kmod rCx -> kmod, - @{bin}/lzop rix, - @{bin}/mktemp rix, - @{bin}/mount rix, - @{bin}/nproc rix, - @{bin}/od rix, - @{bin}/perl rix, - @{bin}/pgrep rCx -> pgrep, - @{sbin}/rdmsr rix, - @{bin}/readlink rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/seq rix, - @{bin}/sort rix, - @{bin}/stat rix, - @{bin}/tail rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/unzip rix, - @{bin}/xargs rix, - @{bin}/xz rix, - @{bin}/zstd rix, - - # To fetch MCE.db from the MCExtractor project - @{bin}/wget rCx -> mcedb, - @{bin}/sqlite3 rCx -> mcedb, - owner @{tmp}/mcedb-* rw, - owner @{tmp}/smc-* rw, - owner @{tmp}/{,smc-}intelfw-*/ rw, - owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, - owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw, - owner @{tmp}/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw, - - owner @{HOME}/.mcedb rw, - - /tmp/ r, - owner @{tmp}/{config,kernel}-* rw, - - owner /dev/cpu/@{int}/cpuid r, - owner /dev/cpu/@{int}/msr rw, - owner /dev/kmsg r, - - @{efi}/ r, - @{efi}/config r, - @{efi}/System.map-* r, - @{efi}/vmlinuz-* r, - - @{sys}/devices/system/cpu/vulnerabilities/* r, - @{sys}/module/kvm_intel/parameters/ept r, - - @{PROC}/ r, - @{PROC}/config.gz r, - @{PROC}/cmdline r, - @{PROC}/kallsyms r, - @{PROC}/modules r, - - # find and denoise - @{PROC}/@{pids}/{status,exe} r, - @{PROC}/@{pids}/fd/ r, - @{PROC}/*/ r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # For shell pwd - /root/ r, - /etc/ r, - - profile ccache { - include - - @{bin}/ccache mr, - - @{lib}/llvm-[0-9]*/bin/clang rix, - @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, - @{bin}/{,@{multiarch}-}g++-[0-9]* rix, - - /media/ccache/*/** rw, - - /etc/debian_version r, - - include if exists - } - - profile pgrep { - include - include - - include if exists - } - - profile mcedb { - include - include - include - include - - deny capability net_admin, - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - @{bin}/wget mr, - @{bin}/sqlite3 mr, - - /etc/wgetrc r, - owner @{HOME}/.wget-hsts rwk, - owner @{HOME}/.mcedb rw, - - /tmp/ r, - owner @{tmp}/{,smc-}mcedb-* rwk, - owner @{tmp}/{,smc-}intelfw-*/fw.zip rw, - - /usr/share/publicsuffix/public_suffix_list.* r, - - include if exists - } - - profile kmod { - include - include - - capability sys_module, - - owner @{sys}/module/cpuid/** r, - owner @{sys}/module/msr/** r, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor From 4982ff104ddf57c7e92d4fcff5f33437bf71cbaa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 12:03:00 +0200 Subject: [PATCH 641/798] feat(profile): remove rules not needed anymore Moved into the nvidia-strict abs. --- apparmor.d/profiles-m-r/nvidia-settings | 2 -- apparmor.d/profiles-m-r/nvidia-smi | 2 -- apparmor.d/profiles-m-r/nvtop | 3 +-- 3 files changed, 1 insertion(+), 6 deletions(-) diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 771bbb3b6..893770a4b 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -33,8 +33,6 @@ profile nvidia-settings @{exec_path} flags=(attach_disconnected) { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} r, - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 1d6d62e2b..eb42bd59b 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi @@ -26,8 +26,6 @@ profile nvidia-smi @{exec_path} { /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, - /dev/nvidia-uvm rw, - /dev/nvidia-uvm-tools r, include if exists } diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index d0553d186..fc51b5b9e 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -10,7 +10,7 @@ include profile nvtop @{exec_path} flags=(attach_disconnected) { include include - include + include include capability sys_ptrace, @@ -54,7 +54,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/dri/ r, /dev/nvidia-caps/ rw, /dev/nvidia-caps/nvidia-cap@{int} rw, From 34aa208ec98f3baafd7042543f79929f5658dc91 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 16:11:16 +0200 Subject: [PATCH 642/798] refractor(abs): reorganize dbus abstraction (1) --- .../abstractions/bus/org.freedesktop.resolve1 | 16 ---------------- .../bus/{ => system}/org.freedesktop.locale1 | 3 +-- .../bus/{ => system}/org.gnome.DisplayManager | 4 ++-- apparmor.d/groups/flatpak/flatpak | 2 +- .../groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gsd-keyboard | 2 +- apparmor.d/groups/kde/startplasma | 2 +- 9 files changed, 9 insertions(+), 26 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.resolve1 rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.locale1 (70%) rename apparmor.d/abstractions/bus/{ => system}/org.gnome.DisplayManager (73%) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 deleted file mode 100644 index fe6d52dc6..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ /dev/null @@ -1,16 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}" - - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.resolve1.Manager - member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService} - peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 similarity index 70% rename from apparmor.d/abstractions/bus/org.freedesktop.locale1 rename to apparmor.d/abstractions/bus/system/org.freedesktop.locale1 index 1348c8a39..e2377a14b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 @@ -4,12 +4,11 @@ abi , - #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}" dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.locale1), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager similarity index 73% rename from apparmor.d/abstractions/bus/org.gnome.DisplayManager rename to apparmor.d/abstractions/bus/system/org.gnome.DisplayManager index 741631f4b..4833b1512 100644 --- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/system/org.gnome.DisplayManager @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +11,6 @@ member=RegisterDisplay peer=(name="@{busname}", label=gdm), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index bd749db40..4ef675aef 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -13,7 +13,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index 56fd3ce3f..adf2aa264 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -11,7 +11,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index c08d12a07..5d2e3e21e 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -11,8 +11,8 @@ profile gdm-session @{exec_path} { include include include - include include + include signal receive set=(hup term) peer=gdm-session-worker, signal receive set=(term) peer=gdm, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a86ef9e37..1fb7efd7d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -23,7 +23,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index cbb8ccf71..80f19f93a 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -14,7 +14,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index a8c8cbd13..64e332dc5 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -12,7 +12,7 @@ profile startplasma @{exec_path} { include include include - include + include include include From 3c49755d189be4fa86c714b22ba5d175bf1901c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 23:52:37 +0200 Subject: [PATCH 643/798] refractor(abs): reorganize dbus abstraction (2) - new upower-observe abstraction --- apparmor.d/abstractions/app/chromium | 5 ++--- .../bus/{ => session}/org.gnome.ArchiveManager1 | 2 +- .../org.gnome.Nautilus.FileOperations2 | 2 +- .../bus/{ => system}/org.freedesktop.ColorManager | 4 ++-- .../bus/{ => system}/org.freedesktop.UPower | 2 +- apparmor.d/groups/cups/cupsd | 11 +---------- apparmor.d/groups/freedesktop/upower | 2 +- apparmor.d/groups/freedesktop/wireplumber | 3 ++- apparmor.d/groups/gnome/gnome-extension-ding | 4 ++-- apparmor.d/groups/gnome/gnome-shell | 14 +++++++++++--- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/gnome/localsearch | 2 +- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/kscreenlocker_greet | 4 ++-- apparmor.d/groups/kde/plasmashell | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/kde/sddm-greeter | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/profiles-m-r/power-profiles-daemon | 2 +- apparmor.d/profiles-s-z/thermald | 2 +- 22 files changed, 37 insertions(+), 38 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.ArchiveManager1 (86%) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.Nautilus.FileOperations2 (76%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.ColorManager (90%) rename apparmor.d/abstractions/bus/{ => system}/org.freedesktop.UPower (94%) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 62a8432ba..9c5b16edd 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -27,13 +27,11 @@ include include include - include + include include include - include include include - include include include include @@ -48,6 +46,7 @@ include include include + include include include diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 similarity index 86% rename from apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 rename to apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 index 6bfa6114b..f69667e08 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 @@ -11,6 +11,6 @@ member=GetSupportedTypes peer=(name="@{busname}", label="@{p_file_roller}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 similarity index 76% rename from apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 rename to apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 index 178139a8d..8a3e7d74e 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 +++ b/apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2 @@ -6,6 +6,6 @@ #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager similarity index 90% rename from apparmor.d/abstractions/bus/org.freedesktop.ColorManager rename to apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager index 46201fc23..4b5dcc746 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager @@ -15,7 +15,7 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager - member=CreateDevice + member={CreateProfile,CreateDevice,DeleteDevice} peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), dbus receive bus=system path=/org/freedesktop/ColorManager @@ -28,6 +28,6 @@ member={FindDeviceByProperty,FindDeviceById} peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower similarity index 94% rename from apparmor.d/abstractions/bus/org.freedesktop.UPower rename to apparmor.d/abstractions/bus/system/org.freedesktop.UPower index 64b400a3e..aa6a61371 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.UPower @@ -29,6 +29,6 @@ member={DeviceAdded,DeviceRemoved} peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 642d7ef5c..0a23ce476 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -12,7 +12,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include @@ -46,15 +46,6 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=cups-notifier-dbus, - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=DeleteDevice - peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), - dbus send bus=system path=/org/freedesktop/ColorManager - interface=org.freedesktop.ColorManager - member=FindDeviceById - peer=(name=org.freedesktop.ColorManager, label="@{p_colord}"), - @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower index 0f6f9abeb..83652914f 100644 --- a/apparmor.d/groups/freedesktop/upower +++ b/apparmor.d/groups/freedesktop/upower @@ -13,7 +13,7 @@ profile upower @{exec_path} { include include - #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}" + #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}" @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 84d6675de..fc9029ef3 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -15,11 +15,12 @@ profile wireplumber @{exec_path} { include include include - include + include include include include include + include network bluetooth raw, network bluetooth seqpacket, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index be7edcd79..e41718803 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -19,8 +19,8 @@ profile gnome-extension-ding @{exec_path} { include include include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1fb7efd7d..d8853aa3b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -28,7 +28,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -45,6 +44,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include capability sys_nice, capability sys_ptrace, @@ -73,17 +73,25 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=com.canonical.{U,u}nity #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu} + #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting #aa:dbus own bus=session name=com.rastersoft.dingextension #aa:dbus own bus=session name=org.ayatana.NotificationItem #aa:dbus own bus=session name=org.freedesktop.a11y.Manager + #aa:dbus own bus=session name=org.gnome.Shell #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications + #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/ #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher - #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting + # Talk with gnome-shell + # The strategy with dbus rules in this profile is first to declare all communications + # needed on buses and to limit them only to their profiles in apparmor.d. As such, + # only dbus directive is used for this. Later, some communications could be + # restricted. + #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}" #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}" @@ -95,6 +103,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs + #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy #aa:dbus talk bus=session name=org.gnome.* label=gnome-* #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus @@ -102,7 +111,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" - # Session bus dbus send bus=session path=/org/gnome/** diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 7f02d8bf4..32869cdbc 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -16,7 +16,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -26,6 +25,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 0f77b023e..f3be82dfd 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -20,7 +20,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -31,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network netlink raw, diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index c041cdf99..66420cace 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -11,7 +11,6 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -24,6 +23,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 7f7a3a8e4..e7cdc1a38 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,7 +11,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -24,6 +23,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 01706e649..f40c86e03 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -17,11 +17,11 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) include include include - include include include include include + include capability wake_alarm, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index ddd14b5c2..192d3f957 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -13,15 +13,15 @@ profile kscreenlocker_greet @{exec_path} { include include include - include include - include + include include include include include include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 45f0d43e9..cc9907266 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -18,7 +18,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include include include include @@ -31,6 +30,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include + include userns, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 08835eaf0..1b8930f06 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -14,12 +14,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include include include + include include capability audit_write, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index c9aca546a..47383bb75 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -13,13 +13,13 @@ profile sddm-greeter @{exec_path} { include include include - include include include include include include include + include network netlink raw, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index bcdcf108d..34284388e 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -17,7 +17,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -26,6 +25,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 178bf28c6..e4e923159 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -12,8 +12,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { include include include - include include + include capability dac_read_search, capability net_admin, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index b663865e8..4c27ee2ca 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -13,7 +13,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { include include include - include + include capability sys_boot, From 94444077a8be642422836617398638ebc6cafccc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 13 Sep 2025 23:53:05 +0200 Subject: [PATCH 644/798] feat(profile): update attachement for gnome-extension-ding --- apparmor.d/groups/gnome/gnome-extension-ding | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index e41718803..400b28b6e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -9,7 +9,7 @@ include @{share_dirs} = /usr/share/gnome-shell/extensions/ding@rastersoft.com @{share_dirs} += @{user_share_dirs}/gnome-shell/extensions/ding@rastersoft.com -@{exec_path} = @{share_dirs}/{,app/}ding.js +@{exec_path} = @{share_dirs}/app/{ding,createThumbnail}.js profile gnome-extension-ding @{exec_path} { include include From e4b6e7e92b80adbb548800663495a3e4e6c8117f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 00:01:10 +0200 Subject: [PATCH 645/798] feat(abs): add the devices-u2f abs. --- apparmor.d/abstractions/app/chromium | 4 +--- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/abstractions/common/app | 2 +- apparmor.d/abstractions/devices-u2f | 23 +++++++++++++++++++++++ 4 files changed, 26 insertions(+), 5 deletions(-) create mode 100644 apparmor.d/abstractions/devices-u2f diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 9c5b16edd..1c504d2a8 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -36,6 +36,7 @@ include include include + include include include include @@ -154,9 +155,7 @@ @{sys}/class/**/ r, @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/report_descriptor r, @{sys}/devices/**/uevent r, - @{sys}/devices/virtual/**/report_descriptor r, @{PROC}/ r, @{PROC}/@{pid}/fd/ r, @@ -181,7 +180,6 @@ owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index e0321f62f..21534208f 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -31,6 +31,7 @@ include include include + include include include include @@ -164,7 +165,6 @@ owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 /dev/ r, - /dev/hidraw@{int} rw, /dev/tty rw, /dev/video@{int} rw, owner /dev/tty@{int} rw, # File Inherit diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 5a93050d6..e83efdb89 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -21,6 +21,7 @@ include include include + include include include include @@ -148,7 +149,6 @@ @{att}/dev/dri/renderD129 rw, owner @{att}/dev/shm/@{uuid} r, - /dev/hidraw@{int} rw, /dev/ptmx rw, /dev/pts/ptmx rw, /dev/tty rw, diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f new file mode 100644 index 000000000..c707d66e0 --- /dev/null +++ b/apparmor.d/abstractions/devices-u2f @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows access to Universal 2nd Factor (U2F) devices + + abi , + + @{run}/udev/data/+power_supply:* r, # For power supply devices (batteries, AC adapters, USB chargers) + + # Needed for dynamic assignment of U2F devices + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + + @{sys}/devices/**/i2c*/**/report_descriptor r, + @{sys}/devices/**/usb@{int}/**/report_descriptor r, + + # Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed + /dev/hidraw@{int} rw, + + include if exists + +# vim:syntax=apparmor From 939a2b7f4bd2068746b8be936fe5c66aa2140575 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 00:01:30 +0200 Subject: [PATCH 646/798] feat(abs): add upower-observe --- apparmor.d/abstractions/upower-observe | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 apparmor.d/abstractions/upower-observe diff --git a/apparmor.d/abstractions/upower-observe b/apparmor.d/abstractions/upower-observe new file mode 100644 index 000000000..67478bb6d --- /dev/null +++ b/apparmor.d/abstractions/upower-observe @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Can query UPower for power devices, history and statistics. + + abi , + + include + + include if exists + +# vim:syntax=apparmor From 8e73353cc8c2335dfbc92c1e0fdc7628ade4b904 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 00:09:16 +0200 Subject: [PATCH 647/798] feat(abs): add pcscd --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/abstractions/pcscd | 19 +++++++++++++++++++ apparmor.d/groups/gnome/gsd-smartcard | 6 +++--- apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/profiles-m-r/pkcs11-register | 3 +-- apparmor.d/profiles-m-r/rngd | 2 +- 7 files changed, 27 insertions(+), 9 deletions(-) create mode 100644 apparmor.d/abstractions/pcscd diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 1c504d2a8..6e447bf05 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -42,6 +42,7 @@ include include include + include include include include @@ -107,7 +108,6 @@ /etc/@{name}/{,**} r, /etc/fstab r, - /etc/{,opensc/}opensc.conf r, / r, owner @{HOME}/ r, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 21534208f..7630b8576 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -37,6 +37,7 @@ include include include + include include include include @@ -80,7 +81,6 @@ /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, - /etc/{,opensc/}opensc.conf r, /etc/@{name}/{,**} r, /etc/fstab r, /etc/lsb-release r, diff --git a/apparmor.d/abstractions/pcscd b/apparmor.d/abstractions/pcscd new file mode 100644 index 000000000..33a981279 --- /dev/null +++ b/apparmor.d/abstractions/pcscd @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows interacting with PC/SC Smart Card Daemon + + abi , + + # Configuration file for OPENSC + /etc/opensc.conf r, + /etc/opensc/opensc.conf r, + + # Socket for communication between PCSCD and PS/SC API library + @{run}/pcscd/pcscd.comm rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 98ce848ba..d42fb486b 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -9,13 +9,14 @@ include @{exec_path} = @{lib}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include - include include include + include include + include include include - include + include signal (receive) set=(term, hup) peer=gdm*, @@ -31,7 +32,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, - /etc/{,opensc/}opensc.conf r, /etc/tpm2-tss/* rk, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 3a643bad7..1fac28dfa 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -19,6 +19,7 @@ profile seahorse @{exec_path} { include include include + include include include @@ -34,7 +35,6 @@ profile seahorse @{exec_path} { /etc/pki/trust/blocklist/ r, /etc/gcrypt/hwf.deny r, - /etc/{,opensc/}opensc.conf r, owner @{HOME}/@{XDG_SSH_DIR}/{,**} r, diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index 989f6ec8b..d775cafe5 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -9,11 +9,10 @@ include @{exec_path} = @{bin}/pkcs11-register profile pkcs11-register @{exec_path} { include + include @{exec_path} mr, - /etc/{,opensc/}opensc.conf r, - owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw, owner @{HOME}/.mozilla/firefox/profiles.ini r, owner @{HOME}/.pki/nssdb/pkcs11.txt r, diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index ebbf0a5ab..2e548d40c 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -12,6 +12,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability net_admin, @@ -24,7 +25,6 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/conf.d/rngd r, /etc/machine-id r, - /etc/{,opensc/}opensc.conf r, /var/lib/dbus/machine-id r, @{sys}/devices/virtual/misc/hw_random/rng_available r, From 962b372390f837f7162f97fa78fbe4b24204af26 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 01:08:15 +0200 Subject: [PATCH 648/798] fix(profile): qemu-ga path on opensuse. --- apparmor.d/profiles-m-r/qemu-ga | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index 5173c50d8..f8fd84d3f 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{sbin}/qemu-ga +@{exec_path} = @{sbin}/qemu-ga @{bin}/qemu-ga #aa:lint ignore=sbin profile qemu-ga @{exec_path} { include From 2ceaa16d9a53027a77092739738ec0491e76c39a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 13:06:06 +0200 Subject: [PATCH 649/798] feat(abs): rewrite the avahi abs, add avahi-observe --- apparmor.d/abstractions/app/chromium | 3 +- apparmor.d/abstractions/avahi-observe | 25 +++++++++++++++ .../org.freedesktop.Avahi.AddressResolver | 25 +++++++++++++++ .../org.freedesktop.Avahi.DomainBrowser | 25 +++++++++++++++ .../org.freedesktop.Avahi.HostNameResolver | 25 +++++++++++++++ .../org.freedesktop.Avahi.RecordBrowser | 25 +++++++++++++++ .../bus/system/org.freedesktop.Avahi.Server | 31 +++++++++++++++++++ .../org.freedesktop.Avahi.ServiceBrowser | 23 ++++++++++++++ .../org.freedesktop.Avahi.ServiceResolver | 25 +++++++++++++++ .../org.freedesktop.Avahi.ServiceTypeBrowser | 25 +++++++++++++++ apparmor.d/abstractions/common/app | 2 +- apparmor.d/groups/avahi/avahi-browse | 8 ++--- apparmor.d/groups/avahi/avahi-resolve | 14 ++------- apparmor.d/groups/avahi/avahi-set-host-name | 3 ++ apparmor.d/groups/cups/cups-backend-dnssd | 2 +- apparmor.d/groups/cups/cups-browsed | 4 ++- apparmor.d/groups/cups/cupsd | 2 +- apparmor.d/groups/cups/ippfind | 2 +- apparmor.d/groups/freedesktop/colord | 3 +- apparmor.d/groups/freedesktop/geoclue | 3 +- apparmor.d/groups/freedesktop/pulseaudio | 21 +++---------- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 +- .../gnome/gnome-control-center-goa-helper | 2 +- .../groups/gnome/gsd-print-notifications | 25 +++------------ apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 3 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-m-r/murmurd | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- 30 files changed, 267 insertions(+), 71 deletions(-) create mode 100644 apparmor.d/abstractions/avahi-observe create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 6e447bf05..1635741ed 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -25,10 +25,9 @@ abi , include + include include include - include - include include include include diff --git a/apparmor.d/abstractions/avahi-observe b/apparmor.d/abstractions/avahi-observe new file mode 100644 index 000000000..aac14fa7d --- /dev/null +++ b/apparmor.d/abstractions/avahi-observe @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2016 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows domain, record, service, and service type browsing as well as address, +# host and service resolving + + abi , + + include + + include + include + include + include + include + include + include + + @{run}/avahi-daemon/socket rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver new file mode 100644 index 000000000..f6a1a251c --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Address resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=AddressResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/AddressResolver@{int} + interface=org.freedesktop.Avahi.AddressResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser new file mode 100644 index 000000000..39f5e4496 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Domain browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=DomainBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/DomainBrowser@{int} + interface=org.freedesktop.Avahi.DomainBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/DomainBrowser@{int} + interface=org.freedesktop.Avahi.DomainBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver new file mode 100644 index 000000000..403a4db0f --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Hostname resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=HostNameResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/HostNameResolver@{int} + interface=org.freedesktop.Avahi.HostNameResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/HostNameResolver@{int} + interface=org.freedesktop.Avahi.HostNameResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser new file mode 100644 index 000000000..bff079b13 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Record browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=RecordBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} + interface=org.freedesktop.Avahi.RecordBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server new file mode 100644 index 000000000..bfc87b3cc --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + # Allow service introspection + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + # Allow accessing DBus properties and resolving + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={Get*,Resolve*,IsNSSSupportAvailable} + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + # Allow receiving anything from the Avahi server + dbus receive bus=system + interface=org.freedesktop.Avahi.Server + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser new file mode 100644 index 000000000..6a3b1510d --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} + interface=org.freedesktop.Avahi.ServiceBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver new file mode 100644 index 000000000..d90e9ca14 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Service resolving + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceResolverNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} + interface=org.freedesktop.Avahi.ServiceResolver + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser new file mode 100644 index 000000000..93affdc51 --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Service type browsing + + abi , + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member=ServiceTypeBrowserNew + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus send bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + member=Free + peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), + + dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} + interface=org.freedesktop.Avahi.ServiceTypeBrowser + peer=(name=@{busname}, label="@{p_avahi_daemon}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index e83efdb89..091cfbbb4 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -13,6 +13,7 @@ abi , include + include include include include @@ -73,7 +74,6 @@ @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. @{run}/utmp rk, diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 3ac729baa..805d54b2b 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -11,14 +11,10 @@ include profile avahi-browse @{exec_path} { include include - include + include + include include - dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser - member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label="@{p_avahi_daemon}"), - @{exec_path} mr, @{lib}/@{multiarch}/avahi/service-types.db rwk, diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index 1a66b4726..d45cffca3 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -11,19 +11,11 @@ include profile avahi-resolve @{exec_path} { include include - include + include + include + include include - dbus send bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Free,HostNameResolverNew} - peer=(name=:*, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/AddressResolver@{int} - interface=org.freedesktop.Avahi.AddressResolver - member={Failure,Found} - peer=(name=:*, label="@{p_avahi_daemon}"), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index dd9eaba6c..45df7ce93 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,6 +10,8 @@ include @{exec_path} = @{bin}/avahi-set-host-name profile avahi-set-host-name @{exec_path} { include + include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-backend-dnssd b/apparmor.d/groups/cups/cups-backend-dnssd index 1009a0ef2..877200660 100644 --- a/apparmor.d/groups/cups/cups-backend-dnssd +++ b/apparmor.d/groups/cups/cups-backend-dnssd @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/cups/backend/dnssd profile cups-backend-dnssd @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 7330d67c9..1e47287ac 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -10,8 +10,10 @@ include profile cups-browsed @{exec_path} { include include - include include + include + include + include include include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index 0a23ce476..ec0bbfd67 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -11,7 +11,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind index c2a944b11..fe4347237 100644 --- a/apparmor.d/groups/cups/ippfind +++ b/apparmor.d/groups/cups/ippfind @@ -10,7 +10,7 @@ include profile ippfind @{exec_path} { include include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index b3cda6307..c069b7afd 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -11,8 +11,9 @@ include profile colord @{exec_path} flags=(attach_disconnected) { include include - include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index fbc7a7582..04eeba521 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -11,9 +11,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { include include include - include include include + include + include include include include diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index ce1dffd58..346ae7257 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -14,10 +14,12 @@ profile pulseaudio @{exec_path} { include include include - include - include include include + include + include + include + include include include include @@ -49,26 +51,11 @@ profile pulseaudio @{exec_path} { member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Found - peer=(name=:*, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - member=ItemRemove - peer=(name=:*, label="@{p_avahi_daemon}"), - dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=org.bluez), - dbus send bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member={Found,Free} - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - @{exec_path} mrix, @{lib}/pulse/gsettings-helper rix, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index c1f255c75..fafdea3a5 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -14,7 +14,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 8ef24e9ce..b4128b1af 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -10,11 +10,11 @@ include profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include + include include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 1fa7d7050..21a326fe6 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -9,11 +9,11 @@ include @{exec_path} = @{lib}/gnome-control-center-goa-helper profile gnome-control-center-goa-helper @{exec_path} { include + include include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index c5be27f27..5d037961f 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,11 +9,14 @@ include @{exec_path} = @{lib}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include - include include include - include include + include + include + include + include + include include include @@ -38,24 +41,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=RecordBrowserNew - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), - dbus send bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label=avahi-daemon), - - dbus receive bus=system path=/Client@{int}/RecordBrowser@{int} - interface=org.freedesktop.Avahi.RecordBrowser - member={CacheExhausted,ItemNew} - peer=(name=@{busname}, label=avahi-daemon), - dbus receive bus=system path=/Client4/RecordBrowser3 - interface=org.freedesktop.Avahi.RecordBrowser - member=ItemNew - peer=(name=@{busname}, label=avahi-daemon), - @{exec_path} mr, @{lib}/gsd-printer rPx, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 1fac28dfa..96b60ab72 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -9,11 +9,11 @@ include @{exec_path} = @{bin}/seahorse profile seahorse @{exec_path} { include + include include include include include - include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index ab786106c..a4eb42821 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -12,9 +12,10 @@ profile gvfsd-dnssd @{exec_path} { include include include - include include include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index de1c4a856..63f348f9b 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -11,11 +11,11 @@ include profile libreoffice @{exec_path} { include include + include include include include include - include include include include diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index 2065dd814..e0bd8d976 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -10,7 +10,7 @@ include profile murmurd @{exec_path} { include include - include + include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 23d13694e..90db69a13 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -10,11 +10,11 @@ include profile remmina @{exec_path} { include include + include include include include include - include include include include From 63c9c8cc2da2085d884e80ca42f9c624106367dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 13:11:23 +0200 Subject: [PATCH 650/798] refractor(abs): move org.kde.kwalletd --- apparmor.d/abstractions/bus/{ => session}/org.kde.kwalletd | 4 ++-- apparmor.d/abstractions/secrets-service | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.kde.kwalletd (50%) diff --git a/apparmor.d/abstractions/bus/org.kde.kwalletd b/apparmor.d/abstractions/bus/session/org.kde.kwalletd similarity index 50% rename from apparmor.d/abstractions/bus/org.kde.kwalletd rename to apparmor.d/abstractions/bus/session/org.kde.kwalletd index 1ae5a1ace..0afce1cdf 100644 --- a/apparmor.d/abstractions/bus/org.kde.kwalletd +++ b/apparmor.d/abstractions/bus/session/org.kde.kwalletd @@ -1,9 +1,9 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/secrets-service b/apparmor.d/abstractions/secrets-service index 71b7c7d82..083672cc9 100644 --- a/apparmor.d/abstractions/secrets-service +++ b/apparmor.d/abstractions/secrets-service @@ -22,6 +22,7 @@ abi , include + include dbus send bus=session path=/org/gnome/keyring/daemon interface=org.gnome.keyring.Daemon From b471f8359a29e79d14f7e66648a136a85eaad3d0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 13:14:18 +0200 Subject: [PATCH 651/798] feat(profile): update cups-browsed --- apparmor.d/groups/cups/cups-browsed | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index 1e47287ac..ca1dc9630 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/cups-browsed -profile cups-browsed @{exec_path} { +profile cups-browsed @{exec_path} flags=(attach_disconnected) { include include include @@ -18,9 +18,8 @@ profile cups-browsed @{exec_path} { include include -# capability net_admin, + capability net_admin, capability net_bind_service, -# capability sys_nice, network inet dgram, network inet6 dgram, @@ -28,20 +27,12 @@ profile cups-browsed @{exec_path} { network inet6 stream, network netlink raw, - dbus receive bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=StateChanged - peer=(name=:*, label="@{p_avahi_daemon}"), + #aa:dbus talk bus=system name=org.cups.cupsd.Notifier label=cups-notifier-dbus dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name=:*, label=NetworkManager), - - dbus receive bus=system path=/org/cups/cupsd/Notifier - interface=org.cups.cupsd.Notifier - member={PrinterDeleted,PrinterStopped} - peer=(name=@{busname}, label=cups-notifier-dbus), + peer=(name=@{busname}, label=NetworkManager), @{exec_path} mr, @@ -59,7 +50,7 @@ profile cups-browsed @{exec_path} { owner @{tmp}/@{hex} rw, @{run}/cups/certs/* r, - @{run}/avahi-daemon/socket rw, # TODO: in abs 'avahi' ? + @{run}/avahi-daemon/socket rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, From d9ff4aecd757f41b5b8e401e20611ab3e18862dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 15:24:49 +0200 Subject: [PATCH 652/798] build: add test build target. --- Justfile | 8 ++++++++ pkg/prebuild/cli/cli.go | 6 ++++++ pkg/prebuild/directive/filter.go | 4 ++++ pkg/prebuild/directories.go | 3 +++ 4 files changed, 21 insertions(+) diff --git a/Justfile b/Justfile index 2c4c0e8d4..64e333079 100644 --- a/Justfile +++ b/Justfile @@ -65,11 +65,19 @@ build: enforce: build @./{{build}}/prebuild --buildir {{build}} +# Prebuild the profiles in enforce mode (test) +enforce-test: build + @./{{build}}/prebuild --buildir {{build}} --test + # Prebuild the profiles in complain mode [group('build')] complain: build ./{{build}}/prebuild --buildir {{build}} --complain +# Prebuild the profiles in complain mode (test) +complain-test: build + @./{{build}}/prebuild --buildir {{build}} --complain --test + # Prebuild the profiles in FSP mode [group('build')] fsp: build diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index bf768c050..afed5aedf 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -37,6 +37,7 @@ Options: -s, --server Set AppArmor for server. -b, --buildir DIR Root build directory. -F, --file Only prebuild a given file. + --test Enable test mode. --debug Enable debug mode. ` ) @@ -48,6 +49,7 @@ var ( full bool server bool debug bool + test bool abi int version float64 file string @@ -74,6 +76,7 @@ func init() { flag.StringVar(&buildir, "b", "", "Root build directory.") flag.StringVar(&buildir, "buildir", "", "Root build directory.") flag.BoolVar(&debug, "debug", false, "Enable debug mode.") + flag.BoolVar(&test, "test", false, "Enable test mode.") } func Configure() { @@ -118,6 +121,9 @@ func Configure() { if debug { builder.Register("debug") } + if test { + prebuild.Test = true + } } else if enforce { builder.Register("enforce") } diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index b6ec56816..ac632471b 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -43,6 +43,10 @@ func filterRuleForUs(opt *Option) bool { return true } + if prebuild.Test && slices.Contains(opt.ArgList, "test") { + return true + } + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) if slices.Contains(opt.ArgList, abiStr) { return true diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 201d8c841..486a45d14 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go @@ -19,6 +19,9 @@ var ( // Either or not RBAC is enabled RBAC = false + // Either or not we are in test mode + Test = false + // Pkgname is the name of the package Pkgname = "apparmor.d" From 4609595c26bcf1e129f885186784922762f73f5f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 15:34:04 +0200 Subject: [PATCH 653/798] refractor(abs): common/apt -> apt. --- apparmor.d/abstractions/{common => }/apt | 2 +- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-cache | 2 +- apparmor.d/groups/apt/apt-cdrom | 2 +- apparmor.d/groups/apt/apt-config | 2 +- apparmor.d/groups/apt/apt-extracttemplates | 2 +- apparmor.d/groups/apt/apt-file | 2 +- apparmor.d/groups/apt/apt-forktracer | 2 +- apparmor.d/groups/apt/apt-helper | 2 +- apparmor.d/groups/apt/apt-mark | 2 +- apparmor.d/groups/apt/apt-show-versions | 2 +- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/apt/command-not-found | 2 +- apparmor.d/groups/apt/debtags | 2 +- apparmor.d/groups/apt/dpkg-checkbuilddeps | 2 +- apparmor.d/groups/apt/dpkg-db-backup | 2 +- apparmor.d/groups/apt/dpkg-maintscript-helper | 2 +- apparmor.d/groups/apt/querybts | 6 +++--- apparmor.d/groups/apt/reportbug | 2 +- apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/apt/unattended-upgrade-shutdown | 2 +- apparmor.d/groups/apt/update-apt-xapian-index | 2 +- apparmor.d/groups/grub/grub-sort-version | 2 +- apparmor.d/groups/kde/kded | 2 +- apparmor.d/groups/ubuntu/apport | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/groups/ubuntu/apt-esm-hook | 2 +- apparmor.d/groups/ubuntu/apt-esm-json-hook | 2 +- apparmor.d/groups/ubuntu/apt_news | 2 +- apparmor.d/groups/ubuntu/check-new-release-gtk | 2 +- apparmor.d/groups/ubuntu/do-release-upgrade | 2 +- apparmor.d/groups/ubuntu/hwe-support-status | 2 +- apparmor.d/groups/ubuntu/list-oem-metapackages | 2 +- apparmor.d/groups/ubuntu/package-data-downloader | 2 +- apparmor.d/groups/ubuntu/software-properties-dbus | 2 +- apparmor.d/groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/ubuntu-advantage | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/pycompile | 4 ++-- 43 files changed, 46 insertions(+), 46 deletions(-) rename apparmor.d/abstractions/{common => }/apt (95%) diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/apt similarity index 95% rename from apparmor.d/abstractions/common/apt rename to apparmor.d/abstractions/apt index bec8d9a20..2802ac2a8 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/apt @@ -35,6 +35,6 @@ owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index ade8bee61..8581fe724 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt @{bin}/apt-get @{sbin}/aptd profile apt @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache index 1251fe449..afd34f7e5 100644 --- a/apparmor.d/groups/apt/apt-cache +++ b/apparmor.d/groups/apt/apt-cache @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cache profile apt-cache @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index a99b964c7..0ce146261 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-cdrom profile apt-cdrom @{exec_path} flags=(complain) { include - include + include include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config index 505a4b037..834bcbd8c 100644 --- a/apparmor.d/groups/apt/apt-config +++ b/apparmor.d/groups/apt/apt-config @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-config profile apt-config @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index beb563f31..6fbfad65b 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/apt-extracttemplates @{lib}/apt/apt-extracttemplates profile apt-extracttemplates @{exec_path} { include + include include - include capability dac_read_search, diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index bc140acd1..6551f21a7 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-file profile apt-file @{exec_path} { include - include + include include @{exec_path} r, diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index 2fbb5d95b..3eec09d60 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-forktracer profile apt-forktracer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index f16e98d2f..18b6d7241 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/apt/apt-helper profile apt-helper @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index 4af469c30..c174267f5 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-mark profile apt-mark @{exec_path} { include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index 16dc584b3..514b952ff 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/apt-show-versions profile apt-show-versions @{exec_path} { include - include + include include include diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 9254be27d..b3f411c84 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -10,9 +10,9 @@ include @{exec_path} = @{bin}/aptitude{,-curses} profile aptitude @{exec_path} flags=(complain) { include + include include include - include # To remove the following errors: # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index b42649d7c..6d09e34c0 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -12,7 +12,7 @@ include @{exec_path} += @{lib}/command-not-found profile command-not-found @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index 3e3fd2ab9..53e5964bd 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/debtags profile debtags @{exec_path} { include + include include - include include #capability sys_tty_config, diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 712a74e8c..297a45f84 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/dpkg-checkbuilddeps profile dpkg-checkbuilddeps @{exec_path} flags=(complain) { include + include include - include @{exec_path} r, diff --git a/apparmor.d/groups/apt/dpkg-db-backup b/apparmor.d/groups/apt/dpkg-db-backup index d83bdbb45..8e99e70c5 100644 --- a/apparmor.d/groups/apt/dpkg-db-backup +++ b/apparmor.d/groups/apt/dpkg-db-backup @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/dpkg/dpkg-db-backup profile dpkg-db-backup @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/apt/dpkg-maintscript-helper b/apparmor.d/groups/apt/dpkg-maintscript-helper index dfb881e32..aa9232c73 100644 --- a/apparmor.d/groups/apt/dpkg-maintscript-helper +++ b/apparmor.d/groups/apt/dpkg-maintscript-helper @@ -21,8 +21,8 @@ profile dpkg-maintscript-helper @{exec_path} { profile dpkg { include + include include - include capability dac_read_search, diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index 2a2063d8e..87967d164 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -10,14 +10,14 @@ include @{exec_path} = @{bin}/querybts profile querybts @{exec_path} { include - include - include + include include + include include + include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index a814eaaa9..a6584a23d 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/reportbug profile reportbug @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 36e299a0c..c48286299 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec profile synaptic @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index ebdc88d08..d2da77bc3 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -10,11 +10,11 @@ include @{exec_path} = @{bin}/unattended-upgrade profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { include + include include include include include - include include include include diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 1fb667fae..f7b94d68d 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -9,10 +9,10 @@ include @{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { include + include include include include - include include include diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index f829ab3ff..6ea4f19fb 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -10,8 +10,8 @@ include @{exec_path} = @{bin}/update-apt-xapian-index profile update-apt-xapian-index @{exec_path} { include + include include - include include @{exec_path} r, diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version index 5e65fe835..6ece8a60b 100644 --- a/apparmor.d/groups/grub/grub-sort-version +++ b/apparmor.d/groups/grub/grub-sort-version @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/grub/grub-sort-version profile grub-sort-version @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 93c70329e..2ebc6a5fa 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/kded5 @{bin}/kded6 profile kded @{exec_path} { include + include #aa:only apt include include include @@ -18,7 +19,6 @@ profile kded @{exec_path} { include include include - include #aa:only apt include include include diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 2fa7bb92a..255dc551a 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -9,7 +9,7 @@ include @{exec_path} = /usr/share/apport/apport profile apport @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index d7480a212..b6815adea 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -9,12 +9,12 @@ include @{exec_path} = /usr/share/apport/apport-gtk profile apport-gtk @{exec_path} { include + include include include include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index a04fc771d..2555d0373 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-hook profile apt-esm-hook @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 2edc09970..e8f03807d 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt-esm-json-hook profile apt-esm-json-hook @{exec_path} { include - include + include include unix (receive, send) type=stream peer=(label=apt), diff --git a/apparmor.d/groups/ubuntu/apt_news b/apparmor.d/groups/ubuntu/apt_news index 9734803e4..91c8b29cc 100644 --- a/apparmor.d/groups/ubuntu/apt_news +++ b/apparmor.d/groups/ubuntu/apt_news @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-advantage/apt_news.py profile apt_news @{exec_path} flags=(attach_disconnected) { include - include + include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 65a19e0e0..d0e5c8f1e 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/ubuntu-release-upgrader/check-new-release-gtk profile check-new-release-gtk @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 2d3eebbc2..e9c4c9ab3 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/do-release-upgrade profile do-release-upgrade @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index d5ad6e06c..c85fb9966 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/hwe-support-status profile hwe-support-status @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 91bc4876f..5e4b09ce3 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -9,8 +9,8 @@ include @{exec_path} = @{lib}/update-notifier/list-oem-metapackages profile list-oem-metapackages @{exec_path} { include + include include - include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index 37f7f72a5..1703d27cd 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/package-data-downloader profile package-data-downloader @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index cc7387709..72e016573 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/software-properties/software-properties-dbus profile software-properties-dbus @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index cd858737b..5111a0278 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/software-properties-gtk profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -16,7 +17,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index ea9742d4c..4ede61bc8 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/ubuntu-advantage profile ubuntu-advantage @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 34284388e..d242ae0d6 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/update-manager profile update-manager @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -18,7 +19,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index 88967baf8..09775cb6f 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/update-motd-updates-available profile update-motd-updates-available @{exec_path} { include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 4c60b4aaf..70d980713 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/update-notifier profile update-notifier @{exec_path} { include + include include include include @@ -16,7 +17,6 @@ profile update-notifier @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 19f6a515e..e5b54c34e 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -9,11 +9,11 @@ include @{exec_path} = @{lib}/packagekitd profile packagekitd @{exec_path} flags=(attach_disconnected) { include + include #aa:only apt include include include include - include #aa:only apt include include diff --git a/apparmor.d/profiles-m-r/pycompile b/apparmor.d/profiles-m-r/pycompile index c308dcd91..105264ec2 100644 --- a/apparmor.d/profiles-m-r/pycompile +++ b/apparmor.d/profiles-m-r/pycompile @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/py{,3}compile @{bin}/py{,3}clean profile pycompile @{exec_path} flags=(attach_disconnected,complain) { include - include + include include include @@ -32,8 +32,8 @@ profile pycompile @{exec_path} flags=(attach_disconnected,complain) { profile dpkg { include + include include - include capability dac_read_search, From ff21c9157c4608f49f6aa7b12665fd02d0a3922b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 15:34:32 +0200 Subject: [PATCH 654/798] tests(profile): add common autopkgtest paths. --- apparmor.d/abstractions/apt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/apt b/apparmor.d/abstractions/apt index 2802ac2a8..25106ad6e 100644 --- a/apparmor.d/abstractions/apt +++ b/apparmor.d/abstractions/apt @@ -35,6 +35,9 @@ owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, + #aa:only test + /tmp/autopkgtest.@{rand6}/** rwk, + include if exists # vim:syntax=apparmor From bf3b8345fccd475b09da20ded1a9be6e32bd731a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 16:26:28 +0200 Subject: [PATCH 655/798] refractor(abs): move gtk bus interfaces. --- .../bus/session/org.gtk.MountOperationHandler | 14 ++++++++++++++ .../org.gtk.Private.RemoteVolumeMonitor | 2 +- .../bus/{ => session}/org.gtk.vfs.Daemon | 6 ++++-- .../bus/{ => session}/org.gtk.vfs.Metadata | 6 +++--- .../bus/session/org.gtk.vfs.MountOperation | 2 +- .../bus/{ => session}/org.gtk.vfs.MountTracker | 10 ++++++---- .../abstractions/bus/session/org.gtk.vfs.Spawner | 14 ++++++++++++++ 7 files changed, 43 insertions(+), 11 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler rename apparmor.d/abstractions/bus/{ => session}/org.gtk.Private.RemoteVolumeMonitor (91%) rename apparmor.d/abstractions/bus/{ => session}/org.gtk.vfs.Daemon (72%) rename apparmor.d/abstractions/bus/{ => session}/org.gtk.vfs.Metadata (80%) rename apparmor.d/abstractions/bus/{ => session}/org.gtk.vfs.MountTracker (89%) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner diff --git a/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler new file mode 100644 index 000000000..3fce0d719 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/MountOperationHandler + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor similarity index 91% rename from apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor rename to apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor index 9060c8c15..b8160dcb2 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor @@ -19,6 +19,6 @@ member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged} peer=(name="@{busname}", label=gvfs-*-volume-monitor), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon similarity index 72% rename from apparmor.d/abstractions/bus/org.gtk.vfs.Daemon rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon index 93ad35fe5..edf954ac5 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon @@ -1,7 +1,9 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Each daemon (main and for mounts) implement this. + abi , dbus send bus=session path=/org/gtk/vfs/Daemon @@ -14,6 +16,6 @@ member=GetConnection peer=(name=@{busname}), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata similarity index 80% rename from apparmor.d/abstractions/bus/org.gtk.vfs.Metadata rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata index ce6e60082..9f1a77daf 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata @@ -13,13 +13,13 @@ dbus send bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member={Set,Move,GetTreeFromDevice,Remove} - peer=(name="@{busname}", label=gvfsd-metadata), + peer=(name=@{busname}, label=gvfsd-metadata), dbus receive bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member=AttributeChanged - peer=(name="@{busname}", label=gvfsd-metadata), + peer=(name=@{busname}, label=gvfsd-metadata), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation index ff8c928f8..54dfc837f 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation @@ -6,7 +6,7 @@ dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int} interface=org.gtk.vfs.MountOperation - member={AskQuestion,AskPassword} + member={AskPassword,AskQuestion} peer=(name=@{busname}, label=gvfsd-*), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker similarity index 89% rename from apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker rename to apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker index c455d4f18..107c3dc13 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker @@ -2,21 +2,23 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# The mount tracking interface. + abi , dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=ListMountableInfo + member=LookupMount peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=LookupMount + member=ListMounts2 peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker - member=ListMounts2 + member=ListMountableInfo peer=(name="@{busname}", label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/mounttracker @@ -24,6 +26,6 @@ member={Mounted,Unmounted} peer=(name="@{busname}", label=gvfsd), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner new file mode 100644 index 000000000..71c0dd157 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} + interface=org.gtk.vfs.Spawner + member=Spawned + peer=(name=@{busname}, label=gvfsd), + + include if exists + +# vim:syntax=apparmor From 5cae18e064f6f3a7eb47b9553af322c781fbb068 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 16:45:54 +0200 Subject: [PATCH 656/798] feat(abs): add the gtk-strict abstraction. --- apparmor.d/abstractions/desktop | 2 +- apparmor.d/abstractions/gnome-strict | 2 +- apparmor.d/abstractions/gnome.d/complete | 2 +- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/abstractions/lxqt | 2 +- apparmor.d/abstractions/xfce | 2 +- apparmor.d/groups/apt/debconf-frontend | 2 +- apparmor.d/groups/kde/gmenudbusmenuproxy | 1 - apparmor.d/groups/kde/kcminit | 1 - apparmor.d/groups/kde/kconf_update | 1 - apparmor.d/groups/kde/kded | 1 - apparmor.d/groups/kde/kwalletd | 1 - apparmor.d/profiles-m-r/obconf | 2 +- 13 files changed, 8 insertions(+), 13 deletions(-) diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 3bfbcc887..316e7374e 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -12,7 +12,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 4d2d390ee..a3afccb76 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -7,7 +7,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/gnome.d/complete b/apparmor.d/abstractions/gnome.d/complete index 3dece8578..3d4b47f9f 100644 --- a/apparmor.d/abstractions/gnome.d/complete +++ b/apparmor.d/abstractions/gnome.d/complete @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index b448c542d..f00594038 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -7,7 +7,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index f20c24a32..ba7347d8c 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -7,7 +7,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 3046c8f6d..eaf50f6d0 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -6,7 +6,7 @@ include include - include + include include include include diff --git a/apparmor.d/groups/apt/debconf-frontend b/apparmor.d/groups/apt/debconf-frontend index 6e80839fe..0a7706fe1 100644 --- a/apparmor.d/groups/apt/debconf-frontend +++ b/apparmor.d/groups/apt/debconf-frontend @@ -14,7 +14,7 @@ profile debconf-frontend @{exec_path} flags=(complain) { include include include - include + include capability dac_read_search, diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index b30e39cdc..f63a83295 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -13,7 +13,6 @@ profile gmenudbusmenuproxy @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 4f8b10a32..59f60c285 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -11,7 +11,6 @@ profile kcminit @{exec_path} { include include include - include include #aa:dbus own bus=session name=org.kde.{KCM,kcm}init path=/kcminit diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index ee42fef98..6a01748fd 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -12,7 +12,6 @@ profile kconf_update @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 2ebc6a5fa..ec5a1ee36 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -23,7 +23,6 @@ profile kded @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index de175635a..baaad7dcb 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -17,7 +17,6 @@ profile kwalletd @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 7b11aaac5..d283466f5 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -11,7 +11,7 @@ include profile obconf @{exec_path} { include include - include + include include include include From 784ced0da32c3b380b01336f72a20c36de431c6e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 18:08:44 +0200 Subject: [PATCH 657/798] feat(abs): reorganise the gtk/gvfs abs. --- .../abstractions/bus/session/org.gtk.vfs.Mountable | 14 ++++++++++++++ .../abstractions/bus/session/org.gtk.vfs.Spawner | 2 +- apparmor.d/abstractions/common/gnome | 1 - apparmor.d/groups/bus/ibus-daemon | 2 +- apparmor.d/groups/bus/ibus-dconf | 2 +- apparmor.d/groups/bus/ibus-engine-simple | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 1 - apparmor.d/groups/bus/ibus-memconf | 2 +- apparmor.d/groups/bus/ibus-x11 | 1 - apparmor.d/groups/flatpak/flatpak | 1 - .../groups/freedesktop/xdg-desktop-portal-gtk | 1 - .../xdg-desktop-portal-rewrite-launchers | 2 +- .../groups/freedesktop/xdg-user-dirs-gtk-update | 1 - apparmor.d/groups/gnome/deja-dup-monitor | 6 +++--- .../groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/evolution-alarm-notify | 1 - apparmor.d/groups/gnome/evolution-calendar-factory | 4 ++-- apparmor.d/groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/gio-launch-desktop | 3 +-- apparmor.d/groups/gnome/gnome-calendar | 1 - apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-clocks | 1 - apparmor.d/groups/gnome/gnome-control-center | 1 - .../groups/gnome/gnome-control-center-goa-helper | 1 - .../gnome/gnome-control-center-search-provider | 1 - apparmor.d/groups/gnome/gnome-disk-image-mounter | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 7 +++---- apparmor.d/groups/gnome/gnome-extension-gsconnect | 8 ++++---- apparmor.d/groups/gnome/gnome-initial-setup | 1 - apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gnome-software | 1 - apparmor.d/groups/gnome/gnome-system-monitor | 5 ++--- apparmor.d/groups/gnome/gnome-terminal-server | 1 - apparmor.d/groups/gnome/goa-daemon | 1 - apparmor.d/groups/gnome/goa-identity-service | 2 +- apparmor.d/groups/gnome/gsd-color | 1 - apparmor.d/groups/gnome/gsd-housekeeping | 1 - apparmor.d/groups/gnome/gsd-keyboard | 1 - apparmor.d/groups/gnome/gsd-media-keys | 3 +-- apparmor.d/groups/gnome/gsd-power | 1 - apparmor.d/groups/gnome/gsd-wacom | 1 - apparmor.d/groups/gnome/localsearch | 5 ++--- apparmor.d/groups/gnome/mutter-x11-frames | 1 - apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/ptyxis | 1 - apparmor.d/groups/gnome/ptyxis-agent | 2 +- apparmor.d/groups/gnome/seahorse | 1 - apparmor.d/groups/gnome/tracker-extract | 5 ++--- apparmor.d/groups/gnome/tracker-miner | 5 ++--- apparmor.d/groups/ubuntu/apport-gtk | 1 - apparmor.d/groups/ubuntu/check-new-release-gtk | 1 - apparmor.d/groups/ubuntu/livepatch-notification | 1 - apparmor.d/groups/ubuntu/software-properties-gtk | 1 - .../groups/ubuntu/ubuntu-advantage-notification | 1 - apparmor.d/groups/ubuntu/update-manager | 1 - apparmor.d/groups/ubuntu/update-notifier | 1 - apparmor.d/profiles-a-f/atril | 1 - apparmor.d/profiles-a-f/calibre | 1 - apparmor.d/profiles-a-f/engrampa | 3 +-- apparmor.d/profiles-a-f/file-roller | 2 -- apparmor.d/profiles-g-l/gimp | 1 + apparmor.d/profiles-g-l/libreoffice | 5 ++--- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/spice-vdagent | 1 - apparmor.d/profiles-s-z/spotify | 1 - apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/terminator | 1 - apparmor.d/profiles-s-z/virt-manager | 2 ++ 68 files changed, 57 insertions(+), 88 deletions(-) create mode 100644 apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable new file mode 100644 index 000000000..603ef709b --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus receive bus=session path=/org/gtk/vfs/mountable + interface=org.gtk.vfs.Mountable + member=Mount + peer=(name=@{busname}, label=gvfsd), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner index 71c0dd157..7090afe24 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2025 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index f0dd20f47..b9f36cf6c 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -10,7 +10,6 @@ include include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index 3fdab031b..b326138d6 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -10,7 +10,7 @@ include profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include include - include + include include include diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index 817d63175..bac225ebc 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -11,7 +11,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index e900fc3f5..8bdc3c79c 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -11,7 +11,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=term peer=ibus-daemon, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 34d881a8a..0973fce49 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -12,7 +12,6 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 5233f8603..b1f1445b3 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -10,7 +10,7 @@ include profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 698eeedb6..cf7b40190 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -13,7 +13,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 4ef675aef..3fee701a8 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -14,7 +14,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 9688df798..35199d859 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -18,7 +18,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers index 62adb343b..2fa8cc01f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers @@ -10,7 +10,7 @@ include profile xdg-desktop-portal-rewrite-launchers @{exec_path} { include include - include + include @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index cf488af63..1b818267f 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -11,7 +11,6 @@ profile xdg-user-dirs-gtk-update @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index a0fb366ab..59b3c5d40 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -13,9 +13,9 @@ profile deja-dup-monitor @{exec_path} { include include include - include - include - include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index adf2aa264..1b9051a4a 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -13,7 +13,7 @@ profile evolution-addressbook-factory @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 174cb323f..9f8c51a75 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -12,7 +12,6 @@ profile evolution-alarm-notify @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index 2ee416bd9..87cce8fbc 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -12,8 +12,8 @@ profile evolution-calendar-factory @{exec_path} { include include include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 38122b7c0..0732646b5 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -10,7 +10,7 @@ include profile evolution-source-registry @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index eb76f1207..3652dd6e9 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -19,8 +19,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 872fc6858..2173e3d62 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -14,7 +14,6 @@ profile gnome-calendar @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 7ce936e52..b5ae5672a 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -12,7 +12,6 @@ profile gnome-characters @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index bdffedb72..92886c887 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -12,7 +12,6 @@ profile gnome-clocks @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index b4128b1af..c27f32fec 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -16,7 +16,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 21a326fe6..aeb59295f 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -14,7 +14,6 @@ profile gnome-control-center-goa-helper @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 51c8f5107..6d24e72c1 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -11,7 +11,6 @@ profile gnome-control-center-search-provider @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 519a248d8..55d49e250 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -13,7 +13,7 @@ profile gnome-disk-image-mounter @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 400b28b6e..f56af9f67 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -21,10 +21,9 @@ profile gnome-extension-ding @{exec_path} { include include include - include - include - include - include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 7af7b8b2f..8ac7830cc 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,10 +21,10 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include - include - include - include + include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 40b8bc9b5..7f4b818e3 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -15,7 +15,6 @@ profile gnome-initial-setup @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d8853aa3b..55e95d006 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -29,7 +29,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 247436318..0b1602fbb 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -13,7 +13,6 @@ profile gnome-software @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 8bcb629a9..152b28ff7 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -10,9 +10,8 @@ include profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include include include diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index cda4568c1..7a9bad4da 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -14,7 +14,6 @@ profile gnome-terminal-server @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon index 8176d6c7c..b7c138285 100644 --- a/apparmor.d/groups/gnome/goa-daemon +++ b/apparmor.d/groups/gnome/goa-daemon @@ -12,7 +12,6 @@ profile goa-daemon @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 3992811c2..4509a6159 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -11,7 +11,7 @@ profile goa-identity-service @{exec_path} { include include include - include + include #aa:dbus own bus=session name=org.gnome.Identity diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 1b12a68cd..a0b3fac6b 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -16,7 +16,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 35714fa0b..8d8b9fc1b 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -12,7 +12,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 80f19f93a..f4f2830b8 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -16,7 +16,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 32869cdbc..9f6f70fbc 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -18,8 +18,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index f3be82dfd..a6165ddcf 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -22,7 +22,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 484dda29d..50da29b5f 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -14,7 +14,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/localsearch b/apparmor.d/groups/gnome/localsearch index 66420cace..ea1566757 100644 --- a/apparmor.d/groups/gnome/localsearch +++ b/apparmor.d/groups/gnome/localsearch @@ -11,9 +11,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 92e619e5c..f50bdbd9b 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -13,7 +13,6 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index a91a154a7..07abe1c08 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -18,7 +18,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis index ac47b5460..3195d7f03 100644 --- a/apparmor.d/groups/gnome/ptyxis +++ b/apparmor.d/groups/gnome/ptyxis @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/ptyxis profile ptyxis @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 2735e0c5d..6418193a6 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -10,7 +10,7 @@ include profile ptyxis-agent @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 96b60ab72..090a9cbe7 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -15,7 +15,6 @@ profile seahorse @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index 3f9f49281..e200ecb42 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -10,9 +10,8 @@ include profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index e7cdc1a38..85b7b0d53 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -11,9 +11,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include - include - include + include + include include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index b6815adea..0cd509473 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -14,7 +14,6 @@ profile apport-gtk @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index d0e5c8f1e..5df19d897 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -13,7 +13,6 @@ profile check-new-release-gtk @{exec_path} { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 4d5ecb46a..e003054a5 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -12,7 +12,6 @@ profile livepatch-notification @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 5111a0278..2f6398f1e 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -16,7 +16,6 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index bf3d4c6c0..093fdbed7 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -12,7 +12,6 @@ profile ubuntu-advantage-notification @{exec_path} { include include include - include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index d242ae0d6..a874ca346 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -18,7 +18,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 70d980713..f66345b67 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -15,7 +15,6 @@ profile update-notifier @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 284c35911..c95f6be55 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -13,7 +13,6 @@ profile atril @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index bba3dfedb..60843b0a6 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -16,7 +16,6 @@ profile calibre @{exec_path} { include include include - include include include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index c302ff400..8137edd8d 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -13,8 +13,7 @@ profile engrampa @{exec_path} { include include include - include - include + include include include include diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 5ec394807..3d13b813f 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -9,8 +9,6 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include - include - include include include include diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 67b625d62..ad324e153 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -11,6 +11,7 @@ profile gimp @{exec_path} { include include include + include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 63f348f9b..bc6516fc2 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -18,9 +18,8 @@ profile libreoffice @{exec_path} { include include include - include - include - include + include + include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 90db69a13..b8b361e12 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -16,7 +16,7 @@ profile remmina @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 158ea6a7f..18e3fc248 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -18,7 +18,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 8917fa3a2..f3c4acf4f 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -24,7 +24,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index ee8ee627b..a7adf91fa 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -23,7 +23,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 59c78396d..e9baf97e1 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -13,7 +13,6 @@ profile terminator @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index f820d2953..9802ecd5a 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -16,6 +16,8 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include + include + include include include include From 1fba94a197d93e9032a4f99dbe46eca3afaba671 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 18:14:30 +0200 Subject: [PATCH 658/798] feat(profile): update gvfs services to the abs changes. --- .../groups/gvfs/gvfs-afc-volume-monitor | 2 +- .../groups/gvfs/gvfs-goa-volume-monitor | 4 +-- .../groups/gvfs/gvfs-gphoto2-volume-monitor | 2 +- .../groups/gvfs/gvfs-mtp-volume-monitor | 2 +- .../groups/gvfs/gvfs-udisks2-volume-monitor | 4 +-- apparmor.d/groups/gvfs/gvfsd | 8 +++-- apparmor.d/groups/gvfs/gvfsd-admin | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-afc | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-afp | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-afp-browse | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-archive | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-burn | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-cdda | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-computer | 9 ++++++ apparmor.d/groups/gvfs/gvfsd-dav | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-dnssd | 26 +++------------- apparmor.d/groups/gvfs/gvfsd-ftp | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-fuse | 16 +++------- apparmor.d/groups/gvfs/gvfsd-google | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-gphoto2 | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-http | 24 +++++--------- apparmor.d/groups/gvfs/gvfsd-localtest | 3 ++ apparmor.d/groups/gvfs/gvfsd-metadata | 6 +++- apparmor.d/groups/gvfs/gvfsd-mtp | 16 ++++++++-- apparmor.d/groups/gvfs/gvfsd-network | 26 +++------------- apparmor.d/groups/gvfs/gvfsd-nfs | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-recent | 19 +++--------- apparmor.d/groups/gvfs/gvfsd-sftp | 31 ++++++------------- apparmor.d/groups/gvfs/gvfsd-smb | 11 +++++++ apparmor.d/groups/gvfs/gvfsd-smb-browse | 18 +++++------ apparmor.d/groups/gvfs/gvfsd-trash | 22 +++---------- apparmor.d/groups/gvfs/gvfsd-wsdd | 24 +++----------- 32 files changed, 238 insertions(+), 167 deletions(-) diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor index 7f50d8b45..32136d710 100644 --- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor @@ -17,7 +17,7 @@ profile gvfs-afc-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor index 3f2fb0138..017a66e84 100644 --- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor @@ -17,12 +17,12 @@ profile gvfs-goa-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=goa-daemon), + peer=(name=@{busname}, label=goa-daemon), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index dd03254b1..ece97e688 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -21,7 +21,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index 6fbbc6092..fd3b38012 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -20,7 +20,7 @@ profile gvfs-mtp-volume-monitor @{exec_path} { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 4ed214b71..80f7f86a9 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -12,7 +12,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include @@ -35,7 +35,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index c124c5855..e3e3edfae 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -18,20 +18,22 @@ profile gvfsd @{exec_path} { #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker + # The server side of abstractions/bus/session/org.gtk.vfs.Mountable dbus send bus=session path=/org/gtk/vfs/mountable interface=org.gtk.vfs.Mountable member=Mount - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), + # The server side of abstractions/bus/session/org.gtk.vfs.Spawner dbus receive bus=session path=/org/gtk/gvfs/exec_spaw/@{int} interface=org.gtk.vfs.Spawner member=Spawned - peer=(name=:*, label=gvfsd-*), + peer=(name=@{busname}, label=gvfsd-*), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 44248cbe3..5a1fd1c82 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-admin profile gvfsd-admin @{exec_path} { include + include + include + include + include include include @@ -19,6 +23,13 @@ profile gvfsd-admin @{exec_path} { capability fowner, capability setuid, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, #aa:lint ignore=too-wide diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc index 68d4b689e..da231f469 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afc +++ b/apparmor.d/groups/gvfs/gvfsd-afc @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afc profile gvfsd-afc @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp index eeaaec059..db6fe5a48 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp +++ b/apparmor.d/groups/gvfs/gvfsd-afp @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp profile gvfsd-afp @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse index 48680f12f..a39e25785 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp-browse +++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-afp-browse profile gvfsd-afp-browse @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 918841320..68b1e7765 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -10,9 +10,20 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-archive profile gvfsd-archive @{exec_path} { include + include + include + include + include include include + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{HOME}/**.{tar,tar.gz,zip} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn index b70fa7110..09062241a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-burn +++ b/apparmor.d/groups/gvfs/gvfsd-burn @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-burn profile gvfsd-burn @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda index 0648f5dc0..356f8dcd3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-cdda +++ b/apparmor.d/groups/gvfs/gvfsd-cdda @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-cdda profile gvfsd-cdda @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 6eebca738..667b448c4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -11,9 +11,18 @@ include profile gvfsd-computer @{exec_path} { include include + include + include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index 77e1a2f6f..b335724cb 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-dav profile gvfsd-dav @{exec_path} { include + include + include + include + include include include include @@ -24,6 +28,13 @@ profile gvfsd-dav @{exec_path} { network inet6 dgram, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index a4eb42821..aad9de3a0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -12,32 +12,14 @@ profile gvfsd-dnssd @{exec_path} { include include include - include - include + include + include + include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={MountLocation,LookupMount,RegisterMount} - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 5b7c833a5..3b36fc4f1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-ftp profile gvfsd-ftp @{exec_path} { include + include + include + include + include include include include @@ -20,6 +24,13 @@ profile gvfsd-ftp @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 4741b0f31..f67068f49 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -11,7 +11,9 @@ include profile gvfsd-fuse @{exec_path} { include include - include + include + include + include include capability sys_admin, @@ -20,21 +22,13 @@ profile gvfsd-fuse @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterFuse - peer=(name=@{busname}, label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/ + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=gvfsd-sftp), - @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google index eb80f3a7a..819e84c39 100644 --- a/apparmor.d/groups/gvfs/gvfsd-google +++ b/apparmor.d/groups/gvfs/gvfsd-google @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-google profile gvfsd-google @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2 index 688f03c27..0544000c0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-gphoto2 +++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2 @@ -10,6 +10,17 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-gphoto2 profile gvfsd-gphoto2 @{exec_path} { include + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index f51ef2afe..2678bde40 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,9 +11,11 @@ include profile gvfsd-http @{exec_path} { include include - include + include + include + include include - include + # include include include include @@ -25,25 +27,15 @@ profile gvfsd-http @{exec_path} { network netlink raw, unix type=stream peer=(label=gnome-shell), + unix type=stream peer=(label=gnome-extension-gsconnect), #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=:*, label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name=:*, label=gvfsd), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index 5ffbabb40..d1af3c60c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest @@ -10,6 +10,9 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-localtest profile gvfsd-localtest @{exec_path} { include + include + include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index f6f3820bb..8565856d9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -11,6 +11,9 @@ include profile gvfsd-metadata @{exec_path} { include include + include + include + include include network netlink raw, @@ -18,11 +21,12 @@ profile gvfsd-metadata @{exec_path} { signal (receive) set=(usr1) peer=pacman, #aa:dbus own bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/{m,M}etadata + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 3c747b8b3..8d5ad78c5 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-mtp profile gvfsd-mtp @{exec_path} { include + include + include + include + include include include include @@ -19,10 +23,18 @@ profile gvfsd-mtp @{exec_path} { network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, - owner @{HOME}/{,**} rw, # FIXME: ? - owner @{MOUNTS}/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/** rw, + owner @{MOUNTS}/** rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 46f543fa4..7874686bc 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,38 +11,20 @@ include profile gvfsd-network @{exec_path} { include include - include - include + include + include + include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member={MountLocation,LookupMount,RegisterMount} - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=@{busname}, label=gnome-shell), - dbus send bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}), - @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index 575d9de39..aae859d73 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs @@ -10,12 +10,23 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-nfs profile gvfsd-nfs @{exec_path} { include + include + include + include + include include network inet stream, network inet6 stream, network netlink raw, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 1219c8cbd..ca59d75cd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -11,27 +11,16 @@ include profile gvfsd-recent @{exec_path} { include include - include - include + include + include + include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 1019a1525..862ef88aa 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -11,32 +11,21 @@ include profile gvfsd-sftp @{exec_path} { include include - include + include + include + include include include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.{M,m}ountTracker label=gvfsd - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}), - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name=@{busname}, label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name=@{busname}, label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/mountop/@{int} - interface=org.gtk.vfs.MountOperation - member={AskQuestion,AskPassword} - peer=(name=@{busname}), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 24891e9c3..9d99a43af 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -10,6 +10,10 @@ include @{exec_path} = @{lib}/{,gvfs/}gvfsd-smb profile gvfsd-smb @{exec_path} { include + include + include + include + include include include @@ -19,6 +23,13 @@ profile gvfsd-smb @{exec_path} { network inet dgram, network inet6 dgram, + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, /etc/samba/smb.conf r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index a90cddc50..66099563e 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,7 +11,9 @@ include profile gvfsd-smb-browse @{exec_path} { include include - include + include + include + include include include include @@ -23,16 +25,12 @@ profile gvfsd-smb-browse @{exec_path} { network inet6 dgram, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index e13f870c7..070c41a84 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,7 +11,9 @@ include profile gvfsd-trash @{exec_path} { include include - include + include + include + include include include include @@ -21,26 +23,12 @@ profile gvfsd-trash @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="@{busname}", label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 7f4c20718..4ea39c7d0 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -11,32 +11,16 @@ profile gvfsd-wsdd @{exec_path} { include include include - include - include + include + include + include include network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd - - dbus receive bus=session path=/org/gtk/vfs/mountable - interface=org.gtk.vfs.Mountable - member=Mount - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int} - interface=org.gtk.vfs.Spawner - member=Spawned - peer=(name="@{busname}", label=gvfsd), - dbus send bus=session path=/org/gtk/vfs/mounttracker - interface=org.gtk.vfs.MountTracker - member=RegisterMount - peer=(name="@{busname}", label=gvfsd), - - dbus receive bus=session path=/org/gtk/vfs/Daemon - interface=org.gtk.vfs.Daemon - member=GetConnection - peer=(name=@{busname}, label=gvfsd-network), + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd dbus receive bus=session interface=org.freedesktop.DBus.Introspectable From 14ec69cd150a8926d52c5e9495edb46e37923c5b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 18:38:02 +0200 Subject: [PATCH 659/798] profile(abs): rewrite the way we manage accessibility - Add some missing dbus access - Split bus access in abstractions - Use trough the new accessibility abs. --- apparmor.d/abstractions/accessibility | 15 +++++ .../abstractions/bus/accessibility/org.a11y | 65 +++++++++++++++++++ apparmor.d/abstractions/bus/org.a11y | 63 ------------------ apparmor.d/abstractions/bus/session/org.a11y | 29 +++++++++ 4 files changed, 109 insertions(+), 63 deletions(-) create mode 100644 apparmor.d/abstractions/accessibility create mode 100644 apparmor.d/abstractions/bus/accessibility/org.a11y delete mode 100644 apparmor.d/abstractions/bus/org.a11y create mode 100644 apparmor.d/abstractions/bus/session/org.a11y diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility new file mode 100644 index 000000000..5bd8c98e7 --- /dev/null +++ b/apparmor.d/abstractions/accessibility @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow communication with Assistive Technology Service Provider Interface (AT-SPI + + abi , + + include + include + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/accessibility/org.a11y b/apparmor.d/abstractions/bus/accessibility/org.a11y new file mode 100644 index 000000000..0145fc494 --- /dev/null +++ b/apparmor.d/abstractions/bus/accessibility/org.a11y @@ -0,0 +1,65 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2017 Canonical Ltd +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + # Allow the accessibility services in the user session to send us any events + + dbus receive bus=accessibility + peer=(label="@{p_at_spi2_registryd}"), + + # Allow querying for capabilities and registering + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member=NotifyListenersSync + peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), + + # org.a11y.atspi is not designed for application isolation and these rules + # can be used to send change events for other processes. + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Event.Object + member=ChildrenChanged + peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Accessible + member=Get* + peer=(label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int} + interface=org.a11y.atspi.Event.Object + member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved} + peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int} + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(label="@{p_at_spi2_registryd}"), + + dbus send bus=accessibility path=/org/a11y/atspi/cache + interface=org.a11y.atspi.Cache + member={AddAccessible,RemoveAccessible} + peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y deleted file mode 100644 index c99f5f8bd..000000000 --- a/apparmor.d/abstractions/bus/org.a11y +++ /dev/null @@ -1,63 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - # Accessibility bus - - dbus receive bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=EventListenerDeregistered - peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry - interface=org.a11y.atspi.Registry - member=GetRegisteredEvents - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name="@{busname}", label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"), - - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=org.a11y.atspi.Registry), - - # Session bus - - dbus send bus=session path=/org/a11y/bus - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=Get - peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/session/org.a11y b/apparmor.d/abstractions/bus/session/org.a11y new file mode 100644 index 000000000..8f517fe99 --- /dev/null +++ b/apparmor.d/abstractions/bus/session/org.a11y @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=Get + peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"), + + dbus send bus=session path=/org/a11y/bus + interface=org.a11y.Bus + member=GetAddress + peer=(name=org.a11y.Bus), + + include if exists + +# vim:syntax=apparmor From af6fbd2bfdf5a7d158a08f159c534867f5ccc1d2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 19:15:43 +0200 Subject: [PATCH 660/798] feat(profile): set accessibility use. --- apparmor.d/abstractions/accessibility | 2 +- apparmor.d/abstractions/app/firefox | 1 - apparmor.d/abstractions/app/open | 4 +--- apparmor.d/abstractions/common/app | 2 -- apparmor.d/abstractions/common/gnome | 2 -- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/lxqt | 3 ++- apparmor.d/abstractions/xfce | 1 + apparmor.d/groups/bluetooth/blueman | 1 - apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 2 -- apparmor.d/groups/bus/ibus-x11 | 2 -- apparmor.d/groups/flatpak/flatpak | 2 -- .../groups/freedesktop/polkit-gnome-authentication-agent | 1 - .../groups/freedesktop/polkit-kde-authentication-agent | 2 -- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 3 +-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 2 -- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 -- apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update | 1 - apparmor.d/groups/gnome/evolution-alarm-notify | 2 -- apparmor.d/groups/gnome/gnome-control-center | 2 -- apparmor.d/groups/gnome/gnome-control-center-goa-helper | 2 -- .../groups/gnome/gnome-control-center-print-renderer | 2 -- apparmor.d/groups/gnome/gnome-disk-image-mounter | 2 -- apparmor.d/groups/gnome/gnome-extension-ding | 2 -- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 -- apparmor.d/groups/gnome/gnome-initial-setup | 2 -- apparmor.d/groups/gnome/gnome-session-binary | 2 -- apparmor.d/groups/gnome/gnome-shell | 3 --- apparmor.d/groups/gnome/gnome-terminal-server | 2 -- apparmor.d/groups/gnome/gsd-color | 2 -- apparmor.d/groups/gnome/gsd-keyboard | 2 -- apparmor.d/groups/gnome/gsd-media-keys | 2 -- apparmor.d/groups/gnome/gsd-power | 2 -- apparmor.d/groups/gnome/gsd-wacom | 2 -- apparmor.d/groups/gnome/gsd-xsettings | 2 -- apparmor.d/groups/gnome/loupe | 2 -- apparmor.d/groups/gnome/mutter-x11-frames | 2 -- apparmor.d/groups/gnome/nautilus | 2 -- apparmor.d/groups/gnome/seahorse | 2 -- apparmor.d/groups/kde/DiscoverNotifier | 2 -- apparmor.d/groups/kde/baloorunner | 2 -- apparmor.d/groups/kde/gmenudbusmenuproxy | 2 -- apparmor.d/groups/kde/kaccess | 2 -- apparmor.d/groups/kde/kactivitymanagerd | 1 - apparmor.d/groups/kde/kde-powerdevil | 2 -- apparmor.d/groups/kde/kded | 4 +--- apparmor.d/groups/kde/kglobalacceld | 2 -- apparmor.d/groups/kde/konsole | 2 -- apparmor.d/groups/kde/kscreen_backend_launcher | 2 -- apparmor.d/groups/kde/ksmserver | 1 - apparmor.d/groups/kde/ksmserver-logout-greeter | 2 -- apparmor.d/groups/kde/ksplashqml | 2 -- apparmor.d/groups/kde/kstart | 1 - apparmor.d/groups/kde/kwalletd | 2 -- apparmor.d/groups/kde/kwin_wayland | 2 -- apparmor.d/groups/kde/kwin_x11 | 1 - apparmor.d/groups/kde/plasmashell | 2 -- apparmor.d/groups/kde/systemsettings | 2 -- apparmor.d/groups/kde/xembedsniproxy | 2 -- apparmor.d/groups/lxqt/lxqt-globalkeysd | 1 - apparmor.d/groups/lxqt/lxqt-session | 1 - apparmor.d/groups/network/mullvad-gui | 2 -- apparmor.d/groups/systemd/busctl | 2 -- apparmor.d/groups/ubuntu/apport-gtk | 2 -- apparmor.d/groups/ubuntu/check-new-release-gtk | 2 -- apparmor.d/groups/ubuntu/livepatch-notification | 2 -- apparmor.d/groups/ubuntu/software-properties-gtk | 2 -- apparmor.d/groups/ubuntu/ubuntu-advantage-notification | 2 -- apparmor.d/groups/ubuntu/update-manager | 2 -- apparmor.d/groups/ubuntu/update-notifier | 2 -- apparmor.d/groups/xfce/thunar | 1 - apparmor.d/groups/xfce/thunar-volman | 1 - apparmor.d/groups/xfce/xfce-clipman-settings | 1 - apparmor.d/groups/xfce/xfce-notifyd | 1 - apparmor.d/groups/xfce/xfce-panel | 1 - apparmor.d/groups/xfce/xfce-power-manager | 1 - apparmor.d/groups/xfce/xfce-screensaver | 1 - apparmor.d/groups/xfce/xfce-session | 1 - apparmor.d/groups/xfce/xfce-terminal | 1 - apparmor.d/groups/xfce/xfdesktop | 1 - apparmor.d/groups/xfce/xfsettingsd | 1 - apparmor.d/groups/xfce/xfwm | 1 - apparmor.d/profiles-a-f/alacarte | 2 -- apparmor.d/profiles-a-f/atril | 7 +------ apparmor.d/profiles-a-f/calibre | 2 -- apparmor.d/profiles-a-f/engrampa | 2 -- apparmor.d/profiles-a-f/evince | 2 -- apparmor.d/profiles-a-f/evince-previewer | 2 +- apparmor.d/profiles-g-l/kerneloops-applet | 2 -- apparmor.d/profiles-g-l/libreoffice | 2 -- apparmor.d/profiles-m-r/qbittorrent | 2 -- apparmor.d/profiles-m-r/remmina | 2 -- apparmor.d/profiles-m-r/rustdesk | 2 -- apparmor.d/profiles-s-z/YACReaderLibrary | 1 - apparmor.d/profiles-s-z/simple-scan | 2 -- apparmor.d/profiles-s-z/spice-vdagent | 2 -- apparmor.d/profiles-s-z/spotify | 4 +--- apparmor.d/profiles-s-z/superproductivity | 2 -- apparmor.d/profiles-s-z/terminator | 2 -- apparmor.d/profiles-s-z/transmission | 2 -- apparmor.d/profiles-s-z/virt-manager | 2 -- apparmor.d/profiles-s-z/vlc | 3 --- apparmor.d/profiles-s-z/wireshark | 1 - 106 files changed, 14 insertions(+), 185 deletions(-) diff --git a/apparmor.d/abstractions/accessibility b/apparmor.d/abstractions/accessibility index 5bd8c98e7..894ee467e 100644 --- a/apparmor.d/abstractions/accessibility +++ b/apparmor.d/abstractions/accessibility @@ -2,7 +2,7 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Allow communication with Assistive Technology Service Provider Interface (AT-SPI +# Allow communication with Assistive Technology Service Provider Interface (AT-SPI) abi , diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 7630b8576..0648e68d1 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -22,7 +22,6 @@ include include include - include include include include diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 3d91de235..8dffc39b9 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -7,8 +7,8 @@ abi , + include include - include include # We cannot use `@{open_path} mrix,` here because it includes: @@ -31,8 +31,6 @@ # if @{DE} == kde include - include - include include include diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 091cfbbb4..28badc6db 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -14,10 +14,8 @@ include include - include include include - include include include include diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index b9f36cf6c..6dcb26860 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -6,9 +6,7 @@ abi , - include include - include include include include diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 316e7374e..66742f02a 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -9,6 +9,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index a3afccb76..47efde306 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,6 +4,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index f00594038..17952414c 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -4,6 +4,7 @@ abi , + include include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index ba7347d8c..8d83aefdc 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -4,8 +4,9 @@ abi , - include + include include + include include include include diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index eaf50f6d0..c7e464236 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -4,6 +4,7 @@ abi , + include include include include diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index 469fb24a0..08a553c1d 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -11,7 +11,6 @@ include profile blueman @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index c254fcd2d..910ae0008 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -11,7 +11,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 0973fce49..2fa49e50f 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/{,ibus/}ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include - include include - include include include include diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index cf7b40190..ce1c2b108 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -10,9 +10,7 @@ include profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 3fee701a8..341db555e 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/flatpak profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent index f1ca0fd31..bb48d0c5b 100644 --- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent @@ -13,7 +13,6 @@ include profile polkit-gnome-authentication-agent @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 5e7a75a8d..8a08f02d0 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -11,10 +11,8 @@ include @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index fafdea3a5..031f03ac4 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -9,11 +9,10 @@ include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include + include include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index b6c77f336..95daf2935 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 35199d859..d1ae86e15 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gtk profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 1b818267f..feb1b9bd6 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xdg-user-dirs-gtk-update profile xdg-user-dirs-gtk-update @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index 9f8c51a75..501685b22 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify profile evolution-alarm-notify @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index c27f32fec..9f78fb4fd 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -11,10 +11,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index aeb59295f..8b813d260 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -10,10 +10,8 @@ include profile gnome-control-center-goa-helper @{exec_path} { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 59679deb8..cbd1f1a75 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index 55d49e250..d9959691b 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/gnome-disk-image-mounter profile gnome-disk-image-mounter @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index f56af9f67..9f848be8e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -13,11 +13,9 @@ include profile gnome-extension-ding @{exec_path} { include include - include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 8ac7830cc..2592eb77e 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -13,10 +13,8 @@ include profile gnome-extension-gsconnect @{exec_path} { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 7f4b818e3..7439e0fb6 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/gnome-initial-setup profile gnome-initial-setup @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index f4c61c5c6..5359a70df 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 55e95d006..a82278a6c 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -10,15 +10,12 @@ include profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include include include include include - include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 7a9bad4da..fe380dadd 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,9 +10,7 @@ include profile gnome-terminal-server @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index a0b3fac6b..0acdbaf38 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -10,10 +10,8 @@ include profile gsd-color @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index f4f2830b8..b700a7df9 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -10,10 +10,8 @@ include profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 9f6f70fbc..3ca105656 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -10,10 +10,8 @@ include profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index a6165ddcf..d20ad65d0 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -10,11 +10,9 @@ include profile gsd-power @{exec_path} flags=(attach_disconnected) { include include - include include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 50da29b5f..0bb1d50d1 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -10,9 +10,7 @@ include profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 7618dc3b6..84abb82e0 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,10 +9,8 @@ include @{exec_path} = @{lib}/gsd-xsettings profile gsd-xsettings @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index cabcca062..ea55ee902 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/loupe profile loupe @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index f50bdbd9b..d5c83a31b 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -10,9 +10,7 @@ include profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 07abe1c08..d3906051c 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,11 +9,9 @@ include @{exec_path} = @{bin}/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include - include include include include - include include include include diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index 090a9cbe7..c34526ee1 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse @@ -10,10 +10,8 @@ include profile seahorse @{exec_path} { include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 0965396ab..b5e1b4ae8 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -10,10 +10,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier profile DiscoverNotifier @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 64372f497..33660a776 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -10,9 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index f63a83295..dbca9fcf5 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index 8258d1bde..1fdb4b920 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -10,9 +10,7 @@ include profile kaccess @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index ead285e5f..1cc6b41d1 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -11,7 +11,6 @@ include profile kactivitymanagerd @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index f40c86e03..7d6daeda6 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -11,10 +11,8 @@ include profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index ec5a1ee36..678c64e71 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -11,14 +11,12 @@ profile kded @{exec_path} { include include #aa:only apt include - include include include - include - include include include include + include include include include diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index b9c09d0c6..156bdf928 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/kglobalaccel5 @{lib}/kglobalacceld profile kglobalacceld @{exec_path} { include - include include - include include #aa:dbus own bus=session name=org.kde.KGlobalAccel path=/kglobalaccel diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index fa55e177d..446d8a08d 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -11,9 +11,7 @@ include profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 00b4c9630..e44ee1f83 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -10,9 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kf{5,6}/kscreen_backend_launcher profile kscreen_backend_launcher @{exec_path} { include - include include - include include include diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index f4d54c295..09a228e29 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -11,7 +11,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index e46237c2a..711da6e9d 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter +++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -11,10 +11,8 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}ksmserver-logout-greeter profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include - include include include include diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index ea80e28cd..770625988 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/ksplashqml profile ksplashqml @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index fa0f88f75..04d084d0c 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/kstart profile kstart @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index baaad7dcb..0a685d8e5 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -11,9 +11,7 @@ include profile kwalletd @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index e2e3ecfe0..224835ac2 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -10,10 +10,8 @@ include profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index ac80b3b18..8cc233ff2 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/kwin_x11 profile kwin_x11 @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index cc9907266..600d1be48 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -11,10 +11,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index a78225b67..9558a6528 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -10,9 +10,7 @@ include profile systemsettings @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 93259822e..5c36f579e 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/xembedsniproxy profile xembedsniproxy @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/groups/lxqt/lxqt-globalkeysd b/apparmor.d/groups/lxqt/lxqt-globalkeysd index 8729b1abb..a9a75aa90 100644 --- a/apparmor.d/groups/lxqt/lxqt-globalkeysd +++ b/apparmor.d/groups/lxqt/lxqt-globalkeysd @@ -10,7 +10,6 @@ include @{exec_path} = @{bin}/lxqt-globalkeysd profile lxqt-globalkeysd @{exec_path} { include - include include include diff --git a/apparmor.d/groups/lxqt/lxqt-session b/apparmor.d/groups/lxqt/lxqt-session index 085b444b1..910ea7c5f 100644 --- a/apparmor.d/groups/lxqt/lxqt-session +++ b/apparmor.d/groups/lxqt/lxqt-session @@ -11,7 +11,6 @@ include profile lxqt-session @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 639d3ce4b..132e25e6d 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -15,9 +15,7 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include - include include - include include network inet stream, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 04ed76e72..eed7080f8 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -9,10 +9,8 @@ include @{exec_path} = @{bin}/busctl profile busctl @{exec_path} flags=(attach_disconnected) { include - include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 0cd509473..6d90cadda 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -11,9 +11,7 @@ profile apport-gtk @{exec_path} { include include include - include include - include include include include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 5df19d897..2b7b2b4ee 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -10,9 +10,7 @@ include profile check-new-release-gtk @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index e003054a5..fb8eb259e 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/livepatch-notification profile livepatch-notification @{exec_path} { include - include include - include include include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 2f6398f1e..836adbb55 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -11,10 +11,8 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index 093fdbed7..a44e226bc 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -9,9 +9,7 @@ include @{exec_path} = @{lib}/update-notifier/ubuntu-advantage-notification profile ubuntu-advantage-notification @{exec_path} { include - include include - include include include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index a874ca346..873f06b67 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -11,10 +11,8 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index f66345b67..06e851b45 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -11,10 +11,8 @@ profile update-notifier @{exec_path} { include include include - include include include - include include include include diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar index 2fcd83048..10096bce2 100644 --- a/apparmor.d/groups/xfce/thunar +++ b/apparmor.d/groups/xfce/thunar @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/thunar profile thunar @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman index fc73a14c9..41e098548 100644 --- a/apparmor.d/groups/xfce/thunar-volman +++ b/apparmor.d/groups/xfce/thunar-volman @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/thunar-volman profile thunar-volman @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings index 9e74d8046..021a377b8 100644 --- a/apparmor.d/groups/xfce/xfce-clipman-settings +++ b/apparmor.d/groups/xfce/xfce-clipman-settings @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-clipman-settings profile xfce-clipman-settings @{exec_path} { include - include include include diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd index c594b8ed3..be813a84d 100644 --- a/apparmor.d/groups/xfce/xfce-notifyd +++ b/apparmor.d/groups/xfce/xfce-notifyd @@ -10,7 +10,6 @@ include @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd profile xfce-notifyd @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index b04ed2eb9..00c5d8700 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 profile xfce-panel @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index 91be9eede..11ccca455 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -10,7 +10,6 @@ include profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index 2c0f13bc1..e9e19cca5 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-screensaver profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index beddcce1f..be0f5c73d 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -11,7 +11,6 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal index 8d2f06a75..0f8836326 100644 --- a/apparmor.d/groups/xfce/xfce-terminal +++ b/apparmor.d/groups/xfce/xfce-terminal @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfce4-terminal profile xfce-terminal @{exec_path} { include - include include include include diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop index ff36e8459..6bc5ec15c 100644 --- a/apparmor.d/groups/xfce/xfdesktop +++ b/apparmor.d/groups/xfce/xfdesktop @@ -10,7 +10,6 @@ include profile xfdesktop @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd index 22db3f80d..d3f88c196 100644 --- a/apparmor.d/groups/xfce/xfsettingsd +++ b/apparmor.d/groups/xfce/xfsettingsd @@ -10,7 +10,6 @@ include profile xfsettingsd @{exec_path} { include include - include include include include diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm index 7ecd2c8fe..c41e5254f 100644 --- a/apparmor.d/groups/xfce/xfwm +++ b/apparmor.d/groups/xfce/xfwm @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/xfwm4 profile xfwm @{exec_path} { include - include include include include diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index b4cfb56e6..87908dc9e 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/alacarte profile alacarte @{exec_path} flags=(attach_disconnected) { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index c95f6be55..55502dd3e 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -10,18 +10,13 @@ include @{exec_path} = @{bin}/atril{,-*} profile atril @{exec_path} { include - include include - include include include - include - include - include + include include include include - include network netlink raw, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index 60843b0a6..281d15718 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -12,9 +12,7 @@ include @{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk profile calibre @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 8137edd8d..3e650962f 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -10,9 +10,7 @@ include @{exec_path} = @{bin}/engrampa profile engrampa @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index e07c91f3d..d6969807f 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/evince @{lib}/evinced profile evince @{exec_path} { include - include include - include include include include diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer index 1597c35af..dcd28ddc9 100644 --- a/apparmor.d/profiles-a-f/evince-previewer +++ b/apparmor.d/profiles-a-f/evince-previewer @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/evince-previewer profile evince-previewer @{exec_path} { include - include + include include include include diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet index 758ead716..d9d556879 100644 --- a/apparmor.d/profiles-g-l/kerneloops-applet +++ b/apparmor.d/profiles-g-l/kerneloops-applet @@ -10,10 +10,8 @@ include @{exec_path} = @{bin}/kerneloops-applet profile kerneloops-applet @{exec_path} { include - include include include - include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index bc6516fc2..cc2ee8c2a 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -12,10 +12,8 @@ profile libreoffice @{exec_path} { include include include - include include include - include include include include diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 5d9cba087..e0d430443 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -10,10 +10,8 @@ include @{exec_path} = @{bin}/qbittorrent profile qbittorrent @{exec_path} { include - include include include - include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index b8b361e12..80e58fd7c 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -11,10 +11,8 @@ profile remmina @{exec_path} { include include include - include include include - include include include include diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index acdad5640..3e6791ddc 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -10,9 +10,7 @@ include profile rustdesk @{exec_path} { include include - include include - include include include include diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 38336fbc7..e6c231df3 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary @@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/YACReaderLibrary profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted) { include - include include include include diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan index f79b284fb..a005708db 100644 --- a/apparmor.d/profiles-s-z/simple-scan +++ b/apparmor.d/profiles-s-z/simple-scan @@ -9,8 +9,6 @@ include @{exec_path} = @{bin}/simple-scan profile simple-scan @{exec_path} { include - include - include include include include diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index 18e3fc248..2af3f99ae 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -11,10 +11,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include - include include include - include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f3c4acf4f..a3c4b822a 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -17,11 +17,9 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include - include include include - include - include + include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index a7adf91fa..b84322ae0 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -16,10 +16,8 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e9baf97e1..e8a2533b9 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -10,9 +10,7 @@ include profile terminator @{exec_path} flags=(attach_disconnected) { include include - include include - include include include include diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 78d67787d..9c4a8e673 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/transmission-{gtk,qt} profile transmission @{exec_path} flags=(attach_disconnected) { include - include include - include include include include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 9802ecd5a..92dc977d9 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -12,10 +12,8 @@ include profile virt-manager @{exec_path} flags=(attach_disconnected) { include include - include include include - include include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 7e9c31866..bda3010fa 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -11,10 +11,7 @@ include profile vlc @{exec_path} { include include - include include - include - include include include include diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index c29543d6b..a07d6bad1 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -11,7 +11,6 @@ include @{exec_path} = @{bin}/wireshark profile wireshark @{exec_path} { include - include include include include From efa28446f930af3032645b0b9e3197f2d439e6e3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 19:23:43 +0200 Subject: [PATCH 661/798] feat(abs): add bus-session to electron As it is a layer 2 abstraction, we can safelly add it. --- apparmor.d/abstractions/common/electron | 1 + apparmor.d/groups/network/mullvad-gui | 1 - apparmor.d/profiles-a-f/cider | 8 ++------ apparmor.d/profiles-a-f/discord | 1 - apparmor.d/profiles-a-f/element-desktop | 1 - apparmor.d/profiles-a-f/freetube | 1 - apparmor.d/profiles-m-r/protonmail | 1 - apparmor.d/profiles-s-z/session-desktop | 1 - apparmor.d/profiles-s-z/signal-desktop | 2 +- apparmor.d/profiles-s-z/spotify | 1 - apparmor.d/profiles-s-z/superproductivity | 2 +- 11 files changed, 5 insertions(+), 15 deletions(-) diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 253eab72b..dd4976f5e 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -20,6 +20,7 @@ abi , + include include include include diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 132e25e6d..133e4bc00 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -15,7 +15,6 @@ include @{exec_path} = @{lib_dirs}/mullvad-gui profile mullvad-gui @{exec_path} flags=(attach_disconnected) { include - include include network inet stream, diff --git a/apparmor.d/profiles-a-f/cider b/apparmor.d/profiles-a-f/cider index 2b203e989..be59811a1 100644 --- a/apparmor.d/profiles-a-f/cider +++ b/apparmor.d/profiles-a-f/cider @@ -15,15 +15,11 @@ include @{exec_path} = @{bin}/{C,c}ider @{lib_dirs}/Cider profile cider @{exec_path} { include - include - include + include + include include - include include include - include - include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index e12c25b9d..0991a243e 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -17,7 +17,6 @@ include profile discord @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index f87486af3..59cfa3577 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -16,7 +16,6 @@ include profile element-desktop @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 958f9b5ee..be75567cd 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -17,7 +17,6 @@ include profile freetube @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index f5548f696..8a6a2982e 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -16,7 +16,6 @@ include @{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* profile protonmail @{exec_path} flags=(attach_disconnected) { include - include include include diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index cafccd791..4fd9dff69 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -16,7 +16,6 @@ include profile session-desktop @{exec_path} { include include - include include include include diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 4abe053f6..53f3d20b1 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -17,7 +17,7 @@ include profile signal-desktop @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index a3c4b822a..f70d4e7c9 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -17,7 +17,6 @@ include profile spotify @{exec_path} flags=(attach_disconnected) { include include - include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index b84322ae0..838944aa8 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -16,7 +16,7 @@ include profile superproductivity @{exec_path} flags=(attach_disconnected) { include include - include + include include include include From 59bdb157cf260eb2dd46651e063c2e226bbe401f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:00:12 +0200 Subject: [PATCH 662/798] feat(abs): add the mediakeys abs. --- .../bus/{ => session}/org.gnome.SettingsDaemon.MediaKeys | 0 apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-s-z/spotify | 4 +--- 3 files changed, 2 insertions(+), 4 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.SettingsDaemon.MediaKeys (100%) diff --git a/apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys similarity index 100% rename from apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys rename to apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index d6969807f..89087df4b 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -16,6 +16,7 @@ profile evince @{exec_path} { include include include + include include include include @@ -28,7 +29,6 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince - #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label="@{p_gsd_media_keys}" #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f70d4e7c9..052757da2 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -18,14 +18,12 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include - include include - include include - include include include include + include include include include From 4526e96318610985fd66ff7cd5626a63410666da Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:03:22 +0200 Subject: [PATCH 663/798] feat(abs): add the gtk-strict abs. --- apparmor.d/abstractions/gtk-strict | 74 ++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 apparmor.d/abstractions/gtk-strict diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict new file mode 100644 index 000000000..0bf0ab41c --- /dev/null +++ b/apparmor.d/abstractions/gtk-strict @@ -0,0 +1,74 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + include + include + include + + @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr, + @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr, + @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr, + + /usr/share/gtksourceview-2.0/{,**} r, + /usr/share/gtksourceview-3.0/{,**} r, + /usr/share/gtksourceview-4/{,**} r, + /usr/share/gtksourceview-5/{,**} r, + + /usr/share/gtk-2.0/ r, + /usr/share/gtk-2.0/gtkrc r, + + /usr/share/gtk-3.0/ r, + /usr/share/gtk-3.0/settings.ini r, + + /usr/share/gtk-4.0/ r, + /usr/share/gtk-4.0/settings.ini r, + + /etc/gtk/gtkrc r, + + /etc/gtk-2.0/ r, + /etc/gtk-2.0/gtkrc r, + + /etc/gtk-3.0/ r, + /etc/gtk-3.0/*.conf r, + /etc/gtk-3.0/settings.ini r, + + /etc/gtk-4.0/ r, + /etc/gtk-4.0/*.conf r, + /etc/gtk-4.0/settings.ini r, + + owner @{HOME}/.gtk r, + owner @{HOME}/.gtkrc r, + owner @{HOME}/.gtkrc-2.0 r, + owner @{HOME}/.gtk-bookmarks r, + + owner @{user_cache_dirs}/gtk-4.0/ rw, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/{,*} rw, + owner @{user_cache_dirs}/gtkrc r, + owner @{user_cache_dirs}/gtkrc-2.0 r, + + owner @{user_config_dirs}/gtk-2.0/ rw, + owner @{user_config_dirs}/gtk-2.0/gtkfilechooser.ini* rw, + + owner @{user_config_dirs}/gtk-3.0/ rw, + owner @{user_config_dirs}/gtk-3.0/bookmarks r, + owner @{user_config_dirs}/gtk-3.0/colors.css r, + owner @{user_config_dirs}/gtk-3.0/gtk.css r, + owner @{user_config_dirs}/gtk-3.0/servers r, + owner @{user_config_dirs}/gtk-3.0/settings.ini r, + owner @{user_config_dirs}/gtk-3.0/window_decorations.css r, + + owner @{user_config_dirs}/gtk-4.0/ rw, + owner @{user_config_dirs}/gtk-4.0/bookmarks r, + owner @{user_config_dirs}/gtk-4.0/colors.css r, + owner @{user_config_dirs}/gtk-4.0/gtk.css r, + owner @{user_config_dirs}/gtk-4.0/servers r, + owner @{user_config_dirs}/gtk-4.0/settings.ini r, + owner @{user_config_dirs}/gtk-4.0/window_decorations.css r, + + include if exists + +# vim:syntax=apparmor From f3a4372966569d58fd20addc9c2d00a493af85f9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:08:51 +0200 Subject: [PATCH 664/798] refractor(profile): bus/org.bluez -> bus/system/org.bluez. --- apparmor.d/abstractions/app/chromium | 1 + apparmor.d/abstractions/bus/{ => system}/org.bluez | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 2 +- apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/freedesktop/wireplumber | 3 +-- apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-m-r/mpris-proxy | 3 +-- apparmor.d/profiles-s-z/spotify | 1 + 10 files changed, 10 insertions(+), 9 deletions(-) rename apparmor.d/abstractions/bus/{ => system}/org.bluez (96%) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 1635741ed..313f51687 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -31,6 +31,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/system/org.bluez similarity index 96% rename from apparmor.d/abstractions/bus/org.bluez rename to apparmor.d/abstractions/bus/system/org.bluez index 461ad9f94..acaa7bb36 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/system/org.bluez @@ -36,6 +36,6 @@ member=RegisterApplication peer=(name=org.bluez, label="@{p_bluetoothd}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 346ae7257..206958062 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -16,7 +16,7 @@ profile pulseaudio @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index d58385831..201e49f3c 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -11,7 +11,7 @@ include profile upowerd @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index fc9029ef3..90eb46dc4 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -12,10 +12,9 @@ profile wireplumber @{exec_path} { include include include - include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a82278a6c..f46a8461d 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -27,6 +27,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 2959441c4..fca80465d 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -11,7 +11,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 8447bff3e..65793364d 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -11,7 +11,7 @@ include profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include - include + include include include include diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index 2f31aea79..3a5dfffb6 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -11,8 +11,7 @@ profile mpris-proxy @{exec_path} { include include include - include - include + include #aa:dbus own bus=session name=org.mpris.MediaPlayer2 dbus receive bus=session path=/ diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 052757da2..d1a60a8c7 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -21,6 +21,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include include From 48aeefa0a306efd28dfa5c83fa73e2e14639ea13 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:13:37 +0200 Subject: [PATCH 665/798] fix: linting issue. --- .../abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys index 3a461a85a..93d830828 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys +++ b/apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys @@ -18,6 +18,6 @@ interface=org.gnome.SettingsDaemon.MediaKeys peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys), - include if exists + include if exists # vim:syntax=apparmor From 5559670a37d611bcb053f26a6d0588498442b97f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:37:47 +0200 Subject: [PATCH 666/798] feat(abs): add mediakeys --- apparmor.d/abstractions/mediakeys | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 apparmor.d/abstractions/mediakeys diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys new file mode 100644 index 000000000..ecf839cda --- /dev/null +++ b/apparmor.d/abstractions/mediakeys @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow requesting interest in receiving media key events. This tells Gnome +# settings that our application should be notified when key events we are +# interested in are pressed, and allows us to receive those events. + + abi , + + include + + include if exists + +# vim:syntax=apparmor From 8c66d39a1e64c721ebb6f6c1421922d70abc0e3c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:39:38 +0200 Subject: [PATCH 667/798] feat(profile): merge dpkg-script-* profile into dpkg-scripts. --- apparmor.d/groups/apt/dpkg-script-apparmor | 74 --------------------- apparmor.d/groups/apt/dpkg-script-kmod | 18 ----- apparmor.d/groups/apt/dpkg-script-linux | 56 ---------------- apparmor.d/groups/apt/dpkg-script-systemd | 77 ---------------------- apparmor.d/groups/apt/dpkg-scripts | 5 +- 5 files changed, 4 insertions(+), 226 deletions(-) delete mode 100644 apparmor.d/groups/apt/dpkg-script-apparmor delete mode 100644 apparmor.d/groups/apt/dpkg-script-kmod delete mode 100644 apparmor.d/groups/apt/dpkg-script-linux delete mode 100644 apparmor.d/groups/apt/dpkg-script-systemd diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor deleted file mode 100644 index 73a4f6c46..000000000 --- a/apparmor.d/groups/apt/dpkg-script-apparmor +++ /dev/null @@ -1,74 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: merge with dpkg-scripts - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/apparmor* -profile dpkg-script-apparmor @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{bin}/{,e}grep ix, - @{bin}/cat ix, - @{bin}/chmod ix, - @{bin}/mkdir ix, - - @{bin}/deb-systemd-helper Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/dpkg Px -> child-dpkg, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg-divert ix, - @{bin}/systemctl Cx -> systemctl, - @{sbin}/apparmor_parser Px, - - /usr/share/apparmor.d/** rw, - - /etc/apparmor.d/** rw, - - /var/lib/dpkg/diversions rw, - /var/lib/dpkg/diversions-new rw, - /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions, - - /var/lib/dpkg/info/*.list r, - /var/lib/dpkg/info/format r, - /var/lib/dpkg/status r, - /var/lib/dpkg/triggers/File r, - /var/lib/dpkg/triggers/Unincorp r, - /var/lib/dpkg/updates/ r, - /var/lib/dpkg/updates/@{int} r, - - profile systemctl { - include - include - - capability net_admin, - capability sys_resource, - capability dac_override, - capability dac_read_search, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - @{bin}/systemd-tty-ask-password-agent rix, - - @{run}/user/@{uid}/systemd/ask-password/ rw, - @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw, - - owner @{run}/systemd/ask-password/ rw, - owner @{run}/systemd/ask-password-block/{,*} rw, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-kmod b/apparmor.d/groups/apt/dpkg-script-kmod deleted file mode 100644 index f900bba17..000000000 --- a/apparmor.d/groups/apt/dpkg-script-kmod +++ /dev/null @@ -1,18 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/kmod* -profile dpkg-script-kmod @{exec_path} { - include - - @{exec_path} mrix, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux deleted file mode 100644 index af578be50..000000000 --- a/apparmor.d/groups/apt/dpkg-script-linux +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/linux* -profile dpkg-script-linux @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{bin}/cat ix, - @{bin}/mkdir ix, - @{bin}/rm ix, - @{bin}/run-parts ix, - @{bin}/stty ix, - - @{bin}/deb-systemd-helper Px, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/dpkg-trigger Px, - @{bin}/kmod Px, - @{bin}/linux-check-removal Px, - @{bin}/linux-update-symlinks Px, - @{bin}/systemctl Cx -> systemctl, - - /usr/share/{update,reboot}-notifier/notify-reboot-required Px, - /etc/kernel/{,header_}postinst.d/* Px, - /etc/kernel/postrm.d/* Px, - /etc/kernel/preinst.d/* Px, - /etc/kernel/prerm.d/* Px, - - /etc/kernel/*.d/ r, - - @{lib}/linux/triggers/* w, - @{lib}/modules/*/.fresh-install w, - - profile systemctl { - include - include - - capability net_admin, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd deleted file mode 100644 index 6c76e6f70..000000000 --- a/apparmor.d/groups/apt/dpkg-script-systemd +++ /dev/null @@ -1,77 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2025 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = /var/lib/dpkg/info/systemd* -profile dpkg-script-systemd @{exec_path} { - include - include - - capability dac_read_search, - - @{exec_path} mrix, - - @{coreutils_path} rix, - @{bin}/bootctl Px, - @{bin}/deb-systemd-helper Px, - @{bin}/deb-systemd-invoke Px, - @{bin}/dpkg Cx -> dpkg, - @{bin}/dpkg-divert Px, - @{bin}/dpkg-maintscript-helper Px, - @{bin}/journalctl Px, - @{bin}/kernel-install mrPx, - @{bin}/systemctl Cx -> systemctl, - @{bin}/systemd-machine-id-setup Px, - @{bin}/systemd-sysusers Px, - @{bin}/systemd-tmpfiles Px, - @{lib}/systemd/systemd-sysctl Px, - @{sbin}/pam-auth-update Px, - - /etc/systemd/system/*.wants/ rw, - /etc/systemd/system/*.wants/* rw, - - /etc/pam.d/sed@{rand6} rw, - /etc/pam.d/common-password rw, - - @{efi}/ r, - - /var/lib/systemd/{,*} rw, - /var/log/journal/ rw, - - profile dpkg { - include - include - include - - capability dac_read_search, - - @{bin}/dpkg mr, - - /etc/dpkg/dpkg.cfg r, - /etc/dpkg/dpkg.cfg.d/{,*} r, - - include if exists - } - - profile systemctl { - include - include - - capability net_admin, - capability sys_resource, - - signal send set=(cont term) peer=systemd-tty-ask-password-agent, - - @{bin}/systemd-tty-ask-password-agent Px, - - include if exists - } - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index acde577de..2434c9db9 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -63,8 +63,10 @@ profile dpkg-scripts @{exec_path} { /*/ r, @{bin}/ r, @{bin}/* w, + @{sbin}/ r, + @{sbin}/* w, @{lib}/ r, - @{lib}/** w, + @{lib}/** wl -> @{lib}/**, /opt/*/** rw, #aa:lint ignore=too-wide @@ -80,6 +82,7 @@ profile dpkg-scripts @{exec_path} { /tmp/grub.@{rand10} rw, /tmp/sed@{rand6} rw, /tmp/tmp.@{rand10} rw, + /tmp/updateppds.@{rand6} rw, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, From d2e941163fb0221c0ddc1e99a492e65e490dc364 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:43:39 +0200 Subject: [PATCH 668/798] feat(abs): add mpris --- .../{ => session}/org.mpris.MediaPlayer2.Player | 4 ++-- apparmor.d/abstractions/mpris | 17 +++++++++++++++++ apparmor.d/profiles-s-z/spotify | 4 +--- apparmor.d/profiles-s-z/vlc | 4 +--- 4 files changed, 21 insertions(+), 8 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.mpris.MediaPlayer2.Player (89%) create mode 100644 apparmor.d/abstractions/mpris diff --git a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player similarity index 89% rename from apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player rename to apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player index d71b7ac1e..b2b934074 100644 --- a/apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player +++ b/apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2023-2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -33,6 +33,6 @@ member=Seeked peer=(name=org.freedesktop.DBus), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/mpris b/apparmor.d/abstractions/mpris new file mode 100644 index 000000000..f06c8560e --- /dev/null +++ b/apparmor.d/abstractions/mpris @@ -0,0 +1,17 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow operating as an MPRIS player. + + abi , + + include + + # Allow binding to the well-known DBus mpris interface based on the app's name + # See: https://specifications.freedesktop.org/mpris-spec/latest/ + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name} + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index d1a60a8c7..b04432e39 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -25,6 +25,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -35,8 +36,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify - #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys @@ -46,7 +45,6 @@ profile spotify @{exec_path} flags=(attach_disconnected) { member=RetrieveSecret peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), - @{exec_path} mrix, @{sh_path} mr, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index bda3010fa..05866296d 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -22,6 +22,7 @@ profile vlc @{exec_path} { include include include + include include include include @@ -35,9 +36,6 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.vlc - #aa:dbus talk bus=session name=org.mpris.MediaPlayer2.Player label=unconfined - @{exec_path} mrix, @{open_path} rPx -> child-open-help, From 5492ab1c4ecef1c09b007bbe05c29eee1c4faa7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:48:25 +0200 Subject: [PATCH 669/798] feat(profile): rewrite the gjs profile. --- apparmor.d/groups/gnome/gjs | 133 ++++++++++++++++++++++++ apparmor.d/groups/gnome/gjs-console | 108 ------------------- apparmor.d/groups/gnome/gnome-extension | 29 ++++++ apparmor.d/groups/gnome/gnome-shell | 2 +- 4 files changed, 163 insertions(+), 109 deletions(-) create mode 100644 apparmor.d/groups/gnome/gjs delete mode 100644 apparmor.d/groups/gnome/gjs-console create mode 100644 apparmor.d/groups/gnome/gnome-extension diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs new file mode 100644 index 000000000..f726ab66b --- /dev/null +++ b/apparmor.d/groups/gnome/gjs @@ -0,0 +1,133 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# GNOME JavaScript interpreter. It is used to run some gnome internal app +# as well as third party extensions. +# +# Therefore, by default, some extension are confined under this profile. To fix +# this, the various programs using gjs must never run gjs as module, they need +# to run it as executable with a specific script. +# +# This currently concerns: +# - gnome-extension-ding (used to not be started as a module) +# - org.gnome.ScreenSaver (simple dbus service) +# - org.gnome.Shell.Extensions (full UI app, requires gnome-strict, graphics, ...) +# - org.gnome.Shell.Notifications (simple dbus service) +# - org.gnome.Shell.Screencast (simple dbus service) + +abi , + +include + +@{exec_path} = @{bin}/gjs-console +profile gjs @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + # Only needed by org.gnome.Shell.Extensions + include + include + + # Only needed by gnome-extension-ding + include + include + include + include + include + include + include + include + + unix type=stream peer=(label=gnome-shell), + + signal receive set=(term hup) peer=gdm, + + #aa:dbus own bus=session name=com.rastersoft.ding interface+=org.gtk.Actions + #aa:dbus talk bus=session name=com.rastersoft.dingextension label=gnome-shell interface+=org.gtk.Actions + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus* + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus* + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + + #aa:dbus own bus=session name=org.gnome.Shell.Screencast + #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell + + #aa:dbus own bus=session name=org.freedesktop.Notifications + #aa:dbus own bus=session name=org.gnome.ScreenSaver + #aa:dbus own bus=session name=org.gnome.Shell.Extensions + #aa:dbus own bus=session name=org.gnome.Shell.Notifications + + @{exec_path} mrix, + + # gnome-extension-ding + @{sh_path} rix, + @{bin}/env rix, + @{bin}/gnome-control-center rPx, + @{bin}/nautilus rPx, + + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + @{lib}/gstreamer-1.0/gst-plugin-scanner rCx -> gstreamer, + + /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, + + /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gnome-shell/{,**} r, + /usr/share/xkeyboard-config-2/{,**} r, + /usr/share/thumbnailers/{,**} r, + + owner @{gdm_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin r, + owner @{gdm_config_dirs}/dconf/user r, + owner @{GDM_HOME}/greeter-dconf-defaults r, + + owner @{user_cache_dirs}/gstreamer-1.0/ rw, + owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + + owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, + owner @{user_share_dirs}/nautilus/scripts/ r, + + owner @{user_desktop_dirs}/ r, + owner @{user_templates_dirs}/ r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/dri/ r, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + profile gstreamer { + include + include + include + include + include + + network (bind create getattr setopt getopt) netlink raw, + + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mr, + @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr, + @{lib}/gstreamer-1.0/gst-plugin-scanner mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console deleted file mode 100644 index 6d6d6ea85..000000000 --- a/apparmor.d/groups/gnome/gjs-console +++ /dev/null @@ -1,108 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# TODO: GNOME JavaScript interpreter. It is used to run some gnome internal app -# as well as third party extensions. Therefore, by default, some extension are -# confined under this profile. The resulting profile is quite broad. -# This architecture needs to be rethinked. - -abi , - -include - -@{exec_path} = @{bin}/gjs-console -profile gjs-console @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - network netlink raw, - - unix type=stream peer=(label=gnome-shell), - - signal receive set=(term hup) peer=gdm*, - - #aa:dbus own bus=session name=org.freedesktop.Notifications - #aa:dbus own bus=session name=org.gnome.ScreenSaver - #aa:dbus own bus=session name=org.gnome.Shell.Extensions - #aa:dbus own bus=session name=org.gnome.Shell.Notifications - #aa:dbus own bus=session name=org.gnome.Shell.Screencast - - #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell - - dbus send bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell - interface=org.gnome.Shell.Extensions - member=ListExtensions - peer=(name=:*, label=gnome-shell), - - @{exec_path} mr, - - @{bin}/ r, - @{bin}/* PUx, - @{lib}/** PUx, - - /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - - /etc/openni2/OpenNI.ini r, - - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/gnome-shell/{,**} r, - /usr/share/thumbnailers/{,**} r, - - /tmp/ r, - /var/tmp/ r, - - owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwl, - owner @{gdm_cache_dirs}/gstreamer-1.0/ rw, - owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - - owner @{HOME}/ r, - - owner @{user_cache_dirs}/gstreamer-1.0/ rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, - owner @{user_share_dirs}/nautilus/scripts/ r, - - owner @{user_desktop_dirs}/ r, - owner @{user_templates_dirs}/ r, - - owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/tty rw, - - deny @{user_share_dirs}/gvfs-metadata/* r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-extension b/apparmor.d/groups/gnome/gnome-extension new file mode 100644 index 000000000..e13eca832 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-extension @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# gjs started from gnome-shell should (in theory) only run gnome extensions. + +abi , + +include + +@{exec_path} = @{bin}/gjs-console +profile gnome-extension { + include + include + include + include + include + include + + @{exec_path} mr, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index f46a8461d..24c069e72 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -162,7 +162,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/unzip rix, @{bin}/flatpak rPx, - @{bin}/gjs-console rPx, + @{bin}/gjs-console rPx -> gnome-extension, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, @{bin}/sensors rPx, From b76fe7c3429e4323834953d2e2d08e1b65e8a244 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:57:37 +0200 Subject: [PATCH 670/798] refractor(profile): move org.gnome.SessionManager This is the stage 1 of rewriting access to the session manager. --- apparmor.d/abstractions/app/chromium | 2 +- .../{ => session}/org.gnome.SessionManager | 22 +++++++++---------- apparmor.d/groups/bus/at-spi2-registryd | 2 +- apparmor.d/groups/bus/dbus-accessibility | 2 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gsd-a11y-settings | 2 +- apparmor.d/groups/gnome/gsd-color | 2 +- apparmor.d/groups/gnome/gsd-datetime | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/gnome/gsd-keyboard | 2 +- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- .../groups/gnome/gsd-print-notifications | 1 - apparmor.d/groups/gnome/gsd-printer | 5 +++-- apparmor.d/groups/gnome/gsd-rfkill | 2 +- apparmor.d/groups/gnome/gsd-screensaver-proxy | 2 +- apparmor.d/groups/gnome/gsd-sharing | 2 +- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 4 ++-- apparmor.d/groups/gnome/gsd-usb-protection | 3 +++ apparmor.d/groups/gnome/gsd-wacom | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 5 ++--- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/ubuntu/apport | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/totem | 2 +- 31 files changed, 45 insertions(+), 45 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.SessionManager (61%) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 313f51687..dcb29fecb 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -30,7 +30,7 @@ include include include - include + include include include include diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager similarity index 61% rename from apparmor.d/abstractions/bus/org.gnome.SessionManager rename to apparmor.d/abstractions/bus/session/org.gnome.SessionManager index a532b67f2..4c641776b 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager @@ -1,48 +1,46 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# FIXME: Too large, restrict it. - abi , - #aa:dbus common bus=session name=org.gnome.SessionManager label=gnome-session-binary + #aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Inhibit,Uninhibit} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={Setenv,IsSessionRunning} - peer=(name=org.gnome.SessionManager, label=gnome-session-binary), + peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), dbus receive bus=session path=/org/gnome/SessionManager/Presence interface=org.gnome.SessionManager.Presence member=StatusChanged - peer=(name="@{busname}", label=gnome-session-binary), + peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 26311b575..fec6d7897 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -13,7 +13,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal receive set=term peer=gdm, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 910ae0008..c9b9a1538 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -12,7 +12,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index d1ae86e15..b7906c5e2 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -14,7 +14,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 595b3fd48..e39ef0dc0 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -15,7 +15,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include include include - include + include capability ipc_lock, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 34ce2884d..22aaba164 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -10,7 +10,7 @@ include profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 0acdbaf38..1a52321b1 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -13,7 +13,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index af1784e68..0364f3f2b 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -10,7 +10,7 @@ include profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 8d8b9fc1b..497462a03 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,7 +11,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index b700a7df9..be27a873e 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -13,7 +13,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 3ca105656..b299ab7ff 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -15,7 +15,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index d20ad65d0..d3ac6b456 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -19,7 +19,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 5d037961f..22ec520cb 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -11,7 +11,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index b85a40f04..a768c8d1e 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,10 +9,11 @@ include @{exec_path} = @{lib}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include - include include include - include + include + include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 5f1c13d9d..7283c5c00 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -15,7 +15,7 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index 546a252d7..ac2f9229d 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -11,7 +11,7 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index b6d90d5e3..9d432ae13 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -12,7 +12,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index d42fb486b..5143b9984 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -10,7 +10,7 @@ include profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 2b64ddf06..ff2d30766 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -12,8 +12,8 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { include include include - include - include + include + include include include diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index 59e67d9bf..bcdb353a8 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -10,6 +10,9 @@ include profile gsd-usb-protection @{exec_path} { include include + include + include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 0bb1d50d1..3d4f2cb05 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -11,7 +11,7 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 84abb82e0..20151eec0 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -13,10 +13,9 @@ profile gsd-xsettings @{exec_path} { include include include - include + include include - include - include + include include include include diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index d3906051c..c405a3bf8 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -15,7 +15,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 255dc551a..211dda9cc 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -11,7 +11,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { include include include - include + include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 89087df4b..10b5ad4af 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -12,7 +12,7 @@ profile evince @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 78781ba28..16bafb886 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -11,7 +11,7 @@ include profile filezilla @{exec_path} { include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index be75567cd..b820f249c 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -17,7 +17,7 @@ include profile freetube @{exec_path} flags=(attach_disconnected) { include include - include + include include include include diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index cc2ee8c2a..7e4feed45 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -15,7 +15,7 @@ profile libreoffice @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 838944aa8..f812fc570 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -20,7 +20,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index d8b464956..d1e429d45 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,7 +10,7 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include + include include include include From e6e0cc07102a54a8557c155ffb817b0608339a48 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 20:59:12 +0200 Subject: [PATCH 671/798] fix(profile): missing updated bus abstraction paths. --- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 3 +-- apparmor.d/groups/virt/libvirtd | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 95daf2935..30b415204 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -14,8 +14,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include - include - include + include include include include diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 23e8e20d1..378449352 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -19,7 +19,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include From 6a77b7ed8b9683ebcaf92470b64cc33deca9b9d8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 14 Sep 2025 21:07:43 +0200 Subject: [PATCH 672/798] fix(profile): missing updated bus abstraction paths. --- apparmor.d/abstractions/mediakeys | 2 +- apparmor.d/groups/gnome/gjs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/mediakeys b/apparmor.d/abstractions/mediakeys index ecf839cda..d9aafa764 100644 --- a/apparmor.d/abstractions/mediakeys +++ b/apparmor.d/abstractions/mediakeys @@ -8,7 +8,7 @@ abi , - include + include include if exists diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index f726ab66b..de9d25a14 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -115,7 +115,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { include include include - include + include include network (bind create getattr setopt getopt) netlink raw, From 9db6bf4a3583a94d4109e0b0eb9d95e121fc8119 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 16 Sep 2025 20:42:35 +0200 Subject: [PATCH 673/798] feat(abs): add the themes abs. fix #860 --- apparmor.d/abstractions/desktop | 1 + apparmor.d/abstractions/gnome-strict | 1 + apparmor.d/abstractions/kde-strict | 1 + apparmor.d/abstractions/lxqt | 1 + apparmor.d/abstractions/themes | 14 ++++++++++++++ apparmor.d/abstractions/xfce | 1 + 6 files changed, 19 insertions(+) create mode 100644 apparmor.d/abstractions/themes diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 66742f02a..c4abbd574 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -18,6 +18,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 47efde306..227377f3a 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -13,6 +13,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 17952414c..79e97b23f 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -13,6 +13,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt index 8d83aefdc..913ab3eb3 100644 --- a/apparmor.d/abstractions/lxqt +++ b/apparmor.d/abstractions/lxqt @@ -10,6 +10,7 @@ include include include + include include include include diff --git a/apparmor.d/abstractions/themes b/apparmor.d/abstractions/themes new file mode 100644 index 000000000..13fe70bc6 --- /dev/null +++ b/apparmor.d/abstractions/themes @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + /usr/share/themes/{,**} r, + + owner @{HOME}/.themes/{,**} r, + owner @{user_share_dirs}/themes/{,**} r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index c7e464236..df13363fc 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -8,6 +8,7 @@ include include include + include include include include From 8e488e0c5345f7aa2e4488c46024f4fe3a4ce05b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 16 Sep 2025 23:41:22 +0200 Subject: [PATCH 674/798] feat(profile): update simple-scan. --- apparmor.d/profiles-s-z/simple-scan | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan index a005708db..64ee9fb11 100644 --- a/apparmor.d/profiles-s-z/simple-scan +++ b/apparmor.d/profiles-s-z/simple-scan @@ -7,10 +7,13 @@ abi , include @{exec_path} = @{bin}/simple-scan -profile simple-scan @{exec_path} { +profile simple-scan @{exec_path} flags=(attach_disconnected) { include + include + include include include + include include network inet dgram, @@ -21,9 +24,14 @@ profile simple-scan @{exec_path} { @{open_path} rPx -> child-open-help, - /usr/share/snmp/{,**} r, + @{system_share_dirs}/snmp/{,**} r, /etc/sane.d/{,**} r, + /etc/snmp/snmp.conf r, + + owner /var/lib/snmp/{mib,cert}_indexes/ rw, + owner /var/lib/snmp/mibs/{iana,ietf}/ r, + owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, @{sys}/bus/scsi/devices/ r, @{sys}/devices/virtual/dmi/id/board_name r, @@ -34,6 +42,9 @@ profile simple-scan @{exec_path} { @{sys}/devices/virtual/dmi/id/sys_vendor r, @{PROC}/scsi/scsi r, + @{PROC}/sys/dev/parport/ r, + @{PROC}/sys/dev/parport/parport@{int}/base-addr r, + @{PROC}/sys/dev/parport/parport@{int}/irq r, /dev/video@{int} rw, From 6cca455112200e7a12359f5fd6eb6addd121a041 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 10:49:16 +0200 Subject: [PATCH 675/798] fix(profile): ensure systemd-logind works with systemd 258 fix #867 --- apparmor.d/groups/systemd/systemd-logind | 20 +++++++++---------- apparmor.d/groups/systemd/systemd-update-done | 3 +++ apparmor.d/groups/systemd/systemd-userwork | 3 +++ 3 files changed, 15 insertions(+), 11 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 6b102829d..e2612ff16 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-logind -profile systemd-logind @{exec_path} flags=(attach_disconnected) { +profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -94,23 +94,21 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw, @{run}/systemd/inhibit/ rw, - @{run}/systemd/inhibit/.#* rw, - @{run}/systemd/inhibit/@{int}{,.ref} rw, + @{run}/systemd/inhibit/* rwlk, @{run}/systemd/seats/ rw, - @{run}/systemd/seats/.#seat* rw, - @{run}/systemd/seats/seat@{int} rw, - @{run}/systemd/sessions/{,*} rw, - @{run}/systemd/sessions/*.ref rw, - @{run}/systemd/shutdown/.#scheduled* rw, - @{run}/systemd/shutdown/scheduled rw, + @{run}/systemd/seats/* rwlk, + @{run}/systemd/sessions/ rw, + @{run}/systemd/sessions/* rwlk, + @{run}/systemd/shutdown/ rw, + @{run}/systemd/shutdown/* rwlk, @{run}/systemd/users/ rw, - @{run}/systemd/users/.#* rw, - @{run}/systemd/users/@{uid} rw, + @{run}/systemd/users/* rwlk, @{sys}/bus/serial-base/drivers/port/uevent r, @{sys}/class/drm/ r, @{sys}/class/power_supply/ r, @{sys}/devices/** r, + @{sys}/devices/**/uevent rw, @{sys}/devices/**/brightness rw, @{sys}/devices/virtual/tty/tty@{int}/active r, @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r, diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index e7a44d01d..76ba6f5c4 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -16,8 +16,11 @@ profile systemd-update-done @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/ r, /etc/.#.updated@{hex} rw, /etc/.updated w, + + /var/ r, /var/.#.updated@{hex} rw, /var/.updated w, diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index 2521c655e..ed75125c9 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -21,6 +21,9 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { /etc/gshadow r, /etc/machine-id r, /etc/shadow r, + /etc/userdb/ r, + + @{run}/userdb/ r, include if exists } From 49e34eca0ed984f4ab6fdbbf4d022a6629e52850 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 10:57:12 +0200 Subject: [PATCH 676/798] feat(profile): dbus: ensure dbus can receive any user files. --- apparmor.d/groups/bus/dbus-session | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 27e228e2c..1b3ac11c8 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -56,6 +56,7 @@ profile dbus-session flags=(attach_disconnected) { # Dbus can receive any user files owner @{HOME}/** r, + owner @{att}/@{HOME}/** r, owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, From 415afe2116a66d5a7eea442d61d78e601b71a186 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 10:59:37 +0200 Subject: [PATCH 677/798] feat(profile): update upowerd --- apparmor.d/groups/freedesktop/upowerd | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 201e49f3c..3d79c706f 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -16,6 +16,9 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { include include + capability net_admin, + capability sys_admin, + network netlink raw, #aa:dbus own bus=system name=org.freedesktop.UPower @@ -28,6 +31,11 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { /var/lib/upower/ r, /var/lib/upower/history-*.dat{,.*} rw, + owner /tmp/tmp@{rand8} r, + owner /tmp/umockdev.@{rand6}/{,**} rw, + owner /tmp/upower-cfg-@{word8} rw, + owner /tmp/upower-history-@{word8}/{,**} rw, + @{run}/udev/data/ r, # Lists all udev data files @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) From 4ccead34fda556cc55e6eb002bae8fb7003b9f7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 11:01:48 +0200 Subject: [PATCH 678/798] feat(profile): update system profiles. --- apparmor.d/groups/systemd/systemd-journald | 2 ++ apparmor.d/groups/systemd/systemd-sleep | 2 ++ apparmor.d/groups/systemd/systemd-sleep-sysstat | 1 + apparmor.d/groups/systemd/systemd-tty-ask-password-agent | 2 +- apparmor.d/groups/systemd/systemd-udevd | 1 + 5 files changed, 7 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index e0a8a2e47..cd51fcc16 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -49,6 +49,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) @{run}/udev/data/+bluetooth:* r, # For bluetooth adapters, controllers, and active connections. @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) @{run}/udev/data/+ieee80211:* r, # For Wi-Fi devices, such as wireless network cards and access points. @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+mdio_bus:* r, # For Management Data Input/Output (Ethernet PHY (physical layer) devices) @@ -64,6 +65,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices @{run}/udev/data/b8:@{int} r, # for /dev/sd* @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features @{run}/udev/data/c108:@{int} r, # For /dev/ppp diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index a55bf752d..c566a8b0a 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -17,6 +17,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_resource, + unix bind type=stream addr=@@{udbus}/bus/systemd-sleep/system, + @{exec_path} mr, @{sh_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat index e29a41a7a..83ecc284a 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-sysstat +++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat @@ -11,6 +11,7 @@ profile systemd-sleep-sysstat @{exec_path} { include @{exec_path} mr, + @{sh_path} r, @{lib}/sysstat/sa{1,2} Px, @{lib}/sysstat/debian-sa{1,2} Px, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index b318bf3dd..24e0522a5 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/systemd-tty-ask-password-agent -profile systemd-tty-ask-password-agent @{exec_path} { +profile systemd-tty-ask-password-agent @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index cb9592d47..decffb428 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -72,6 +72,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{lib}/open-iscsi/net-interface-handler rPx, @{lib}/pm-utils/power.d/* rPUx, @{lib}/snapd/snap-device-helper rPx, + @{lib}/switcheroo-control-check-discrete-amdgpu rPUx, @{lib}/systemd/systemd-* rPx, @{lib}/udev/* rPUx, /usr/share/hplip/config_usb_printer.py rPUx, From 659f7b4a22150e41f11baf06561223eaac8468e5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 11:03:41 +0200 Subject: [PATCH 679/798] feat(profile): update some kde profiles. --- apparmor.d/groups/kde/kwin_wayland | 2 ++ apparmor.d/groups/kde/sddm-greeter | 2 ++ 2 files changed, 4 insertions(+) diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 224835ac2..6a0ef608b 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -18,7 +18,9 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + # See https://community.kde.org/Distributions/Packaging_Recommendations#KWin_package_configuration capability sys_nice, + capability sys_ptrace, network netlink raw, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 47383bb75..8b05b9cb9 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -23,6 +23,8 @@ profile sddm-greeter @{exec_path} { network netlink raw, + signal receive set=term peer=sddm, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member=ListActivatableNames From 0bf8f9337f5ec88aecac213f6d9206af38d1db76 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 11:10:12 +0200 Subject: [PATCH 680/798] feat(profile): minor profiles improvments. --- apparmor.d/groups/gnome/gjs | 2 ++ apparmor.d/profiles-s-z/sfdisk | 2 ++ apparmor.d/profiles-s-z/update-info-dir | 6 ++++++ apparmor.d/profiles-s-z/update-shells | 8 ++++---- apparmor.d/profiles-s-z/xsane-gimp | 4 +++- 5 files changed, 17 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index de9d25a14..388c90b14 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -93,6 +93,8 @@ profile gjs @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{HOME}/ r, + owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 05ab2273f..ea282f269 100644 --- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -17,6 +17,8 @@ profile sfdisk @{exec_path} { @{exec_path} mr, + /var/tmp/.#sfdisk@{hex16} rw, + # For backups owner @{HOME}/**.{bak,back} rwk, owner @{MOUNTS}/*/**.{bak,back} rwk, diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir index dc2a0d7aa..bbd5222a9 100644 --- a/apparmor.d/profiles-s-z/update-info-dir +++ b/apparmor.d/profiles-s-z/update-info-dir @@ -19,8 +19,14 @@ profile update-info-dir @{exec_path} { @{bin}/install-info Px, @{bin}/rm ix, + /usr/share/info/ r, + /usr/share/info/dir rw, + /usr/share/info/dir.old w, + /etc/environment r, + / r, + include if exists } diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells index 5922c1a14..007982632 100644 --- a/apparmor.d/profiles-s-z/update-shells +++ b/apparmor.d/profiles-s-z/update-shells @@ -26,11 +26,11 @@ profile update-shells @{exec_path} { /usr/share/debianutils/shells.d/{,**} r, /usr/share/dpkg/sh/dpkg-error.sh r, - /etc/shells r, - /etc/shells.tmp w, + /etc/shells rw, + /etc/shells.tmp rw, - /var/lib/shells.state r, - /var/lib/shells.state.tmp w, + /var/lib/shells.state rw, + /var/lib/shells.state.tmp rw, include if exists } diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp index 4273e803d..633035a1b 100644 --- a/apparmor.d/profiles-s-z/xsane-gimp +++ b/apparmor.d/profiles-s-z/xsane-gimp @@ -34,7 +34,9 @@ profile xsane-gimp @{exec_path} { @{sys}/devices/@{pci}/{model,type,vendor} r, @{PROC}/scsi/scsi r, - @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, + @{PROC}/sys/dev/parport/ r, + @{PROC}/sys/dev/parport/parport@{int}/base-addr r, + @{PROC}/sys/dev/parport/parport@{int}/irq r, include if exists } From 4dd4d3ebd100cedf861d17a2d3690a24edfa8325 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 11:30:26 +0200 Subject: [PATCH 681/798] feat(tunable): add support for gnucoreutils. New alternative location in ubuntu 25.10 --- apparmor.d/tunables/multiarch.d/paths | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index cca544370..c3db2c200 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -12,6 +12,7 @@ # Coreutils programs that should not have dedicated profile @{coreutils_path} = @{bin}/@{coreutils} +@{coreutils_path} += @{bin}/gnu@{coreutils} #aa:only ubuntu # Python interpreters @{python_path} = @{bin}/@{python_name} From 86d9bbad4c34eec32f7945293b86778d306dbc48 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 17:09:45 +0200 Subject: [PATCH 682/798] feat(abs): update nvidia-strict. --- apparmor.d/abstractions/nvidia-strict | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index a14691a9c..7d975ad8c 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -11,6 +11,7 @@ /usr/share/nvidia/nvidia-application-profiles-* r, /etc/nvidia/nvidia-application-profiles-* r, + /etc/nvidia/nvidia-application-profiles-rc.d/{,*} r, /etc/vdpau_wrapper.cfg r, owner @{HOME}/.nv/ w, @@ -26,6 +27,7 @@ @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/memory/block_size_bytes r, + @{sys}/module/nvidia_drm/version r, @{sys}/module/nvidia/version r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, @@ -36,7 +38,7 @@ @{PROC}/sys/vm/mmap_min_addr r, @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/comm r, + @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/@{tid}/comm r, /dev/char/195:@{u8} w, # Nvidia graphics devices From b4ba960c387b8d2c66e7f477eede13fa700bb707 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 17:10:56 +0200 Subject: [PATCH 683/798] feat(profile): firefox: add integration with 1Password --- apparmor.d/groups/browsers/firefox | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index f9ba190a3..3f83775d9 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -52,6 +52,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/browserpass rPx, @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, @{lib}/browserpass/browserpass-native rPx, + /opt/1Password/1Password-BrowserSupport rPx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, From 5382e8f865c9690f92afdb43f0bc3c3ac2b1da84 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Sep 2025 17:14:02 +0200 Subject: [PATCH 684/798] fix(profile): ensure sddm-greeter has the disconnected flag. --- apparmor.d/groups/kde/sddm-greeter | 2 +- dists/flags/main.flags | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 8b05b9cb9..56c142787 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/sddm-greeter{,-qt6} -profile sddm-greeter @{exec_path} { +profile sddm-greeter @{exec_path} flags=(attach_disconnected) { include include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index cd9a0e5a6..94eb1c07b 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -278,7 +278,7 @@ run-parts complain runuser complain sdcv complain sddm attach_disconnected,mediate_deleted,complain -sddm-greeter complain +sddm-greeter attach_disconnected,complain secure-time-sync attach_disconnected,complain sftp-server complain sing-box complain From eef0e922edebed7c62fa157ed3797b06f2b4e7be Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 13:39:53 +0200 Subject: [PATCH 685/798] feat(profile): put back some chromium tmp files. Some access are covered by common/chromium, however, the full browser needs more. fix #865 --- apparmor.d/abstractions/app/chromium | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index dcb29fecb..2b5dfbfa6 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -139,7 +139,11 @@ /tmp/ r, /var/tmp/ r, + owner @{tmp}/.@{domain}.@{rand6}/** rw, owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw, + owner @{tmp}/cache/Default/ rw, + owner @{tmp}/cache/Default/** rwk, + owner @{tmp}/scoped_dir@{rand6}/{,**} rw, owner @{tmp}/tmp.@{rand10} rw, owner @{tmp}/tmp.@{rand6} rw, owner @{tmp}/tmp.@{rand6}/ rw, @@ -161,6 +165,7 @@ @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/statm r, + @{PROC}/@{pid}/status r, @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/pressure/{memory,cpu,io} r, @{PROC}/sys/fs/inotify/max_user_watches r, From e806708ebdfa1147eed12e4d9b5f81b8bf91eb7e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 14:39:14 +0200 Subject: [PATCH 686/798] feat(profile): mkfs-btrfs add sys_rawio fix #844 --- apparmor.d/groups/filesystem/mkfs-btrfs | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/filesystem/mkfs-btrfs b/apparmor.d/groups/filesystem/mkfs-btrfs index 54c83e559..fc619228b 100644 --- a/apparmor.d/groups/filesystem/mkfs-btrfs +++ b/apparmor.d/groups/filesystem/mkfs-btrfs @@ -13,6 +13,7 @@ profile mkfs-btrfs @{exec_path} { include capability sys_admin, + capability sys_rawio, @{exec_path} mr, From e5ca8623498a91e4689432dcc12d7274777ce783 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 14:41:53 +0200 Subject: [PATCH 687/798] fix(profile): flatpak: remove denied gvfs data. fix #862 --- apparmor.d/groups/flatpak/flatpak | 2 -- 1 file changed, 2 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 341db555e..0b33cb6dc 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -134,8 +134,6 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /dev/tty rw, /dev/tty@{int} rw, - deny owner @{user_share_dirs}/gvfs-metadata/* r, - profile gpg { include include From 356acec7d620745a084b2b8dd99dde46e78df322 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 14:53:36 +0200 Subject: [PATCH 688/798] feat(profile): gnome-shell: improve icon management. fix #861 --- apparmor.d/groups/gnome/gnome-shell | 9 +++++---- apparmor.d/tunables/multiarch.d/extensions | 4 ++++ 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 24c069e72..a1090a15a 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -183,8 +183,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, - /snap/*/@{uid}/**.@{image_ext} r, - /usr/share/**.@{image_ext} r, + /snap/*/@{uid}/**.@{icon_ext} r, + /usr/share/**.@{icon_ext} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, @@ -246,7 +246,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{HOME}/.mozilla/native-messaging-hosts/ rw, owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw, - owner @{HOME}/.var/app/**.@{image_ext} r, + owner @{HOME}/.var/app/**.@{icon_ext} r, owner @{HOME}/.var/app/**/ r, owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw, @@ -286,6 +286,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw, @{run}/gdm{3,}/dbus/dbus-@{rand8} rw, + owner @{run}/user/@{uid}/app/*/.org.chromium.Chromium.@{rand6}/*.@{icon_ext} r, owner @{run}/user/@{uid}/app/*/*.@{rand6} r, owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw, owner @{run}/user/@{uid}/gnome-shell/{,**} rw, @@ -300,7 +301,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /tmp/dbus-@{rand8} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6} r, owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, - owner @{tmp}/.org.chromium.Chromium.@{rand6}/status_icon_@{int}.png r, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.@{icon_ext} r, owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions index d7f7450aa..4d9ea7d65 100644 --- a/apparmor.d/tunables/multiarch.d/extensions +++ b/apparmor.d/tunables/multiarch.d/extensions @@ -432,6 +432,10 @@ @{image_ext} += [xX][wW][dD] # xwd @{image_ext} += [xX][yY][zZ][eE] # xyze +# Icons +@{icon_ext} = [pP][nN][gG] # png +@{icon_ext} += [iI][cC][oO] # ico + # Models @{model_ext} = [bB][aA][rR][yY] # bary @{model_ext} += [bB][sS][pP] # bsp From a18f73f3266ba7fd3fcad0309fdd5b8dbfe68512 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 14:56:49 +0200 Subject: [PATCH 689/798] fix(profile): ensure ffmpeg works with any graphics hardware. fix #851 --- apparmor.d/profiles-a-f/ffmpeg | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index 8633444d8..8ab42e392 100644 --- a/apparmor.d/profiles-a-f/ffmpeg +++ b/apparmor.d/profiles-a-f/ffmpeg @@ -12,7 +12,7 @@ profile ffmpeg @{exec_path} { include include include - include + include include include include @@ -33,12 +33,9 @@ profile ffmpeg @{exec_path} { owner @{user_music_dirs}/** rw, owner @{user_videos_dirs}/** rw, - owner @{tmp}/*.{png,jpg} rw, # To generate thumbnails in some apps + owner @{tmp}/*.@{image_ext} rw, # To generate thumbnails in some apps owner @{tmp}/vidcutter/** rw, # TMP files for apps using ffmpeg - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, - include if exists } From 35993bde5969bf0a111d2973c8647ce95ca9e91e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 14:58:33 +0200 Subject: [PATCH 690/798] fix(profile): hyprland fix #848 --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index cd3270e49..164253f1d 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -39,6 +39,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.hyprpicker_* rw, owner @{run}/user/@{uid}/hypr/{,**} rw, owner @{att}/dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @{run}/systemd/sessions/@{int} r, From a57a6f5267e30f839969e64cb3b82b1ac958958b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 15:00:59 +0200 Subject: [PATCH 691/798] fix: temporary remove comments. precise network control is still a wip. fix #856 --- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 4ea39c7d0..bc672de04 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -16,7 +16,7 @@ profile gvfsd-wsdd @{exec_path} { include include - network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), + network inet dgram, network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd From 8371a9d1a98d9eb5ff4afd6af8c71dbee58c67ea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 15:07:26 +0200 Subject: [PATCH 692/798] feat(profile): update zfs profiles. fix #845 --- apparmor.d/profiles-s-z/zfs | 6 ++++-- apparmor.d/profiles-s-z/zpool | 7 +++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index e28a2e439..a4608ca44 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /{usr/,}{local/,}{s,}bin/zfs +@{exec_path} = @{bin}/zfs profile zfs @{exec_path} { include include @@ -23,10 +23,12 @@ profile zfs @{exec_path} { # Sanoid generates temorary files with random names including underscores, directly under /tmp. # https://github.com/jimsalterjrs/sanoid/issues/758 - /tmp/* rw, + /tmp/@{word10} rw, @{run}/zfs-list.cache@* rw, + @{sys}/module/zfs/*/ r, + @{PROC}/@{pids}/mounts r, @{PROC}/sys/fs/pipe-max-size r, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index e6033d9d2..89a3e1b29 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -6,17 +6,20 @@ abi , include -@{exec_path} = /{usr/,}{local/,}{s,}bin/zpool +@{exec_path} = @{bin}/zpool profile zpool @{exec_path} { include include capability sys_admin, + mount fstype=zfs options=(rw noatime) hdzpool -> @{MOUNTS}/, + mount fstype=zfs options=(rw noatime) sszpool -> @{MOUNTS}/, + @{exec_path} mr, @{sh_path} rix, - /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, + @{lib}/zfs-linux/zpool.d/* rix, /usr/share/zfs/{,**} r, From 9e901bfbcea5fa5cf743defb38896f0d19a47bb7 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 18 Sep 2025 08:21:38 -0600 Subject: [PATCH 693/798] Create profile for tickrs --- apparmor.d/profiles-s-z/tickrs | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 apparmor.d/profiles-s-z/tickrs diff --git a/apparmor.d/profiles-s-z/tickrs b/apparmor.d/profiles-s-z/tickrs new file mode 100644 index 000000000..9a4f7cd69 --- /dev/null +++ b/apparmor.d/profiles-s-z/tickrs @@ -0,0 +1,32 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Zane Zakraisek +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/tickrs +profile tickrs @{exec_path} { + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + owner @{HOME}/.config/tickrs/{,**} rw, + + @{sys}/fs/cgroup/**/cpu.max r, + owner @{PROC}/@{pid}/cgroup r, + + include if exists +} + +# vim:syntax=apparmor From 26048d938eb634947e6b82531ddcd537e9960d50 Mon Sep 17 00:00:00 2001 From: doublez13 Date: Thu, 18 Sep 2025 08:33:32 -0600 Subject: [PATCH 694/798] tickrs: make the linter happy --- apparmor.d/profiles-s-z/tickrs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/tickrs b/apparmor.d/profiles-s-z/tickrs index 9a4f7cd69..131e1102b 100644 --- a/apparmor.d/profiles-s-z/tickrs +++ b/apparmor.d/profiles-s-z/tickrs @@ -21,7 +21,7 @@ profile tickrs @{exec_path} { @{exec_path} mr, - owner @{HOME}/.config/tickrs/{,**} rw, + owner @{user_config_dirs}/tickrs/{,**} rw, @{sys}/fs/cgroup/**/cpu.max r, owner @{PROC}/@{pid}/cgroup r, From e3ace801c4a8c63cddf5b9bfdff5c8d84a02f82c Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 9 Sep 2025 22:15:25 +0200 Subject: [PATCH 695/798] add poppler tools --- apparmor.d/profiles-m-r/pdfattach | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdfdetach | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdffonts | 21 +++++++++++++++++++++ apparmor.d/profiles-m-r/pdfimages | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdfinfo | 21 +++++++++++++++++++++ apparmor.d/profiles-m-r/pdfseparate | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdfsig | 23 +++++++++++++++++++++++ apparmor.d/profiles-m-r/pdftocairo | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdftohtml | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdftoppm | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdftops | 22 ++++++++++++++++++++++ apparmor.d/profiles-m-r/pdftotext | 2 +- apparmor.d/profiles-m-r/pdfunite | 22 ++++++++++++++++++++++ 13 files changed, 264 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-m-r/pdfattach create mode 100644 apparmor.d/profiles-m-r/pdfdetach create mode 100644 apparmor.d/profiles-m-r/pdffonts create mode 100644 apparmor.d/profiles-m-r/pdfimages create mode 100644 apparmor.d/profiles-m-r/pdfinfo create mode 100644 apparmor.d/profiles-m-r/pdfseparate create mode 100644 apparmor.d/profiles-m-r/pdfsig create mode 100644 apparmor.d/profiles-m-r/pdftocairo create mode 100644 apparmor.d/profiles-m-r/pdftohtml create mode 100644 apparmor.d/profiles-m-r/pdftoppm create mode 100644 apparmor.d/profiles-m-r/pdftops create mode 100644 apparmor.d/profiles-m-r/pdfunite diff --git a/apparmor.d/profiles-m-r/pdfattach b/apparmor.d/profiles-m-r/pdfattach new file mode 100644 index 000000000..5a063422e --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfattach @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfattach +profile pdfattach @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdfdetach b/apparmor.d/profiles-m-r/pdfdetach new file mode 100644 index 000000000..bf6e589cc --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfdetach @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfdetach +profile pdfdetach @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdffonts b/apparmor.d/profiles-m-r/pdffonts new file mode 100644 index 000000000..8cc71b246 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdffonts @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdffonts +profile pdffonts @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdfimages b/apparmor.d/profiles-m-r/pdfimages new file mode 100644 index 000000000..0f3a6681b --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfimages @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfimages +profile pdfimages @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdfinfo b/apparmor.d/profiles-m-r/pdfinfo new file mode 100644 index 000000000..a481ad323 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfinfo @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfinfo +profile pdfinfo @{exec_path} { + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdfseparate b/apparmor.d/profiles-m-r/pdfseparate new file mode 100644 index 000000000..1026719f8 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfseparate @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfseparate +profile pdfseparate @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdfsig b/apparmor.d/profiles-m-r/pdfsig new file mode 100644 index 000000000..5f4cb3ce7 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfsig @@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfsig +profile pdfsig @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdftocairo b/apparmor.d/profiles-m-r/pdftocairo new file mode 100644 index 000000000..65a880057 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdftocairo @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdftocairo +profile pdftocairo @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdftohtml b/apparmor.d/profiles-m-r/pdftohtml new file mode 100644 index 000000000..3c44be2f5 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdftohtml @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdftohtml +profile pdftohtml @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdftoppm b/apparmor.d/profiles-m-r/pdftoppm new file mode 100644 index 000000000..4924a91d8 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdftoppm @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdftoppm +profile pdftoppm @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdftops b/apparmor.d/profiles-m-r/pdftops new file mode 100644 index 000000000..1a390c576 --- /dev/null +++ b/apparmor.d/profiles-m-r/pdftops @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdftops +profile pdftops @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/pdftotext b/apparmor.d/profiles-m-r/pdftotext index 0394687f7..7fb2bed7b 100644 --- a/apparmor.d/profiles-m-r/pdftotext +++ b/apparmor.d/profiles-m-r/pdftotext @@ -1,5 +1,5 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 valoq +# Copyright (C) 2025 valoq # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/profiles-m-r/pdfunite b/apparmor.d/profiles-m-r/pdfunite new file mode 100644 index 000000000..ea2b776ae --- /dev/null +++ b/apparmor.d/profiles-m-r/pdfunite @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 valoq +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pdfunite +profile pdfunite @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/poppler/{,**} r, + + include if exists +} + +# vim:syntax=apparmor From 3f7b83904ae8807fa04d4be38306f0a18cfa751d Mon Sep 17 00:00:00 2001 From: valoq Date: Tue, 9 Sep 2025 22:59:35 +0200 Subject: [PATCH 696/798] remove whitespace --- apparmor.d/profiles-m-r/pdfunite | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/pdfunite b/apparmor.d/profiles-m-r/pdfunite index ea2b776ae..7b2019af5 100644 --- a/apparmor.d/profiles-m-r/pdfunite +++ b/apparmor.d/profiles-m-r/pdfunite @@ -11,7 +11,7 @@ profile pdfunite @{exec_path} { include include include - + @{exec_path} mr, /usr/share/poppler/{,**} r, From f5d7140b283556407155588bd6e70c0a58728283 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 10 Sep 2025 11:42:13 +0200 Subject: [PATCH 697/798] fix pdftoppm --- apparmor.d/profiles-m-r/pdftoppm | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-m-r/pdftoppm b/apparmor.d/profiles-m-r/pdftoppm index 4924a91d8..86953b8b9 100644 --- a/apparmor.d/profiles-m-r/pdftoppm +++ b/apparmor.d/profiles-m-r/pdftoppm @@ -9,8 +9,10 @@ include @{exec_path} = @{bin}/pdftoppm profile pdftoppm @{exec_path} { include + include include include + include @{exec_path} mr, From eeb42cc089f47d5ef83e41503a7244974b6c60e9 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 10 Sep 2025 11:50:56 +0200 Subject: [PATCH 698/798] fix pdftoppm --- apparmor.d/profiles-m-r/pdftoppm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/pdftoppm b/apparmor.d/profiles-m-r/pdftoppm index 86953b8b9..3ae603bf1 100644 --- a/apparmor.d/profiles-m-r/pdftoppm +++ b/apparmor.d/profiles-m-r/pdftoppm @@ -12,12 +12,13 @@ profile pdftoppm @{exec_path} { include include include - include @{exec_path} mr, /usr/share/poppler/{,**} r, + owner /tmp/{,**} rw, + include if exists } From 793c085fa0bb0996a7c687beaac353a14d14ea1a Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 10 Sep 2025 14:47:49 +0200 Subject: [PATCH 699/798] restrict tmp writes --- apparmor.d/profiles-m-r/pdftoppm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/pdftoppm b/apparmor.d/profiles-m-r/pdftoppm index 3ae603bf1..4be131bd3 100644 --- a/apparmor.d/profiles-m-r/pdftoppm +++ b/apparmor.d/profiles-m-r/pdftoppm @@ -17,7 +17,11 @@ profile pdftoppm @{exec_path} { /usr/share/poppler/{,**} r, - owner /tmp/{,**} rw, + owner /tmp/{,**}.ppm w, + owner /tmp/{,**}.png w, + owner /tmp/{,**}.jpg w, + owner /tmp/{,**}.jpeg w, + owner /tmp/{,**}.tiff w, include if exists } From 03d82fbed1ca6527865e66282e3b35c938369fc4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 15:49:48 +0200 Subject: [PATCH 700/798] feat(profile): ensure that all systemd generator can ptrace systemd. --- .../groups/systemd-generators/systemd-generator-bless-boot | 2 ++ .../groups/systemd-generators/systemd-generator-cloud-init | 2 ++ .../groups/systemd-generators/systemd-generator-cryptsetup | 2 ++ apparmor.d/groups/systemd-generators/systemd-generator-debug | 2 ++ .../systemd-generators/systemd-generator-environment-arch | 2 ++ .../systemd-generators/systemd-generator-environment-flatpak | 2 ++ .../systemd-generators/systemd-generator-environment-snapd | 2 ++ .../systemd-generators/systemd-generator-friendly-recovery | 2 ++ apparmor.d/groups/systemd-generators/systemd-generator-fstab | 2 ++ apparmor.d/groups/systemd-generators/systemd-generator-getty | 3 +++ .../groups/systemd-generators/systemd-generator-gpt-auto | 2 ++ .../systemd-generators/systemd-generator-hibernate-resume | 2 ++ .../groups/systemd-generators/systemd-generator-integritysetup | 2 ++ apparmor.d/groups/systemd-generators/systemd-generator-openvpn | 2 ++ apparmor.d/groups/systemd-generators/systemd-generator-ostree | 2 ++ apparmor.d/groups/systemd-generators/systemd-generator-snapd | 2 ++ .../groups/systemd-generators/systemd-generator-sshd-socket | 2 ++ .../groups/systemd-generators/systemd-generator-system-update | 2 ++ .../groups/systemd-generators/systemd-generator-user-autostart | 2 ++ .../systemd-generators/systemd-generator-user-environment | 2 ++ .../groups/systemd-generators/systemd-generator-veritysetup | 2 +- 21 files changed, 42 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot index 32e2aac65..88c1d3ad4 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot +++ b/apparmor.d/groups/systemd-generators/systemd-generator-bless-boot @@ -11,6 +11,8 @@ profile systemd-generator-bless-boot @{exec_path} flags=(attach_disconnected) { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init index 698a4fcb9..fae2afac0 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init +++ b/apparmor.d/groups/systemd-generators/systemd-generator-cloud-init @@ -12,6 +12,8 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup b/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup index 1979dba1d..beffa8e17 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup +++ b/apparmor.d/groups/systemd-generators/systemd-generator-cryptsetup @@ -12,6 +12,8 @@ profile systemd-generator-cryptsetup @{exec_path} flags=(attach_disconnected) { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, /etc/crypttab r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-debug b/apparmor.d/groups/systemd-generators/systemd-generator-debug index 4ce9d2974..d0ec3f82e 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-debug +++ b/apparmor.d/groups/systemd-generators/systemd-generator-debug @@ -11,6 +11,8 @@ profile systemd-generator-debug @{exec_path} flags=(attach_disconnected) { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch b/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch index 738144547..aee9ee573 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-arch @@ -12,6 +12,8 @@ profile systemd-generator-environment-arch @{exec_path} { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sh_path} r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak index a4ba2afe1..7d0e91e79 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-flatpak @@ -11,6 +11,8 @@ profile systemd-generator-environment-flatpak @{exec_path} { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd index b18bd6bd5..162be1303 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd +++ b/apparmor.d/groups/systemd-generators/systemd-generator-environment-snapd @@ -10,6 +10,8 @@ include profile systemd-generator-environment-snapd @{exec_path} flags=(attach_disconnected) { include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery index 1af9fe22f..f2f6554e6 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery +++ b/apparmor.d/groups/systemd-generators/systemd-generator-friendly-recovery @@ -10,6 +10,8 @@ include profile systemd-generator-friendly-recovery @{exec_path} flags=(attach_disconnected) { include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-fstab b/apparmor.d/groups/systemd-generators/systemd-generator-fstab index 193ff22af..44a3f8db4 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-fstab +++ b/apparmor.d/groups/systemd-generators/systemd-generator-fstab @@ -15,6 +15,8 @@ profile systemd-generator-fstab @{exec_path} { capability dac_read_search, capability mknod, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, /etc/fstab r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-getty b/apparmor.d/groups/systemd-generators/systemd-generator-getty index 0eadabec8..78f08c3ad 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-getty +++ b/apparmor.d/groups/systemd-generators/systemd-generator-getty @@ -12,12 +12,15 @@ profile systemd-generator-getty @{exec_path} flags=(attach_disconnected) { include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{run}/systemd/generator/getty.target.wants/ w, @{run}/systemd/generator/getty.target.wants/serial-getty@ttyS@{int}.service w, @{sys}/devices/virtual/tty/console/active r, + @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto index 4bf0092d0..444315108 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto @@ -14,6 +14,8 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { capability sys_admin, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, / r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume index 7c5e9ec80..8979388dc 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume +++ b/apparmor.d/groups/systemd-generators/systemd-generator-hibernate-resume @@ -11,6 +11,8 @@ profile systemd-generator-hibernate-resume @{exec_path} flags=(attach_disconnect include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup index 72ef28061..5ac1ea004 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup +++ b/apparmor.d/groups/systemd-generators/systemd-generator-integritysetup @@ -11,6 +11,8 @@ profile systemd-generator-integritysetup @{exec_path} flags=(attach_disconnected include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn index 780c63d56..7b2130db3 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn +++ b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn @@ -10,6 +10,8 @@ include profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) { include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sh_path} r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ostree b/apparmor.d/groups/systemd-generators/systemd-generator-ostree index ce2ecaf43..9a3d610cb 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-ostree +++ b/apparmor.d/groups/systemd-generators/systemd-generator-ostree @@ -10,6 +10,8 @@ include profile systemd-generator-ostree @{exec_path} flags=(attach_disconnected) { include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-snapd b/apparmor.d/groups/systemd-generators/systemd-generator-snapd index 8544a7938..85ea9734c 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-snapd +++ b/apparmor.d/groups/systemd-generators/systemd-generator-snapd @@ -10,6 +10,8 @@ include profile systemd-generator-snapd @{exec_path} flags=(attach_disconnected) { include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/1/mountinfo r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket index f08df7d90..8e90be300 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket +++ b/apparmor.d/groups/systemd-generators/systemd-generator-sshd-socket @@ -15,6 +15,8 @@ profile systemd-generator-sshd-socket @{exec_path} { network inet6 dgram, network netlink raw, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{etc_ro}/ssh/sshd_config r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-system-update b/apparmor.d/groups/systemd-generators/systemd-generator-system-update index 9767a2e72..84127551f 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-system-update +++ b/apparmor.d/groups/systemd-generators/systemd-generator-system-update @@ -11,6 +11,8 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected) include include + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart index ff4c74664..7e98e166e 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart @@ -15,6 +15,8 @@ profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected capability net_admin, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{etc_ro}/xdg/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-environment b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment index 27db22078..d62127fa0 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-environment +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-environment @@ -14,6 +14,8 @@ profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnect capability net_admin, + ptrace read peer=@{p_systemd}, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup index 97776312f..9cdb1c157 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup +++ b/apparmor.d/groups/systemd-generators/systemd-generator-veritysetup @@ -11,7 +11,7 @@ profile systemd-generator-veritysetup @{exec_path} flags=(attach_disconnected) { include include - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, @{exec_path} mr, From fdf4d60b72b198d60a7731ff315f2e347d56ee09 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 15:50:50 +0200 Subject: [PATCH 701/798] feat(profile): simplify unattended-upgrade. --- apparmor.d/groups/apt/unattended-upgrade | 29 +----------------------- 1 file changed, 1 insertion(+), 28 deletions(-) diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index d2da77bc3..94a10b075 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -74,34 +74,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /usr/share/distro-info/* r, /usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r, - @{etc_ro}/login.defs r, - @{etc_ro}/security/capability.conf r, - /etc/apport/report-ignore/{,**} r, - /etc/apt/*.list r, - /etc/apt/apt.conf.d/{,**} r, - /etc/debian_version r, - /etc/default/{,**} r, - /etc/dpkg/origins/{,debian,ubuntu} r, - /etc/fwupd/{,**} r, - /etc/grub.d/* r, - /etc/init.d/* r, - /etc/issue{.net,} r, - /etc/kernel/*.d/*grub* r, - /etc/legal r, - /etc/lsb-release r, - /etc/machine-id r, - /etc/pam.d/* r, - /etc/pki/fwupd-metadata/{,**} r, - /etc/pki/fwupd/{,**} r, - /etc/profile.d/* r, - /etc/ssh/moduli r, - @{etc_ro}/ssh/sshd_config r, - @{etc_ro}/ssh/sshd_config.d/{,*} r, - /etc/ufw/{,**} r, - /etc/update-manager/{,**} r, - /etc/update-motd.d/{,**} r, - /etc/vim/{,**} r, - /etc/vmware-tools/{,**} r, + @{etc_ro}/** r, /var/log/unattended-upgrades/{,**} rw, /var/crash/*.crash rw, From 10cabcfe8e66cd2f86b2a3a0b57d8091100ed977 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 15:55:32 +0200 Subject: [PATCH 702/798] feat(profile): update apt profiles. Add support for autopkgtest in test mode. --- apparmor.d/groups/apt/apt-ftparchive | 4 +--- apparmor.d/groups/apt/apt-methods-copy | 8 +------- apparmor.d/groups/apt/apt-methods-file | 7 +------ apparmor.d/groups/apt/dpkg-buildflags | 5 ++++- apparmor.d/groups/apt/dpkg-deb | 3 +++ apparmor.d/groups/apt/dpkg-genbuildinfo | 3 +++ apparmor.d/groups/apt/dpkg-genchanges | 3 +++ apparmor.d/groups/apt/dpkg-split | 3 +++ 8 files changed, 19 insertions(+), 17 deletions(-) diff --git a/apparmor.d/groups/apt/apt-ftparchive b/apparmor.d/groups/apt/apt-ftparchive index f7e9b4651..a60bf9a06 100644 --- a/apparmor.d/groups/apt/apt-ftparchive +++ b/apparmor.d/groups/apt/apt-ftparchive @@ -10,12 +10,10 @@ include @{exec_path} = @{bin}/apt-ftparchive profile apt-ftparchive @{exec_path} { include + include @{exec_path} mr, - /etc/apt/apt.conf r, - /etc/apt/apt.conf.d/{,*} r, - # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index e2878e108..238a2bdd9 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/apt/methods/copy profile apt-methods-copy @{exec_path} { include + include include include @@ -35,13 +36,6 @@ profile apt-methods-copy @{exec_path} { /etc/ r, /root/ r, - /etc/apt/apt.conf.d/{,*} r, - /etc/apt/apt.conf r, - - /usr/share/dpkg/cputable r, - /usr/share/dpkg/tupletable r, - - /var/lib/apt/lists/{,**} r, owner /var/lib/apt/lists/* rw, owner /var/lib/apt/lists/partial/* rw, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 781f9714e..25afbcb35 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/apt/methods/file profile apt-methods-file @{exec_path} { include + include include include @@ -31,19 +32,13 @@ profile apt-methods-file @{exec_path} { @{lib}/apt/apt-helper rix, /etc/apt/apt-mirrors.txt r, - /etc/apt/apt.conf r, - /etc/apt/apt.conf.d/{,*} r, /etc/apt/mirrors/* r, - /usr/share/dpkg/cputable r, - /usr/share/dpkg/tupletable r, - # For shell pwd / r, /etc/ r, /root/ r, - /var/lib/apt/lists/{,**} rw, owner /var/lib/apt/lists/partial/* rw, /var/log/cron-apt/temp w, diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 1a4055f77..86a748f69 100644 --- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -8,12 +8,15 @@ abi , include @{exec_path} = @{bin}/dpkg-buildflags -profile dpkg-buildflags @{exec_path} flags=(complain) { +profile dpkg-buildflags @{exec_path} flags=(attach_disconnected) { include include @{exec_path} r, + @{bin}/dpkg Px -> child-dpkg, + @{bin}/@{multiarch}gcc-@{int} mrix, + /usr/share/lto-disabled-list/lto-disabled-list r, /usr/share/dpkg/cputable r, diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index 4fedbcd5f..97d4d382c 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb @@ -33,6 +33,9 @@ profile dpkg-deb @{exec_path} { owner @{tmp}/dpkg-deb.@{rand6}/ rw, owner @{tmp}/dpkg-deb.@{rand6}/* rw, + #aa:only test + /tmp/autopkgtest.@{rand6}/{,**} rw, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index b9853ca32..536098fa0 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -37,6 +37,9 @@ profile dpkg-genbuildinfo @{exec_path} { owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + #aa:only test + /tmp/autopkgtest.@{rand6}/** rwk, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges index 7c7ad1681..0ba28c80a 100644 --- a/apparmor.d/groups/apt/dpkg-genchanges +++ b/apparmor.d/groups/apt/dpkg-genchanges @@ -26,6 +26,9 @@ profile dpkg-genchanges @{exec_path} flags=(complain) { # For package building owner @{user_build_dirs}/** rw, + #aa:only test + /tmp/autopkgtest.@{rand6}/{,**} rw, + include if exists } diff --git a/apparmor.d/groups/apt/dpkg-split b/apparmor.d/groups/apt/dpkg-split index e307e9867..28dff622e 100644 --- a/apparmor.d/groups/apt/dpkg-split +++ b/apparmor.d/groups/apt/dpkg-split @@ -29,6 +29,9 @@ profile dpkg-split @{exec_path} { @{user_pkg_dirs}/** r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + #aa:only test + /tmp/autopkgtest.@{rand6}/** rwk, + include if exists } From 90db4b14f2fbac55b7e8d8ad6ddf2a912007f66b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 16:09:49 +0200 Subject: [PATCH 703/798] feat(abs): globally deny LTTng. --- apparmor.d/abstractions/base-strict | 1 + apparmor.d/abstractions/lttng | 21 +++++++++++++++++++ apparmor.d/groups/freedesktop/wireplumber | 4 ---- .../groups/gnome/gnome-desktop-thumbnailers | 3 --- 4 files changed, 22 insertions(+), 7 deletions(-) create mode 100644 apparmor.d/abstractions/lttng diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 22ca5ec5e..63169d497 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -17,6 +17,7 @@ include include include + include # Allow us to signal ourselves signal peer=@{profile_name}, diff --git a/apparmor.d/abstractions/lttng b/apparmor.d/abstractions/lttng new file mode 100644 index 000000000..922065531 --- /dev/null +++ b/apparmor.d/abstractions/lttng @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# LTTng is an open source tracing framework for Linux - https://lttng.org +# +# Lttng tracing is very noisy and should not be allowed by confined apps. + + abi , + + deny @{run}/shm/lttng-ust-@{int} rw, + deny owner @{run}/shm/lttng-ust-@{int}-@{uid} rw, + deny owner @{run}/shm/lttng-ust-@{int}-@{int} rw, + + deny /dev/shm/lttng-ust-wait-@{int} rw, + deny owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, + deny owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 90eb46dc4..2df34a4f4 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -60,10 +60,6 @@ profile wireplumber @{exec_path} { owner @{run}/user/@{uid}/pipewire-@{int} rw, owner @{run}/user/@{uid}/pipewire-@{int}-manager rw, - /dev/shm/lttng-ust-wait-@{int} rw, - owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, - owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw, - @{run}/systemd/users/@{uid} r, @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS) diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 8c637920b..436d82443 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -27,9 +27,6 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { owner @{tmp}/gnome-desktop-thumbnailer.png w, owner @{tmp}/gsf-thumbnailer-@{rand6} rw, - owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw, - owner /dev/shm/lttng-ust-wait-@{int} rw, - include if exists } From 4503ad63cf22a668eb2161396cd75a8a8ec4b871 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 16:11:38 +0200 Subject: [PATCH 704/798] feat(profile): update own apparmor profles. --- apparmor.d/groups/apparmor/aa-log | 3 +++ apparmor.d/groups/apparmor/apparmor_parser | 9 +++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 1a3e0aeff..80e396125 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -21,6 +21,9 @@ profile aa-log @{exec_path} { /var/log/audit/* r, /var/log/syslog* r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + /dev/tty@{int} rw, profile journalctl { diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index a5769931c..4e3216d72 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -21,15 +21,17 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/snapd/apparmor.d/{,**} r, @{lib_dirs}/snapd/apparmor/{,**} r, + /opt/Mullvad*/resources/apparmor_mullvad r, + + /usr/share/apparmor-features/{,**} r, + /usr/share/apparmor/{,**} r, + /etc/apparmor.d/{,**} r, /etc/apparmor.d/cache.d/{,**} rw, /etc/apparmor/{,**} r, /etc/apparmor/cache.d/{,**} rw, /etc/apparmor/earlypolicy/{,**} rw, - /usr/share/apparmor-features/{,**} r, - /usr/share/apparmor/{,**} r, - owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} r, owner /snap/core@{int}/@{int}/etc/apparmor/* r, owner /var/cache/apparmor/{,**} rw, @@ -46,7 +48,6 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, deny network netlink raw, # file_inherit - /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad? include if exists } From dc1b69d0be6189f99ae04805e0bb8888b6de59ff Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 16:13:38 +0200 Subject: [PATCH 705/798] feat(profles): update core fsp profiles. --- apparmor.d/groups/_full/sd | 7 ++++++- apparmor.d/groups/_full/sdu | 5 +++-- apparmor.d/groups/_full/systemd-user | 7 +++++++ 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd index ccdbf338b..93d3e362c 100644 --- a/apparmor.d/groups/_full/sd +++ b/apparmor.d/groups/_full/sd @@ -2,6 +2,8 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +#aa:lint ignore=too-wide + # Part of the systemd (as PID 1) profile. # sd is a profile for SystemD-executor run as root, it is used to run all services @@ -58,7 +60,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { capability sys_tty_config, capability syslog, - network alg seqpacket, + network alg seqpacket, # kernel crypto API network bluetooth, network inet dgram, network inet stream, @@ -94,6 +96,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { mqueue (read getattr) type=posix /, + signal peer=*//&sd, signal peer=sd//&*, signal receive peer=@{p_systemd}, signal send, @@ -183,12 +186,14 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) { @{run}/* rw, @{run}/*/ rw, @{run}/*/* rw, + @{run}/*/*/ rw, @{run}/systemd/{,**} rw, owner @{run}/*/** rw, @{run}/udev/**/ r, @{run}/udev/data/+*:* r, # Identifies all subsystems @{run}/udev/data/c@{int}:@{int} r, # Identifies all character devices + @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/** r, @{sys}/fs/bpf/systemd/{,**} w, diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu index f9c50b65f..51b2325ea 100644 --- a/apparmor.d/groups/_full/sdu +++ b/apparmor.d/groups/_full/sdu @@ -35,6 +35,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { unix type=dgram peer=(label=@{p_systemd_user}), + #aa:dbus talk bus=system name=org label="*" dbus bus=session, @{exec_path} mr, @@ -113,7 +114,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { deny capability net_admin, - profile shell flags=(attach_disconnected,mediate_deleted,complain) { + profile shell flags=(attach_disconnected,mediate_deleted) { include @{sh_path} mr, @@ -122,7 +123,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include if exists } - profile systemctl flags=(attach_disconnected,mediate_deleted,complain) { + profile systemctl flags=(attach_disconnected,mediate_deleted) { include include diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index b3d751be1..af3011e83 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +#aa:lint ignore=too-wide + # Profile for 'systemd --user', not PID 1 but the user manager for any UID. # It does not specify an attachment path because it is intended to be used only # via "px -> systemd-user" exec transitions from the `systemd` profile. @@ -36,6 +38,11 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) { #aa:dbus own bus=session name=org.freedesktop.systemd1 + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mrix, # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.) From ee67dbba6f55dd9c716b5aeaee978a359e67f2d3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 16:16:54 +0200 Subject: [PATCH 706/798] feat(profile): ensure child-open-* profile can open app through snap/flatpak. --- apparmor.d/groups/children/child-open-browsers | 4 +++- apparmor.d/groups/children/child-open-editor | 4 +++- apparmor.d/groups/children/child-open-help | 6 ++++-- apparmor.d/groups/children/child-open-strict | 6 ++++-- 4 files changed, 14 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/children/child-open-browsers b/apparmor.d/groups/children/child-open-browsers index 473276bff..2a65321a3 100644 --- a/apparmor.d/groups/children/child-open-browsers +++ b/apparmor.d/groups/children/child-open-browsers @@ -19,7 +19,9 @@ profile child-open-browsers flags=(attach_disconnected,mediate_deleted) { include include - @{browsers_path} rPx, + @{browsers_path} Px, + @{bin}/flatpak Px, + @{bin}/snap Px, include if exists include if exists diff --git a/apparmor.d/groups/children/child-open-editor b/apparmor.d/groups/children/child-open-editor index 16d3dc868..45c22fde5 100644 --- a/apparmor.d/groups/children/child-open-editor +++ b/apparmor.d/groups/children/child-open-editor @@ -19,7 +19,9 @@ profile child-open-editor flags=(attach_disconnected,mediate_deleted) { include include - @{editor_ui_path} PUx, + @{editor_ui_path} PUx, + @{bin}/flatpak Px, + @{bin}/snap Px, include if exists include if exists diff --git a/apparmor.d/groups/children/child-open-help b/apparmor.d/groups/children/child-open-help index 1150d16d3..0b80bca63 100644 --- a/apparmor.d/groups/children/child-open-help +++ b/apparmor.d/groups/children/child-open-help @@ -10,8 +10,10 @@ profile child-open-help flags=(attach_disconnected,mediate_deleted) { include include - @{browsers_path} rPx, - @{help_path} rPx, + @{browsers_path} Px, + @{help_path} Px, + @{bin}/flatpak Px, + @{bin}/snap Px, include if exists include if exists diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 4296f03af..46e3569db 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -15,8 +15,10 @@ profile child-open-strict flags=(attach_disconnected,mediate_deleted) { include include - @{browsers_path} Px, - @{file_explorers_path} Px, + @{browsers_path} Px, + @{file_explorers_path} Px, + @{bin}/snap Px, + @{bin}/flatpak Px, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, From 2af907d74384f8d15280587f42f157121a90212e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 16:18:15 +0200 Subject: [PATCH 707/798] feat(abs): add nvidia-drivers. --- apparmor.d/abstractions/nvidia-drivers | 30 +++++++++++++++++++ .../groups/children/child-modprobe-nvidia | 10 +------ 2 files changed, 31 insertions(+), 9 deletions(-) create mode 100644 apparmor.d/abstractions/nvidia-drivers diff --git a/apparmor.d/abstractions/nvidia-drivers b/apparmor.d/abstractions/nvidia-drivers new file mode 100644 index 000000000..0137e4222 --- /dev/null +++ b/apparmor.d/abstractions/nvidia-drivers @@ -0,0 +1,30 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow creating nvidia device files to be used by unprivileged user-space programs + + abi , + + capability mknod, + + # To read dynamically allocated MAJOR for nvidia-uvm + @{PROC}/devices r, + + # Nvidia proprietary modset driver + /dev/nvidia-modeset w, + + # Nvidia's Unified Memory driver + /dev/nvidia-uvm w, + /dev/nvidia-uvm-tools w, + + # Nvidia graphics devices + /dev/nvidia@{int} rw, + + # Global control device for driver-wide operations. + /dev/nvidiactl rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 8e991cee7..b16bfb007 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -19,11 +19,10 @@ include @{exec_path} = @{bin}/nvidia-modprobe profile child-modprobe-nvidia flags=(attach_disconnected) { include - include + include capability chown, capability fsetid, - capability mknod, capability sys_admin, capability syslog, @@ -34,20 +33,13 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/config r, - @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/config r, @{PROC}/driver/nvidia/capabilities/mig/monitor r, @{PROC}/driver/nvidia/params r, - @{PROC}/modules r, owner /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 owner /dev/char/195:@{u8} w, # Nvidia graphics devices - /dev/nvidia-modeset w, - /dev/nvidia-uvm w, - /dev/nvidia-uvm-tools w, - /dev/nvidia@{int} rw, - /dev/nvidiactl rw, owner /dev/nvidia-caps/ w, owner /dev/nvidia-caps/nvidia-cap@{int} w, From 00d236660371239bf1a7d3fa34c0b0594223b1f0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 16:20:22 +0200 Subject: [PATCH 708/798] feat(profile): rename gjs-console to gjs in peer label. --- apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver | 4 ++-- apparmor.d/groups/freedesktop/xdg-screensaver | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/tunables/multiarch.d/profiles | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver index 27c456637..b7ae6b200 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver +++ b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver @@ -9,12 +9,12 @@ dbus send bus=session path=/{,org/gnome/}ScreenSaver interface=org.gnome.ScreenSaver member={GetActive,GetActiveTime,Lock,SetActive} - peer=(name=@{busname}, label=gjs-console), + peer=(name=@{busname}, label=gjs), dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member={ActiveChanged,WakeUpScreen} - peer=(name=@{busname}, label=gjs-console), + peer=(name=@{busname}, label=gjs), include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index dd7d17118..351292a8b 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -47,7 +47,7 @@ profile xdg-screensaver @{exec_path} flags=(complain) { include #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy - #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs include if exists } diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index a1090a15a..62987c1cf 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -105,7 +105,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=org.gnome.* label=gnome-* #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=* #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus - #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index d4fefb0b0..e26319f2c 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -72,7 +72,7 @@ # Fit to an action that can be handled by multiple profiles depending on the software installed and the distribution # Notification -@{pp_notification}={plasmashell,gjs-console} +@{pp_notification}={plasmashell,gjs} @{pp_app_indicator}={plasmashell,gnome-shell} @{pp_dbusmenu}={plasmashell,nautilus} From ef79363a072ba784c6388b13b40253ce0742f0e0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 17:42:21 +0200 Subject: [PATCH 709/798] feat(abs): add udev c226 to the dri abs. --- apparmor.d/abstractions/dri | 2 ++ apparmor.d/groups/freedesktop/plymouthd | 1 - apparmor.d/groups/freedesktop/xorg | 1 - apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/hyprland/hyprland | 1 - apparmor.d/groups/kde/kwin_wayland | 1 - apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/virt/virtnodedevd | 2 +- apparmor.d/profiles-g-l/labwc | 1 - apparmor.d/profiles-m-r/nvtop | 1 - apparmor.d/profiles-s-z/switcheroo-control | 2 +- 12 files changed, 6 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index 128da00d0..3146b8a3c 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -17,6 +17,8 @@ /etc/drirc r, + @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} + @{sys}/devices/@{pci}/class r, @{sys}/devices/@{pci}/config r, @{sys}/devices/@{pci}/device r, diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd index 0a2390661..c740a1d6a 100644 --- a/apparmor.d/groups/freedesktop/plymouthd +++ b/apparmor.d/groups/freedesktop/plymouthd @@ -48,7 +48,6 @@ profile plymouthd @{exec_path} { @{run}/plymouth/{,**} rw, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{sys}/bus/ r, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index bfec4405c..021cd96b0 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -109,7 +109,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{sys}/bus/ r, @{sys}/bus/pci/devices/ r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 62987c1cf..dd650a9ca 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -325,7 +325,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{run}/udev/data/n@{int} r, # For network interfaces @{sys}/**/uevent r, diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 164253f1d..20c7cc514 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -54,7 +54,6 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+usb:* r, # Identifies all USB devices @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{sys}/bus/ r, @{sys}/class/input/ r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 6a0ef608b..ab33ba2bf 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -140,7 +140,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index e2612ff16..e5f927ba6 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -86,7 +86,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,mediate_deleted) @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* + @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{att}/@{run}/systemd/notify w, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 8f673e261..755cd220d 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -72,7 +72,7 @@ profile subiquity-console-conf @{exec_path} { @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c108:@{int} r, # For /dev/ppp @{run}/udev/data/c116:@{int} r, # For ALSA - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* + @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/n@{int} r, # For network interfaces diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index fb593068e..4034018f8 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -69,7 +69,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers @{run}/udev/data/c203:@{int} r, # CPU CPUID information - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{run}/udev/data/n@{int} r, # For network interfaces diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index ab624f099..351ffc116 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -46,7 +46,6 @@ profile labwc @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+serio:* r, # for touchpad? @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{run}/systemd/sessions/* r, @{run}/systemd/seats/seat@{int} r, diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index fc51b5b9e..96634e7bc 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -27,7 +27,6 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/bus/ r, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index eecb98b28..fd7473365 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -24,7 +24,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} @{sys}/bus/ r, @{sys}/class/ r, From 2c9d21e510def603f00b75920aea01a83cc5bb97 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 17:53:24 +0200 Subject: [PATCH 710/798] feat(abs): add the nss abs. --- apparmor.d/abstractions/common/chromium | 8 ++------ apparmor.d/abstractions/nss | 20 ++++++++++++++++++++ apparmor.d/profiles-m-r/mkcert | 1 + 3 files changed, 23 insertions(+), 6 deletions(-) create mode 100644 apparmor.d/abstractions/nss diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 23f4544a3..00dd5a460 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -15,6 +15,8 @@ abi , + include + userns, # Required for dropping into PID namespace. Keep in mind that until the @@ -28,12 +30,6 @@ capability sys_chroot, capability sys_ptrace, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.@{domain}.@{rand6} rw, owner @{tmp}/.@{domain}.@{rand6} rw, diff --git a/apparmor.d/abstractions/nss b/apparmor.d/abstractions/nss new file mode 100644 index 000000000..3ff04292f --- /dev/null +++ b/apparmor.d/abstractions/nss @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Network Security Services (NSS) + +# It only allows access to the system-provided configuration files, not the ones +# that are applications specific. + + abi , + + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mkcert b/apparmor.d/profiles-m-r/mkcert index 3ae643e1d..bedbbab02 100644 --- a/apparmor.d/profiles-m-r/mkcert +++ b/apparmor.d/profiles-m-r/mkcert @@ -12,6 +12,7 @@ profile mkcert @{exec_path} { include include include + include include network netlink raw, From eb9725f8e275636399dcb8f14cc9c74560b3a653 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:00:59 +0200 Subject: [PATCH 711/798] feat(abs): update camera & media-control abs --- apparmor.d/abstractions/camera | 7 ++++--- apparmor.d/abstractions/media-control | 2 ++ 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/camera b/apparmor.d/abstractions/camera index 0f5cff363..21cc11418 100644 --- a/apparmor.d/abstractions/camera +++ b/apparmor.d/abstractions/camera @@ -6,6 +6,9 @@ abi , + @{run}/udev/data/+usb:* r, # Identifies all USB devices + @{run}/udev/data/c81:@{int} r, # For video4linux + # Allow detection of cameras. Leaks plugged in USB device info @{sys}/bus/usb/devices/ r, @{sys}/devices/@{pci}/usb@{int}/**/busnum r, @@ -17,12 +20,10 @@ @{sys}/devices/@{pci}/usb@{int}/**/speed r, @{sys}/class/video4linux/ r, - @{sys}/devices/**/video4linux/** r, @{sys}/devices/**/video4linux/video@{int}/ r, @{sys}/devices/**/video4linux/video@{int}/uevent r, - @{run}/udev/data/+usb:* r, # Identifies all USB devices - @{run}/udev/data/c81:@{int} r, # For video4linux + /dev/ r, # VideoCore cameras (shared device with VideoCore/EGL) /dev/vchiq rw, diff --git a/apparmor.d/abstractions/media-control b/apparmor.d/abstractions/media-control index 1cdcf66f2..b4fbc0f34 100644 --- a/apparmor.d/abstractions/media-control +++ b/apparmor.d/abstractions/media-control @@ -8,6 +8,8 @@ abi , + @{sys}/bus/media/devices/ r, + # Control of media devices /dev/media@{int} rwk, From 308d27a5dd07754c37c0b873ceb2a53e73365c68 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:01:56 +0200 Subject: [PATCH 712/798] feat(abs): base: allow signal from pkill --- apparmor.d/abstractions/base-strict | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index 63169d497..e65e45d62 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -33,9 +33,10 @@ signal receive peer=@{p_systemd}, signal receive peer=@{p_systemd_user}, - # Htop like programs can send any signal to any process + # Htop like programs can send any signals to any processes signal receive peer=btop, signal receive peer=htop, + signal receive peer=pkill, signal receive peer=top, signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor, From 365736863a883095cf48083898dcccc5ff0d87cd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:03:48 +0200 Subject: [PATCH 713/798] feat(abs): remove the not used user-data abs. prompt is not yet supported. --- apparmor.d/abstractions/user-data | 49 ------------------------------- 1 file changed, 49 deletions(-) delete mode 100644 apparmor.d/abstractions/user-data diff --git a/apparmor.d/abstractions/user-data b/apparmor.d/abstractions/user-data deleted file mode 100644 index 6406b3e84..000000000 --- a/apparmor.d/abstractions/user-data +++ /dev/null @@ -1,49 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -# Gives access to non-hidden files in user's $HOME. -# Warning: experiemental, only for abi 4+, requires a prompting client. - - abi , - - # Allow accessing the GNOME crypto services prompt APIs as used by - # applications using libgcr (such as pinentry-gnome3) for secure pin - # entry to unlock GPG keys etc. See: - # https://developer.gnome.org/gcr/unstable/GcrPrompt.html - # https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html - # https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711 - dbus send bus=session path=/org/gnome/keyring/Prompter - interface=org.gnome.keyring.internal.Prompter - member={BeginPrompting,PerformPrompt,StopPrompting} - peer=(name="{@{busname}", label=pinentry-*), - dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} - interface=org.gnome.keyring.internal.Prompter.Callback - member={PromptReady,PromptDone} - peer=(name="{@{busname}", label=pinentry-*), - - # Allow read access to toplevel $HOME & mounts for the user. - prompt owner @{HOME}/ r, - prompt owner @{MOUNTS}/ r, - - # Allow read/write access to all files in @{HOME}, except snap application - # data in @{HOME}/snap and toplevel hidden directories in @{HOME}. - prompt owner @{HOME}/[^s.]** rwlk, - prompt owner @{HOME}/s[^n]** rwlk, - prompt owner @{HOME}/sn[^a]** rwlk, - prompt owner @{HOME}/sna[^p]** rwlk, - prompt owner @{HOME}/snap[^/]** rwlk, - prompt owner @{HOME}/{s,sn,sna}{,/} rwlk, - - # Allow access to mounts (/mnt/*/, /media/*/, @{run}/media/@{user}/*/, gvfs) - # for non-hidden files owned by the user. - prompt owner @{MOUNTS}/[^.]** rwlk, - - # Disallow writes to the well-known directory included in - # the user's PATH on several distributions - audit deny @{HOME}/bin/{,**} wl, - audit deny @{HOME}/bin wl, - - include if exists - -# vim:syntax=apparmor From fdf89f6fa9072f369bdcbca51a17b9c29077484f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:07:44 +0200 Subject: [PATCH 714/798] feat(abs): improve the u2f abs. --- apparmor.d/abstractions/devices-u2f | 5 +++++ apparmor.d/groups/ssh/ssh | 9 +-------- apparmor.d/groups/ssh/ssh-sk-helper | 10 ++-------- 3 files changed, 8 insertions(+), 16 deletions(-) diff --git a/apparmor.d/abstractions/devices-u2f b/apparmor.d/abstractions/devices-u2f index c707d66e0..e823d76e4 100644 --- a/apparmor.d/abstractions/devices-u2f +++ b/apparmor.d/abstractions/devices-u2f @@ -12,6 +12,11 @@ # Needed for dynamic assignment of U2F devices @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/hidraw/hidraw@{int} r, @{sys}/devices/**/i2c*/**/report_descriptor r, @{sys}/devices/**/usb@{int}/**/report_descriptor r, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 0d6826490..dcaa416fe 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -11,6 +11,7 @@ include profile ssh @{exec_path} { include include + include include include include @@ -52,17 +53,9 @@ profile ssh @{exec_path} { owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand}, owner @{run}/user/@{uid}/keyring/ssh rw, - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/hidraw/hidraw@{int} r, - owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/fd/ r, - /dev/hidraw@{int} rwk, - include if exists } diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index ff9de97c3..79f5d22da 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 valoq +# Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,18 +10,11 @@ include @{exec_path} = @{lib}/{,ssh/}ssh-sk-helper profile ssh-sk-helper flags=(complain) { include + include include @{exec_path} mr, - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/hidraw/hidraw@{int} r, - - /dev/hidraw@{int} rwk, - include if exists } From 22873640a6ae3d16ab489c867ebc148890f0d7c7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:12:15 +0200 Subject: [PATCH 715/798] chore(abs): remove deduplicated rule. --- apparmor.d/abstractions/disks-read | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index e33ec2c3f..ee97ff04d 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -17,7 +17,6 @@ @{sys}/devices/@{pci}/ata@{int}/** r, @{sys}/devices/@{pci}/block/{s,v}d[a-z]/ r, @{sys}/devices/@{pci}/block/{s,v}d[a-z]/** r, - @{sys}/devices/@{pci}/host@{int}/** r, @{sys}/devices/@{pci}/usb@{int}/** r, @{sys}/devices/@{pci}/virtio@{int}/** r, @{sys}/devices/**/host@{int}/** r, From 7e1261953336cb284984718624a9357735ec1c51 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:25:09 +0200 Subject: [PATCH 716/798] refractor(abs): add deskop base abstractions. --- apparmor.d/abstractions/desktop | 47 ++-------------------------- apparmor.d/abstractions/gnome-base | 22 +++++++++++++ apparmor.d/abstractions/gnome-strict | 15 ++------- apparmor.d/abstractions/kde-base | 43 +++++++++++++++++++++++++ apparmor.d/abstractions/kde-strict | 33 ++----------------- apparmor.d/abstractions/xfce | 15 ++++++--- apparmor.d/abstractions/xfce-base | 16 ++++++++++ 7 files changed, 100 insertions(+), 91 deletions(-) create mode 100644 apparmor.d/abstractions/gnome-base create mode 100644 apparmor.d/abstractions/kde-base create mode 100644 apparmor.d/abstractions/xfce-base diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index c4abbd574..a087c4384 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -26,56 +26,15 @@ # if @{DE} == gnome - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - - @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, - - /etc/gnome/* r, - - / r, - - owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + include if exists # else if @{DE} == kde - @{lib}/kde{,3,4}/*.so mr, - @{lib}/kde{,3,4}/plugins/*/ r, - @{lib}/kde{,3,4}/plugins/*/*.so mr, - - /usr/share/knotifications{5,6}/*.notifyrc r, - - /etc/xdg/baloofilerc r, - /etc/xdg/kcminputrc r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, - - owner @{user_config_dirs}/baloofilerc r, - owner @{user_config_dirs}/dolphinrc r, - owner @{user_config_dirs}/kcminputrc r, - owner @{user_config_dirs}/kdedefaults/ r, - owner @{user_config_dirs}/kdedefaults/kcminputrc r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/@{profile_name}* rwlk, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/trashrc r, + include # else if @{DE} == xfce - /usr/share/xfce{,4}/ r, - - owner @{user_config_dirs}/xfce4/help{,ers}.rc rw, - owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw, + include # end diff --git a/apparmor.d/abstractions/gnome-base b/apparmor.d/abstractions/gnome-base new file mode 100644 index 000000000..c18628323 --- /dev/null +++ b/apparmor.d/abstractions/gnome-base @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal gnome specific rules. + + abi , + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(label=gnome-shell), + + @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, + + / r, + + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 227377f3a..195f3b0c5 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -4,6 +4,7 @@ abi , + # Common abstractions for any desktop environment include include include @@ -19,23 +20,13 @@ include include - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + # Gnome specific rules + include /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - @{system_share_dirs}/gvfs/remote-volume-monitors/{,*} r, - - /etc/gnome/* r, - - / r, - - owner @{user_share_dirs}/gnome-shell/session.gvdb rw, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-base b/apparmor.d/abstractions/kde-base new file mode 100644 index 000000000..2962bd299 --- /dev/null +++ b/apparmor.d/abstractions/kde-base @@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021-2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal kde specific rules. + + abi , + + @{lib}/kde{,3,4}/*.so mr, + @{lib}/kde{,3,4}/plugins/*/ r, + @{lib}/kde{,3,4}/plugins/*/*.so mr, + + /usr/share/knotifications{5,6}/*.notifyrc r, + /usr/share/kubuntu-default-settings/{,**} r, + + /etc/xdg/baloofilerc r, + /etc/xdg/kcminputrc r, + /etc/xdg/kdeglobals r, + /etc/xdg/kwinrc r, + + owner @{user_cache_dirs}/#@{int} rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, + + owner @{user_config_dirs}/baloofilerc r, + owner @{user_config_dirs}/dolphinrc r, + owner @{user_config_dirs}/kcminputrc r, + owner @{user_config_dirs}/kdedefaults/ r, + owner @{user_config_dirs}/kdedefaults/kcminputrc r, + owner @{user_config_dirs}/kdedefaults/kdeglobals r, + owner @{user_config_dirs}/kdedefaults/kwinrc r, + owner @{user_config_dirs}/kdeglobals r, + owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/session/ rw, + owner @{user_config_dirs}/session/*_* rwlk, + owner @{user_config_dirs}/session/#@{int} rw, + owner @{user_config_dirs}/trashrc r, + + owner @{user_share_dirs}/#@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 79e97b23f..42f58fa7a 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -4,6 +4,7 @@ abi , + # Common abstractions for any desktop environment include include include @@ -19,40 +20,12 @@ include include - @{lib}/kde{,3,4}/*.so mr, - @{lib}/kde{,3,4}/plugins/*/ r, - @{lib}/kde{,3,4}/plugins/*/*.so mr, + # Kde specific rules + include /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/knotifications{5,6}/*.notifyrc r, - /usr/share/kubuntu-default-settings/{,**} r, #aa:only ubuntu - - /etc/xdg/baloofilerc r, - /etc/xdg/kcminputrc r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}* rwlk, - - owner @{user_config_dirs}/baloofilerc r, - owner @{user_config_dirs}/dolphinrc r, - owner @{user_config_dirs}/kcminputrc r, - owner @{user_config_dirs}/kdedefaults/ r, - owner @{user_config_dirs}/kdedefaults/kcminputrc r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - owner @{user_config_dirs}/session/ rw, - owner @{user_config_dirs}/session/*_* rwlk, - owner @{user_config_dirs}/session/#@{int} rw, - owner @{user_config_dirs}/trashrc r, - - owner @{user_share_dirs}/#@{int} rw, include if exists diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index df13363fc..193af858b 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -4,19 +4,24 @@ abi , + # Common abstractions for any desktop environment include + include include - include + include include + include + include + include + include include + include include include include - /usr/share/xfce{,4}/ r, - - owner @{user_config_dirs}/xfce4/help{,ers}.rc rw, - owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw, + # XFCE specific rules + include include if exists diff --git a/apparmor.d/abstractions/xfce-base b/apparmor.d/abstractions/xfce-base new file mode 100644 index 000000000..04233c84b --- /dev/null +++ b/apparmor.d/abstractions/xfce-base @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal xfce specific rules. + + abi , + + /usr/share/xfce{,4}/ r, + + owner @{user_config_dirs}/xfce4/help{,ers}.rc rw, + owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw, + + include if exists + +# vim:syntax=apparmor From 2b9318c32e4784f4a0c34af9dddac840b1b70bf0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:26:41 +0200 Subject: [PATCH 717/798] chore(abs): cleanup vulkan-strict --- apparmor.d/abstractions/vulkan-strict | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index d4dd2fae6..1ad04157b 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -28,7 +28,9 @@ @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/devices/@{pci}/drm/ r, - @{sys}/devices/@{pci}/drm/card@{int}/gt_{min,cur,max}_freq_mhz r, + @{sys}/devices/@{pci}/drm/card@{int}/gt_cur_freq_mhz r, + @{sys}/devices/@{pci}/drm/card@{int}/gt_max_freq_mhz r, + @{sys}/devices/@{pci}/drm/card@{int}/gt_min_freq_mhz r, @{sys}/devices/@{pci}/drm/card@{int}/metrics/ r, @{sys}/devices/@{pci}/drm/card@{int}/metrics/@{uuid}/id r, From 582428c06efc886bf835b9d15880676b08b55e47 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:34:45 +0200 Subject: [PATCH 718/798] feat(profiles): various minor improvements. --- apparmor.d/abstractions/glibc | 2 +- apparmor.d/groups/bluetooth/blueman | 2 +- apparmor.d/groups/bluetooth/obexd | 2 +- apparmor.d/groups/gnome/gjs | 13 ++++++++++--- apparmor.d/groups/gnome/ptyxis-agent | 2 +- apparmor.d/groups/network/mullvad-daemon | 1 + apparmor.d/groups/network/nm-openvpn-service | 3 ++- apparmor.d/groups/procps/htop | 3 ++- apparmor.d/groups/ubuntu/apport | 13 +++++++------ apparmor.d/groups/virt/dockerd | 1 + apparmor.d/groups/xfce/xfce-clipman | 7 ++++--- apparmor.d/groups/xfce/xfce-session | 4 ++-- apparmor.d/profiles-a-f/dracut-install | 2 ++ apparmor.d/profiles-m-r/rfkill | 6 +++--- 14 files changed, 38 insertions(+), 23 deletions(-) diff --git a/apparmor.d/abstractions/glibc b/apparmor.d/abstractions/glibc index 8536470bd..09f7277d5 100644 --- a/apparmor.d/abstractions/glibc +++ b/apparmor.d/abstractions/glibc @@ -27,7 +27,7 @@ owner @{PROC}/@{pid}/status r, # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps, - # but in a format that is simpler to manage, because it doesn't require to + # but in a format that is easier to manage, because it doesn't require to # parse the text data inside a file, but just reading the contents of # a directory. owner @{PROC}/@{pid}/map_files/ r, diff --git a/apparmor.d/groups/bluetooth/blueman b/apparmor.d/groups/bluetooth/blueman index 08a553c1d..59c76e33a 100644 --- a/apparmor.d/groups/bluetooth/blueman +++ b/apparmor.d/groups/bluetooth/blueman @@ -25,7 +25,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) { network netlink raw, network bluetooth raw, - ptrace (read) peer=gjs-console, + ptrace read peer=gjs, #aa:dbus own bus=session name=org.blueman.Applet #aa:dbus own bus=session name=org.blueman.Manager diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd index 3ea17a4e5..ee56ba6e8 100644 --- a/apparmor.d/groups/bluetooth/obexd +++ b/apparmor.d/groups/bluetooth/obexd @@ -23,7 +23,7 @@ profile obexd @{exec_path} { dbus receive bus=system path=/org/bluez/obex/@{uuid} interface=org.bluez.Profile1 member=Release - peer=(name=:*, label="@{p_bluetoothd}"), + peer=(name=@{busname}, label="@{p_bluetoothd}"), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 388c90b14..3585fe2d9 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -89,14 +89,14 @@ profile gjs @{exec_path} flags=(attach_disconnected) { /usr/share/xkeyboard-config-2/{,**} r, /usr/share/thumbnailers/{,**} r, - owner @{gdm_cache_dirs}/gstreamer-1.0/registry.@{arch}.bin r, + owner @{gdm_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin{,.tmp@{rand6}} rw, owner @{gdm_config_dirs}/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, - owner @{user_cache_dirs}/gstreamer-1.0/ rw, - owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/ rw, + owner @{user_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin{,.tmp@{rand6}} rw, owner @{user_share_dirs}/gnome-shell/extensions/{,**} r, owner @{user_share_dirs}/nautilus/scripts/ r, @@ -115,8 +115,10 @@ profile gjs @{exec_path} flags=(attach_disconnected) { profile gstreamer { include + include include include + include include include @@ -126,6 +128,11 @@ profile gjs @{exec_path} flags=(attach_disconnected) { @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr, @{lib}/gstreamer-1.0/gst-plugin-scanner mr, + owner @{desktop_cache_dirs}/nvidia/GLCache/ rw, + owner @{desktop_cache_dirs}/nvidia/GLCache/** rwk, + + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + include if exists } diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index 6418193a6..dafb0505b 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -35,7 +35,7 @@ profile ptyxis-agent @{exec_path} { /dev/ptmx rw, - profile shell { + profile shell flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index d5c93fc5c..7506313ba 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -65,6 +65,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/system.slice/mullvad-early-boot-blocking.service/cpu.max r, @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/mountinfo r, @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw, @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 943386f61..a3db0c896 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -7,8 +7,9 @@ abi , include @{exec_path} = @{lib}/{,NetworkManager/}nm-openvpn-service -profile nm-openvpn-service @{exec_path} { +profile nm-openvpn-service @{exec_path} flags=(attach_disconnected) { include + include include capability kill, diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index ef14d9ca9..b02b0f692 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/htop -profile htop @{exec_path} { +profile htop @{exec_path} flags=(attach_disconnected) { include include include @@ -91,6 +91,7 @@ profile htop @{exec_path} { @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, @{PROC}/pressure/memory r, + @{PROC}/spl/kstat/zfs/arcstats r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/sched_autogroup_enabled r, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 211dda9cc..40b3f14d6 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -28,8 +28,8 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/{,e,f}grep rix, - @{bin}/dpkg rPx -> &child-dpkg, - @{bin}/dpkg-divert rPx -> &child-dpkg-divert, + @{bin}/dpkg rPx -> apport//&child-dpkg, + @{bin}/dpkg-divert rPx -> apport//&child-dpkg-divert, @{bin}/gdbus rix, @{bin}/md5sum rix, @@ -66,10 +66,11 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{run}/apport.lock rwk, @{run}/log/journal/ r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/environ r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/stat r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/environ r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/status r, @{PROC}/sys/fs/suid_dumpable w, @{PROC}/sys/kernel/core_pattern w, @{PROC}/sys/kernel/core_pipe_limit w, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 0a214ccd1..d90dbe8fe 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -109,6 +109,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cpuset.cpus.effective r, @{sys}/fs/cgroup/cpuset.mems.effective r, + @{sys}/fs/cgroup/system.slice/docker.service/cpu.max r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/xfce/xfce-clipman b/apparmor.d/groups/xfce/xfce-clipman index 270f7266f..45d2f4231 100644 --- a/apparmor.d/groups/xfce/xfce-clipman +++ b/apparmor.d/groups/xfce/xfce-clipman @@ -16,10 +16,11 @@ profile xfce-clipman @{exec_path} { @{exec_path} mr, - /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r, + @{bin}/xfce4-clipman-history rix, - owner @{user_cache_dirs}/xfce4/clipman/ r, - owner @{user_cache_dirs}/xfce4/clipman/* rw, + /etc/xdg/autostart/xfce4-clipman*.desktop r, + + owner @{user_cache_dirs}/xfce4/clipman/{,**} rw, owner @{user_config_dirs}/autostart/ r, owner @{user_config_dirs}/autostart/xfce4-clipman-plugin-autostart.desktop rw, diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session index be0f5c73d..bdb4b8d36 100644 --- a/apparmor.d/groups/xfce/xfce-session +++ b/apparmor.d/groups/xfce/xfce-session @@ -9,10 +9,10 @@ include @{exec_path} = @{bin}/xfce4-session profile xfce-session @{exec_path} flags=(attach_disconnected) { include - include + include include + include include - include include include include diff --git a/apparmor.d/profiles-a-f/dracut-install b/apparmor.d/profiles-a-f/dracut-install index e99760a73..5137cde8c 100644 --- a/apparmor.d/profiles-a-f/dracut-install +++ b/apparmor.d/profiles-a-f/dracut-install @@ -17,6 +17,8 @@ profile dracut-install @{exec_path} { /etc/modprobe.d/{,**} r, + / r, + @{sys}/devices/platform/{,**/} r, @{sys}/devices/platform/**/modalias r, @{sys}/module/compression r, diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill index c65298b27..9c5946f22 100644 --- a/apparmor.d/profiles-m-r/rfkill +++ b/apparmor.d/profiles-m-r/rfkill @@ -13,10 +13,10 @@ profile rfkill @{exec_path} { @{exec_path} mr, - /dev/rfkill rw, + @{sys}/devices/**/rfkill/rfkill@{int}/name r, + @{sys}/devices/**/rfkill/rfkill@{int}/type r, - @{sys}/devices/@{pci}/rfkill@{int}/{name,type} r, - @{sys}/devices/platform/**/rfkill/rfkill@{int}/{name,type} r, + /dev/rfkill rw, include if exists } From 71527e512c5726ce1107802fa505f674ba861949 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:44:33 +0200 Subject: [PATCH 719/798] fix(abs): x11: tmp file too strict. fix #872 --- apparmor.d/abstractions/X-strict | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index a92058206..316f1e3bb 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -22,7 +22,7 @@ /tmp/.ICE-unix/@{int} rw, /tmp/.X@{int}-lock rw, - /tmp/.X11-unix/X@{int} rw, + /tmp/.X11-unix/X@{int}{,_} rw, owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int}, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland From b1ac57e6fc6edac4550ed247ecd299d5b7529633 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:46:57 +0200 Subject: [PATCH 720/798] feat(profile): udisk: add support for squashfs. --- apparmor.d/groups/filesystem/udisksd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/filesystem/udisksd b/apparmor.d/groups/filesystem/udisksd index 91d4a8569..37fe5b4b3 100644 --- a/apparmor.d/groups/filesystem/udisksd +++ b/apparmor.d/groups/filesystem/udisksd @@ -35,8 +35,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/, # Allow mounting of loop devices (ISO files) - mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3,squashfs} /dev/loop[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3,squashfs} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/, # Allow mounting of cdrom mount fstype={btrfs,ext*,vfat,exfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, From 65b73d7e5d3228dbd583f506d8a583679f77583b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:47:48 +0200 Subject: [PATCH 721/798] feat(profile): update flatpak. --- apparmor.d/groups/flatpak/flatpak | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index 0b33cb6dc..b8ededbf0 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -9,14 +9,17 @@ include @{exec_path} = @{bin}/flatpak profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) { include + include include include include include include - include + include + include include include + include userns, @@ -25,6 +28,12 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain capability net_admin, capability sys_ptrace, + # Manage the sandbox + capability setgid, + capability setuid, + capability sys_admin, + capability sys_chroot, + network inet dgram, network inet6 dgram, network inet stream, @@ -33,7 +42,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/, - ptrace (read) peer=flatpak-app, + ptrace read peer=flatpak-app, + ptrace read peer=flatpak.*, + ptrace read peer=bwrap.*, signal send peer=flatpak-app, @@ -66,6 +77,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{bin}/gpgsm rCx -> gpg, @{lib}/revokefs-fuse rix, + # For flatpack enter, the shell is not confined on purpose. + @{bin}/@{shells} rUx, + @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, @{lib}/polkit-agent-helper-[0-9] rPx, @@ -74,6 +88,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /etc/flatpak/{,**} r, /etc/pulse/client.conf r, + / r, @{att}/ r, /var/lib/flatpak/{,**} rwlk, From ab3622344030214f7d6d2296d297d6aba1d8f008 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 18:50:56 +0200 Subject: [PATCH 722/798] refractor(abs): remove deprecated org.freedesktop.Avahi --- .../abstractions/bus/org.freedesktop.Avahi | 46 ------------------- 1 file changed, 46 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.Avahi diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi deleted file mode 100644 index 4ddf95af3..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ /dev/null @@ -1,46 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}" - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=org.freedesktop.Avahi), - - dbus send bus=system path=/ - interface=org.freedesktop.Avahi.Server - member={GetAPIVersion,GetState,Service*New} - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} - interface=org.freedesktop.Avahi.ServiceBrowser - member={ItemNew,ItemRemove,AllForNow,CacheExhausted} - peer=(name="@{busname}", label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/ - interface=org.freedesktop.Avahi.Server - member=StateChanged - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - dbus receive bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Found - peer=(name=@{busname}, label="@{p_avahi_daemon}"), - - dbus send bus=system path=/Client@{int}/ServiceResolver@{int} - interface=org.freedesktop.Avahi.ServiceResolver - member=Free - peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"), - - include if exists - -# vim:syntax=apparmor From c9756eacb6955a11ffe18d754820c33bd874bbcd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 19:09:15 +0200 Subject: [PATCH 723/798] feat(profile): add missing some avahi access. --- apparmor.d/groups/cups/cups-browsed | 1 + apparmor.d/groups/cups/cupsd | 1 + apparmor.d/groups/gvfs/gvfsd-dnssd | 1 + 3 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/cups/cups-browsed b/apparmor.d/groups/cups/cups-browsed index ca1dc9630..b4c0dc644 100644 --- a/apparmor.d/groups/cups/cups-browsed +++ b/apparmor.d/groups/cups/cups-browsed @@ -14,6 +14,7 @@ profile cups-browsed @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/cups/cupsd b/apparmor.d/groups/cups/cupsd index ec0bbfd67..145e43076 100644 --- a/apparmor.d/groups/cups/cupsd +++ b/apparmor.d/groups/cups/cupsd @@ -12,6 +12,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index aad9de3a0..a87c5bbc1 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -17,6 +17,7 @@ profile gvfsd-dnssd @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd From ea171aba10929cba845f50902acd284dd621627e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 19:27:45 +0200 Subject: [PATCH 724/798] feat(profile): update gnome profiles. --- apparmor.d/groups/gnome/gdm | 3 ++- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 ++ .../groups/gnome/gnome-photos-thumbnailer | 4 ++-- apparmor.d/groups/gnome/gnome-shell | 17 +++++++++-------- apparmor.d/groups/gnome/gnome-terminal-server | 2 ++ apparmor.d/groups/gnome/gnome-text-editor | 2 +- apparmor.d/groups/gnome/goa-identity-service | 4 ++-- apparmor.d/groups/gnome/gsd-media-keys | 11 +---------- .../groups/gnome/org.gnome.NautilusPreviewer | 2 ++ apparmor.d/groups/gnome/ptyxis-agent | 7 ++++++- apparmor.d/groups/gvfs/gvfsd-localtest | 8 ++++++++ dists/flags/main.flags | 10 +++++----- 13 files changed, 43 insertions(+), 31 deletions(-) diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 3f958cb7e..d202d5199 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -71,8 +71,9 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{GDM_HOME}/ rw, @{GDM_HOME}/** rw, + @{run}/gdm{,3}.pid rw, @{run}/gdm{,3}/ rw, - owner @{run}/gdm{,3}.pid rw, + @{run}/gdm{,3}/gdm.pid rw, owner @{run}/gdm{,3}/dbus/ rw, owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 3bab1b134..ca83c2fa2 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -37,7 +37,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { signal send set=hup peer=dbus-accessibility, signal send set=hup peer=dbus-session, signal send set=hup peer=dconf-service, - signal send set=hup peer=gjs-console, + signal send set=hup peer=gjs, signal send set=hup peer=gnome-*, signal send set=hup peer=gsd-*, signal send set=hup peer=ibus-*, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 9f78fb4fd..e2de80f8f 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -41,7 +41,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd #aa:dbus talk bus=session name=org.bluez.obex label=obexd #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store + #aa:dbus talk bus=session name=org.gnome.Identity label=goa-identity-service #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*" #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 31d9b7987..a954502a3 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -17,9 +17,9 @@ profile gnome-photos-thumbnailer @{exec_path} { owner @{user_pictures_dirs}/{,**} r, owner @{user_cache_dirs}/babl/{,**} r, - owner @{user_cache_dirs}/gegl-*/{,**} r, + owner @{user_cache_dirs}/gegl-@{version}/{,**} r, owner @{user_cache_dirs}/gnome-photos/thumbnails/{,**} rw, - owner @{user_share_dirs}/gegl-*/{,**} r, + owner @{user_share_dirs}/gegl-@{version}/{,**} r, owner /dev/shm/DzlCounters-@{int} rw, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index dd650a9ca..428c314e2 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -131,7 +131,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus receive bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved - peer=(name=:*, label="@{p_systemd_user}"), + peer=(name=@{busname}, label="@{p_systemd_user}"), dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu @@ -141,12 +141,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { dbus send bus=session path=/StatusNotifierItem interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session path=/org/mpris/MediaPlayer2 interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=:*), + peer=(name=@{busname}), dbus send bus=session interface=org.freedesktop.DBus.Introspectable @@ -314,14 +314,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/udev/tags/seat/ r, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) - @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+acpi:* r, # Exposes ACPI objects (power buttons, batteries, thermal) + @{run}/udev/data/+dmi:id r, # for motherboard info + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) + @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, # Identifies onboard devices (laptop/board model, power controllers, thermal sensors) @{run}/udev/data/+sound:card@{int} r, # for sound card - @{run}/udev/data/+i2c:* r, # For Inter-Integrated Circuit, low-speed peripherals (sensors, EEPROMs, etc.) - @{run}/udev/data/+hid:* r, # For Human Interface Device (mice, controllers, drawing tablets, scanners) @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index fe380dadd..1a14549f7 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -35,6 +35,8 @@ profile gnome-terminal-server @{exec_path} { @{exec_path} mr, + @{bin}/byobu PUx, + @{bin}/env ix, @{lib}/gnome-terminal-preferences ix, # The shell is not confined on purpose. diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 8aa950e2c..457660856 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gnome-text-editor -profile gnome-text-editor @{exec_path} { +profile gnome-text-editor @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service index 4509a6159..3efc1ac44 100644 --- a/apparmor.d/groups/gnome/goa-identity-service +++ b/apparmor.d/groups/gnome/goa-identity-service @@ -18,12 +18,12 @@ profile goa-identity-service @{exec_path} { dbus send bus=session path=/org/gnome/OnlineAccounts interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=goa-daemon), + peer=(name=@{busname}, label=goa-daemon), dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index b299ab7ff..5446af78d 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -30,6 +30,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell @@ -43,16 +44,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { member=ListNames peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/org/gnome/SettingsDaemon/Power - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gsd-power), - - dbus receive bus=session path=/org/gnome/SettingsDaemon/Power - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=@{busname}, label=gsd-power), - @{exec_path} mr, @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index e1bde2238..6a48af3f5 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -53,6 +53,8 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, + /dev/ r, + include if exists } diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent index dafb0505b..154b65bf2 100644 --- a/apparmor.d/groups/gnome/ptyxis-agent +++ b/apparmor.d/groups/gnome/ptyxis-agent @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/ptyxis-agent -profile ptyxis-agent @{exec_path} { +profile ptyxis-agent @{exec_path} flags=(attach_disconnected) { include include include @@ -22,6 +22,11 @@ profile ptyxis-agent @{exec_path} { unix type=stream peer=(label=ptyxis), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{bin}/podman Px, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index d1af3c60c..bdd3feb46 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest @@ -11,9 +11,17 @@ include profile gvfsd-localtest @{exec_path} { include include + include include include + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, include if exists diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 94eb1c07b..6431eb7ea 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -212,7 +212,7 @@ landscape-sysinfo.wrapper complain language-validate attach_disconnected,complain last complain lastlog complain -libreoffice complain +libreoffice attach_disconnected,complain libvirt-dbus complain libvirtd attach_disconnected,complain lightdm attach_disconnected,complain @@ -220,7 +220,7 @@ lightdm-session complain linux-check-removal complain linux-update-symlinks complain locale-gen complain -localectl complain +localectl attach_disconnected,complain localsearch complain localsearch-control complain localsearch-writeback complain @@ -269,8 +269,8 @@ plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted pollinate complain -ptyxis complain -ptyxis-agent complain +ptyxis attach_disconnected,complain +ptyxis-agent attach_disconnected,complain pycompile complain qdbus complain remmina complain @@ -291,7 +291,7 @@ snap-seccomp attach_disconnected,complain snap-update-ns complain snapd complain snapd-apparmor complain -snapshot complain +snapshot attach_disconnected,complain speech-dispatcher complain sshd-auth complain ssservice complain From 0a206eb49df5c5700ab7c4c0d9e1704a0ca8272f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 19:29:49 +0200 Subject: [PATCH 725/798] feat(profile): prevent ps from ptrace. --- apparmor.d/groups/procps/ps | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index 7663cbf5d..ab6f3486c 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -14,9 +14,6 @@ profile ps @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, - capability sys_ptrace, - - ptrace (read), @{exec_path} mr, @@ -52,6 +49,14 @@ profile ps @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, + # While commands like 'ps', 'ip netns identify ', 'ip netns pids foo', etc + # trigger a 'ptrace trace' denial, they aren't actually tracing other + # processes. Unfortunately, the kernel overloads trace such that the LSMs are + # unable to distinguish between tracing other processes and other accesses. + deny capability sys_ptrace, + deny ptrace trace, + deny ptrace read, + include if exists } From 714f535a540805956c253e42241a7ecf97bef149 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 21 Sep 2025 12:25:52 +0200 Subject: [PATCH 726/798] Update sddm-greeter: add mediate_deleted profile sddm-greeter flags=(mediate_deleted) { owner link /var/lib/sddm/.cache/sddm-greeter-qt6/qtpipelinecache-@{arch}-little_endian-lp64/#@{int8} , # Failed name lookup - deleted entry owner link /var/lib/sddm/.cache/sddm-greeter-qt6/qtpipelinecache-@{arch}-little_endian-lp64/qqpc_opengl.BalADW -> /var/lib/sddm/.cache/sddm-greeter-qt6/qtpipelinecache-@{arch}-little_endian-lp64/#@{int8}, owner link /var/lib/sddm/.cache/sddm-greeter-qt6/qtpipelinecache-@{arch}-little_endian-lp64/qqpc_opengl.cgulsP -> /var/lib/sddm/.cache/sddm-greeter-qt6/qtpipelinecache-@{arch}-little_endian-lp64/#@{int8}, --- apparmor.d/groups/kde/sddm-greeter | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 56c142787..4fa1d0a3f 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/sddm-greeter{,-qt6} -profile sddm-greeter @{exec_path} flags=(attach_disconnected) { +profile sddm-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -48,8 +48,11 @@ profile sddm-greeter @{exec_path} flags=(attach_disconnected) { /etc/sddm.conf r, /etc/sddm.conf.d/{,*} r, /etc/xdg/plasmarc r, - /var/lib/AccountsService/icons/* r, - /var/lib/dbus/machine-id r, + + /var/lib/AccountsService/icons/* r, + /var/lib/dbus/machine-id r, + owner /var/lib/sddm/.cache/sddm-greeter/qtshadercache-x86_64-little_endian-lp64/#@{int8} rw, + owner /var/lib/sddm/.cache/sddm-greeter/qtshadercache-x86_64-little_endian-lp64/qqpc_opengl.@{rand6} l -> /var/lib/sddm/.cache/sddm-greeter/qtshadercache-x86_64-little_endian-lp64/#@{int8}, @{SDDM_HOME}/state.conf r, owner @{SDDM_HOME}/** rw, From 364c863cd0301c687d9c2c7a50853fe76f4987bf Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 21 Sep 2025 12:38:00 +0200 Subject: [PATCH 727/798] Update main.flags: adding mediate_deleted to sddm-greeter --- dists/flags/main.flags | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 6431eb7ea..0ca180951 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -278,7 +278,7 @@ run-parts complain runuser complain sdcv complain sddm attach_disconnected,mediate_deleted,complain -sddm-greeter attach_disconnected,complain +sddm-greeter attach_disconnected,mediate_deleted,complain secure-time-sync attach_disconnected,complain sftp-server complain sing-box complain From 57fd6a939a6094bb4cdb905b455fa4f68905960a Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 21 Sep 2025 17:50:34 +0200 Subject: [PATCH 728/798] Update sddm-greeter --- apparmor.d/groups/kde/sddm-greeter | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 4fa1d0a3f..f382cc76d 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -49,11 +49,9 @@ profile sddm-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/sddm.conf.d/{,*} r, /etc/xdg/plasmarc r, - /var/lib/AccountsService/icons/* r, - /var/lib/dbus/machine-id r, - owner /var/lib/sddm/.cache/sddm-greeter/qtshadercache-x86_64-little_endian-lp64/#@{int8} rw, - owner /var/lib/sddm/.cache/sddm-greeter/qtshadercache-x86_64-little_endian-lp64/qqpc_opengl.@{rand6} l -> /var/lib/sddm/.cache/sddm-greeter/qtshadercache-x86_64-little_endian-lp64/#@{int8}, - + /var/lib/AccountsService/icons/* r, + /var/lib/dbus/machine-id r, + @{SDDM_HOME}/state.conf r, owner @{SDDM_HOME}/** rw, owner @{SDDM_HOME}/#@{int} mrw, From 8174a6d2ec8041796f1c0a5377830a478146414c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 21 Sep 2025 20:12:35 +0200 Subject: [PATCH 729/798] fix(profile): linter issue. --- apparmor.d/groups/kde/sddm-greeter | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f382cc76d..49496ec15 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -48,10 +48,10 @@ profile sddm-greeter @{exec_path} flags=(attach_disconnected,mediate_deleted) { /etc/sddm.conf r, /etc/sddm.conf.d/{,*} r, /etc/xdg/plasmarc r, - + /var/lib/AccountsService/icons/* r, /var/lib/dbus/machine-id r, - + @{SDDM_HOME}/state.conf r, owner @{SDDM_HOME}/** rw, owner @{SDDM_HOME}/#@{int} mrw, From 71b81ff27258e9af911bd05e38e762d64acf9245 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Mon, 22 Sep 2025 02:43:27 +0200 Subject: [PATCH 730/798] fix zpool --- apparmor.d/profiles-s-z/zpool | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 89a3e1b29..4c1c30c7c 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -13,8 +13,7 @@ profile zpool @{exec_path} { capability sys_admin, - mount fstype=zfs options=(rw noatime) hdzpool -> @{MOUNTS}/, - mount fstype=zfs options=(rw noatime) sszpool -> @{MOUNTS}/, + mount fstype=zfs options=(rw noatime) * -> @{MOUNTS}/, @{exec_path} mr, From 500db221917e4e3991e4e95ddda61ab0263362c3 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Mon, 22 Sep 2025 12:50:02 +0200 Subject: [PATCH 731/798] Update lscpu: adding attach_disconnected See https://github.com/roddhjav/apparmor.d/issues/874 --- apparmor.d/groups/utils/lscpu | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/utils/lscpu b/apparmor.d/groups/utils/lscpu index caa2b5628..ae87ad10f 100644 --- a/apparmor.d/groups/utils/lscpu +++ b/apparmor.d/groups/utils/lscpu @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/lscpu -profile lscpu @{exec_path} { +profile lscpu @{exec_path} flags=(attach_disconnected) { include include From acca23f1a9aa29d4583da0d04054de58dcc9e772 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Mon, 22 Sep 2025 12:51:29 +0200 Subject: [PATCH 732/798] Update main.flags: adding lscpu --- dists/flags/main.flags | 1 + 1 file changed, 1 insertion(+) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 0ca180951..3254f3c01 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -227,6 +227,7 @@ localsearch-writeback complain login attach_disconnected,complain loginctl complain low-memory-monitor attach_disconnected,complain +lscpu attach_disconnected lvm attach_disconnected,complain lvmconfig complain lvmdump complain From c256243ac8391aeb42baff53be839ff269986fa9 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Mon, 22 Sep 2025 12:59:50 +0200 Subject: [PATCH 733/798] Update flatpak: adding gschemas abs `ALLOWED flatpak open /usr/share/glib-2.0/schemas/gschemas.compiled comm=flatpak requested_mask=r denied_mask=r` --- apparmor.d/groups/flatpak/flatpak | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index b8ededbf0..da93bf30d 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -16,6 +16,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include include + include include include include From bbc75147e235c56d8e2dd4e36e0d6554a44b9de8 Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Mon, 22 Sep 2025 18:04:40 +0200 Subject: [PATCH 734/798] fix zpool again --- apparmor.d/profiles-s-z/zpool | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 4c1c30c7c..f8ae5d91a 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -13,7 +13,7 @@ profile zpool @{exec_path} { capability sys_admin, - mount fstype=zfs options=(rw noatime) * -> @{MOUNTS}/, + mount fstype=zfs options=(rw noatime) ** -> @{MOUNTS}/, @{exec_path} mr, From 18cd23b6bbdcd5ac8e454a80b301e0ee95a5260b Mon Sep 17 00:00:00 2001 From: Stoppedpuma <58333920+Stoppedpuma@users.noreply.github.com> Date: Mon, 22 Sep 2025 18:47:56 +0200 Subject: [PATCH 735/798] zpool review fix --- apparmor.d/profiles-s-z/zpool | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index f8ae5d91a..1e8c843c0 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -13,7 +13,7 @@ profile zpool @{exec_path} { capability sys_admin, - mount fstype=zfs options=(rw noatime) ** -> @{MOUNTS}/, + mount fstype=zfs options=(rw noatime) -> @{MOUNTS}/, @{exec_path} mr, From 1eb38912fff124dbb1f407a40ac717bc87c835e4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 21:45:36 +0200 Subject: [PATCH 736/798] fix(profile): grub-probe add attach_disconnected flag. --- apparmor.d/groups/grub/grub-probe | 2 +- dists/flags/main.flags | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index c767d2f02..877fdbd0a 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{sbin}/grub-probe -profile grub-probe @{exec_path} { +profile grub-probe @{exec_path} flags=(attach_disconnected) { include include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 3254f3c01..34b95af65 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -149,7 +149,7 @@ grub-mkstandalone complain grub-mount complain grub-multi-install complain grub-ntldr-img complain -grub-probe complain +grub-probe attach_disconnected,complain grub-reboot complain grub-render-label complain grub-script-check complain From cddbd9ca3f36426397d9e21678dd0d667d84cea4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 21:47:06 +0200 Subject: [PATCH 737/798] fix(profile): bluetoothd dbus definition. --- apparmor.d/groups/bluetooth/bluetoothd | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd index 12c8e2e80..ff9b8586e 100644 --- a/apparmor.d/groups/bluetooth/bluetoothd +++ b/apparmor.d/groups/bluetooth/bluetoothd @@ -24,17 +24,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { network alg seqpacket, network netlink raw, - #aa:dbus own bus=system name=org.bluez - - dbus send bus=system path=/{,MediaEndpoint} - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=@{busname}), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member={InterfacesRemoved,InterfacesAdded} - peer=(name=org.freedesktop.DBus), + #aa:dbus own bus=system name=org.bluez path=/{,**} @{exec_path} mr, From 43b621a1616abece8e39e8dc01dcb2f2767623dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 21:58:04 +0200 Subject: [PATCH 738/798] feat(profile): apparmor_parser: more generic path for apparmor profiles from opt app Usually shipped for usner unconfined profile We cannot deny them otherwise the parser will fail and the app won't be allowed to run. --- apparmor.d/groups/apparmor/apparmor_parser | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/apparmor/apparmor_parser b/apparmor.d/groups/apparmor/apparmor_parser index 4e3216d72..f65ac2ed6 100644 --- a/apparmor.d/groups/apparmor/apparmor_parser +++ b/apparmor.d/groups/apparmor/apparmor_parser @@ -21,7 +21,8 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/snapd/apparmor.d/{,**} r, @{lib_dirs}/snapd/apparmor/{,**} r, - /opt/Mullvad*/resources/apparmor_mullvad r, + /opt/*/resources/apparmor_* r, + /opt/*/resources/apparmor-profile r, /usr/share/apparmor-features/{,**} r, /usr/share/apparmor/{,**} r, From 5dbff7127b3c7741f9b295825a9026a17e189306 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 22:00:30 +0200 Subject: [PATCH 739/798] feat(profile): improve some kmod path. --- apparmor.d/groups/apt/dpkg-scripts | 4 ++++ apparmor.d/profiles-m-r/initramfs-hooks | 1 + apparmor.d/profiles-m-r/mkinitramfs | 10 ++++++---- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index 2434c9db9..f49304709 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -106,6 +106,10 @@ profile dpkg-scripts @{exec_path} { include include + @{lib}/modules/*/modules.* w, + + @{sys}/module/compression r, + include if exists } diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index 89a57310f..c3c2c9f4d 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -63,6 +63,7 @@ profile initramfs-hooks @{exec_path} { owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**, owner /var/tmp/mkinitramfs-@{rand6} rw, owner /var/tmp/mkinitramfs-*_@{rand6} rw, + owner /var/tmp/mkinitramfs-EFW_@{rand10}/{,**} rwl, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index d94e5aa44..800013c9a 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -167,16 +167,18 @@ profile mkinitramfs @{exec_path} { include owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r, - owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, - owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r, + owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, + owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, + + owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/@{lib}/modules/{,**} r, owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r, - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw, - owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r, owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r, owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/**/*.ko* r, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw, + owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r, @{sys}/module/compression r, From 2a6f51e83486ef8966557b6b17ae9067d488c31a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 22:03:24 +0200 Subject: [PATCH 740/798] feat(profile): improve kernel profile. --- apparmor.d/profiles-g-l/kernel | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-g-l/kernel b/apparmor.d/profiles-g-l/kernel index c46b5556e..ea444f7f1 100644 --- a/apparmor.d/profiles-g-l/kernel +++ b/apparmor.d/profiles-g-l/kernel @@ -57,6 +57,8 @@ profile kernel @{exec_path} { /etc/apt/apt.conf.d/ r, /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw, + /var/lib/kdump/* w, + @{run}/reboot-required w, @{run}/reboot-required.pkgs rw, From 8009afb39ebb9701d4d3058698c8935024695d84 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 22:40:09 +0200 Subject: [PATCH 741/798] fix(profile): add some missing uevent. --- apparmor.d/groups/freedesktop/boltd | 2 +- apparmor.d/groups/freedesktop/colord | 2 +- apparmor.d/groups/gnome/org.gnome.NautilusPreviewer | 1 + apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor | 1 + apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor | 2 ++ apparmor.d/groups/virt/libvirtd | 1 + apparmor.d/profiles-a-f/fprintd | 2 +- apparmor.d/profiles-m-r/rngd | 1 + apparmor.d/profiles-s-z/switcheroo-control | 2 +- 9 files changed, 10 insertions(+), 4 deletions(-) diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index 5b72f8427..d7888698d 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -33,7 +33,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/thunderbolt/devices/ r, @{sys}/bus/wmi/devices/ r, @{sys}/class/ r, - @{sys}/devices/@{pci}/@{uuid}/uevent r, + @{sys}/devices/@{pci}/uevent r, @{sys}/devices/@{pci}/device r, @{sys}/devices/@{pci}/domain@{int}/ r, @{sys}/devices/@{pci}/domain@{int}/{security,uevent} r, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index c069b7afd..54c0d147e 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -55,9 +55,9 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{sys}/bus/scsi/devices/ r, @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/{vendor,model,type} r, @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r, - @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 6a48af3f5..63b12165c 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -40,6 +40,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/@{pci_bus}/uevent r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor index ece97e688..592f60809 100644 --- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor @@ -28,6 +28,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} { /etc/fstab r, @{sys}/class/scsi_generic/ r, + @{sys}/devices/**/uevent r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor index fd3b38012..a69937199 100644 --- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor @@ -24,6 +24,8 @@ profile gvfs-mtp-volume-monitor @{exec_path} { @{exec_path} mr, + @{sys}/devices/**/uevent r, + include if exists } diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 378449352..aae554b92 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -212,6 +212,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/mm/hugepages/{,**} r, @{sys}/kernel/security/apparmor/profiles r, + @{sys}/module/*/uevent r, @{sys}/module/kvm_*/parameters/* r, @{sys}/module/vhost/parameters/max_mem_regions r, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 8a5f9c01a..924fe4bc6 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -33,7 +33,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, - @{sys}/devices/**/hidraw/hidraw@{int}/uevent r, + @{sys}/devices/**/uevent r, include if exists } diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd index 2e548d40c..0a704f0e7 100644 --- a/apparmor.d/profiles-m-r/rngd +++ b/apparmor.d/profiles-m-r/rngd @@ -27,6 +27,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/misc/hw_random/rng_available r, @{PROC}/sys/kernel/random/poolsize r, diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control index fd7473365..dff61fb5d 100644 --- a/apparmor.d/profiles-s-z/switcheroo-control +++ b/apparmor.d/profiles-s-z/switcheroo-control @@ -29,8 +29,8 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/drm/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/**/uevent r, include if exists From df41b5029a0666830d847aac476cb4980b1fda59 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 23:25:10 +0200 Subject: [PATCH 742/798] fix(profile): add some missing uevent. --- apparmor.d/groups/freedesktop/wireplumber | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 2 ++ apparmor.d/groups/gnome/gjs | 2 ++ apparmor.d/profiles-g-l/gimp | 2 +- apparmor.d/profiles-s-z/simple-scan | 1 + dists/flags/main.flags | 5 +++-- 6 files changed, 10 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index 2df34a4f4..c4d4c9c17 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -71,6 +71,7 @@ profile wireplumber @{exec_path} { @{sys}/devices/**/device:*/{,**/}path r, @{sys}/devices/**/sound/**/pcm_class r, @{sys}/devices/**/sound/**/uevent r, + @{sys}/devices/**/uevent r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, @{sys}/devices/virtual/dmi/id/bios_vendor r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 30b415204..c42d939f5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -84,6 +84,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, + @{sys}/devices/**/uevent r, + owner @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index 3585fe2d9..a25cb8d38 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -133,6 +133,8 @@ profile gjs @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/**/uevent r, + include if exists } diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index ad324e153..57c6a72e0 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/gimp{,-*} -profile gimp @{exec_path} { +profile gimp @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-s-z/simple-scan b/apparmor.d/profiles-s-z/simple-scan index 64ee9fb11..6eb46a22b 100644 --- a/apparmor.d/profiles-s-z/simple-scan +++ b/apparmor.d/profiles-s-z/simple-scan @@ -34,6 +34,7 @@ profile simple-scan @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, @{sys}/bus/scsi/devices/ r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/board_name r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/board_version r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 34b95af65..dbed09959 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -227,7 +227,9 @@ localsearch-writeback complain login attach_disconnected,complain loginctl complain low-memory-monitor attach_disconnected,complain -lscpu attach_disconnected +lsfd attach_disconnected,complain +lslocks attach_disconnected,complain +lsns attach_disconnected,complain lvm attach_disconnected,complain lvmconfig complain lvmdump complain @@ -255,7 +257,6 @@ nvidia-persistenced complain ollama attach_disconnected,complain os-prober attach_disconnected,complain pam_kwallet_init complain -papers complain passimd attach_disconnected,complain pkla-admin-identities complain pkla-check-authorization complain From c1846fe7fc82c74ad20a257cacca6d4552c4611b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 22 Sep 2025 23:30:39 +0200 Subject: [PATCH 743/798] refractor(abs): common/bwrap -> bwrap This abstraction used to be considered as layer 2. It is now however a layer 0 abstraction. As such it needs to be moved. --- apparmor.d/abstractions/{common => }/bwrap | 2 +- apparmor.d/groups/browsers/epiphany | 2 +- apparmor.d/groups/flatpak/flatpak-app | 2 +- .../groups/freedesktop/xdg-desktop-portal-validate-icon | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-control-center-goa-helper | 2 +- apparmor.d/groups/gnome/gnome-desktop-thumbnailers | 2 +- apparmor.d/groups/gnome/loupe | 2 +- apparmor.d/groups/steam/steam | 4 ++-- apparmor.d/groups/steam/steam-game-proton | 2 +- apparmor.d/profiles-a-f/foliate | 2 +- apparmor.d/profiles-a-f/fractal | 2 +- apparmor.d/profiles-m-r/metadata-cleaner | 2 +- apparmor.d/profiles-s-z/totem | 2 +- apparmor.d/profiles-s-z/wechat-universal | 2 +- apparmor.d/profiles-s-z/wemeet | 2 +- 16 files changed, 17 insertions(+), 17 deletions(-) rename apparmor.d/abstractions/{common => }/bwrap (97%) diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/bwrap similarity index 97% rename from apparmor.d/abstractions/common/bwrap rename to apparmor.d/abstractions/bwrap index 2d3ab179f..47a16085a 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/bwrap @@ -61,6 +61,6 @@ owner @{att}/@{PROC}/@{pid}/setgroups rw, owner @{att}/@{PROC}/@{pid}/uid_map rw, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 45a32868e..81610322b 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -13,7 +13,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include - include + include include include include diff --git a/apparmor.d/groups/flatpak/flatpak-app b/apparmor.d/groups/flatpak/flatpak-app index e6be7ef4f..7fcd7d8a8 100644 --- a/apparmor.d/groups/flatpak/flatpak-app +++ b/apparmor.d/groups/flatpak/flatpak-app @@ -26,7 +26,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { include include include - include + include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon index 2c6c37538..e73cb054c 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-validate-icon @@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-validate-icon profile xdg-desktop-portal-validate-icon @{exec_path} flags=(attach_disconnected) { include - include + include include capability dac_override, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index e2de80f8f..d146f576d 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -204,7 +204,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { profile bwrap flags=(attach_disconnected) { include - include + include @{bin}/bwrap mr, diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 8b813d260..687ac4d9e 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -64,7 +64,7 @@ profile gnome-control-center-goa-helper @{exec_path} { profile bwrap flags=(attach_disconnected,complain) { include - include + include @{bin}/bwrap mr, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index 436d82443..b0bb1cb46 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -8,7 +8,7 @@ include profile gnome-desktop-thumbnailers flags=(attach_disconnected) { include - include + include include include diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index ea55ee902..4714a4cdb 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -63,7 +63,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { profile bwrap flags=(attach_disconnected) { include - include + include unix type=stream peer=(label=loupe), diff --git a/apparmor.d/groups/steam/steam b/apparmor.d/groups/steam/steam index e3fcb1931..36b725c54 100644 --- a/apparmor.d/groups/steam/steam +++ b/apparmor.d/groups/steam/steam @@ -252,7 +252,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile web flags=(attach_disconnected,mediate_deleted,complain) { include include - include + include include include include @@ -378,7 +378,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile check flags=(attach_disconnected,mediate_deleted,complain) { include - include + include include capability dac_override, diff --git a/apparmor.d/groups/steam/steam-game-proton b/apparmor.d/groups/steam/steam-game-proton index 1b094c2a3..1ace879b9 100644 --- a/apparmor.d/groups/steam/steam-game-proton +++ b/apparmor.d/groups/steam/steam-game-proton @@ -16,7 +16,7 @@ include @{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { include - include + include include include include diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index a07976ce9..e36f7f8da 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/foliate profile foliate @{exec_path} flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index a7222a664..7b771246a 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -46,7 +46,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { profile bwrap flags=(attach_disconnected) { include - include + include signal receive set=kill peer=fractal, diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 808427d85..b9e2ba452 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -42,7 +42,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { profile bwrap flags=(attach_disconnected) { include - include + include include signal receive set=(kill) peer=metadata-cleaner, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index d1e429d45..9d55b7cd2 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -61,7 +61,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { profile bwrap flags=(attach_disconnected) { include - include + include include include include diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 94da6c60e..72e2d0add 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -16,7 +16,7 @@ include profile wechat-universal @{exec_path} flags=(attach_disconnected) { include include - include + include include include diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 0b83e44c8..e943228bd 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -14,7 +14,7 @@ include profile wemeet @{exec_path} flags=(attach_disconnected) { include include - include + include include include include From b8071c0fe9add9ba866d4cc1cf766b9db17cec78 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 00:15:14 +0200 Subject: [PATCH 744/798] feat(profile): Improve restriction of bwrap when used with glycin. Bwrap needs privileges to create a sandbox. If the sandbox runs in the same profile as bwrap, then it runs with a lot of access. Most of these accesses are either dropped early by bwrap or not available from within the sandbox. It is still a good practice to ensure that bwrap and the sandboxed app run in different profile (separation, defence in depth...). However, due to the use of the no-new-pris flag by bwrap, this requires stacking bwrap & the app profile together. It is not a security issue (on the contrary). But it may be complex to manage. --- apparmor.d/groups/gnome/loupe | 14 ++++++++++---- apparmor.d/profiles-a-f/fractal | 18 ++++++++++++++---- 2 files changed, 24 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 4714a4cdb..d82de2adf 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -70,13 +70,19 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal receive set=kill peer=loupe, @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-* rix, + @{lib}/glycin-loaders/*/glycin-* Px -> loupe//bwrap//&loupe//glycin, - owner @{PROC}/@{pid}/fd/ r, + include if exists + } - deny @{user_share_dirs}/gvfs-metadata/* r, + profile glycin flags=(attach_disconnected) { + include - include if exists + unix type=stream peer=(label=loupe), + + @{lib}/glycin-loaders/*/glycin-* mr, + + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 7b771246a..60e6e1467 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -51,15 +51,25 @@ profile fractal @{exec_path} flags=(attach_disconnected) { signal receive set=kill peer=fractal, @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-* rix, + @{lib}/glycin-loaders/*/glycin-* Px -> fractal//bwrap//&fractal//glycin, + + /usr/share/gtksourceview-@{d}/{,**} r, owner @{run}/user/@{uid}/fractal/.tmp@{rand6} r, - owner @{PROC}/@{pid}/fd/ r, + include if exists + } + + profile glycin flags=(attach_disconnected) { + include - deny @{user_share_dirs}/gvfs-metadata/* r, + @{lib}/glycin-loaders/*/glycin-* mr, - include if exists + @{att}/usr/share/gtksourceview-@{d}/{,**} r, + + owner @{att}/@{run}/user/@{uid}/fractal/.tmp@{rand6} r, + + include if exists } include if exists From 9ea457418065da3e89f624e84efa1f20630fac9a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 19:53:32 +0200 Subject: [PATCH 745/798] feat(abs): add the gvfs-backend abstraction. --- apparmor.d/abstractions/gvfs-backend | 28 +++++++++++++++++++++++++ apparmor.d/groups/gvfs/gvfsd-admin | 11 +--------- apparmor.d/groups/gvfs/gvfsd-afc | 11 +--------- apparmor.d/groups/gvfs/gvfsd-afp | 11 +--------- apparmor.d/groups/gvfs/gvfsd-afp-browse | 11 +--------- apparmor.d/groups/gvfs/gvfsd-archive | 11 +--------- apparmor.d/groups/gvfs/gvfsd-burn | 11 +--------- apparmor.d/groups/gvfs/gvfsd-cdda | 11 +--------- apparmor.d/groups/gvfs/gvfsd-computer | 10 +-------- apparmor.d/groups/gvfs/gvfsd-dav | 11 +--------- apparmor.d/groups/gvfs/gvfsd-dnssd | 10 +-------- apparmor.d/groups/gvfs/gvfsd-ftp | 11 +--------- apparmor.d/groups/gvfs/gvfsd-fuse | 11 +--------- apparmor.d/groups/gvfs/gvfsd-google | 11 +--------- apparmor.d/groups/gvfs/gvfsd-gphoto2 | 11 +--------- apparmor.d/groups/gvfs/gvfsd-http | 12 ++--------- apparmor.d/groups/gvfs/gvfsd-localtest | 11 +--------- apparmor.d/groups/gvfs/gvfsd-metadata | 10 +-------- apparmor.d/groups/gvfs/gvfsd-mtp | 11 +--------- apparmor.d/groups/gvfs/gvfsd-network | 10 +-------- apparmor.d/groups/gvfs/gvfsd-nfs | 11 +--------- apparmor.d/groups/gvfs/gvfsd-recent | 9 -------- apparmor.d/groups/gvfs/gvfsd-sftp | 10 +-------- apparmor.d/groups/gvfs/gvfsd-smb | 11 +--------- apparmor.d/groups/gvfs/gvfsd-smb-browse | 10 +-------- apparmor.d/groups/gvfs/gvfsd-trash | 10 +-------- apparmor.d/groups/gvfs/gvfsd-wsdd | 13 +++--------- 27 files changed, 56 insertions(+), 252 deletions(-) create mode 100644 apparmor.d/abstractions/gvfs-backend diff --git a/apparmor.d/abstractions/gvfs-backend b/apparmor.d/abstractions/gvfs-backend new file mode 100644 index 000000000..fb925118b --- /dev/null +++ b/apparmor.d/abstractions/gvfs-backend @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow to act as a gvfs backend app + + abi , + + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd + + # Server's side of session/org.gtk.vfs.MountOperation + dbus send bus=session path=/org/gtk/gvfs/mountop/@{int} + interface=org.gtk.vfs.MountOperation + member={AskPassword,AskQuestion} + peer=(name=@{busname}), + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin index 5a1fd1c82..e10c5da5c 100644 --- a/apparmor.d/groups/gvfs/gvfsd-admin +++ b/apparmor.d/groups/gvfs/gvfsd-admin @@ -11,9 +11,7 @@ include profile gvfsd-admin @{exec_path} { include include - include - include - include + include include include @@ -23,13 +21,6 @@ profile gvfsd-admin @{exec_path} { capability fowner, capability setuid, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, #aa:lint ignore=too-wide diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc index da231f469..18d5d491f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afc +++ b/apparmor.d/groups/gvfs/gvfsd-afc @@ -11,16 +11,7 @@ include profile gvfsd-afc @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp index db6fe5a48..b844778a4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp +++ b/apparmor.d/groups/gvfs/gvfsd-afp @@ -11,16 +11,7 @@ include profile gvfsd-afp @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse index a39e25785..929b50317 100644 --- a/apparmor.d/groups/gvfs/gvfsd-afp-browse +++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse @@ -11,16 +11,7 @@ include profile gvfsd-afp-browse @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive index 68b1e7765..5d72f2aaa 100644 --- a/apparmor.d/groups/gvfs/gvfsd-archive +++ b/apparmor.d/groups/gvfs/gvfsd-archive @@ -11,19 +11,10 @@ include profile gvfsd-archive @{exec_path} { include include - include - include - include + include include include - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, owner @{HOME}/**.{tar,tar.gz,zip} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn index 09062241a..25c6baf9f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-burn +++ b/apparmor.d/groups/gvfs/gvfsd-burn @@ -11,16 +11,7 @@ include profile gvfsd-burn @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda index 356f8dcd3..63050efdd 100644 --- a/apparmor.d/groups/gvfs/gvfsd-cdda +++ b/apparmor.d/groups/gvfs/gvfsd-cdda @@ -11,16 +11,7 @@ include profile gvfsd-cdda @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer index 667b448c4..5df7f9866 100644 --- a/apparmor.d/groups/gvfs/gvfsd-computer +++ b/apparmor.d/groups/gvfs/gvfsd-computer @@ -11,18 +11,10 @@ include profile gvfsd-computer @{exec_path} { include include - include - include - include + include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav index b335724cb..85344d0d4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dav +++ b/apparmor.d/groups/gvfs/gvfsd-dav @@ -11,9 +11,7 @@ include profile gvfsd-dav @{exec_path} { include include - include - include - include + include include include include @@ -28,13 +26,6 @@ profile gvfsd-dav @{exec_path} { network inet6 dgram, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index a87c5bbc1..39795a4a9 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -12,20 +12,12 @@ profile gvfsd-dnssd @{exec_path} { include include include - include - include - include + include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp index 3b36fc4f1..77afc6e75 100644 --- a/apparmor.d/groups/gvfs/gvfsd-ftp +++ b/apparmor.d/groups/gvfs/gvfsd-ftp @@ -11,9 +11,7 @@ include profile gvfsd-ftp @{exec_path} { include include - include - include - include + include include include include @@ -24,13 +22,6 @@ profile gvfsd-ftp @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index f67068f49..809a2a281 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -11,9 +11,7 @@ include profile gvfsd-fuse @{exec_path} { include include - include - include - include + include include capability sys_admin, @@ -22,13 +20,6 @@ profile gvfsd-fuse @{exec_path} { unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google index 819e84c39..1709457dc 100644 --- a/apparmor.d/groups/gvfs/gvfsd-google +++ b/apparmor.d/groups/gvfs/gvfsd-google @@ -11,16 +11,7 @@ include profile gvfsd-google @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2 index 0544000c0..e82299f27 100644 --- a/apparmor.d/groups/gvfs/gvfsd-gphoto2 +++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2 @@ -11,16 +11,7 @@ include profile gvfsd-gphoto2 @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 2678bde40..94667e71f 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,11 +11,9 @@ include profile gvfsd-http @{exec_path} { include include - include - include - include + include include - # include + include include include include @@ -30,12 +28,6 @@ profile gvfsd-http @{exec_path} { unix type=stream peer=(label=gnome-extension-gsconnect), #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_http - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest index bdd3feb46..840be2012 100644 --- a/apparmor.d/groups/gvfs/gvfsd-localtest +++ b/apparmor.d/groups/gvfs/gvfsd-localtest @@ -11,16 +11,7 @@ include profile gvfsd-localtest @{exec_path} { include include - include - include - include - - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), + include @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata index 8565856d9..64c0d7962 100644 --- a/apparmor.d/groups/gvfs/gvfsd-metadata +++ b/apparmor.d/groups/gvfs/gvfsd-metadata @@ -11,9 +11,7 @@ include profile gvfsd-metadata @{exec_path} { include include - include - include - include + include include network netlink raw, @@ -21,12 +19,6 @@ profile gvfsd-metadata @{exec_path} { signal (receive) set=(usr1) peer=pacman, #aa:dbus own bus=session name=org.gtk.vfs.Metadata path=/org/gtk/vfs/{m,M}etadata - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index 8d5ad78c5..4b810f222 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -11,9 +11,7 @@ include profile gvfsd-mtp @{exec_path} { include include - include - include - include + include include include include @@ -23,13 +21,6 @@ profile gvfsd-mtp @{exec_path} { network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, owner @{HOME}/ r, diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 7874686bc..5b2d386df 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -11,19 +11,11 @@ include profile gvfsd-network @{exec_path} { include include - include - include - include + include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index aae859d73..6fd0d740a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs @@ -11,22 +11,13 @@ include profile gvfsd-nfs @{exec_path} { include include - include - include - include + include include network inet stream, network inet6 stream, network netlink raw, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, include if exists diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index ca59d75cd..a7855beed 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -11,21 +11,12 @@ include profile gvfsd-recent @{exec_path} { include include - include - include - include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 862ef88aa..8c91c2913 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -11,21 +11,13 @@ include profile gvfsd-sftp @{exec_path} { include include - include - include - include + include include include include include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 9d99a43af..906bef2c8 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -11,9 +11,7 @@ include profile gvfsd-smb @{exec_path} { include include - include - include - include + include include include @@ -23,13 +21,6 @@ profile gvfsd-smb @{exec_path} { network inet dgram, network inet6 dgram, - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), - @{exec_path} mr, /etc/samba/smb.conf r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 66099563e..8002ec677 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -11,9 +11,7 @@ include profile gvfsd-smb-browse @{exec_path} { include include - include - include - include + include include include include @@ -25,12 +23,6 @@ profile gvfsd-smb-browse @{exec_path} { network inet6 dgram, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index 070c41a84..5ff83af32 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -11,9 +11,7 @@ include profile gvfsd-trash @{exec_path} { include include - include - include - include + include include include include @@ -23,12 +21,6 @@ profile gvfsd-trash @{exec_path} { network inet6 stream, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int} - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index bc672de04..9012682c4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -11,21 +11,14 @@ profile gvfsd-wsdd @{exec_path} { include include include - include - include - include + include include + include - network inet dgram, + network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd - #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker label=gvfsd - - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=@{busname}, label=gnome-shell), @{exec_path} mr, From e9594d77e1d60fb67615ec5c06ee005295566f9b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 21:57:14 +0200 Subject: [PATCH 746/798] feat(profile): add gnome-session-service. It is a replacement of the old gnome-session-binary. --- apparmor.d/groups/gnome/gnome-session-service | 83 +++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 84 insertions(+) create mode 100644 apparmor.d/groups/gnome/gnome-session-service diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service new file mode 100644 index 000000000..aca7afb28 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -0,0 +1,83 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-session-service +profile gnome-session-service @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + + #aa:dbus own bus=session name=org.gnome.SessionManager + #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}" + + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + + @{exec_path} mr, + + @{bin}/session-migration rPx, + + @{lib}/gio-launch-desktop rCx -> open, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + + /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + /usr/share/gdm/greeter/applications/{,**} r, + /usr/share/gdm/greeter/autostart/{,*.desktop} r, + /usr/share/gnome-session/hardware-compatibility r, + /usr/share/gnome-session/sessions/*.session r, + /usr/share/gnome/autostart/{,*.desktop} r, + + @{etc_ro}/xdg/autostart/{,*.desktop} r, + + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + + owner @{run}/user/@{uid}/systemd/notify w, + + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + + profile open { + include + + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, + @{lib}/gio-launch-desktop mr, + + @{sh_path} rPx -> gnome-session-service//shell, + @{lib}/** PUx, + @{bin}/** PUx, + /opt/*/** PUx, + /usr/share/*/** PUx, + /usr/local/bin/** PUx, + /usr/games/** PUx, + + include if exists + } + + profile shell { + include + + @{sh_path} mr, + + @{bin}/im-launch Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index dbed09959..d5f3355b1 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -128,6 +128,7 @@ gnome-extension-gsconnect complain gnome-extension-manager complain gnome-initial-setup complain gnome-remote-desktop-daemon complain +gnome-session-service attach_disconnected,complain grub-bios-setup complain grub-editenv complain grub-file complain From 9baf879a3dda5bf5a04be2e7c83865ada215fc28 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 22:17:46 +0200 Subject: [PATCH 747/798] feat(abs): add desktop user dconf path to the dconf abs. --- apparmor.d/abstractions/audio-client | 1 + apparmor.d/abstractions/dconf.d/complete | 6 ++++++ apparmor.d/groups/bus/dbus-accessibility | 5 ----- apparmor.d/groups/bus/ibus-dconf | 4 ---- apparmor.d/groups/bus/ibus-extension-gtk3 | 3 --- apparmor.d/groups/freedesktop/pulseaudio | 1 - apparmor.d/groups/freedesktop/xdg-desktop-portal | 3 --- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 5 ----- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 4 ---- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/gjs | 4 ---- apparmor.d/groups/gnome/gnome-initial-setup | 3 --- apparmor.d/groups/gnome/gnome-session-binary | 3 --- apparmor.d/groups/gnome/gnome-session-service | 2 -- apparmor.d/groups/gnome/gnome-shell | 4 ---- apparmor.d/groups/gnome/gsd-a11y-settings | 3 --- apparmor.d/groups/gnome/gsd-color | 5 ----- apparmor.d/groups/gnome/gsd-datetime | 5 ----- apparmor.d/groups/gnome/gsd-housekeeping | 5 ----- apparmor.d/groups/gnome/gsd-keyboard | 5 ----- apparmor.d/groups/gnome/gsd-media-keys | 5 ----- apparmor.d/groups/gnome/gsd-power | 6 ------ apparmor.d/groups/gnome/gsd-sharing | 6 ------ apparmor.d/groups/gnome/gsd-smartcard | 5 ----- apparmor.d/groups/gnome/gsd-sound | 5 ----- apparmor.d/groups/gnome/gsd-wacom | 5 ----- apparmor.d/groups/gnome/gsd-xsettings | 5 ----- apparmor.d/groups/gnome/mutter-x11-frames | 5 ----- apparmor.d/groups/gnome/tracker-extract | 3 --- apparmor.d/groups/gnome/tracker-miner | 3 --- apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor | 2 -- apparmor.d/groups/ubuntu/check-new-release-gtk | 2 -- apparmor.d/profiles-g-l/gsettings | 4 ---- 33 files changed, 8 insertions(+), 121 deletions(-) diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 1ebdf4c76..f11aa5d7d 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -31,6 +31,7 @@ owner @{desktop_config_dirs}/pulse/client.conf r, owner @{desktop_config_dirs}/pulse/client.conf.d/{,*.conf} r, owner @{desktop_config_dirs}/pulse/cookie rwk, + owner @{desktop_config_dirs}/seat@{int}/config/pulse/cookie rk, owner @{HOME}/.alsoftrc r, owner @{HOME}/.asoundrc r, diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete index 1796c7ca0..744fcda7b 100644 --- a/apparmor.d/abstractions/dconf.d/complete +++ b/apparmor.d/abstractions/dconf.d/complete @@ -3,6 +3,12 @@ # SPDX-License-Identifier: GPL-2.0-only /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + + owner @{DESKTOP_HOME}/greeter-dconf-defaults r, + + owner @{desktop_config_dirs}/dconf/user r, + owner @{desktop_config_dirs}/seat@{int}/config/dconf/user r, owner @{user_config_dirs}/glib-2.0/settings/keyfile r, # When GSETTINGS_BACKEND=keyfile diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index c9b9a1538..16128bfec 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -51,16 +51,11 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { @{lib}/at-spi2{,-core}/at-spi2-registryd rPx, /usr/share/dbus-1/accessibility-services/{,**} r, - /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, - /usr/share/gdm/greeter-dconf-defaults r, /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, - owner @{desktop_config_dirs}/dconf/user r, - owner @{HOME}/.Xauthority r, owner @{tmp}/xauth_@{rand6} r, diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf index bac225ebc..3a5839f71 100644 --- a/apparmor.d/groups/bus/ibus-dconf +++ b/apparmor.d/groups/bus/ibus-dconf @@ -25,9 +25,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/dconf/profile/gdm r, - /etc/dconf/db/ibus r, /etc/dconf/profile/ibus r, @@ -38,7 +35,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) { owner @{desktop_config_dirs}/dconf/user rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 2fa49e50f..be81cec27 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -38,11 +38,8 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, /usr/share/ibus/{,**} r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{desktop_config_dirs}/dconf/user r, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 206958062..9edd71a66 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -71,7 +71,6 @@ profile pulseaudio @{exec_path} { owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, - owner @{desktop_config_dirs}/dconf/user r, owner @{desktop_config_dirs}/pulse/{,**} rw, owner @{desktop_config_dirs}/pulse/cookie k, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index ec2cc86be..5bed44b08 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -75,14 +75,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{att}/.flatpak-info r, owner /att/**/ r, - /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, - /usr/share/gdm/greeter-dconf-defaults r, /etc/sysconfig/proxy r, @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/user-dirs.dirs r, # The portal can receive any user file as it is a file chooser for UI app. diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index c42d939f5..cd557c705 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -58,16 +58,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { @{bin}/* r, /opt/** r, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/thumbnailers/{,**} r, - owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, - owner @{desktop_config_dirs}/dconf/user r, owner @{desktop_share_dirs}/applications/{,**} r, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, owner @{HOME}/* r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index b7906c5e2..b101a5db0 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -41,16 +41,12 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/gdm/greeter-dconf-defaults r, - / r, owner /att/**/ r, owner /var/lib/xkb/server-@{int}.xkm rw, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, - owner @{gdm_config_dirs}/dconf/user r, - owner /var/lib/gdm3/greeter-dconf-defaults r, owner @{tmp}/runtime-*/xauth_@{rand6} r, diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index 5d2e3e21e..1a2d96a08 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -47,7 +47,7 @@ profile gdm-session @{exec_path} { owner @{gdm_cache_dirs}/gdm/ rw, owner @{gdm_cache_dirs}/gdm/Xauthority rw, owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, + owner @{DESKTOP_HOME}/greeter-dconf-defaults r, @{run}/gdm{3,}/custom.conf r, owner @{run}/user/@{uid}/gdm/ w, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index a25cb8d38..f2fa6acc4 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -83,15 +83,11 @@ profile gjs @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gnome-shell/{,**} r, /usr/share/xkeyboard-config-2/{,**} r, /usr/share/thumbnailers/{,**} r, owner @{gdm_cache_dirs}/gstreamer-@{int}.@{int}/registry.@{arch}.bin{,.tmp@{rand6}} rw, - owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 7439e0fb6..1e8bc3623 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -45,7 +45,6 @@ profile gnome-initial-setup @{exec_path} { @{lib}/gnome-initial-setup-goa-helper rix, @{lib}/@{multiarch}/ld-linux-*.so* rix, - /usr/share/dconf/profile/gdm r, /usr/share/gnome-initial-setup/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -57,8 +56,6 @@ profile gnome-initial-setup @{exec_path} { /var/log/installer/telemetry r, #aa:only ubuntu - owner @{GDM_HOME}/greeter-dconf-defaults r, - #aa:only ubuntu owner @{user_cache_dirs}/ubuntu-report/ rw, owner @{user_cache_dirs}/ubuntu-report/* rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 5359a70df..e61404754 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -52,8 +52,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, @@ -70,7 +68,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/gnome-session/ rw, owner @{gdm_config_dirs}/gnome-session/saved-session/ rw, owner @{gdm_config_dirs}/user-dirs.dirs r, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_share_dirs}/applications/{,**} r, owner @{user_config_dirs}/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index aca7afb28..7dec5c597 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -32,8 +32,6 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/gdm/greeter/autostart/{,*.desktop} r, /usr/share/gnome-session/hardware-compatibility r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 428c314e2..5e023e737 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -188,10 +188,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, /usr/share/byobu/desktop/byobu* r, - /usr/share/dconf/profile/gdm r, /usr/share/desktop-directories/{,*.directory} r, /usr/share/gdm/BuiltInSessions/{,*.desktop} r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gdm/greeter/applications/{,**} r, /usr/share/libgweather/Locations.xml r, /usr/share/libinput*/{,**} r, @@ -216,7 +214,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{att}/ r, owner @{att}/.flatpak-info r, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/ w, owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk, owner @{gdm_cache_dirs}/fontconfig/{,*} rwl, @@ -226,7 +223,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_cache_dirs}/libgweather/ r, owner @{gdm_cache_dirs}/nvidia/GLCache/ rw, owner @{gdm_cache_dirs}/nvidia/GLCache/** rwk, - owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_config_dirs}/ibus/ rw, owner @{gdm_config_dirs}/ibus/bus/ rw, owner @{gdm_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 22aaba164..d093036d4 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -26,9 +26,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 1a52321b1..50d4bebc6 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -34,13 +34,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /etc/timezone r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/icc/ rw, owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 0364f3f2b..f2ada6c02 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -33,13 +33,8 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/gnome-settings-daemon/datetime/backward r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, - owner @{user_cache_dirs}/geocode-glib/* r, @{run}/systemd/sessions/@{int} r, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 497462a03..87e8b8065 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -33,11 +33,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { /etc/fstab r, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ w, owner @{user_share_dirs}/applications/ rw, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index be27a873e..180023940 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -27,12 +27,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_config_dirs}/.gsd-keyboard.settings-ported* rw, - owner @{gdm_config_dirs}/dconf/user r, owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 5446af78d..9dba59b86 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -48,13 +48,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/sounds/freedesktop/stereo/*.oga r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index d3ac6b456..c90de7135 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -56,12 +56,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, - @{run}/udev/data/+backlight:* r, # For display backlights on laptops, monitors, and other screens. @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+leds:* r, # Identifies all LEDs (keyboard, mouse, etc.) diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 9d432ae13..b49d2e274 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -38,12 +38,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, - @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 5143b9984..6f04854b3 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -29,17 +29,12 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /etc/tpm2-tss/* rk, /var/tmp/ r, /tmp/ r, owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk, - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index ff2d30766..6c9bb24ae 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -28,11 +28,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, - owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/sounds/ rw, owner @{user_share_dirs}/sounds/ rw, diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 3d4f2cb05..225eca4be 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -23,13 +23,8 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, /usr/share/libwacom/{,*} r, - owner @{gdm_config_dirs}/dconf/user r, - owner @{GDM_HOME}/greeter-dconf-defaults r, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 20151eec0..b5a96584d 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -62,16 +62,11 @@ profile gsd-xsettings @{exec_path} { @{bin}/xrdb rPx, @{lib}/{,ibus/}ibus-x11 rPx, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - /etc/X11/Xsession.options r, @{etc_ro}/xdg/Xwayland-session.d/ r, @{etc_ro}/xdg/Xwayland-session.d/* rix, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, - owner @{gdm_config_dirs}/dconf/user r, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index d5c83a31b..289509055 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -22,13 +22,8 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}//fontconfig/ rw, owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl, - owner @{gdm_config_dirs}/dconf/user r, @{sys}/devices/@{pci}/boot_vga r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index e200ecb42..ee2afcefc 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -33,7 +33,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/*.desktop r, /usr/share/ladspa/rdf/{,**} r, /usr/share/osinfo/{,**} r, @@ -44,13 +43,11 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { /etc/blkid.conf r, /etc/fstab r, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/ rw, owner @{gdm_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{gdm_cache_dirs}/gstreamer-1.0/ rw, owner @{gdm_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/tracker3/{,**} rw, - owner @{gdm_config_dirs}/dconf/user r, # Allow to search user files owner @{HOME}/{,**} r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index 85b7b0d53..e6fdee6c2 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -45,7 +45,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { @{lib}/tracker-extract-3 rix, - /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/ladspa/rdf/{,**} r, @@ -59,10 +58,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { /etc/timezone r, owner @{GDM_HOME}/ r, - owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/gstreamer-*/registry.*.bin r, owner @{gdm_cache_dirs}/tracker3/{,tracker3/}files/{,**} rwk, - owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, # Allow to search user files diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 80f7f86a9..1bca3cf89 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -54,8 +54,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { owner @{MOUNTS}/autorun.inf r, - owner @{desktop_config_dirs}/dconf/user r, - @{run}/mount/utab r, @{PROC}/ r, diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 2b7b2b4ee..588d63f08 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -35,7 +35,6 @@ profile check-new-release-gtk @{exec_path} { /usr/share/distro-info/{,**} r, /usr/share/ubuntu-release-upgrader/{,**} r, /usr/share/update-manager/{,**} r, - /usr/share/dconf/profile/gdm r, /etc/update-manager/{,**} r, @@ -43,7 +42,6 @@ profile check-new-release-gtk @{exec_path} { /var/cache/apt/ rw, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{desktop_cache_dirs}/update-manager-core/ rwk, owner @{desktop_cache_dirs}/update-manager-core/meta-release-lts rw, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index 9b8eca8ee..cc8dfa447 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -16,12 +16,8 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/dconf/profile/gdm r, - /usr/share/gdm/greeter-dconf-defaults r, - owner @{desktop_cache_dirs}/dconf/user rw, owner @{desktop_config_dirs}/dconf/user rw, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, # file_inherit deny network netlink raw, From 66aab34070eb497de7d9e8c1f8b0d0d4e81084fe Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 22:30:23 +0200 Subject: [PATCH 748/798] feat(profile): update gnome profiles. --- apparmor.d/groups/gnome/gdm | 1 + apparmor.d/groups/gnome/gjs | 9 +++++++++ apparmor.d/groups/gnome/gnome-session | 1 + .../groups/gnome/gnome-session-init-worker | 18 ++++++++++++++++++ apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/gnome-software | 3 ++- apparmor.d/tunables/multiarch.d/profiles | 1 + 7 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/gnome/gnome-session-init-worker diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index d202d5199..765a2f587 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -71,6 +71,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) { @{GDM_HOME}/ rw, @{GDM_HOME}/** rw, + @{run}/gdm/home/ rw, @{run}/gdm{,3}.pid rw, @{run}/gdm{,3}/ rw, @{run}/gdm{,3}/gdm.pid rw, diff --git a/apparmor.d/groups/gnome/gjs b/apparmor.d/groups/gnome/gjs index f2fa6acc4..48dee288a 100644 --- a/apparmor.d/groups/gnome/gjs +++ b/apparmor.d/groups/gnome/gjs @@ -31,6 +31,7 @@ profile gjs @{exec_path} flags=(attach_disconnected) { # Only needed by org.gnome.Shell.Extensions include + include include # Only needed by gnome-extension-ding @@ -111,7 +112,10 @@ profile gjs @{exec_path} flags=(attach_disconnected) { profile gstreamer { include + include + include include + include include include include @@ -120,6 +124,11 @@ profile gjs @{exec_path} flags=(attach_disconnected) { network (bind create getattr setopt getopt) netlink raw, + dbus receive bus=session path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mr, @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner mr, @{lib}/gstreamer-1.0/gst-plugin-scanner mr, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 257e91c0a..afcc16b19 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -51,6 +51,7 @@ profile gnome-session @{exec_path} { @{bin}/flatpak rCx -> flatpak, @{bin}/gsettings rPx, @{lib}/gnome-session-binary rPx, + @{lib}/gnome-session-init-worker rPx, /usr/share/im-config/{,**} r, /usr/share/libdebuginfod-common/debuginfod.sh r, diff --git a/apparmor.d/groups/gnome/gnome-session-init-worker b/apparmor.d/groups/gnome/gnome-session-init-worker new file mode 100644 index 000000000..787bbda17 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-session-init-worker @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-session-init-worker +profile gnome-session-init-worker @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 5e023e737..082425446 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -299,6 +299,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.@{icon_ext} r, owner @{tmp}/@{rand6}.shell-extension.zip rw, + owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 0b1602fbb..71719b170 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -106,9 +106,10 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, + owner @{tmp}/#@{int} rw, + owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - owner @{tmp}/#@{int} rw, owner @{run}/user/@{uid}/.dbus-proxy/ rw, owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw, diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index e26319f2c..13409e6fc 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -36,6 +36,7 @@ @{p_fwupd}=fwupd @{p_fwupdmgr}=fwupdmgr @{p_geoclue}=geoclue +@{p_gnome_session}={gnome-session-binary,gnome-session-service} @{p_gnome_shell}=gnome-shell @{p_gsd_media_keys}=gsd-media-keys @{p_irqbalance}=irqbalance From 655750d96f0a8a07ad8a7fed6f68af8638e9c364 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 22:43:01 +0200 Subject: [PATCH 749/798] feat(abs): improve the bwrap abs. --- apparmor.d/abstractions/bwrap | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/bwrap b/apparmor.d/abstractions/bwrap index 47a16085a..35382e1fb 100644 --- a/apparmor.d/abstractions/bwrap +++ b/apparmor.d/abstractions/bwrap @@ -3,10 +3,16 @@ # SPDX-License-Identifier: GPL-2.0-only # NEEDS-VARIABLE: att -# A minimal set of rules for sandboxed programs using bwrap. +# Bubblewrap creates isolated environments for applications. It requires the +# sys_admin capability to enter a new PID namespace. Until this capability is +# dropped, the process can potentially escape confinement. For this reason, we +# typically transition to another application profile, even if it requires +# managing a stacked set of profiles since bwrap sets the no_new_privs (nnp) +# flag. The resulting profile should take the form: //& +# # A profile using this abstraction still needs to set: # - the flag: attach_disconnected -# - bwrap execution: '@{bin}/bwrap rix,' +# - bwrap execution: '@{bin}/bwrap ix,' or memory mapping '@{bin}/bwrap mr,' abi , @@ -44,6 +50,7 @@ owner /tmp/newroot/ w, owner /tmp/oldroot/ w, + owner / r, @{att}/ r, @{att}/@{run}/.userns r, From 560ae989212e12c687fb4ba70c013e6592bf65b8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 23:46:23 +0200 Subject: [PATCH 750/798] feat: initial global support for lycin-loaders. See https://github.com/roddhjav/apparmor.d/issues/881 for more details. --- apparmor.d/abstractions/app/bwrap-glycin | 38 ++++++++++++++++++++ apparmor.d/groups/browsers/firefox | 5 +++ apparmor.d/groups/children/glycin | 44 ++++++++++++++++++++++++ apparmor.d/groups/gnome/gnome-shell | 1 + apparmor.d/groups/gnome/loupe | 31 +++-------------- apparmor.d/profiles-a-f/fractal | 36 ++++--------------- apparmor.d/profiles-s-z/terminator | 2 ++ apparmor.d/profiles-s-z/thunderbird | 5 +++ 8 files changed, 105 insertions(+), 57 deletions(-) create mode 100644 apparmor.d/abstractions/app/bwrap-glycin create mode 100644 apparmor.d/groups/children/glycin diff --git a/apparmor.d/abstractions/app/bwrap-glycin b/apparmor.d/abstractions/app/bwrap-glycin new file mode 100644 index 000000000..48e3fcde9 --- /dev/null +++ b/apparmor.d/abstractions/app/bwrap-glycin @@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Base set of rules for glycin-loaders sandboxed with bwrap. +# - It is safe to use when used like in the glycin profile. +# - It is **not** safe to use when used by a profile stacking glycin + +# See https://github.com/roddhjav/apparmor.d/issues/881 for more details. + + abi , + + include + include + + unix type=stream peer=(label=glycin), + unix type=stream peer=(label=glycin//app), + + signal send set=kill peer=*//&glycin, + + ptrace read peer=*//&glycin, + + @{bin}/bwrap mr, + + @{bin}/true ix, + + /usr/share/glycin-loaders/{,**} r, + + /usr/share/gtksourceview-2.0/{,**} r, + /usr/share/gtksourceview-3.0/{,**} r, + /usr/share/gtksourceview-4/{,**} r, + /usr/share/gtksourceview-5/{,**} r, + + owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 3f83775d9..2b0c11dfa 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -15,6 +15,7 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile firefox @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -33,6 +34,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + # glycin-loaders sandboxed profile stack + @{bin}/bwrap Px -> firefox//&glycin, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> firefox//&glycin//&glycin//app, + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @{lib}/mozilla/plugins/ r, diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin new file mode 100644 index 000000000..ce04e1c10 --- /dev/null +++ b/apparmor.d/groups/children/glycin @@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Confine glycin-loaders sandboxed with bwrap. It also confines bwrap itself. +# for this use case. + +abi , + +include + +profile glycin flags=(attach_disconnected,complain) { + include + include + + signal receive set=kill, + + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> glycin//&glycin//app, + + # Safe deny of inherited files from parent process. + deny owner @{user_cache_dirs}/** r, + deny owner /tmp/*/** w, + deny @{sys}/devices/system/memory/* r, + deny /dev/dri/* rw, + + profile app flags=(attach_disconnected,complain) { + include + + @{lib}/glycin-loaders/@{d}+/glycin-* mr, + + @{att}/usr/share/glycin-loaders/{,**} r, + + @{att}/usr/share/gtksourceview-2.0/{,**} r, + @{att}/usr/share/gtksourceview-3.0/{,**} r, + @{att}/usr/share/gtksourceview-4/{,**} r, + @{att}/usr/share/gtksourceview-5/{,**} r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 082425446..1945fd103 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -161,6 +161,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/unzip rix, + @{bin}/bwrap rPx -> glycin, @{bin}/flatpak rPx, @{bin}/gjs-console rPx -> gnome-extension, @{bin}/glib-compile-schemas rPx, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index d82de2adf..5fac34448 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -21,9 +21,10 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - unix type=stream peer=(label=loupe//bwrap), + unix type=stream peer=(label=glycin), + unix type=stream peer=(label=glycin//app), - signal send set=kill peer=loupe//bwrap, + signal send set=kill peer=glycin, #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application @@ -36,7 +37,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/bwrap rCx -> bwrap, + @{bin}/bwrap rPx -> glycin, @{open_path} rPx -> child-open-help, /usr/share/glycin-loaders/{,**} r, @@ -61,30 +62,6 @@ profile loupe @{exec_path} flags=(attach_disconnected) { deny @{user_share_dirs}/gvfs-metadata/* r, - profile bwrap flags=(attach_disconnected) { - include - include - - unix type=stream peer=(label=loupe), - - signal receive set=kill peer=loupe, - - @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-* Px -> loupe//bwrap//&loupe//glycin, - - include if exists - } - - profile glycin flags=(attach_disconnected) { - include - - unix type=stream peer=(label=loupe), - - @{lib}/glycin-loaders/*/glycin-* mr, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 60e6e1467..3093254d5 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -22,12 +22,16 @@ profile fractal @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal send set=kill peer=fractal//bwrap, + signal send set=kill peer=glycin, + unix type=stream peer=(label=glycin), + unix type=stream peer=(label=glycin//app), + + #aa:dbus own bus=session name=org.gnome.Fractal @{exec_path} mr, + @{bin}/bwrap rPx -> glycin, @{open_path} rPx -> child-open-help, - @{bin}/bwrap rCx -> bwrap, /usr/share/glycin-loaders/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -44,34 +48,6 @@ profile fractal @{exec_path} flags=(attach_disconnected) { /dev/ r, - profile bwrap flags=(attach_disconnected) { - include - include - - signal receive set=kill peer=fractal, - - @{bin}/bwrap mr, - @{lib}/glycin-loaders/*/glycin-* Px -> fractal//bwrap//&fractal//glycin, - - /usr/share/gtksourceview-@{d}/{,**} r, - - owner @{run}/user/@{uid}/fractal/.tmp@{rand6} r, - - include if exists - } - - profile glycin flags=(attach_disconnected) { - include - - @{lib}/glycin-loaders/*/glycin-* mr, - - @{att}/usr/share/gtksourceview-@{d}/{,**} r, - - owner @{att}/@{run}/user/@{uid}/fractal/.tmp@{rand6} r, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index e8a2533b9..729c5b4da 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -36,6 +36,8 @@ profile terminator @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{python_path} rix, + @{bin}/bwrap rPx -> glycin, + # The shell is not confined on purpose. @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index da163c2ae..4bf8a86da 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -15,6 +15,7 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile thunderbird @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -26,6 +27,10 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, + # glycin-loaders sandboxed profile stack + @{bin}/bwrap Px -> thunderbird//&glycin, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> thunderbird//&glycin//&glycin//app, + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, From a178d10853351e4b7cb16128e653be5cb6f5ae6d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 23 Sep 2025 23:48:54 +0200 Subject: [PATCH 751/798] chore: fix linter issue --- apparmor.d/abstractions/bwrap | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/bwrap b/apparmor.d/abstractions/bwrap index 35382e1fb..5db3ed392 100644 --- a/apparmor.d/abstractions/bwrap +++ b/apparmor.d/abstractions/bwrap @@ -3,11 +3,11 @@ # SPDX-License-Identifier: GPL-2.0-only # NEEDS-VARIABLE: att -# Bubblewrap creates isolated environments for applications. It requires the +# Bubblewrap creates isolated environments for applications. It requires the # sys_admin capability to enter a new PID namespace. Until this capability is # dropped, the process can potentially escape confinement. For this reason, we -# typically transition to another application profile, even if it requires -# managing a stacked set of profiles since bwrap sets the no_new_privs (nnp) +# typically transition to another application profile, even if it requires +# managing a stacked set of profiles since bwrap sets the no_new_privs (nnp) # flag. The resulting profile should take the form: //& # # A profile using this abstraction still needs to set: From 33594a0c2030bf0345f63a9dc3740da29153c2c2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 24 Sep 2025 00:17:07 +0200 Subject: [PATCH 752/798] feat(abs): add initial version of network-manager-observe. --- apparmor.d/abstractions/network-manager-observe | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 apparmor.d/abstractions/network-manager-observe diff --git a/apparmor.d/abstractions/network-manager-observe b/apparmor.d/abstractions/network-manager-observe new file mode 100644 index 000000000..21a50b0bb --- /dev/null +++ b/apparmor.d/abstractions/network-manager-observe @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019 Canonical Ltd +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allows observing NetworkManager settings. It grants access to listing +# MAC addresses, previous networks, etc but not secrets. + + abi , + + include + + include if exists + +# vim:syntax=apparmor From c5572a29052a713b7d2f01149d4e3814c0f00a03 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 24 Sep 2025 00:50:56 +0200 Subject: [PATCH 753/798] feat(abs): add glycin tmp file to gtk and gtk-strict. --- apparmor.d/abstractions/gtk-strict | 2 ++ apparmor.d/abstractions/gtk.d/complete | 2 ++ 2 files changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict index 0bf0ab41c..cee18e59f 100644 --- a/apparmor.d/abstractions/gtk-strict +++ b/apparmor.d/abstractions/gtk-strict @@ -69,6 +69,8 @@ owner @{user_config_dirs}/gtk-4.0/settings.ini r, owner @{user_config_dirs}/gtk-4.0/window_decorations.css r, + owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 0b69d8ee1..6649bafa4 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -18,4 +18,6 @@ owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini r, owner @{user_config_dirs}/gtk-{3,4}.0/window_decorations.css r, + owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, + # vim:syntax=apparmor From 878626653cd623f636f2fd89923d4ab22b3f65e6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 24 Sep 2025 21:55:39 +0200 Subject: [PATCH 754/798] feat(profile): rename glycin//app to glycin//loaders and minor fixes. See #881 --- apparmor.d/abstractions/app/bwrap-glycin | 4 +++- apparmor.d/groups/browsers/firefox | 2 +- apparmor.d/groups/children/glycin | 12 +++++++----- apparmor.d/groups/gnome/loupe | 2 +- apparmor.d/profiles-a-f/fractal | 3 ++- apparmor.d/profiles-s-z/thunderbird | 2 +- 6 files changed, 15 insertions(+), 10 deletions(-) diff --git a/apparmor.d/abstractions/app/bwrap-glycin b/apparmor.d/abstractions/app/bwrap-glycin index 48e3fcde9..a3a5ceee6 100644 --- a/apparmor.d/abstractions/app/bwrap-glycin +++ b/apparmor.d/abstractions/app/bwrap-glycin @@ -14,11 +14,13 @@ include unix type=stream peer=(label=glycin), - unix type=stream peer=(label=glycin//app), + unix type=stream peer=(label=glycin//loaders), signal send set=kill peer=*//&glycin, + signal send set=kill peer=glycin//&*, ptrace read peer=*//&glycin, + ptrace read peer=glycin//&*, @{bin}/bwrap mr, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 2b0c11dfa..b1a6b53a5 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -36,7 +36,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { # glycin-loaders sandboxed profile stack @{bin}/bwrap Px -> firefox//&glycin, - @{lib}/glycin-loaders/@{d}+/glycin-* Px -> firefox//&glycin//&glycin//app, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> firefox//&glycin//&glycin//loaders, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index ce04e1c10..b00913e1a 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -15,16 +15,18 @@ profile glycin flags=(attach_disconnected,complain) { signal receive set=kill, - @{lib}/glycin-loaders/@{d}+/glycin-* Px -> glycin//&glycin//app, + @{lib}/glycin-loaders/@{d}+/glycin-* Cx -> &glycin//loaders, # Safe deny of inherited files from parent process. - deny owner @{user_cache_dirs}/** r, + deny owner @{HOME}/.*/** rw, deny owner /tmp/*/** w, - deny @{sys}/devices/system/memory/* r, + deny @{sys}/devices/system/** r, + deny /dev/shm/** rw, deny /dev/dri/* rw, - profile app flags=(attach_disconnected,complain) { + profile loaders flags=(attach_disconnected,complain) { include + include @{lib}/glycin-loaders/@{d}+/glycin-* mr, @@ -35,7 +37,7 @@ profile glycin flags=(attach_disconnected,complain) { @{att}/usr/share/gtksourceview-4/{,**} r, @{att}/usr/share/gtksourceview-5/{,**} r, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 5fac34448..b40640b5c 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -22,7 +22,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include unix type=stream peer=(label=glycin), - unix type=stream peer=(label=glycin//app), + unix type=stream peer=(label=glycin//loaders), signal send set=kill peer=glycin, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 3093254d5..d50bc48cd 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -23,8 +23,9 @@ profile fractal @{exec_path} flags=(attach_disconnected) { network netlink raw, signal send set=kill peer=glycin, + unix type=stream peer=(label=glycin), - unix type=stream peer=(label=glycin//app), + unix type=stream peer=(label=glycin//loaders), #aa:dbus own bus=session name=org.gnome.Fractal diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 4bf8a86da..0934e6986 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -29,7 +29,7 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { # glycin-loaders sandboxed profile stack @{bin}/bwrap Px -> thunderbird//&glycin, - @{lib}/glycin-loaders/@{d}+/glycin-* Px -> thunderbird//&glycin//&glycin//app, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> thunderbird//&glycin//&glycin//loaders, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, From c9f1471a63cb74add77db46e56c2b3d94df106cd Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 25 Sep 2025 19:23:18 +0200 Subject: [PATCH 755/798] Update texstudio Add bibtex --- apparmor.d/profiles-s-z/texstudio | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/texstudio b/apparmor.d/profiles-s-z/texstudio index 52e9e53e6..2f96d32b8 100644 --- a/apparmor.d/profiles-s-z/texstudio +++ b/apparmor.d/profiles-s-z/texstudio @@ -18,6 +18,7 @@ profile texstudio @{exec_path} { @{exec_path} mr, + @{bin}/bibtex ix, @{bin}/pdflatex ix, @{bin}/pdftex ix, @{bin}/kpsewhich ix, From ba52165bc429bfc599d37eccf115f34a17e80688 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 20:45:42 +0200 Subject: [PATCH 756/798] feat(abs): add glycin-loaders to gtk abs. --- apparmor.d/abstractions/gtk-strict | 2 ++ apparmor.d/abstractions/gtk.d/complete | 2 ++ 2 files changed, 4 insertions(+) diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict index cee18e59f..ed016bb24 100644 --- a/apparmor.d/abstractions/gtk-strict +++ b/apparmor.d/abstractions/gtk-strict @@ -18,6 +18,8 @@ /usr/share/gtksourceview-4/{,**} r, /usr/share/gtksourceview-5/{,**} r, + /usr/share/glycin-loaders/{,**} r, + /usr/share/gtk-2.0/ r, /usr/share/gtk-2.0/gtkrc r, diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 6649bafa4..9900b088e 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -8,6 +8,8 @@ @{lib}/{,@{multiarch}/}gtk*/** mr, + /usr/share/glycin-loaders/{,**} r, + /etc/gtk-{3,4}.0/settings.ini r, owner @{user_config_dirs}/gtk-{3,4}.0/ rw, From cbe7aabeece6e97073d3de26072a154f014dc184 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 20:57:02 +0200 Subject: [PATCH 757/798] feat(abs): update gdm config & state path. --- apparmor.d/abstractions/dconf.d/complete | 4 +++- apparmor.d/abstractions/user-dirs | 2 ++ apparmor.d/tunables/multiarch.d/system-users | 4 ++-- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete index 744fcda7b..668faa06e 100644 --- a/apparmor.d/abstractions/dconf.d/complete +++ b/apparmor.d/abstractions/dconf.d/complete @@ -8,7 +8,9 @@ owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{desktop_config_dirs}/dconf/user r, - owner @{desktop_config_dirs}/seat@{int}/config/dconf/user r, + + owner @{user_cache_dirs}/dconf/ r, + owner @{user_cache_dirs}/dconf/user r, owner @{user_config_dirs}/glib-2.0/settings/keyfile r, # When GSETTINGS_BACKEND=keyfile diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs index 189f8eb38..c1b6c85a6 100644 --- a/apparmor.d/abstractions/user-dirs +++ b/apparmor.d/abstractions/user-dirs @@ -7,6 +7,8 @@ /etc/xdg/user-dirs.conf r, /etc/xdg/user-dirs.defaults r, + owner @{desktop_config_dirs}/user-dirs.dirs r, + owner @{user_config_dirs}/user-dirs.dirs r, include if exists diff --git a/apparmor.d/tunables/multiarch.d/system-users b/apparmor.d/tunables/multiarch.d/system-users index 07450efff..94f5a59f5 100644 --- a/apparmor.d/tunables/multiarch.d/system-users +++ b/apparmor.d/tunables/multiarch.d/system-users @@ -7,10 +7,10 @@ # Full path of the GDM configuration directories @{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/ @{gdm_cache_dirs}=@{GDM_HOME}/.cache/ -@{gdm_config_dirs}=@{GDM_HOME}/.config/ +@{gdm_config_dirs}=@{GDM_HOME}/.config/ @{GDM_HOME}/seat@{int}/config/ @{gdm_local_dirs}=@{GDM_HOME}/.local/ @{gdm_share_dirs}=@{GDM_HOME}/.local/share/ -@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ +@{gdm_state_dirs}=@{GDM_HOME}/.local/state/ @{GDM_HOME}/seat@{int}/state/ # Full path of the SDDM configuration directories @{SDDM_HOME}=/var/lib/sddm/ From d4347fb88c2c65d41a033409f85d90b255fa85c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 20:57:53 +0200 Subject: [PATCH 758/798] feat(abs): use etc_ro in desktop-files. --- apparmor.d/abstractions/desktop-files | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/desktop-files b/apparmor.d/abstractions/desktop-files index 9c0a8b941..b56abdbe7 100644 --- a/apparmor.d/abstractions/desktop-files +++ b/apparmor.d/abstractions/desktop-files @@ -10,10 +10,10 @@ @{system_share_dirs}/gnome/applications/{,**} r, @{system_share_dirs}/xfce4/applications/{,**} r, - /etc/gnome/defaults.list r, - /etc/xfce4/defaults.list r, - /etc/xdg/menus/ r, - /etc/xdg/menus/applications-merged/{,**} r, + @{etc_ro}/gnome/defaults.list r, + @{etc_ro}/xdg/menus/ r, + @{etc_ro}/xdg/menus/applications-merged/{,**} r, + @{etc_ro}/xfce4/defaults.list r, /var/lib/snapd/desktop/applications/{,**} r, From 838330cac74c0f5584dbaad80e5e829bb0d69615 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 20:59:38 +0200 Subject: [PATCH 759/798] feat(abs): update cuda lib location. --- apparmor.d/abstractions/nvidia-strict | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 7d975ad8c..2923e51d6 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -6,7 +6,8 @@ @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, - /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr, + /opt/cuda/targets/@{arch}-linux/lib/*.so mr, + /opt/cuda/targets/@{arch}-linux/lib/*.so.* mr, /usr/share/nvidia/nvidia-application-profiles-* r, From 81ef8423879ed988f4386091d3618a74f3221e24 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:00:13 +0200 Subject: [PATCH 760/798] feat(abs): add boot_vga to dri. --- apparmor.d/abstractions/dri | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index 3146b8a3c..1232e8530 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -19,6 +19,7 @@ @{run}/udev/data/c226:@{int} r, # For DRI card /dev/dri/card@{int} + @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/@{pci}/class r, @{sys}/devices/@{pci}/config r, @{sys}/devices/@{pci}/device r, From 2eb17639e9874ee8c2cfef1b82d3d582359b370c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:02:03 +0200 Subject: [PATCH 761/798] feat(abs): add cache dir to dconf. --- apparmor.d/abstractions/dconf-write | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index 72a943527..88f94e576 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -10,6 +10,9 @@ include include + owner @{user_cache_dirs}/dconf/ w, + owner @{user_cache_dirs}/dconf/user w, + owner @{user_config_dirs}/glib-2.0/settings/keyfile w, # When GSETTINGS_BACKEND=keyfile owner @{run}/user/@{uid}/dconf/ w, From ac1d6bdb99c26b8ec65cb00686f3d9040d523abf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:03:29 +0200 Subject: [PATCH 762/798] feat(abs): update core dbus own path --- apparmor.d/abstractions/bus/accessibility/own | 4 ++-- apparmor.d/abstractions/bus/session/own | 4 ++-- apparmor.d/abstractions/bus/system/own | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/bus/accessibility/own b/apparmor.d/abstractions/bus/accessibility/own index d1eab1ce7..7cb1a4dbb 100644 --- a/apparmor.d/abstractions/bus/accessibility/own +++ b/apparmor.d/abstractions/bus/accessibility/own @@ -10,12 +10,12 @@ abi , - dbus send bus=accessibility path=/org/freedesktop/DBus + dbus send bus=accessibility path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), - dbus send bus=accessibility path=/org/freedesktop/DBus + dbus send bus=accessibility path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"), diff --git a/apparmor.d/abstractions/bus/session/own b/apparmor.d/abstractions/bus/session/own index d975ebb48..18bc607a8 100644 --- a/apparmor.d/abstractions/bus/session/own +++ b/apparmor.d/abstractions/bus/session/own @@ -10,12 +10,12 @@ abi , - dbus send bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), - dbus send bus=session path=/org/freedesktop/DBus + dbus send bus=session path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), diff --git a/apparmor.d/abstractions/bus/system/own b/apparmor.d/abstractions/bus/system/own index 2b1130b32..17d216859 100644 --- a/apparmor.d/abstractions/bus/system/own +++ b/apparmor.d/abstractions/bus/system/own @@ -10,12 +10,12 @@ abi , - dbus send bus=system path=/org/freedesktop/DBus + dbus send bus=system path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), - dbus send bus=system path=/org/freedesktop/DBus + dbus send bus=system path=/{,org/freedesktop/DBus} interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), From cf0da21109050a210920e1704b6124ef419eb099 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:06:12 +0200 Subject: [PATCH 763/798] feat(abs): update bus interfaces. --- .../bus/session/org.freedesktop.Notifications | 4 +-- .../bus/session/org.freedesktop.Secret | 6 +--- .../bus/session/org.gnome.ArchiveManager1 | 2 +- .../bus/session/org.gnome.ScreenSaver | 5 +++ .../bus/session/org.gnome.SessionManager | 36 +++++++++---------- .../bus/session/org.gtk.vfs.Daemon | 7 +++- .../bus/session/org.gtk.vfs.MountTracker | 9 ++--- .../bus/system/org.freedesktop.locale1 | 5 +++ 8 files changed, 43 insertions(+), 31 deletions(-) diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications index b51c4bdcb..4ebccd690 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Notifications @@ -9,12 +9,12 @@ dbus send bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications member={GetCapabilities,GetServerInformation,Notify,CloseNotification} - peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + peer=(label="@{pp_notification}"), dbus receive bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.Notifications member={ActionInvoked,NotificationClosed,NotificationReplied} - peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"), + peer=(label="@{pp_notification}"), include if exists diff --git a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret index 8ded1b6d7..1b6c0cd11 100644 --- a/apparmor.d/abstractions/bus/session/org.freedesktop.Secret +++ b/apparmor.d/abstractions/bus/session/org.freedesktop.Secret @@ -21,7 +21,7 @@ abi , - #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon + #aa:dbus common bus=session name=org.freedesktop.Secret path=/org/freedesktop/secrets{,/**} label=gnome-keyring-daemon dbus send bus=session path=/org/freedesktop/secrets{,/**} interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} @@ -31,10 +31,6 @@ interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session} peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon), - dbus send bus=session path=/org/freedesktop/secrets - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=@{busname}, label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets interface=org.freedesktop.Secret.Service member=ReadAlias diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 index f69667e08..21424ceef 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1 @@ -9,7 +9,7 @@ dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.gnome.ArchiveManager1 member=GetSupportedTypes - peer=(name="@{busname}", label="@{p_file_roller}"), + peer=(name=@{busname}, label="@{p_file_roller}"), include if exists diff --git a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver index b7ae6b200..0a65e8562 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver +++ b/apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver @@ -11,6 +11,11 @@ member={GetActive,GetActiveTime,Lock,SetActive} peer=(name=@{busname}, label=gjs), + dbus send bus=session path=/org/gnome/ScreenSaver + interface=org.gnome.ScreenSaver + member=GetActive + peer=(name=org.gnome.ScreenSaver, label=gjs), + dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member={ActiveChanged,WakeUpScreen} diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager index 4c641776b..7067b5fff 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager @@ -4,42 +4,42 @@ abi , - #aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}" + #aa:dbus common bus=session name=org.gnome.SessionManager label="@{p_gnome_session}" dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name=@{busname}, label="@{p_gnome_session}"), - dbus send bus=session path=/org/gnome/SessionManager + dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager - member={Inhibit,Uninhibit} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + member={ClientAdded,ClientRemoved} + peer=(name=@{busname}, label="@{p_gnome_session}"), - dbus send bus=session path=/org/gnome/SessionManager + dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager - member={Setenv,IsSessionRunning} - peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"), + member=SessionRunning + peer=(name=@{busname}, label="@{p_gnome_session}"), dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager - member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + member={InhibitorAdded,InhibitorRemoved} + peer=(name=@{busname}, label="@{p_gnome_session}"), + + dbus receive bus=session path=/org/gnome/SessionManager/Presence + interface=org.gnome.SessionManager.Presence + member=StatusChanged + peer=(name=@{busname}, label="@{p_gnome_session}"), - dbus send bus=session path=/org/gnome/SessionManager/Client@{int} + dbus send bus=session path=/org/gnome/SessionManager/Client8 interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name=@{busname}, label="@{p_gnome_session}"), dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), - - dbus receive bus=session path=/org/gnome/SessionManager/Presence - interface=org.gnome.SessionManager.Presence - member=StatusChanged - peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"), + peer=(name=@{busname}, label="@{p_gnome_session}"), include if exists diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon index edf954ac5..6187b53ef 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon @@ -8,9 +8,14 @@ dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon - member={GetConnection,ListMonitorImplementations,ListMountableInfo} + member=ListMonitorImplementations peer=(name=@{busname}, label=gvfsd), + dbus send bus=session path=/org/gtk/vfs/Daemon + interface=org.gtk.vfs.Daemon + member=GetConnection + peer=(name=@{busname}, label="gvfsd{,-*}"), + dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member=GetConnection diff --git a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker index 107c3dc13..8090039c7 100644 --- a/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker @@ -2,24 +2,25 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# The mount tracking interface. +# The mount tracking interface. Allows to lookup mounts by ID and list mountable +# info. Allow to receive mount/umount signals from the mount tracker (gvfsd). abi , dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=LookupMount - peer=(name="@{busname}", label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMounts2 - peer=(name="@{busname}", label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMountableInfo - peer=(name="@{busname}", label=gvfsd), + peer=(name=@{busname}, label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 index e2377a14b..ea972d2de 100644 --- a/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.locale1 @@ -9,6 +9,11 @@ member=GetAll peer=(name=org.freedesktop.locale1), + dbus send bus=system path=/org/freedesktop/locale1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=systemd-localed), + include if exists # vim:syntax=apparmor From 91e621e65c44c91c038eeacfe17646315a004643 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:15:38 +0200 Subject: [PATCH 764/798] feat(abs): add the session-manager abstraction. --- .../bus/session/org.gnome.SessionManager | 4 ++++ apparmor.d/abstractions/session-manager | 15 +++++++++++++++ apparmor.d/groups/bus/at-spi2-registryd | 4 ++-- apparmor.d/groups/bus/dbus-accessibility | 2 +- .../groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 4 ++-- apparmor.d/groups/gnome/gsd-a11y-settings | 2 +- apparmor.d/groups/gnome/gsd-color | 4 ++-- apparmor.d/groups/gnome/gsd-datetime | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/gnome/gsd-keyboard | 4 ++-- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/gnome/gsd-print-notifications | 2 +- apparmor.d/groups/gnome/gsd-printer | 3 +-- apparmor.d/groups/gnome/gsd-rfkill | 4 ++-- apparmor.d/groups/gnome/gsd-screensaver-proxy | 4 ++-- apparmor.d/groups/gnome/gsd-sharing | 2 +- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 4 ++-- apparmor.d/groups/gnome/gsd-usb-protection | 2 +- apparmor.d/groups/gnome/gsd-wacom | 4 ++-- apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/ubuntu/apport | 2 +- apparmor.d/profiles-s-z/superproductivity | 1 + 25 files changed, 50 insertions(+), 31 deletions(-) create mode 100644 apparmor.d/abstractions/session-manager diff --git a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager index 7067b5fff..6859b2cc1 100644 --- a/apparmor.d/abstractions/bus/session/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/session/org.gnome.SessionManager @@ -2,6 +2,10 @@ # Copyright (C) 2025 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow registering a client with the session manager. This is needed for +# applications that want to be notified of session events, such as shutdown +# or logout, and to be able to inhibit those actions. + abi , #aa:dbus common bus=session name=org.gnome.SessionManager label="@{p_gnome_session}" diff --git a/apparmor.d/abstractions/session-manager b/apparmor.d/abstractions/session-manager new file mode 100644 index 000000000..2c7b63180 --- /dev/null +++ b/apparmor.d/abstractions/session-manager @@ -0,0 +1,15 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow registering a client with the session manager. This is needed for +# applications that want to be notified of session events, such as shutdown +# or logout, and to be able to inhibit those actions. + + abi , + + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index fec6d7897..85720531f 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -10,10 +10,10 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include - include include include - include + include + include include signal receive set=term peer=gdm, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 16128bfec..2a08e528c 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -12,11 +12,11 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include include - include include include include include + include network inet dgram, network inet stream, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index b101a5db0..440d3ade8 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -14,7 +14,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -24,6 +23,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index e39ef0dc0..0dfac52bf 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -10,12 +10,12 @@ include @{exec_path} = @{bin}/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include - include include include include include - include + include + include capability ipc_lock, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index d093036d4..675183770 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -10,10 +10,10 @@ include profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include include - include include include include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 50d4bebc6..f2504a895 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -9,15 +9,15 @@ include @{exec_path} = @{lib}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include - include include include include - include + include include include include include + include network inet stream, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index f2ada6c02..dd538de05 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -10,11 +10,11 @@ include profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include - include include include include include + include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index 87e8b8065..06beec332 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -11,12 +11,12 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index 180023940..0b0c671bf 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,15 +9,15 @@ include @{exec_path} = @{lib}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include - include include include include - include + include include include include include + include network inet stream, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 9dba59b86..b0e31a4ad 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -15,13 +15,13 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include include + include include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index c90de7135..4a5d1d264 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -19,7 +19,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -27,6 +26,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include include network inet stream, diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index 22ec520cb..cc9a534d3 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -11,13 +11,13 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include include include - include include include include include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index a768c8d1e..16b326da6 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -11,10 +11,9 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { include include include - include - include include include + include signal (receive) set=(term, hup) peer=gdm*, signal (receive) set=(hup) peer=gsd-print-notifications, diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index 7283c5c00..d77f4a3cb 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -9,13 +9,13 @@ include @{exec_path} = @{lib}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include - include include include include include include - include + include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index ac2f9229d..b0be4f8a1 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -9,9 +9,9 @@ include @{exec_path} = @{lib}/gsd-screensaver-proxy profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include - include include - include + include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index b49d2e274..2c5d55fbf 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -12,10 +12,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include include include - include include include include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 6f04854b3..f5ad21e12 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -10,13 +10,13 @@ include profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include include - include include include include include include include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index 6c9bb24ae..d1a3ed497 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -9,13 +9,13 @@ include @{exec_path} = @{lib}/gsd-sound profile gsd-sound @{exec_path} flags=(attach_disconnected) { include - include include include - include include + include include include + include signal receive set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection index bcdb353a8..2fbbad9b1 100644 --- a/apparmor.d/groups/gnome/gsd-usb-protection +++ b/apparmor.d/groups/gnome/gsd-usb-protection @@ -12,10 +12,10 @@ profile gsd-usb-protection @{exec_path} { include include include - include include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index 225eca4be..e36ff1362 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,13 +9,13 @@ include @{exec_path} = @{lib}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include - include include - include + include include include include include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index b5a96584d..824cea266 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -13,7 +13,6 @@ profile gsd-xsettings @{exec_path} { include include include - include include include include @@ -21,6 +20,7 @@ profile gsd-xsettings @{exec_path} { include include include + include network inet stream, network inet6 stream, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 40b3f14d6..35267de3c 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -11,9 +11,9 @@ profile apport @{exec_path} flags=(attach_disconnected) { include include include - include include include + include capability chown, capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index f812fc570..76f85db35 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -25,6 +25,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network inet6 stream, From df7d2e0f642e273b39c96d53f97c6e8d6079c1da Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:23:48 +0200 Subject: [PATCH 765/798] feat(profile): expand avahi access for ippfind. --- apparmor.d/groups/cups/ippfind | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/cups/ippfind b/apparmor.d/groups/cups/ippfind index fe4347237..8040dadff 100644 --- a/apparmor.d/groups/cups/ippfind +++ b/apparmor.d/groups/cups/ippfind @@ -11,6 +11,8 @@ profile ippfind @{exec_path} { include include include + include + include @{exec_path} mr, From 44349ffcddafa01daa0978d7a80f86e3234717e3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:31:32 +0200 Subject: [PATCH 766/798] feat(abs): move org.gnome.Mutter.IdleMonitor to gnome-strict. --- .../bus/{ => session}/org.gnome.Mutter.IdleMonitor | 8 +++++--- apparmor.d/abstractions/gnome-base | 2 ++ apparmor.d/groups/gnome/gnome-session-binary | 1 - apparmor.d/groups/gnome/gnome-session-service | 1 - apparmor.d/groups/gnome/gsd-media-keys | 1 - apparmor.d/groups/gnome/gsd-power | 1 - apparmor.d/profiles-s-z/superproductivity | 2 -- apparmor.d/profiles-s-z/telegram-desktop | 1 - 8 files changed, 7 insertions(+), 10 deletions(-) rename apparmor.d/abstractions/bus/{ => session}/org.gnome.Mutter.IdleMonitor (79%) diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/session/org.gnome.Mutter.IdleMonitor similarity index 79% rename from apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor rename to apparmor.d/abstractions/bus/session/org.gnome.Mutter.IdleMonitor index d1ff350fc..c248c34ab 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/session/org.gnome.Mutter.IdleMonitor @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# Allow to get the current idle time + abi , #aa:dbus common bus=session name=org.gnome.Mutter.IdleMonitor label=gnome-shell @@ -9,7 +11,7 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="@{busname}", label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor @@ -19,8 +21,8 @@ dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor member=WatchFired - peer=(name="@{busname}", label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-base b/apparmor.d/abstractions/gnome-base index c18628323..17a848de5 100644 --- a/apparmor.d/abstractions/gnome-base +++ b/apparmor.d/abstractions/gnome-base @@ -6,6 +6,8 @@ abi , + include + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index e61404754..afc90128b 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -12,7 +12,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index 7dec5c597..200c4ac2a 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -11,7 +11,6 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index b0e31a4ad..5002f3f39 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -14,7 +14,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 4a5d1d264..8594fe8d5 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -18,7 +18,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 76f85db35..4254518d1 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -19,8 +19,6 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include - include - include include include include diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index c1544af72..79d2095f9 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -12,7 +12,6 @@ profile telegram-desktop @{exec_path} { include include include - include include include include From 465f6e70af03c438438e2641ff179611e4ddfd4d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:37:18 +0200 Subject: [PATCH 767/798] feat(abs): add ibus-strict. --- apparmor.d/abstractions/ibus-strict | 18 ++++++++++++++++++ apparmor.d/groups/bus/ibus-daemon | 2 +- apparmor.d/groups/bus/ibus-engine-simple | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 2 +- apparmor.d/groups/bus/ibus-memconf | 2 +- apparmor.d/groups/bus/ibus-portal | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/profiles-a-f/atril | 2 +- apparmor.d/profiles-a-f/engrampa | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-m-r/qbittorrent | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-s-z/spotify | 1 + apparmor.d/profiles-s-z/superproductivity | 1 + apparmor.d/profiles-s-z/terminator | 1 + apparmor.d/profiles-s-z/vlc | 2 +- 16 files changed, 33 insertions(+), 12 deletions(-) create mode 100644 apparmor.d/abstractions/ibus-strict diff --git a/apparmor.d/abstractions/ibus-strict b/apparmor.d/abstractions/ibus-strict new file mode 100644 index 000000000..949171b0b --- /dev/null +++ b/apparmor.d/abstractions/ibus-strict @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Allow communicating with ibus-daemon (this allows sniffing key events) + + abi , + + owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw, + + owner @{user_config_dirs}/ibus/ r, + owner @{user_config_dirs}/ibus/bus/ rw, + owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-@{int} rw, + owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-wayland-@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon index b326138d6..163b9cc78 100644 --- a/apparmor.d/groups/bus/ibus-daemon +++ b/apparmor.d/groups/bus/ibus-daemon @@ -11,7 +11,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=(usr1) peer=gnome-shell, diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple index 8bdc3c79c..c183dba48 100644 --- a/apparmor.d/groups/bus/ibus-engine-simple +++ b/apparmor.d/groups/bus/ibus-engine-simple @@ -12,7 +12,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) { include include include - include + include signal (receive) set=term peer=ibus-daemon, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index be81cec27..5553ec2ff 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -13,7 +13,7 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=term peer=ibus-daemon, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index b1f1445b3..9cfa0e292 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -12,7 +12,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { include include include - include + include include signal (receive) set=(term) peer=ibus-daemon, diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 6ea4891a7..8ade4a660 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -10,7 +10,7 @@ include profile ibus-portal @{exec_path} flags=(attach_disconnected) { include include - include + include signal (receive) set=(term, hup) peer=gdm*, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 1945fd103..43d61d73b 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -34,7 +34,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 55502dd3e..c31860cc6 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -14,7 +14,7 @@ profile atril @{exec_path} { include include include - include + include include include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 3e650962f..3ced4fcc7 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -15,7 +15,7 @@ profile engrampa @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 10b5ad4af..12d757e1b 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -15,7 +15,7 @@ profile evince @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index e0d430443..a1ac4c354 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -18,7 +18,7 @@ profile qbittorrent @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 80e58fd7c..0737effc6 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -19,7 +19,7 @@ profile remmina @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index b04432e39..c3decdeeb 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -24,6 +24,7 @@ profile spotify @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 4254518d1..441842fd4 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -22,6 +22,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { include include include + include include include diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 729c5b4da..2f38799d5 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -14,6 +14,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 05866296d..afcf3c249 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -21,7 +21,7 @@ profile vlc @{exec_path} { include include include - include + include include include include From dfd12febbae7fd0b214e48b0dfeb28d44c041197 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:40:37 +0200 Subject: [PATCH 768/798] feat(abs): add the localization abs. --- .../abstractions/bus/org.freedesktop.GeoClue2 | 30 ----------- .../bus/system/org.freedesktop.GeoClue2 | 16 ++++++ apparmor.d/abstractions/localization | 11 ++++ apparmor.d/groups/browsers/epiphany | 4 +- apparmor.d/groups/gnome/gnome-shell | 51 ++++++++++++++++--- 5 files changed, 73 insertions(+), 39 deletions(-) delete mode 100644 apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 create mode 100644 apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 create mode 100644 apparmor.d/abstractions/localization diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 deleted file mode 100644 index 9957c7b67..000000000 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ /dev/null @@ -1,30 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - - abi , - - #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" - dbus send bus=system path=/org/freedesktop/GeoClue2/Agent - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"), - - dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label="@{p_geoclue}"), - - dbus send bus=system path=/org/freedesktop/GeoClue2/Manager - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="@{busname}", label="@{p_geoclue}"), - - dbus send bus=system path=/org/freedesktop/GeoClue2/Manager - interface=org.freedesktop.GeoClue2.Manager - member=AddAgent - peer=(name="@{busname}", label="@{p_geoclue}"), - - include if exists - -# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 new file mode 100644 index 000000000..026194fbb --- /dev/null +++ b/apparmor.d/abstractions/bus/system/org.freedesktop.GeoClue2 @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}" + + dbus send bus=system path=/org/freedesktop/GeoClue2/Manager + interface=org.freedesktop.GeoClue2.Manager + member=AddAgent + peer=(name="@{busname}", label="@{p_geoclue}"), + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/localization b/apparmor.d/abstractions/localization new file mode 100644 index 000000000..cdeb1ba1c --- /dev/null +++ b/apparmor.d/abstractions/localization @@ -0,0 +1,11 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + abi , + + include + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 81610322b..2787871db 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -11,11 +11,11 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { include include include - include - include include + include include include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 43d61d73b..de94b49b1 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -2,6 +2,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# TODO: some gnome extension run from this profile. It would be better to have a way to separate them. + abi , include @@ -18,7 +20,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include include include include @@ -28,6 +29,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -35,6 +37,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -82,6 +85,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.kde.StatusNotifierItem path=/ #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher + # owning not strictly needed, but it simplifies things + #aa:dbus own bus=session name=org.mpris.MediaPlayer2 # Talk with gnome-shell @@ -133,11 +138,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member=JobRemoved peer=(name=@{busname}, label="@{p_systemd_user}"), - dbus send bus=session path=/MenuBar - interface=com.canonical.dbusmenu - member={AboutToShow,GetLayout,GetGroupProperties} - peer=(name=:*), - + # FIXME: I think gnome-shell is the owner of the notifications, it should then be + # fully allowed to send/receive to/from anyone. + # FIXME: same for dbusmenu; icon things dbus send bus=session path=/StatusNotifierItem interface=org.freedesktop.DBus.Properties member={Get,GetAll} @@ -148,6 +151,40 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member={Get,GetAll} peer=(name=@{busname}), + dbus receive bus=session + interface=org.gtk.Menus + member=Changed + peer=(name=@{busname}), + dbus send bus=session + interface=org.gtk.Menus + member=Start + peer=(name=@{busname}), + + # Needed as a dbus server to administrate the mpris interface + include + dbus send bus=system path=/{,org/freedesktop/DBus} + interface=org.freedesktop.DBus + member={ListNames,RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + dbus send bus=system path=/{,org/freedesktop/DBus} + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"), + dbus send bus=session path=/{,org/freedesktop/DBus} + interface=org.freedesktop.DBus + member={ListNames,RequestName,ReleaseName} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus send bus=session path=/{,org/freedesktop/DBus} + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + + dbus receive bus=system path=/org/freedesktop + interface=org.freedesktop.DBus.ObjectManager + member=InterfacesAdded + peer=(name=@{busname}, label=NetworkManager), + + dbus send bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect @@ -166,10 +203,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/gjs-console rPx -> gnome-extension, @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, + @{bin}/nvidia-smi rPx, # FIXME: for extension only @{bin}/sensors rPx, @{bin}/tecla rPx, @{bin}/Xwayland rPx, - @{bin}/nvidia-smi rPx, # FIXME; for extension only @{lib}/@{multiarch}/glib-2.0/glib-compile-schemas rPx, @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, From de8e9998ea2d6d75f45ff80b56f2dabc4e26c9c5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:44:23 +0200 Subject: [PATCH 769/798] refractor(abs): fi.w1.wpa_supplicant1 -> system/fi.w1.wpa_supplicant1 --- .../bus/{ => system}/fi.w1.wpa_supplicant1 | 10 +++++----- apparmor.d/groups/freedesktop/geoclue | 2 +- apparmor.d/groups/network/NetworkManager | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) rename apparmor.d/abstractions/bus/{ => system}/fi.w1.wpa_supplicant1 (88%) diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 similarity index 88% rename from apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 rename to apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 index 7989ea4c5..0152774e1 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 @@ -26,16 +26,16 @@ member=Cancel peer=(name="@{busname}", label=wpa-supplicant), - dbus receive bus=system path=/org/freedesktop - interface=org.freedesktop.DBus.ObjectManager - member=InterfacesRemoved - peer=(name="@{busname}", label=wpa-supplicant), - dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} peer=(name="@{busname}", label=wpa-supplicant), + dbus receive bus=system path=/fi/w1/wpa_supplicant1 + interface=fi.w1.wpa_supplicant1 + member=InterfaceRemoved + peer=(name=@{busname}, label=wpa-supplicant), + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 04eeba521..3360c4881 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -10,9 +10,9 @@ include profile geoclue @{exec_path} flags=(attach_disconnected) { include include - include include include + include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index fca80465d..d593e0f4e 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -10,12 +10,12 @@ include profile NetworkManager @{exec_path} flags=(attach_disconnected) { include include - include - include include include include include + include + include include include From eea9921e9df553c5bd1d39af11f4ff134868ce10 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:50:05 +0200 Subject: [PATCH 770/798] feat(abs): add org.gtk.vfs.MountTracker to gtk. --- apparmor.d/abstractions/gtk.d/complete | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 9900b088e..2aff75be4 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -5,6 +5,7 @@ include include include + include @{lib}/{,@{multiarch}/}gtk*/** mr, From 268b7219d537753789e58e4101b100c923a147f9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:53:20 +0200 Subject: [PATCH 771/798] feat(profile): update the dbus profiles. --- apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/bus/dbus-session | 10 ++++++---- apparmor.d/groups/bus/dbus-system | 7 ++++++- apparmor.d/groups/bus/ibus-portal | 5 +++++ 4 files changed, 18 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 2a08e528c..270077860 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -30,7 +30,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { unix type=stream addr=none peer=(label=xorg, addr=@/tmp/.X11-unix/X0), - #aa:dbus own bus=accessibility name=org.freedesktop.DBus + #aa:dbus own bus=accessibility name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} #aa:dbus own bus=session name=org.a11y.{B,b}us dbus receive bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 1b3ac11c8..7fafdfdb7 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -25,10 +25,12 @@ profile dbus-session flags=(attach_disconnected) { unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none), - signal (receive) set=(term hup) peer=gdm{,-*}, - signal (send) set=(term hup kill) peer=dbus-accessibility, - signal (send) set=(term hup kill) peer=dconf-service, - signal (send) set=(term hup kill) peer=xdg-*, + signal (send receive) set=kill peer=dbus-session//&unconfined, + + signal receive set=(term hup) peer=gdm{,-*}, + signal send set=(term hup kill) peer=dbus-accessibility, + signal send set=(term hup kill) peer=dconf-service, + signal send set=(term hup kill) peer=xdg-*, #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} dbus receive bus=session diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index 1b62a1086..a2ee182bf 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -33,7 +33,12 @@ profile dbus-system flags=(attach_disconnected) { ptrace read peer=@{p_systemd}, - #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} + # Internal stack dbus-system//&unconfined + signal (send receive) set=kill peer=dbus-system//&unconfined, + unix type=stream peer=(label=unconfined), + + #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/{dBus,DBus,dbus}} + dbus receive bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials} diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 8ade4a660..d52253906 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -17,6 +17,11 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.freedesktop.portal.IBus #aa:dbus own bus=session name=org.freedesktop.IBus + dbus receive bus=session path=/org/freedesktop/IBus + interface=org.freedesktop.DBus.Peer + member=Ping + peer=(name=@{busname}, label=ibus-daemon), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect From f431105e4117f99003cac57d313dd1f515e2e46f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:54:26 +0200 Subject: [PATCH 772/798] feat(profile): minor update on firefox. --- apparmor.d/groups/browsers/firefox | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index b1a6b53a5..8d420789b 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -57,14 +57,15 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{bin}/browserpass rPx, @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, @{lib}/browserpass/browserpass-native rPx, - /opt/1Password/1Password-BrowserSupport rPx, + /opt/1Password/1Password-BrowserSupport rPUx, /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, + owner @{user_config_dirs}/mimeapps.list w, + owner @{user_config_dirs}/mimeapps.list.@{rand6} rw, owner @{user_share_dirs}/applications/userapp-Firefox-@{rand6}.desktop{,.@{rand6}} rw, owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw, From 5dfef03c08f2df746e738bb48bd7c731712729dd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:55:57 +0200 Subject: [PATCH 773/798] feta(profile): update flatpak. --- apparmor.d/groups/flatpak/flatpak | 2 ++ apparmor.d/groups/flatpak/flatpak-session-helper | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak index da93bf30d..ef08a6b58 100644 --- a/apparmor.d/groups/flatpak/flatpak +++ b/apparmor.d/groups/flatpak/flatpak @@ -136,9 +136,11 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{run}/user/@{uid}/.flatpak-cache rw, owner @{run}/user/@{uid}/.flatpak/ rw, owner @{run}/user/@{uid}/.flatpak/** rwlk -> @{run}/user/@{uid}/.flatpak/**, + owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, owner @{run}/user/@{uid}/app/ w, owner @{run}/user/@{uid}/app/*/ w, owner @{run}/user/@{uid}/systemd/private rw, + owner @{run}/user/@{uid}/wayland-@{int} rw, @{sys}/module/nvidia/version r, diff --git a/apparmor.d/groups/flatpak/flatpak-session-helper b/apparmor.d/groups/flatpak/flatpak-session-helper index 8a8f5afb7..ed9526eb0 100644 --- a/apparmor.d/groups/flatpak/flatpak-session-helper +++ b/apparmor.d/groups/flatpak/flatpak-session-helper @@ -28,7 +28,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{shells_path} rUx -> user_unconfined, + @{shells_path} rUx, @{bin}/dbus-monitor rPUx, @{bin}/env rix, @{bin}/flatpak rPx, From c0d79b815f1a085585824783f721f881459c2adc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:58:23 +0200 Subject: [PATCH 774/798] feat(profile): update freedesktop profiles. --- apparmor.d/groups/freedesktop/boltd | 22 ++++++++++----- apparmor.d/groups/freedesktop/colord | 8 ++++-- apparmor.d/groups/freedesktop/wireplumber | 10 +++++-- .../groups/freedesktop/xdg-desktop-portal | 27 +++++++++++-------- .../freedesktop/xdg-desktop-portal-gnome | 1 + .../groups/freedesktop/xdg-permission-store | 1 + 6 files changed, 47 insertions(+), 22 deletions(-) diff --git a/apparmor.d/groups/freedesktop/boltd b/apparmor.d/groups/freedesktop/boltd index d7888698d..60dddbedf 100644 --- a/apparmor.d/groups/freedesktop/boltd +++ b/apparmor.d/groups/freedesktop/boltd @@ -33,20 +33,28 @@ profile boltd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/thunderbolt/devices/ r, @{sys}/bus/wmi/devices/ r, @{sys}/class/ r, - @{sys}/devices/@{pci}/uevent r, + @{sys}/devices/**/uevent r, @{sys}/devices/@{pci}/device r, @{sys}/devices/@{pci}/domain@{int}/ r, - @{sys}/devices/@{pci}/domain@{int}/{security,uevent} r, @{sys}/devices/@{pci}/domain@{int}/**/ r, - @{sys}/devices/@{pci}/domain@{int}/**/{authorized,generation} r, - @{sys}/devices/@{pci}/domain@{int}/**/{boot,rx_lanes,rx_speed,tx_lanes,tx_speed} r, - @{sys}/devices/@{pci}/domain@{int}/**/{uevent,unique_id} r, - @{sys}/devices/@{pci}/domain@{int}/**/{vendor,device}_name r, + @{sys}/devices/@{pci}/domain@{int}/**/authorized r, + @{sys}/devices/@{pci}/domain@{int}/**/boot r, + @{sys}/devices/@{pci}/domain@{int}/**/device_name r, + @{sys}/devices/@{pci}/domain@{int}/**/generation r, + @{sys}/devices/@{pci}/domain@{int}/**/rx_lanes r, + @{sys}/devices/@{pci}/domain@{int}/**/rx_speed r, + @{sys}/devices/@{pci}/domain@{int}/**/tx_lanes r, + @{sys}/devices/@{pci}/domain@{int}/**/tx_speed r, + @{sys}/devices/@{pci}/domain@{int}/**/unique_id r, + @{sys}/devices/@{pci}/domain@{int}/**/vendor_name r, @{sys}/devices/@{pci}/domain@{int}/boot_acl rw, @{sys}/devices/@{pci}/domain@{int}/iommu_dma_protection r, + @{sys}/devices/@{pci}/domain@{int}/security r, @{sys}/devices/platform/**/uevent r, @{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/product_version r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, include if exists } diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 54c0d147e..e527f462e 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -14,6 +14,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -56,8 +57,11 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, @{sys}/devices/**/uevent r, - @{sys}/devices/@{pci}/{vendor,model,type} r, - @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r, + @{sys}/devices/@{pci}/drm/card@{int}/**/edid r, + @{sys}/devices/@{pci}/drm/card@{int}/**/enabled r, + @{sys}/devices/@{pci}/model r, + @{sys}/devices/@{pci}/type r, + @{sys}/devices/@{pci}/vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber index c4d4c9c17..720a294bd 100644 --- a/apparmor.d/groups/freedesktop/wireplumber +++ b/apparmor.d/groups/freedesktop/wireplumber @@ -26,6 +26,8 @@ profile wireplumber @{exec_path} { network bluetooth stream, network netlink raw, + ptrace read peer=gnome-extension-gsconnect, + #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int} #aa:dbus own bus=session name=org.pipewire.Telephony @@ -48,6 +50,8 @@ profile wireplumber @{exec_path} { /usr/share/spa-*/bluez@{int}/{,*} r, /usr/share/wireplumber/{,**} r, + / r, + owner @{desktop_local_dirs}/ w, owner @{desktop_state_dirs}/ w, owner @{desktop_state_dirs}/wireplumber/{,**} rw, @@ -79,10 +83,12 @@ profile wireplumber @{exec_path} { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/status r, @{PROC}/1/cgroup r, @{PROC}/1/status r, - @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/udmabuf rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5bed44b08..95f801a4a 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -20,8 +20,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include include - include + include include include include @@ -36,25 +37,27 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { signal receive set=term peer=gdm, signal receive set=hup peer=gdm-session-worker, - #aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}} - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Realtime - member=MakeThread* - peer=(name=@{busname}), + unix type=stream peer=(label=snap.*), + + #aa:dbus own bus=session name=org.freedesktop.portal interface+=org.freedesktop.impl.portal + + # Receive registertration of from anyone dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.host.portal.Registry member=Register peer=(name=@{busname}), - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.NetworkMonitor - member=GetStatus - peer=(name=@{busname}, label=snap.*), + + dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_125/gtk904232872 + interface=org.freedesktop.impl.portal.Session + member=Close + peer=(name=@{busname}, label=xdg-desktop-portal-gtk), #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor - #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.GlobalShortcuts path=/org/freedesktop/portal/desktop label=xdg-desktop-portal-gnome + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Inhibit label=xdg-desktop-portal-gtk #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal dbus receive bus=session @@ -69,6 +72,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{bin}/kreadconfig{,5} rPx, @{lib}/xdg-desktop-portal-validate-icon rPx, + @{lib}/browserpass/browserpass-native rPx, @{open_path} mrPx -> child-open, / r, @@ -93,6 +97,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.flatpak/{,*/*} r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index cd557c705..5d05630c5 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -34,6 +34,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Settings.GlobalShortcutsProvider label=gnome-control-center-global-shortcuts-provider + #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label="gvfs-*-volume-monitor" diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 3b15d9688..0ce3ff166 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -48,6 +48,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, owner @{user_share_dirs}/flatpak/db/screencast r, + owner @{user_share_dirs}/flatpak/db/webextensions rw, include if exists } From 484a96d833f52992e4ff55bc39d493bbad6a73bf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 21:58:53 +0200 Subject: [PATCH 775/798] feat(profile): add xdg-terminal-exec. --- .../groups/freedesktop/xdg-terminal-exec | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 apparmor.d/groups/freedesktop/xdg-terminal-exec diff --git a/apparmor.d/groups/freedesktop/xdg-terminal-exec b/apparmor.d/groups/freedesktop/xdg-terminal-exec new file mode 100644 index 000000000..b79985c9a --- /dev/null +++ b/apparmor.d/groups/freedesktop/xdg-terminal-exec @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2025 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xdg-terminal-exec +profile xdg-terminal-exec @{exec_path} flags=(attach_disconnected) { + include + include + include + + @{exec_path} mr, + + @{sh_path} rix, + @{bin}/{m,g,}awk ix, + @{bin}/find ix, + @{bin}/ls ix, + @{bin}/md5sum ix, + @{bin}/tr ix, + + @{bin}/gnome-terminal Px, + + /usr/share/xdg-terminal-exec/{,**} r, + + owner @{HOME}/ r, + + owner @{user_cache_dirs}/xdg-terminal-exec rw, + owner @{user_config_dirs}/*-xdg-terminals.list r, + owner @{user_config_dirs}/xdg-terminals.list r, + + include if exists +} + +# vim:syntax=apparmor From cf90d0a855f7be0448c8416b98dd63ebe95bd484 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:03:47 +0200 Subject: [PATCH 776/798] feat(profile): update gnome profiles. --- apparmor.d/groups/gnome/gnome-clocks | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 10 ++++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index 92886c887..6458d3c50 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -14,6 +14,7 @@ profile gnome-clocks @{exec_path} { include include include + include include network netlink raw, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 2592eb77e..ed52d09f7 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -21,10 +21,11 @@ profile gnome-extension-gsconnect @{exec_path} { include include include - include include + include include include + include include include include @@ -37,7 +38,11 @@ profile gnome-extension-gsconnect @{exec_path} { network inet6 stream, network netlink raw, - #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect interface+=org.gtk.{Actions,Menus} + unix type=stream addr=none peer=(label=gvfsd-*, addr=none), + + #aa:dbus own bus=session name=org.gnome.Shell.Extensions.GSConnect interface+={org.freedesktop.Application,org.gtk.{Actions,Application,Menus}} + + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.GSConnect.* dbus eavesdrop bus=session, @@ -49,6 +54,7 @@ profile gnome-extension-gsconnect @{exec_path} { @{bin}/openssl rix, @{bin}/ssh-add rix, + @{bin}/bwrap rPx -> glycin, @{bin}/dconf rPx, @{bin}/ssh-keygen rPx, @{bin}/xdg-screensaver rPx, From 7d7c78fb1bc8f36bf7fd83738ab78e8e012c8075 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:04:19 +0200 Subject: [PATCH 777/798] feat(profile): cleanup scdaemon --- apparmor.d/groups/gpg/scdaemon | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 729455f7f..6638f3fe4 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -35,9 +35,7 @@ profile scdaemon @{exec_path} { owner /var/tmp/zypp.*/zypp-general-kr*/S.scdaemon w, owner /var/tmp/zypp.*/zypp-trusted-*/S.scdaemon w, - @{PROC}/@{pid}/task/@{tid}/comm rw, - - @{sys}/devices/@{pci}/bConfigurationValue r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } From 81081b219075557c7364803c8c24ff2fcf13fc43 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:06:49 +0200 Subject: [PATCH 778/798] feat(profile): add polkit rule in pkttyagent. --- apparmor.d/groups/polkit/pkttyagent | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/apparmor.d/groups/polkit/pkttyagent b/apparmor.d/groups/polkit/pkttyagent index 436447aef..5882c6d40 100644 --- a/apparmor.d/groups/polkit/pkttyagent +++ b/apparmor.d/groups/polkit/pkttyagent @@ -21,6 +21,16 @@ profile pkttyagent @{exec_path} { ptrace read, signal (send, receive), + dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent + interface=org.freedesktop.PolicyKit1.AuthenticationAgent + member=BeginAuthentication + peer=(name=@{busname}, label="@{p_polkitd}"), + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=RegisterAuthenticationAgentWithOptions + peer=(name=@{busname}, label="@{p_polkitd}"), + @{exec_path} mr, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, From 2b6e7379e1d87d812eaed0b2ef712556a6fd3196 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:08:27 +0200 Subject: [PATCH 779/798] feat(profile): remove ptrac from htop, cleanup ps. --- apparmor.d/groups/procps/htop | 11 ++++++++--- apparmor.d/groups/procps/ps | 2 ++ 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/procps/htop b/apparmor.d/groups/procps/htop index b02b0f692..e48d05583 100644 --- a/apparmor.d/groups/procps/htop +++ b/apparmor.d/groups/procps/htop @@ -16,15 +16,12 @@ profile htop @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability kill, capability sys_nice, - capability sys_ptrace, network netlink raw, signal send, signal receive set=hup peer=gnome-terminal-server, - ptrace read, - @{exec_path} mr, @{bin}/lsof rix, @@ -137,6 +134,14 @@ profile htop @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, + # While commands like 'ps', 'ip netns identify ', 'ip netns pids foo', etc + # trigger a 'ptrace trace' denial, they aren't actually tracing other + # processes. Unfortunately, the kernel overloads trace such that the LSMs are + # unable to distinguish between tracing other processes and other accesses. + deny capability sys_ptrace, + deny ptrace trace, + deny ptrace read, + include if exists } diff --git a/apparmor.d/groups/procps/ps b/apparmor.d/groups/procps/ps index ab6f3486c..42eb272ea 100644 --- a/apparmor.d/groups/procps/ps +++ b/apparmor.d/groups/procps/ps @@ -53,6 +53,8 @@ profile ps @{exec_path} flags=(attach_disconnected) { # trigger a 'ptrace trace' denial, they aren't actually tracing other # processes. Unfortunately, the kernel overloads trace such that the LSMs are # unable to distinguish between tracing other processes and other accesses. + deny capability perfmon, + deny capability sys_admin, deny capability sys_ptrace, deny ptrace trace, deny ptrace read, From e7a7cb41165c8b4b0ece7e7c7ff53be51dddb72b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:09:00 +0200 Subject: [PATCH 780/798] feat(profile): glycin: deny more path. --- apparmor.d/groups/children/glycin | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index b00913e1a..4bde8a957 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -20,6 +20,7 @@ profile glycin flags=(attach_disconnected,complain) { # Safe deny of inherited files from parent process. deny owner @{HOME}/.*/** rw, deny owner /tmp/*/** w, + deny /opt/*/** rw, deny @{sys}/devices/system/** r, deny /dev/shm/** rw, deny /dev/dri/* rw, From cb32e8829c7671da9b53777d7cfaadeb9af7242e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:14:29 +0200 Subject: [PATCH 781/798] feat(profile): general update. --- apparmor.d/profiles-a-f/freetube | 1 + apparmor.d/profiles-g-l/gimp | 9 +++-- apparmor.d/profiles-g-l/gsettings | 1 + apparmor.d/profiles-g-l/haveged | 3 ++ apparmor.d/profiles-g-l/inxi | 2 ++ apparmor.d/profiles-g-l/libreoffice | 7 +++- apparmor.d/profiles-m-r/mdadm | 3 +- apparmor.d/profiles-m-r/mkinitramfs | 2 +- apparmor.d/profiles-m-r/mpris-proxy | 7 ++++ apparmor.d/profiles-m-r/ollama | 4 +-- apparmor.d/profiles-m-r/packagekitd | 12 +++++++ apparmor.d/profiles-m-r/qemu-ga | 5 +++ apparmor.d/profiles-m-r/remmina | 1 - apparmor.d/profiles-m-r/reprepro | 40 +++++------------------ apparmor.d/profiles-s-z/snapshot | 9 +++-- apparmor.d/profiles-s-z/superproductivity | 2 ++ apparmor.d/profiles-s-z/sysstat-sadc | 7 ++-- apparmor.d/profiles-s-z/totem | 4 ++- apparmor.d/profiles-s-z/ucf | 1 + apparmor.d/profiles-s-z/vlc | 2 +- 20 files changed, 71 insertions(+), 51 deletions(-) diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index b820f249c..6ee51adbb 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -31,6 +31,7 @@ profile freetube @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=session name=org.mpris.MediaPlayer2.freetube path=/org/mpris/MediaPlayer2 + #aa:dbus talk bus=session name=org.freedesktop.PowerManagement label=kde-powerdevil @{exec_path} mrix, diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index 57c6a72e0..04860c1de 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -22,6 +22,8 @@ profile gimp @{exec_path} flags=(attach_disconnected) { signal (send) set=(term, kill) peer=xsane-gimp, + #aa:dbus own bus=session name=org.gimp + #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @@ -40,6 +42,7 @@ profile gimp @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-help, @{lib}/gimp/@{version}/plug-ins/python-console/__pycache__/{,*} w, + @{lib}/@{multiarch}/gimp/@{version}/plug-ins/web-browser/web-browser ix, /usr/share/gimp/{,**} r, /usr/share/mypaint-data/{,**} r, @@ -58,15 +61,15 @@ profile gimp @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}//thumbnails/normal/gimp-thumb* rw, owner @{user_cache_dirs}/babl/{,**} rw, - owner @{user_cache_dirs}/gegl-*/{,**} r, - owner @{user_cache_dirs}/gegl-*/{,**} r, + owner @{user_cache_dirs}/gegl-@{version}/{,**} rw, + owner @{user_cache_dirs}/gegl-@{version}/{,**} rw, owner @{user_cache_dirs}/gimp/{,**} rw, owner @{user_cache_dirs}/GIMP/{,**} rw, owner @{user_config_dirs}/gimp/{,**} rw, owner @{user_config_dirs}/GIMP/{,**} rw, - owner @{user_share_dirs}/gegl-*/{,**} r, + owner @{user_share_dirs}/gegl-@{version}/{,**} r, owner @{user_share_dirs}/GIMP/{,**} rw, owner @{tmp}/gimp/{,**} rw, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index cc8dfa447..b60c2ff66 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -24,6 +24,7 @@ profile gsettings @{exec_path} flags=(attach_disconnected) { deny /etc/nsswitch.conf r, deny /etc/passwd r, deny /opt/*/** r, + deny owner /.cache/ w, deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index 527629202..8b15b3153 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -17,6 +17,9 @@ profile haveged @{exec_path} { @{exec_path} mr, + /dev/shm/sem.@{rand6} rw, + /dev/shm/sem.haveged_sem rwl -> /dev/shm/sem.@{rand6}, + @{sys}/devices/system/cpu/cpu@{int}/cache/ r, @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index e80875ca2..2d6a67d4a 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -13,6 +13,8 @@ profile inxi @{exec_path} { include include + capability dac_read_search, + network inet dgram, network inet6 dgram, network inet stream, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 7e4feed45..0975d2fdc 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -8,7 +8,7 @@ include @{exec_path} = @{bin}/libreoffice @{bin}/soffice @{exec_path} += @{lib}/libreoffice/program/soffice -profile libreoffice @{exec_path} { +profile libreoffice @{exec_path} flags=(attach_disconnected) { include include include @@ -39,6 +39,11 @@ profile libreoffice @{exec_path} { #aa:dbus own bus=session name=org.libreoffice interface+=org.gtk.Actions + dbus send bus=system path=/org/freedesktop/hostname1 + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=@{busname}, label=systemd-hostnamed), + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index b0397eb8d..f53e1b11f 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -44,9 +44,10 @@ profile mdadm @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/fd/ r, @{PROC}/cmdline r, + @{PROC}/devices r, @{PROC}/kcore r, - @{PROC}/partitions r, @{PROC}/mdstat rw, + @{PROC}/partitions r, /dev/**/ r, /dev/.tmp.md.* rw, diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 800013c9a..5d38271df 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -172,7 +172,7 @@ profile mkinitramfs @{exec_path} { owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw, owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r, - owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/@{lib}/modules/{,**} r, + /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/@{lib}/modules/{,**} r, owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r, owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r, diff --git a/apparmor.d/profiles-m-r/mpris-proxy b/apparmor.d/profiles-m-r/mpris-proxy index 3a5dfffb6..0bb994c04 100644 --- a/apparmor.d/profiles-m-r/mpris-proxy +++ b/apparmor.d/profiles-m-r/mpris-proxy @@ -14,6 +14,13 @@ profile mpris-proxy @{exec_path} { include #aa:dbus own bus=session name=org.mpris.MediaPlayer2 + #aa:dbus own bus=system name=org.mpris.MediaPlayer2.Player path=/{,**} + + dbus send bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=ListNames + peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"), + dbus receive bus=session path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index 73447e33e..165e3d3ad 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama @@ -44,9 +44,7 @@ profile ollama @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/mem_info_vram_used r, @{sys}/devices/@{pci}/numa_node r, @{sys}/devices/system/node/node@{int}/cpumap r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r, - @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r, + @{PROC}/devices r, @{PROC}/sys/net/core/somaxconn r, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index e5b54c34e..5bf1f3115 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -51,6 +51,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/echo rix, @{bin}/gdbus rix, @{bin}/gzip rix, + @{bin}/id rix, @{sbin}/ldconfig rix, @{bin}/repo2solv rix, @{bin}/tar rix, @@ -61,6 +62,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/arch-audit rPx, #aa:only arch @{bin}/dpkg rPx -> child-dpkg, #aa:only apt @{bin}/fc-cache rPx, + @{bin}/systemctl rCx -> systemctl, @{bin}/glib-compile-schemas rPx, @{bin}/install-info rPx, @{bin}/ischroot rPx, @@ -113,6 +115,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, + /dev/ptmx r, /dev/tty rw, profile gpg { @@ -150,6 +153,15 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { include if exists } + profile systemctl { + include + include + + capability net_admin, + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index f8fd84d3f..ae8dae855 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -10,6 +10,10 @@ include profile qemu-ga @{exec_path} { include + network bind netlink raw, + network inet stream, + network inet6 stream, + @{exec_path} mr, @{bin}/systemctl Cx -> systemctl, @@ -22,6 +26,7 @@ profile qemu-ga @{exec_path} { @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, + @{PROC}/@{pid}/net/dev r, @{PROC}/sys/vm/max_map_count r, /dev/vport@{int}p@{int} rw, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 0737effc6..e8ed68727 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -42,7 +42,6 @@ profile remmina @{exec_path} { @{open_path} rPx -> child-open-browsers, /usr/share/remmina/{,**} r, - /usr/share/themes/{,**} r, /etc/fstab r, /etc/ssh/ssh_config r, diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index 866b7cbfa..16336f804 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -7,11 +7,10 @@ abi , include -@{REPO_DIR} = @{MOUNTS}/debuilder/repo - @{exec_path} = @{bin}/reprepro profile reprepro @{exec_path} { include + include @{exec_path} mr, @@ -19,42 +18,21 @@ profile reprepro @{exec_path} { @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgsm rCx -> gpg, - owner @{PROC}/@{pid}/fd/ r, - - # The repository dir - owner @{REPO_DIR}/debian/ r, - owner @{REPO_DIR}/debian/conf/{distributions,options} r, - - owner @{REPO_DIR}/debian/db/lockfile rw, - owner @{REPO_DIR}/debian/db/version{,.new} rw, - owner @{REPO_DIR}/debian/db/packages.db rw, - owner @{REPO_DIR}/debian/db/references.db rw, - owner @{REPO_DIR}/debian/db/release.caches.db rw, - owner @{REPO_DIR}/debian/db/contents.cache.db rw, - owner @{REPO_DIR}/debian/db/checksums.db rw, - - owner @{REPO_DIR}/debian/dists/*/*/binary-*/Packages{,.gz} w, - owner @{REPO_DIR}/debian/dists/*/*/binary-*/Packages{,.gz}.new rw, - owner @{REPO_DIR}/debian/dists/*/*/source/Sources{,.gz} w, - owner @{REPO_DIR}/debian/dists/*/*/source/Sources{,.gz}.new rw, - owner @{REPO_DIR}/debian/dists/*/{In,}Release{,.new} rw, - owner @{REPO_DIR}/debian/dists/*/Release.gpg{,.new} rw, - - owner @{REPO_DIR}/debian/**/ w, - owner @{REPO_DIR}/debian/pool/*/*/*/*.tar.* rw, - owner @{REPO_DIR}/debian/pool/*/*/*/*.dsc rw, - owner @{REPO_DIR}/debian/pool/*/*/*/*.deb rw, - owner @{REPO_DIR}/debian/pool/*/*/*/*.git rw, - - # Dirs containing .deb files - owner @{REPO_DIR}/*.deb r, /var/cache/apt/archives/*.deb r, + owner @{user_projects_dirs}/** r, + owner @{user_build_dirs}/** r, + + owner @{user_pkg_dirs}/ rw, + owner @{user_pkg_dirs}/** rwlk, + # For package building owner @{user_build_dirs}/pbuilder/result/*.{dsc,changes} r, owner @{user_build_dirs}/pbuilder/result/*.deb r, owner @{user_build_dirs}/pbuilder/result/*.tar.* r, + owner @{PROC}/@{pid}/fd/ r, + profile gpg { include diff --git a/apparmor.d/profiles-s-z/snapshot b/apparmor.d/profiles-s-z/snapshot index 91ca7cd69..3e48a4bc7 100644 --- a/apparmor.d/profiles-s-z/snapshot +++ b/apparmor.d/profiles-s-z/snapshot @@ -11,10 +11,15 @@ include profile snapshot @{exec_path} flags=(attach_disconnected) { include include + include include include + include include - include + + network netlink raw, + + #aa:dbus own bus=session name=org.gnome.Snapshot @{exec_path} mr, @@ -23,8 +28,6 @@ profile snapshot @{exec_path} flags=(attach_disconnected) { owner @{user_pictures_dirs}/Camera/{,**} rw, owner @{user_videos_dirs}/Camera/{,**} rw, - @{sys}/devices/virtual/dmi/id/bios_vendor r, - include if exists } diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 441842fd4..5cdda4994 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity @@ -39,6 +39,8 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/user/@{uid}/speech-dispatcher/speechd.sock rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/sysstat-sadc b/apparmor.d/profiles-s-z/sysstat-sadc index 7d9143938..30c5e0b3c 100644 --- a/apparmor.d/profiles-s-z/sysstat-sadc +++ b/apparmor.d/profiles-s-z/sysstat-sadc @@ -24,13 +24,10 @@ profile sysstat-sadc @{exec_path} { @{sys}/class/fc_host/ r, @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/net/*/duplex r, + @{sys}/devices/**/duplex r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/name r, - @{sys}/devices/**/net/*/duplex r, - @{sys}/devices/**/net/*/speed r, - @{sys}/devices/virtual/net/*/duplex r, - @{sys}/devices/virtual/net/*/speed r, + @{sys}/devices/**/speed r, @{PROC}/@{pid}/net/* r, @{PROC}/diskstats r, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 9d55b7cd2..1ec163874 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -13,6 +13,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -21,7 +22,8 @@ profile totem @{exec_path} flags=(attach_disconnected) { signal (send) set=(kill) peer=totem//bwrap, - #aa:dbus own bus=session name=org.mpris.MediaPlayer2.totem + #aa:dbus own bus=session name=org.gnome.Totem + #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf index 47826d336..65ea284fa 100644 --- a/apparmor.d/profiles-s-z/ucf +++ b/apparmor.d/profiles-s-z/ucf @@ -33,6 +33,7 @@ profile ucf @{exec_path} { @{bin}/sed rix, @{bin}/seq rix, @{bin}/stat rix, + @{bin}/stty rix, @{bin}/tr rix, @{bin}/which{,.debianutils} rix, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index afcf3c249..50760f8c5 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/{c,}vlc -profile vlc @{exec_path} { +profile vlc @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include From 8ffbcfc0b5987b99a6de6cb2333efe0ad92e8378 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 22:28:51 +0200 Subject: [PATCH 782/798] feat(abs): improve signal and ptrace in the glycin stack. --- apparmor.d/abstractions/app/bwrap-glycin | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/apparmor.d/abstractions/app/bwrap-glycin b/apparmor.d/abstractions/app/bwrap-glycin index a3a5ceee6..d1a17b6c8 100644 --- a/apparmor.d/abstractions/app/bwrap-glycin +++ b/apparmor.d/abstractions/app/bwrap-glycin @@ -16,11 +16,13 @@ unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), - signal send set=kill peer=*//&glycin, - signal send set=kill peer=glycin//&*, + signal send set=kill peer=@{profile_name}, + signal send set=kill peer=@{profile_name}//&glycin, + signal send set=kill peer=glycin, - ptrace read peer=*//&glycin, - ptrace read peer=glycin//&*, + ptrace read peer=@{profile_name}, + ptrace read peer=@{profile_name}//&glycin, + ptrace read peer=glycin, @{bin}/bwrap mr, From 487bf85af201b4c1665bd5cd394bd9e01ca800a8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 23:23:12 +0200 Subject: [PATCH 783/798] build: add build support for apparmor 4 vs apparmor 4.1 This is required to allow us the use of priority in apparmor 4.1+ --- pkg/prebuild/builder/abi.go | 17 +++++++++++++++++ pkg/prebuild/cli/cli.go | 9 ++++++++- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index b0052d13f..f61316390 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -17,12 +17,19 @@ var ( ` all`, ` # all`, ` deny mqueue`, ` # deny mqueue`, }) + regApparmor41To40 = util.ToRegexRepl([]string{ + `priority=[0-9\-]*`, ``, + }) ) type ABI3 struct { prebuild.Base } +type APPARMOR40 struct { + prebuild.Base +} + func init() { RegisterBuilder(&ABI3{ Base: prebuild.Base{ @@ -30,8 +37,18 @@ func init() { Msg: "Build: convert all profiles from abi 4.0 to abi 3.0", }, }) + RegisterBuilder(&APPARMOR40{ + Base: prebuild.Base{ + Keyword: "apparmor4.0", + Msg: "Build: convert all profiles from apparmor 4.1 to 4.0 or less", + }, + }) } func (b ABI3) Apply(opt *Option, profile string) (string, error) { return regAbi4To3.Replace(profile), nil } + +func (b APPARMOR40) Apply(opt *Option, profile string) (string, error) { + return regApparmor41To40.Replace(profile), nil +} diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index afed5aedf..868bf69d8 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -133,8 +133,15 @@ func Configure() { } switch prebuild.ABI { case 3: - builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 + builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 + builder.Register("apparmor4.0") // Convert convert all profiles from apparmor 4.1 to 4.0 or less + case 4: + // priority support was added in 4.1 + if prebuild.Version == 4.0 { + builder.Register("apparmor4.0") + } + // Re-attach disconnected path if prebuild.Distribution == "ubuntu" && prebuild.Version >= 4.1 { // Ignored on ubuntu 25.04+ due to a memory leak that fully prevent From 36cd3bb8effaa9849a6b4694dfac932c63f60b58 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 23:35:25 +0200 Subject: [PATCH 784/798] feat(abs): add fontconfig-cache --- apparmor.d/abstractions/fontconfig-cache | 53 ++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 apparmor.d/abstractions/fontconfig-cache diff --git a/apparmor.d/abstractions/fontconfig-cache b/apparmor.d/abstractions/fontconfig-cache new file mode 100644 index 000000000..509c8a3ba --- /dev/null +++ b/apparmor.d/abstractions/fontconfig-cache @@ -0,0 +1,53 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2021-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + # The fontconfig cache can be generated via the following command: + # $ fc-cache -f -v + # + # There is no need to give apps the ability to create cache for their own. + # However, apps can generate the fontconfig cache if some cache files are missing. + # Therefore, if this behavior is desirable, you can use + # + # If not, you can block writing to the cache directories with + # + + abi , + + /var/cache/fontconfig/ r, + /var/cache/fontconfig/CACHEDIR.TAG r, + /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, + /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, + + owner @{gdm_cache_dirs}/fontconfig/ r, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG r, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.LCK r, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.NEW r, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.TMP-@{rand6} r, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, + + owner @{HOME}/.fontconfig/ r, + owner @{HOME}/.fontconfig/CACHEDIR.TAG r, + owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, + owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, + + owner @{user_cache_dirs}/fontconfig/ r, + owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG r, # {,.NEW,.LCK,.TMP-*} r, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r, # {,.NEW,.LCK,.TMP-*} r, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} r, + + # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to + # identify the font directory and is used to determine the cache filename if available. + /usr/share/**/.uuid r, + owner /usr/local/share/fonts/ r, + owner /usr/local/share/fonts/.uuid r, + owner @{HOME}/.fonts/ r, + owner @{HOME}/.fonts/.uuid r, + owner @{user_share_dirs}/fonts/ r, + owner @{user_share_dirs}/fonts/**/.uuid r, + + include if exists + +# vim:syntax=apparmor From a9fefa02932e03c3f43b0ba13a173ae2a1ee636d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 25 Sep 2025 23:36:22 +0200 Subject: [PATCH 785/798] feat(abs): rewrite fontconfig read and cache abs. --- apparmor.d/abstractions/fontconfig-cache-read | 14 ++- .../abstractions/fontconfig-cache-write | 93 ++++++++++++------- 2 files changed, 68 insertions(+), 39 deletions(-) diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index 306787378..1deddd130 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -3,14 +3,18 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - # The fontconfig cache can be generated via the following command: - # $ fc-cache -f -v - # There's no need to give apps the ability to create cache for their own. Apps can generate the - # fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use - # the "fontconfig-cache-write" abstraction. +# See for documentation. abi , + include if exists + + owner @{gdm_cache_dirs}/fontconfig/ r, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}.cache-?{,.NEW,.LCK,.TMP-*} r, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r, + deny @{gdm_cache_dirs}/fontconfig/ w, + deny @{gdm_cache_dirs}/fontconfig/** w, + owner @{user_cache_dirs}/fontconfig/ r, deny @{user_cache_dirs}/fontconfig/ w, deny @{user_cache_dirs}/fontconfig/** w, diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 922a15a6a..a3b7379d2 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -3,42 +3,67 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# See for documentation. + abi , - owner @{user_cache_dirs}/fontconfig/ rw, - owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, - owner @{user_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk, - owner @{user_cache_dirs}/fontconfig/*-le64.cache-@{int} w, - owner @{user_cache_dirs}/fontconfig/*-le64.cache-@{int}{,TMP-@{rand6},NEW,LCK} w, - - owner @{HOME}/.fontconfig/ rw, - owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, - owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk, - - owner @{HOME}/.fonts/ rw, - link @{HOME}/.fonts/.uuid.LCK -> @{HOME}/.fonts/.uuid.TMP-*, - owner @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*} r, - owner @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*} w, - - # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to - # identify the font directory and is used to determine the cache filename if available. - owner /usr/local/share/fonts/ rw, - owner /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} rw, - link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*, - # Should writing to these dirs be blocked? - /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} r, - deny /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*} w, - - /var/cache/fontconfig/ rw, - owner /var/cache/fontconfig/** rw, - owner /var/cache/fontconfig/*.cache-@{int} rwk, - owner /var/cache/fontconfig/*.cache-@{int}.LCK rwl, - owner /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl, - - # For fonts downloaded via font-manager (###FIXME### when they fix resolving of vars) - owner @{user_share_dirs}/fonts/ rw, - owner @{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*} rw, - link @{user_share_dirs}/fonts/**/.uuid.LCK -> @{user_share_dirs}/fonts/**/.uuid.TMP-*, + include + + owner /var/cache/fontconfig/ w, + owner /var/cache/fontconfig/CACHEDIR.TAG w, + owner /var/cache/fontconfig/CACHEDIR.TAG.LCK wl, + owner /var/cache/fontconfig/CACHEDIR.TAG.NEW w, + owner /var/cache/fontconfig/CACHEDIR.TAG.TMP-@{rand6} w, + owner /var/cache/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d} wl, + owner /var/cache/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner /var/cache/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner /var/cache/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, + owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner /var/cache/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + + owner @{gdm_cache_dirs}/fontconfig/ w, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d} wl, + owner @{gdm_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG w, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.LCK wl, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.NEW w, + owner @{gdm_cache_dirs}/fontconfig/CACHEDIR.TAG.TMP-@{rand6} w, + + owner @{HOME}/.fontconfig/ w, + owner @{HOME}/.fontconfig/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, + owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{HOME}/.fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{HOME}/.fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{HOME}/.fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{HOME}/.fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d} wl, + owner @{HOME}/.fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{HOME}/.fontconfig/CACHEDIR.TAG w, + owner @{HOME}/.fontconfig/CACHEDIR.TAG.LCK wl, + owner @{HOME}/.fontconfig/CACHEDIR.TAG.NEW w, + owner @{HOME}/.fontconfig/CACHEDIR.TAG.TMP-@{rand6} w, + + owner @{user_cache_dirs}/fontconfig/ w, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} wl, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{user_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{user_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.NEW w, + owner @{user_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.TMP-@{rand6} w, + owner @{user_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d} wl, + owner @{user_cache_dirs}/fontconfig/@{uuid}-le{32,64}{,d4}.cache-@{d}.LCK wl, + owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG w, + owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG.LCK wl, + owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG.NEW w, + owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG.TMP-@{rand6} w, include if exists From 99c441c4cddf908f955959df582bb7becc54b934 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 26 Sep 2025 00:01:23 +0200 Subject: [PATCH 786/798] feat(profile): reduce the number of transition in some profile, Bipass the error `profile x has too many specified profile transitions` --- apparmor.d/abstractions/fontconfig-cache-read | 2 +- apparmor.d/abstractions/trash-strict | 10 +++++----- apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/kde/kded | 4 ++-- apparmor.d/groups/kde/kwin_wayland | 4 ++-- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index 1deddd130..26ba79f98 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -7,7 +7,7 @@ abi , - include if exists + include owner @{gdm_cache_dirs}/fontconfig/ r, owner @{gdm_cache_dirs}/fontconfig/@{hex32}.cache-?{,.NEW,.LCK,.TMP-*} r, diff --git a/apparmor.d/abstractions/trash-strict b/apparmor.d/abstractions/trash-strict index a2b024d3e..30d518817 100644 --- a/apparmor.d/abstractions/trash-strict +++ b/apparmor.d/abstractions/trash-strict @@ -22,7 +22,7 @@ # Home trash location owner @{user_share_dirs}/Trash/ rw, owner @{user_share_dirs}/Trash/#@{int} rw, - owner @{user_share_dirs}/Trash/directorysizes{,.*} rwl -> @{user_share_dirs}/Trash/#@{int}, + owner @{user_share_dirs}/Trash/directorysizes{,.*} rwl, owner @{user_share_dirs}/Trash/files/{,**} rw, owner @{user_share_dirs}/Trash/info/ rw, owner @{user_share_dirs}/Trash/info/*.trashinfo{,.*} rw, @@ -35,7 +35,7 @@ owner @{MOUNTS}/.Trash/ rw, owner @{MOUNTS}/.Trash/@{uid}/ rw, owner @{MOUNTS}/.Trash/@{uid}/#@{int} rw, - owner @{MOUNTS}/.Trash/@{uid}/directorysizes{,.*} rwl -> @{MOUNTS}/.Trash/@{uid}/#@{int}, + owner @{MOUNTS}/.Trash/@{uid}/directorysizes{,.*} rwl, owner @{MOUNTS}/.Trash/@{uid}/files/{,**} rw, owner @{MOUNTS}/.Trash/@{uid}/info/ rw, owner @{MOUNTS}/.Trash/@{uid}/info/*.trashinfo{,.*} rw, @@ -47,7 +47,7 @@ # Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir owner @{MOUNTS}/.Trash-@{uid}/ rw, owner @{MOUNTS}/.Trash-@{uid}/#@{int} rw, - owner @{MOUNTS}/.Trash-@{uid}/directorysizes{,.*} rwl -> @{MOUNTS}/.Trash-@{uid}/#@{int}, + owner @{MOUNTS}/.Trash-@{uid}/directorysizes{,.*} rwl, owner @{MOUNTS}/.Trash-@{uid}/files/{,**} rw, owner @{MOUNTS}/.Trash-@{uid}/info/ rw, owner @{MOUNTS}/.Trash-@{uid}/info/*.trashinfo{,.*} rw, @@ -60,7 +60,7 @@ owner @{MOUNTS}/*/.Trash/ rw, owner @{MOUNTS}/*/.Trash/@{uid}/ rw, owner @{MOUNTS}/*/.Trash/@{uid}/#@{int} rw, - owner @{MOUNTS}/*/.Trash/@{uid}/directorysizes{,.*} rwl -> @{MOUNTS}/*/.Trash/@{uid}/#@{int}, + owner @{MOUNTS}/*/.Trash/@{uid}/directorysizes{,.*} rwl, owner @{MOUNTS}/*/.Trash/@{uid}/files/{,**} rw, owner @{MOUNTS}/*/.Trash/@{uid}/info/ rw, owner @{MOUNTS}/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw, @@ -72,7 +72,7 @@ # Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir owner @{MOUNTS}/*/.Trash-@{uid}/ rw, owner @{MOUNTS}/*/.Trash-@{uid}/#@{int} rw, - owner @{MOUNTS}/*/.Trash-@{uid}/directorysizes{,.*} rwl -> @{MOUNTS}/*/.Trash-@{uid}/#@{int}, + owner @{MOUNTS}/*/.Trash-@{uid}/directorysizes{,.*} rwl, owner @{MOUNTS}/*/.Trash-@{uid}/files/{,**} rw, owner @{MOUNTS}/*/.Trash-@{uid}/info/ rw, owner @{MOUNTS}/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 71719b170..33b7551c2 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -104,7 +104,7 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r, owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, - owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, + owner @{user_share_dirs}/flatpak/repo/** rwl, owner @{tmp}/#@{int} rw, owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 678c64e71..cc402bbd9 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -156,7 +156,7 @@ profile kded @{exec_path} { owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/kcookiejar/#@{int} rw, owner @{user_share_dirs}/kcookiejar/cookies.lock rwk, - owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int}, + owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl, owner @{user_share_dirs}/kded{5,6}/{,**} rw, owner @{user_share_dirs}/kscreen/{,**} rwl, owner @{user_share_dirs}/kservices{5,6}/{,**} r, @@ -166,7 +166,7 @@ profile kded @{exec_path} { owner @{user_share_dirs}/user-places.xbel r, owner @{user_state_dirs}/#@{int} rw, - owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index ab33ba2bf..276f33262 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -97,13 +97,13 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/breezerc r, owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, - owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl, owner @{user_config_dirs}/khotkeysrc r, owner @{user_config_dirs}/klaunchrc r, owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/kwinoutputconfig.json rw, owner @{user_config_dirs}/kwinrc.lock rwk, - owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl, owner @{user_config_dirs}/kwinrulesrc r, owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/menus/** r, From 37290dd6124f507545347b083d553c799af78f9f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 26 Sep 2025 00:01:53 +0200 Subject: [PATCH 787/798] feat(profile): update userdbctl --- apparmor.d/groups/systemd/userdbctl | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index fa7c13297..199d322b0 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -12,6 +12,7 @@ profile userdbctl @{exec_path} flags=(attach_disconnected) { include include + capability net_admin, capability dac_read_search, capability sys_resource, @@ -23,10 +24,17 @@ profile userdbctl @{exec_path} flags=(attach_disconnected) { /etc/gshadow r, /etc/shadow r, + /etc/userdb/ rw, /etc/machine-id r, + @{run}/userdb/ rw, + @{run}/credentials/systemd-userdb-load-credentials.service/ r, + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/gid_map r, owner @{PROC}/@{pid}/setgroups r, From 1e87a59f0aec73de548d20d616d65da8c036a68d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 26 Sep 2025 00:20:29 +0200 Subject: [PATCH 788/798] fix(profile): minor profile fixes. fix #877 --- .../groups/systemd-generators/systemd-generator-gpt-auto | 5 +++++ apparmor.d/groups/systemd/systemd-udevd | 2 ++ 2 files changed, 7 insertions(+) diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto index 444315108..23f273dd6 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto @@ -22,8 +22,13 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { @{efi}/ r, /etc/fstab r, /usr/ r, + /home/ r, @{run}/systemd/generator.late/**.{,auto}mount w, + @{run}/systemd/generator.late/home.mount.wants/ w, + @{run}/systemd/generator.late/local-fs.target.d/ w, + @{run}/systemd/generator.late/local-fs.target.d/*.conf w, + @{run}/systemd/generator.late/local-fs.target.requires/ w, @{run}/systemd/generator.late/local-fs.target.wants/ w, @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index decffb428..a40f1d160 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -94,6 +94,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { /etc/systemd/network/ r, /etc/systemd/network/@{int2}-*.link r, + / r, + @{run}/credentials/systemd-udev-load-credentials.service/ r, @{run}/modprobe.d/ r, @{run}/systemd/network/ r, From 3edc59825a60cba2ad3314fb8f4763dddf0509a6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 26 Sep 2025 00:52:28 +0200 Subject: [PATCH 789/798] fix(profile): linter issues. --- apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 | 2 +- apparmor.d/abstractions/user-dirs | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 index 0152774e1..3f70b35b4 100644 --- a/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/system/fi.w1.wpa_supplicant1 @@ -36,6 +36,6 @@ member=InterfaceRemoved peer=(name=@{busname}, label=wpa-supplicant), - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/user-dirs b/apparmor.d/abstractions/user-dirs index c1b6c85a6..d33a6764c 100644 --- a/apparmor.d/abstractions/user-dirs +++ b/apparmor.d/abstractions/user-dirs @@ -8,7 +8,7 @@ /etc/xdg/user-dirs.defaults r, owner @{desktop_config_dirs}/user-dirs.dirs r, - + owner @{user_config_dirs}/user-dirs.dirs r, include if exists From e8cb99cfc56898ed8f13da24cbe7ce465c85d104 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 27 Sep 2025 15:19:42 +0200 Subject: [PATCH 790/798] fix(profile): removed moved bus abstraction. --- apparmor.d/abstractions/app/chromium | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 2b5dfbfa6..dee842ca1 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -29,7 +29,6 @@ include include include - include include include include From 7d9df934ea0feafaf81d49d14ea99b8301d2afa7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 27 Sep 2025 16:06:44 +0200 Subject: [PATCH 791/798] fix(profile): various small fixes in profiles. see #884 fix #877 #875 --- apparmor.d/groups/apparmor/aa-log | 2 ++ apparmor.d/groups/apt/apt | 2 ++ apparmor.d/groups/apt/apt-methods-file | 1 + apparmor.d/groups/apt/dpkg-scripts | 6 +++--- apparmor.d/groups/bus/dbus-session | 2 +- apparmor.d/groups/children/glycin | 2 ++ apparmor.d/groups/freedesktop/geoclue | 2 ++ .../groups/freedesktop/xdg-desktop-portal | 1 + apparmor.d/groups/gnome/gdm-generate-config | 3 +++ apparmor.d/groups/gnome/gnome-initial-setup | 1 + apparmor.d/groups/gnome/gnome-keyring-daemon | 5 +++++ apparmor.d/groups/gnome/gnome-session-ctl | 2 +- .../groups/gnome/gnome-session-init-worker | 8 ++++++++ apparmor.d/groups/gnome/gnome-session-service | 4 ++++ apparmor.d/groups/gnome/gsd-media-keys | 5 +---- apparmor.d/groups/gnome/gsd-wwan | 1 + apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gnome/session-migration | 3 +++ apparmor.d/groups/gvfs/gvfsd-http | 3 ++- apparmor.d/groups/gvfs/gvfsd-recent | 1 + apparmor.d/groups/shadow/userdel | 1 + .../systemd-generator-openvpn | 2 ++ .../systemd-generators/systemd-generator-tpm2 | 1 + apparmor.d/groups/systemd/busctl | 2 ++ apparmor.d/groups/systemd/networkctl | 1 + apparmor.d/groups/systemd/systemd-coredump | 2 ++ apparmor.d/groups/systemd/systemd-homed | 5 +++-- apparmor.d/groups/systemd/systemd-machined | 9 ++++++--- apparmor.d/groups/systemd/systemd-networkd | 1 + apparmor.d/groups/systemd/systemd-nsresourced | 1 + .../groups/systemd/systemd-sleep-hdparm | 1 + apparmor.d/groups/systemd/systemd-sysusers | 5 +++++ .../groups/systemd/systemd-user-runtime-dir | 4 ++++ apparmor.d/groups/systemd/systemd-userdbd | 2 ++ apparmor.d/groups/ubuntu/apport | 1 + .../groups/ubuntu/software-properties-gtk | 2 +- .../groups/ubuntu/update-motd-fsck-at-reboot | 5 ++++- apparmor.d/groups/utils/lsfd | 19 ++++++++++--------- apparmor.d/groups/virt/cockpit-bridge | 1 + apparmor.d/profiles-m-r/pinentry-gnome3 | 11 ++++++++++- apparmor.d/profiles-m-r/pinentry-gtk | 11 +++++++++++ apparmor.d/profiles-m-r/pinentry-kwallet | 11 +++++++++++ apparmor.d/profiles-m-r/pinentry-qt | 11 +++++++++++ apparmor.d/profiles-m-r/remmina | 1 + apparmor.d/profiles-s-z/tlp | 2 ++ 45 files changed, 140 insertions(+), 27 deletions(-) diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log index 80e396125..aed8e3163 100644 --- a/apparmor.d/groups/apparmor/aa-log +++ b/apparmor.d/groups/apparmor/aa-log @@ -21,6 +21,8 @@ profile aa-log @{exec_path} { /var/log/audit/* r, /var/log/syslog* r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 8581fe724..31b539dcd 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -217,6 +217,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, + ptrace read peer=@{p_systemd}, + signal (send) set=(cont, term) peer=systemd-tty-ask-password-agent, @{bin}/systemd-tty-ask-password-agent rPx, diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index 25afbcb35..6796a7563 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -39,6 +39,7 @@ profile apt-methods-file @{exec_path} { /etc/ r, /root/ r, + owner /var/lib/apt/lists/auxfiles/* rw, owner /var/lib/apt/lists/partial/* rw, /var/log/cron-apt/temp w, diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts index f49304709..138aac66c 100644 --- a/apparmor.d/groups/apt/dpkg-scripts +++ b/apparmor.d/groups/apt/dpkg-scripts @@ -51,9 +51,9 @@ profile dpkg-scripts @{exec_path} { #aa:lint ignore=too-wide # Maintainer scripts can legitimately start/restart anything # PU is only used as a safety fallback. - @{bin}/** PUx, - @{sbin}/** PUx, - @{lib}/** PUx, + @{bin}/** mPUx, + @{sbin}/** mPUx, + @{lib}/** mPUx, /etc/** PUx, /usr/share/** PUx, diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 7fafdfdb7..c4af45e11 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -58,7 +58,7 @@ profile dbus-session flags=(attach_disconnected) { # Dbus can receive any user files owner @{HOME}/** r, - owner @{att}/@{HOME}/** r, + owner @{att}/@{HOME}/** rk, owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index 4bde8a957..0580a3ad6 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -18,6 +18,8 @@ profile glycin flags=(attach_disconnected,complain) { @{lib}/glycin-loaders/@{d}+/glycin-* Cx -> &glycin//loaders, # Safe deny of inherited files from parent process. + deny network inet dgram, + deny network inet6 dgram, deny owner @{HOME}/.*/** rw, deny owner /tmp/*/** w, deny /opt/*/** rw, diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index 3360c4881..e5697d4c9 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -37,6 +37,8 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { /var/lib/nscd/services r, /var/lib/dbus/machine-id r, + @{run}/systemd/resolve/io.systemd.Resolve rw, + @{PROC}/@{pids}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 95f801a4a..379500040 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -22,6 +22,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index c5e6d4cd5..218b96e65 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -42,6 +42,7 @@ profile gdm-generate-config @{exec_path} { @{sys}/devices/system/node/node@{int}/meminfo r, @{PROC}/ r, + @{PROC}/@{pid}/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, @@ -55,6 +56,8 @@ profile gdm-generate-config @{exec_path} { @{bin}/pkill mr, + @{PROC}/@{pid}/ r, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index 1e8bc3623..22ac95148 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -38,6 +38,7 @@ profile gnome-initial-setup @{exec_path} { @{bin}/df rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/locale rix, + @{bin}/lsb_release rPx, @{bin}/lscpu rPx, @{bin}/lspci rPx, @{bin}/xrandr rPx, diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 0dfac52bf..589919c5a 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -39,6 +39,11 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { member=GetSession peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"), + dbus send bus=session path=/org/gnome/SessionManager + interface=org.gnome.SessionManager + member=Setenv + peer=(name=org.gnome.SessionManager, label="@{p_gnome_session}"), + @{exec_path} mr, @{bin}/ssh-add rix, diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl index 04c4ce628..74b628944 100644 --- a/apparmor.d/groups/gnome/gnome-session-ctl +++ b/apparmor.d/groups/gnome/gnome-session-ctl @@ -23,7 +23,7 @@ profile gnome-session-ctl @{exec_path} { dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member=Initialized - peer=(name=org.gnome.SessionManager, label=gnome-session-binary), + peer=(name=org.gnome.SessionManager, label="@{p_gnome_session}"), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-session-init-worker b/apparmor.d/groups/gnome/gnome-session-init-worker index 787bbda17..77f187ad7 100644 --- a/apparmor.d/groups/gnome/gnome-session-init-worker +++ b/apparmor.d/groups/gnome/gnome-session-init-worker @@ -9,9 +9,17 @@ include @{exec_path} = @{lib}/gnome-session-init-worker profile gnome-session-init-worker @{exec_path} { include + include + include + include + + signal receive set=term peer=gdm, + signal receive set=term peer=gdm-session, @{exec_path} mr, + owner @{run}/user/@{uid}/gnome-session-leader-fifo w, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-service b/apparmor.d/groups/gnome/gnome-session-service index 200c4ac2a..2012b957d 100644 --- a/apparmor.d/groups/gnome/gnome-session-service +++ b/apparmor.d/groups/gnome/gnome-session-service @@ -39,6 +39,10 @@ profile gnome-session-service @{exec_path} flags=(attach_disconnected) { @{etc_ro}/xdg/autostart/{,*.desktop} r, + owner @{user_config_dirs}/autostart/{,*.desktop} r, + + @{run}/systemd/users/@{uid} r, + @{run}/systemd/sessions/@{int} r, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 5002f3f39..f81a3698f 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -55,10 +55,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # For /dev/bus/usb/** - @{sys}/devices/**/usb@{int}/{,**} r, - @{sys}/devices/@{pci}/sound/**/uevent r, - @{sys}/devices/platform/**/uevent r, - @{sys}/devices/virtual/**/uevent r, + @{sys}/devices/**/uevent r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan index 3a5ee53df..c6beba996 100644 --- a/apparmor.d/groups/gnome/gsd-wwan +++ b/apparmor.d/groups/gnome/gsd-wwan @@ -13,6 +13,7 @@ profile gsd-wwan @{exec_path} { include include include + include #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Wwan diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index c405a3bf8..190c881da 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -131,6 +131,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/net/wireless r, @{PROC}/sys/dev/i915/perf_stream_paranoid r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index b31532cae..84e47b109 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -19,7 +19,10 @@ profile session-migration @{exec_path} { @{sh_path} rix, @{python_path} rix, @{bin}/dconf rPx, + @{bin}/grep rix, @{bin}/gsettings rPx, + @{bin}/tr rix, + @{bin}/update-alternatives rPx, /usr/share/session-migration/scripts/* rix, /usr/share/session-migration/{,**} r, diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http index 94667e71f..e41ffdde4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-http +++ b/apparmor.d/groups/gvfs/gvfsd-http @@ -11,8 +11,9 @@ include profile gvfsd-http @{exec_path} { include include - include include + include + include include include include diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index a7855beed..85822b6f4 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -13,6 +13,7 @@ profile gvfsd-recent @{exec_path} { include include include + include include include diff --git a/apparmor.d/groups/shadow/userdel b/apparmor.d/groups/shadow/userdel index 589c726d0..e82d5a117 100644 --- a/apparmor.d/groups/shadow/userdel +++ b/apparmor.d/groups/shadow/userdel @@ -51,6 +51,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) { /var/lib/*/{,**} rw, @{PROC}/ r, + @{PROC}/@{pid}/status r, @{PROC}/@{pids}/task/ r, include if exists diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn index 7b2130db3..a9a5be11c 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-openvpn +++ b/apparmor.d/groups/systemd-generators/systemd-generator-openvpn @@ -10,6 +10,8 @@ include profile systemd-generator-openvpn @{exec_path} flags=(attach_disconnected) { include + capability sys_admin, + ptrace read peer=@{p_systemd}, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 index ee5d924cc..3d23784a5 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 +++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 @@ -16,6 +16,7 @@ profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) { @{sys}/class/tpmrm/ r, @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r, + @{sys}/firmware@{efi}/efivars/LoaderTpm2ActivePcrBanks-@{uuid} r, @{PROC}/@{pid}/cgroup r, @{PROC}/1/cgroup r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index eed7080f8..9d4217805 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/busctl profile busctl @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -65,6 +66,7 @@ profile busctl @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/stat r, + @{PROC}/1/status r, include if exists } diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index a0d1471f9..1a65a4ff6 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -51,6 +51,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { /{run,var}/log/journal/@{hex32}/system.journal* r, /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r, + @{run}/systemd/netif/io.systemd.Network rw, @{att}/@{run}/systemd/netif/io.systemd.Network rw, @{run}/systemd/netif/links/ r, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 061b93ffd..dd3a21bc2 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -39,11 +39,13 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted @{user_lib_dirs}/** r, /snap/*/@{int}/opt/** r, /snap/*/@{int}/usr/** r, + @{att}/ r, /etc/systemd/coredump.conf r, /etc/systemd/coredump.conf.d/{,**} r, owner @{HOME}/**.so* r, + owner @{HOME}/.var/app/*/** r, # Crash from flatpak apps /var/lib/systemd/coredump/{,**} rwl, diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index c53be3a35..c4d4800b2 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -77,10 +77,11 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{run}/systemd/notify w, @{sys}/bus/ r, - @{sys}/fs/ r, @{sys}/class/ r, - @{sys}/kernel/uevent_seqnum r, @{sys}/devices/**/read_ahead_kb r, + @{sys}/devices/**/uevent r, + @{sys}/fs/ r, + @{sys}/kernel/uevent_seqnum r, @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index 520080082..4d8919cb0 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/systemd/systemd-machined -profile systemd-machined @{exec_path} flags=(attach_disconnected) { +profile systemd-machined @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include @@ -35,6 +35,8 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { signal send set=rtmin+6 peer=systemd-nspawn, + ptrace read peer=@{p_systemd}, + ptrace read peer=libvirtd, ptrace read peer=systemd-nspawn, unix type=stream addr=@@{udbus}/bus/systemd-machine/system, @@ -57,14 +59,15 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) { owner @{run}/systemd/nspawn/locks/ w, owner @{run}/systemd/nspawn/locks/** rwk, - @{run}/systemd/machine/{,**} rw, - @{run}/systemd/machines/{,**} rw, + @{run}/systemd/machine/{,**} rwl, + @{run}/systemd/machines/{,**} rwl, @{run}/systemd/notify w, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/gid_map r, @{PROC}/@{pid}/setgroups r, + @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/uid_map r, @{PROC}/pressure/cpu r, @{PROC}/pressure/io r, diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index ccb6d9629..7bf649327 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -76,6 +76,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/ r, @{sys}/devices/@{pci}/rfkill@{int}/* r, @{sys}/devices/**/net/** r, + @{sys}/devices/**/uevent r, @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, diff --git a/apparmor.d/groups/systemd/systemd-nsresourced b/apparmor.d/groups/systemd/systemd-nsresourced index 97dcb3b05..b11ab12b5 100644 --- a/apparmor.d/groups/systemd/systemd-nsresourced +++ b/apparmor.d/groups/systemd/systemd-nsresourced @@ -12,6 +12,7 @@ profile systemd-nsresourced @{exec_path} flags=(attach_disconnected) { include capability bpf, + capability net_admin, capability perfmon, capability sys_resource, diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 5b9c51dbe..982df7bad 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -13,6 +13,7 @@ profile systemd-sleep-hdparm @{exec_path} { @{exec_path} mr, @{sh_path} r, + @{bin}/grep ix, @{lib}/pm-utils/power.d/*hdparm-apm ix, include if exists diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 2d250f63c..2b31e4bb8 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -12,10 +12,15 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) { include include + capability audit_write, capability chown, capability fsetid, capability net_admin, + network netlink raw, + + ptrace read peer=@{p_systemd}, + signal send set=cont peer=child-pager, @{exec_path} mr, diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index 363b9a32d..d2b91016c 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -31,6 +31,10 @@ profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, + /dev/shm/ r, + /tmp/ r, + /var/tmp/ r, + @{run}/user/@{uid}/{,**} rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index f9fad3693..cb14a2c71 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd @@ -29,6 +29,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) /etc/shadow r, /etc/machine-id r, + /etc/userdb/{,**} r, @{att}/@{run}/systemd/notify w, @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw, @@ -36,6 +37,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted) @{att}/@{run}/systemd/userdb/io.systemd.Machine rw, @{run}/systemd/userdb/{,**} rw, + @{run}/userdb/ r, @{PROC}/@{pid}/cgroup r, @{PROC}/pressure/cpu r, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index 35267de3c..010f9139c 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -69,6 +69,7 @@ profile apport @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/environ r, @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, @{PROC}/@{pids}/status r, @{PROC}/sys/fs/suid_dumpable w, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 836adbb55..702bc4732 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -59,7 +59,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, - owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, + owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/sem.@{rand6}, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index c244f2902..52f3b8659 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -7,9 +7,11 @@ abi , include @{exec_path} = @{lib}/update-notifier/update-motd-fsck-at-reboot -profile update-motd-fsck-at-reboot @{exec_path} { +profile update-motd-fsck-at-reboot @{exec_path} flags=(attach_disconnected) { include + capability dac_read_search, + @{exec_path} mr, @{sbin}/dumpe2fs rPx, @@ -28,6 +30,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { @{run}/motd.dynamic.new w, @{PROC}/uptime r, + @{PROC}/@{pid}/mountinfo r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/utils/lsfd b/apparmor.d/groups/utils/lsfd index 96e497ea6..adfdd207e 100644 --- a/apparmor.d/groups/utils/lsfd +++ b/apparmor.d/groups/utils/lsfd @@ -49,15 +49,16 @@ profile lsfd @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/cpu_byteorder r, @{PROC}/ r, - @{PROC}/@{pid}/ r, - @{PROC}/@{pid}/comm r, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pid}/mountinfo r, - @{PROC}/@{pid}/net/* r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/syscall r, - @{PROC}/@{pid}/task/ r, + @{PROC}/@{pids}/ r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/fd/ r, + @{PROC}/@{pids}/fdinfo/@{int} r, + @{PROC}/@{pids}/maps r, + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/net/* r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/syscall r, + @{PROC}/@{pids}/task/ r, @{PROC}/devices r, @{PROC}/misc r, @{PROC}/partitions r, diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index d8c71803d..33cbc2857 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -136,6 +136,7 @@ profile cockpit-bridge @{exec_path} { include include + @{run}/udev/data/b@{int}:* r, # For block devices @{run}/udev/data/n@{int} r, # For network interfaces include if exists diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index b60d929e2..40990bf9b 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -10,12 +10,21 @@ include profile pinentry-gnome3 @{exec_path} { include include - include include include signal receive set=int, + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}), + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=org.gnome.keyring.SystemPrompter), + @{exec_path} mr, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/pinentry-gtk b/apparmor.d/profiles-m-r/pinentry-gtk index d07a64a5a..9cdcd432b 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk +++ b/apparmor.d/profiles-m-r/pinentry-gtk @@ -10,10 +10,21 @@ include @{exec_path} = @{bin}/pinentry-gtk{,-2} profile pinentry-gtk @{exec_path} { include + include include include include + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}), + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=org.gnome.keyring.SystemPrompter), + @{exec_path} mr, @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/pinentry-kwallet b/apparmor.d/profiles-m-r/pinentry-kwallet index adff98c53..c70cdbf26 100644 --- a/apparmor.d/profiles-m-r/pinentry-kwallet +++ b/apparmor.d/profiles-m-r/pinentry-kwallet @@ -10,11 +10,22 @@ include @{exec_path} = @{bin}/pinentry-kwallet profile pinentry-kwallet @{exec_path} { include + include include include signal (send) set=(term, kill) peer=gpg-agent, + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}), + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=org.gnome.keyring.SystemPrompter), + @{exec_path} mr, @{bin}/date rix, diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 66729769f..947a57a70 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/pinentry-qt profile pinentry-qt @{exec_path} { include + include include include include @@ -19,6 +20,16 @@ profile pinentry-qt @{exec_path} { ptrace read peer=gpg-agent, + dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int} + interface=org.gnome.keyring.internal.Prompter.Callback + member={PromptReady,PromptDone} + peer=(name=@{busname}), + + dbus send bus=session path=/org/gnome/keyring/Prompter + interface=org.gnome.keyring.internal.Prompter + member={BeginPrompting,PerformPrompt,StopPrompting} + peer=(name=org.gnome.keyring.SystemPrompter), + @{exec_path} mr, /etc/machine-id r, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index e8ed68727..7ea88646a 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -40,6 +40,7 @@ profile remmina @{exec_path} { @{exec_path} rm, @{open_path} rPx -> child-open-browsers, + @{bin}/lsb_release rPx, /usr/share/remmina/{,**} r, diff --git a/apparmor.d/profiles-s-z/tlp b/apparmor.d/profiles-s-z/tlp index 1592d3aee..d6891c2db 100644 --- a/apparmor.d/profiles-s-z/tlp +++ b/apparmor.d/profiles-s-z/tlp @@ -111,6 +111,8 @@ profile tlp @{exec_path} flags=(attach_disconnected) { @{run}/tlp/lock_tlp rw, # file_inherit + @{run}/udev/data/b@{int}:* r, # For block devices + include if exists } From 76cafe08ba9f6ccba6ce076125e9f68d1cfbabcd Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 27 Sep 2025 16:42:13 +0200 Subject: [PATCH 792/798] feat(profiles): add global support for glycin loaders MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Globally add bwrap transition to the glycin profile in the gtk{-sẗrict} abstractions. It can be overwritten in profile when bwrap is needed for other purposes. Only enabled on apparmor 4.1, as older version do not support priority rule, and are not concerned by this resent update.this resent update. fix #884 fix #886 fix #887 fix #881 --- apparmor.d/abstractions/app/bwrap-glycin | 9 +++++---- apparmor.d/abstractions/gtk-strict | 8 ++++++++ apparmor.d/abstractions/gtk.d/complete | 8 ++++++++ apparmor.d/groups/browsers/epiphany | 1 + apparmor.d/groups/browsers/firefox | 3 ++- apparmor.d/groups/children/glycin | 4 ++++ apparmor.d/groups/gnome/gnome-desktop-thumbnailers | 1 + apparmor.d/groups/gnome/gnome-extension-gsconnect | 1 - apparmor.d/groups/gnome/gnome-shell | 3 +-- apparmor.d/groups/gnome/gnome-software | 1 - apparmor.d/groups/gnome/loupe | 10 ---------- apparmor.d/profiles-a-f/fractal | 7 ------- apparmor.d/profiles-s-z/terminator | 2 -- apparmor.d/profiles-s-z/thunderbird | 3 ++- 14 files changed, 32 insertions(+), 29 deletions(-) diff --git a/apparmor.d/abstractions/app/bwrap-glycin b/apparmor.d/abstractions/app/bwrap-glycin index d1a17b6c8..9cdbd8a7f 100644 --- a/apparmor.d/abstractions/app/bwrap-glycin +++ b/apparmor.d/abstractions/app/bwrap-glycin @@ -1,9 +1,10 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Base set of rules for glycin-loaders sandboxed with bwrap. -# - It is safe to use when used like in the glycin profile. +# - It is very safe to use when used like in the glycin profile. # - It is **not** safe to use when used by a profile stacking glycin # See https://github.com/roddhjav/apparmor.d/issues/881 for more details. @@ -16,9 +17,9 @@ unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), - signal send set=kill peer=@{profile_name}, - signal send set=kill peer=@{profile_name}//&glycin, - signal send set=kill peer=glycin, + signal (send receive) set=kill peer=@{profile_name}, + signal (send receive) set=kill peer=@{profile_name}//&glycin, + signal (send receive) set=kill peer=glycin, ptrace read peer=@{profile_name}, ptrace read peer=@{profile_name}//&glycin, diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict index ed016bb24..8b9fe0ce7 100644 --- a/apparmor.d/abstractions/gtk-strict +++ b/apparmor.d/abstractions/gtk-strict @@ -9,6 +9,14 @@ include include + unix type=stream peer=(label=glycin), + unix type=stream peer=(label=glycin//loaders), + + signal send set=kill peer=glycin, + + #aa:only apparmor4.1 + priority=-1 @{bin}/bwrap Px -> glycin, + @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr, @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr, @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr, diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 2aff75be4..9aad66171 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -7,6 +7,14 @@ include include + unix type=stream peer=(label=glycin), + unix type=stream peer=(label=glycin//loaders), + + signal send set=kill peer=glycin, + + #aa:only apparmor4.1 + priority=-1 @{bin}/bwrap Px -> glycin, + @{lib}/{,@{multiarch}/}gtk*/** mr, /usr/share/glycin-loaders/{,**} r, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 2787871db..5589c7dec 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -35,6 +35,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, @{bin}/bwrap rix, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> epiphany//&glycin//loaders, /usr/share/enchant*/{,**} r, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 8d420789b..0f15e17ef 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -15,7 +15,7 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile firefox @{exec_path} flags=(attach_disconnected) { include - include + include #aa:only apparmor4.1 include include include @@ -34,6 +34,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + #aa:only apparmor4.1 # glycin-loaders sandboxed profile stack @{bin}/bwrap Px -> firefox//&glycin, @{lib}/glycin-loaders/@{d}+/glycin-* Px -> firefox//&glycin//&glycin//loaders, diff --git a/apparmor.d/groups/children/glycin b/apparmor.d/groups/children/glycin index 0580a3ad6..19ec6efb3 100644 --- a/apparmor.d/groups/children/glycin +++ b/apparmor.d/groups/children/glycin @@ -5,6 +5,9 @@ # Confine glycin-loaders sandboxed with bwrap. It also confines bwrap itself. # for this use case. +# Note: This profile does not specify an attachment path because it is +# intended to be used only via "Px -> glycin" exec transitions from other profiles. + abi , include @@ -20,6 +23,7 @@ profile glycin flags=(attach_disconnected,complain) { # Safe deny of inherited files from parent process. deny network inet dgram, deny network inet6 dgram, + deny /usr/share/icons/** r, deny owner @{HOME}/.*/** rw, deny owner /tmp/*/** w, deny /opt/*/** rw, diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index b0bb1cb46..6d8d91ec7 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -16,6 +16,7 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) { @{bin}/bwrap mr, @{bin}/*-thumbnailer rix, + @{lib}/glycin-loaders/@{d}+/glycin-* Px -> gnome-desktop-thumbnailers//&glycin//loaders, /usr/share/ladspa/rdf/{,**} r, /usr/share/poppler/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index ed52d09f7..700838ea8 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -54,7 +54,6 @@ profile gnome-extension-gsconnect @{exec_path} { @{bin}/openssl rix, @{bin}/ssh-add rix, - @{bin}/bwrap rPx -> glycin, @{bin}/dconf rPx, @{bin}/ssh-keygen rPx, @{bin}/xdg-screensaver rPx, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index de94b49b1..76cdda644 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -198,7 +198,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/unzip rix, - @{bin}/bwrap rPx -> glycin, @{bin}/flatpak rPx, @{bin}/gjs-console rPx -> gnome-extension, @{bin}/glib-compile-schemas rPx, @@ -255,6 +254,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{gdm_cache_dirs}/ w, owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk, owner @{gdm_cache_dirs}/fontconfig/{,*} rwl, + owner @{gdm_cache_dirs}/glycin/{,**} rw, owner @{gdm_cache_dirs}/gstreamer-@{int}/ rw, owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw, @@ -337,7 +337,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/.org.chromium.Chromium.@{rand6}/ r, owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.@{icon_ext} r, owner @{tmp}/@{rand6}.shell-extension.zip rw, - owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{att}/@{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 33b7551c2..d8f3c3f00 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -107,7 +107,6 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/repo/** rwl, owner @{tmp}/#@{int} rw, - owner @{tmp}/gdk-pixbuf-glycin-tmp.@{rand6} rw, owner @{tmp}/ostree-gpg-@{rand6}/ rw, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index b40640b5c..5f58b6426 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -21,11 +21,6 @@ profile loupe @{exec_path} flags=(attach_disconnected) { include include - unix type=stream peer=(label=glycin), - unix type=stream peer=(label=glycin//loaders), - - signal send set=kill peer=glycin, - #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @@ -37,15 +32,10 @@ profile loupe @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/bwrap rPx -> glycin, @{open_path} rPx -> child-open-help, - /usr/share/glycin-loaders/{,**} r, - / r, - owner @{user_cache_dirs}/glycin/{,**} rw, - @{run}/mount/utab r, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index d50bc48cd..edbb8c754 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -22,19 +22,12 @@ profile fractal @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, - signal send set=kill peer=glycin, - - unix type=stream peer=(label=glycin), - unix type=stream peer=(label=glycin//loaders), - #aa:dbus own bus=session name=org.gnome.Fractal @{exec_path} mr, - @{bin}/bwrap rPx -> glycin, @{open_path} rPx -> child-open-help, - /usr/share/glycin-loaders/{,**} r, /usr/share/xml/iso-codes/{,**} r, owner @{tmp}/.@{rand6} rw, diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator index 2f38799d5..769771b6a 100644 --- a/apparmor.d/profiles-s-z/terminator +++ b/apparmor.d/profiles-s-z/terminator @@ -37,8 +37,6 @@ profile terminator @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{python_path} rix, - @{bin}/bwrap rPx -> glycin, - # The shell is not confined on purpose. @{bin}/@{shells} rUx, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 0934e6986..fc40375bb 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -15,7 +15,7 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile thunderbird @{exec_path} flags=(attach_disconnected) { include - include + include #aa:only apparmor4.1 include include include @@ -27,6 +27,7 @@ profile thunderbird @{exec_path} flags=(attach_disconnected) { @{lib_dirs}/glxtest rPx -> thunderbird//&thunderbird-glxtest, @{lib_dirs}/vaapitest rPx -> thunderbird//&thunderbird-vaapitest, + #aa:only apparmor4.1 # glycin-loaders sandboxed profile stack @{bin}/bwrap Px -> thunderbird//&glycin, @{lib}/glycin-loaders/@{d}+/glycin-* Px -> thunderbird//&glycin//&glycin//loaders, From 2613ccee0bb876ef0191dbaf9783920f2c4c0501 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 27 Sep 2025 16:48:05 +0200 Subject: [PATCH 793/798] chore: linter fix --- apparmor.d/abstractions/gtk-strict | 2 +- apparmor.d/abstractions/gtk.d/complete | 2 +- apparmor.d/groups/gnome/gnome-session-init-worker | 2 +- apparmor.d/groups/gnome/session-migration | 2 +- apparmor.d/groups/shadow/userdel | 2 +- apparmor.d/groups/systemd/systemd-sleep-hdparm | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/apparmor.d/abstractions/gtk-strict b/apparmor.d/abstractions/gtk-strict index 8b9fe0ce7..8dfa4c894 100644 --- a/apparmor.d/abstractions/gtk-strict +++ b/apparmor.d/abstractions/gtk-strict @@ -12,7 +12,7 @@ unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), - signal send set=kill peer=glycin, + signal send set=kill peer=glycin, #aa:only apparmor4.1 priority=-1 @{bin}/bwrap Px -> glycin, diff --git a/apparmor.d/abstractions/gtk.d/complete b/apparmor.d/abstractions/gtk.d/complete index 9aad66171..c3ceda83d 100644 --- a/apparmor.d/abstractions/gtk.d/complete +++ b/apparmor.d/abstractions/gtk.d/complete @@ -10,7 +10,7 @@ unix type=stream peer=(label=glycin), unix type=stream peer=(label=glycin//loaders), - signal send set=kill peer=glycin, + signal send set=kill peer=glycin, #aa:only apparmor4.1 priority=-1 @{bin}/bwrap Px -> glycin, diff --git a/apparmor.d/groups/gnome/gnome-session-init-worker b/apparmor.d/groups/gnome/gnome-session-init-worker index 77f187ad7..a02ccc8c4 100644 --- a/apparmor.d/groups/gnome/gnome-session-init-worker +++ b/apparmor.d/groups/gnome/gnome-session-init-worker @@ -13,7 +13,7 @@ profile gnome-session-init-worker @{exec_path} { include include - signal receive set=term peer=gdm, + signal receive set=term peer=gdm, signal receive set=term peer=gdm-session, @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration index 84e47b109..b58a36206 100644 --- a/apparmor.d/groups/gnome/session-migration +++ b/apparmor.d/groups/gnome/session-migration @@ -19,7 +19,7 @@ profile session-migration @{exec_path} { @{sh_path} rix, @{python_path} rix, @{bin}/dconf rPx, - @{bin}/grep rix, + @{bin}/{,e}grep rix, @{bin}/gsettings rPx, @{bin}/tr rix, @{bin}/update-alternatives rPx, diff --git a/apparmor.d/groups/shadow/userdel b/apparmor.d/groups/shadow/userdel index e82d5a117..06e6bba3a 100644 --- a/apparmor.d/groups/shadow/userdel +++ b/apparmor.d/groups/shadow/userdel @@ -51,7 +51,7 @@ profile userdel @{exec_path} flags=(attach_disconnected) { /var/lib/*/{,**} rw, @{PROC}/ r, - @{PROC}/@{pid}/status r, + @{PROC}/@{pids}/status r, @{PROC}/@{pids}/task/ r, include if exists diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 982df7bad..3cb15904e 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -13,7 +13,7 @@ profile systemd-sleep-hdparm @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/grep ix, + @{bin}/{,e}grep ix, @{lib}/pm-utils/power.d/*hdparm-apm ix, include if exists From 0ef6041dc38ccfd1c87699170518a56f03e1d9e6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 27 Sep 2025 16:55:09 +0200 Subject: [PATCH 794/798] tests: generalise autopkgtest path Only enabled for when build with just complain-test --- apparmor.d/abstractions/apt | 3 --- apparmor.d/abstractions/base-strict | 3 +++ apparmor.d/groups/apt/dpkg-deb | 3 --- apparmor.d/groups/apt/dpkg-genbuildinfo | 3 --- apparmor.d/groups/apt/dpkg-genchanges | 3 --- apparmor.d/groups/apt/dpkg-split | 3 --- 6 files changed, 3 insertions(+), 15 deletions(-) diff --git a/apparmor.d/abstractions/apt b/apparmor.d/abstractions/apt index 25106ad6e..2802ac2a8 100644 --- a/apparmor.d/abstractions/apt +++ b/apparmor.d/abstractions/apt @@ -35,9 +35,6 @@ owner @{tmp}/#@{int} rw, owner @{tmp}/clearsigned.message.* rw, - #aa:only test - /tmp/autopkgtest.@{rand6}/** rwk, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/base-strict b/apparmor.d/abstractions/base-strict index e65e45d62..8f8f3c4ce 100644 --- a/apparmor.d/abstractions/base-strict +++ b/apparmor.d/abstractions/base-strict @@ -129,6 +129,9 @@ # StackGuard, FormatGuard, etc., alerts can be properly logged. /dev/log w, + #aa:only test + /tmp/autopkgtest.@{rand6}/** rwk, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index 97d4d382c..4fedbcd5f 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb @@ -33,9 +33,6 @@ profile dpkg-deb @{exec_path} { owner @{tmp}/dpkg-deb.@{rand6}/ rw, owner @{tmp}/dpkg-deb.@{rand6}/* rw, - #aa:only test - /tmp/autopkgtest.@{rand6}/{,**} rw, - include if exists } diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index 536098fa0..b9853ca32 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -37,9 +37,6 @@ profile dpkg-genbuildinfo @{exec_path} { owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - #aa:only test - /tmp/autopkgtest.@{rand6}/** rwk, - include if exists } diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges index 0ba28c80a..7c7ad1681 100644 --- a/apparmor.d/groups/apt/dpkg-genchanges +++ b/apparmor.d/groups/apt/dpkg-genchanges @@ -26,9 +26,6 @@ profile dpkg-genchanges @{exec_path} flags=(complain) { # For package building owner @{user_build_dirs}/** rw, - #aa:only test - /tmp/autopkgtest.@{rand6}/{,**} rw, - include if exists } diff --git a/apparmor.d/groups/apt/dpkg-split b/apparmor.d/groups/apt/dpkg-split index 28dff622e..e307e9867 100644 --- a/apparmor.d/groups/apt/dpkg-split +++ b/apparmor.d/groups/apt/dpkg-split @@ -29,9 +29,6 @@ profile dpkg-split @{exec_path} { @{user_pkg_dirs}/** r, owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - #aa:only test - /tmp/autopkgtest.@{rand6}/** rwk, - include if exists } From 81d433ff441b2d6b531600a94d50f9e14fa39878 Mon Sep 17 00:00:00 2001 From: myrslint <6370-myrslint@users.noreply.gitlab.archlinux.org> Date: Mon, 29 Sep 2025 11:44:36 +0000 Subject: [PATCH 795/798] Add allowed paths for correct generation of swap target The generator for GPT mounts also creates a swap target, when a swap partition is available. Write access to paths relating to this target was missing. They were added in this commit. --- apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto index 23f273dd6..55dd48a19 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd-generators/systemd-generator-gpt-auto @@ -25,7 +25,9 @@ profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected) { /home/ r, @{run}/systemd/generator.late/**.{,auto}mount w, + @{run}/systemd/generator.late/**.swap w, @{run}/systemd/generator.late/home.mount.wants/ w, + @{run}/systemd/generator.late/swap.target.wants/ w, @{run}/systemd/generator.late/local-fs.target.d/ w, @{run}/systemd/generator.late/local-fs.target.d/*.conf w, @{run}/systemd/generator.late/local-fs.target.requires/ w, From 72616edabbc527a1af17abb5e282bc8d57b3116c Mon Sep 17 00:00:00 2001 From: valoq Date: Thu, 2 Oct 2025 14:33:42 +0200 Subject: [PATCH 796/798] minor fixes --- apparmor.d/abstractions/app/firefox | 1 + apparmor.d/groups/gvfs/gvfsd-wsdd | 3 ++- apparmor.d/profiles-a-f/dnscrypt-proxy | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 0648e68d1..72fd1f7db 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -140,6 +140,7 @@ @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_sku r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index 9012682c4..01e50cfa3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -15,7 +15,8 @@ profile gvfsd-wsdd @{exec_path} { include include - network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), + ## network inet dgram, # ip=127.0.0.1 peer=(ip=127.0.0.*, port=53), + network inet dgram, network netlink raw, #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy index 5573aaf83..12323c9eb 100644 --- a/apparmor.d/profiles-a-f/dnscrypt-proxy +++ b/apparmor.d/profiles-a-f/dnscrypt-proxy @@ -51,6 +51,8 @@ profile dnscrypt-proxy @{exec_path} { @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/core/somaxconn r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } From a17c93ca424c422313ec791f0c764a8f86849e74 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Sat, 4 Oct 2025 12:20:11 +0200 Subject: [PATCH 797/798] Update xdg-desktop-portal DENIED xdg-desktop-portal open @{att}/ comm=pool-3 requested_mask=r denied_mask=r DENIED xdg-desktop-portal open @{att}/ comm=pool-1 requested_mask=r denied_mask=r DENIED xdg-desktop-portal open @{att}/ comm=pool-6 requested_mask=r denied_mask=r --- apparmor.d/groups/freedesktop/xdg-desktop-portal | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 379500040..5888efdbd 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -77,6 +77,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{open_path} mrPx -> child-open, / r, + @{att}/ r, @{att}/.flatpak-info r, owner /att/**/ r, From cdc782ce0836f3d5566fafb93cb43cbae21b3f58 Mon Sep 17 00:00:00 2001 From: JND94 <149390116+JND94@users.noreply.github.com> Date: Sat, 4 Oct 2025 10:47:10 +0200 Subject: [PATCH 798/798] Update xdg-desktop-portal-kde DENIED xdg-desktop-portal-kde link owner @{user_cache_dirs}/xdg-desktop-portal-kde/qmlcache/@{hex38}49.qmlc.HaAhtu -> @{user_cache_dirs}/xdg-desktop-portal-kde/qmlcache/#@{int8} comm=QQmlThread requested_mask=l denied_mask=l --- apparmor.d/groups/freedesktop/xdg-desktop-portal-kde | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index bd5981dcf..2b67cd19c 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -42,7 +42,7 @@ profile xdg-desktop-portal-kde @{exec_path} { owner @{desktop_config_dirs}/user-dirs.dirs r, - owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rw, + owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rwl, owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r,