update apparmor profiles

parent 5545f3f2
......@@ -137,8 +137,9 @@
signal (receive) peer=htop,
signal (receive) set=(term, kill) peer=systemd-shutdown,
signal (receive) set=(term, kill) peer=openbox,
signal (receive) set=(cont) peer=su,
signal (receive) set=(cont) peer=sudo,
signal (receive) set=(hup) peer=xinit,
signal (receive) set=(cont) peer=su,
signal (receive) set=(cont) peer=sudo,
# Allow us to signal ourselves
signal [email protected]{profile_name},
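Review bot: The `signal (receive) set=(cont) peer=su,` and `peer=sudo,` rules are printed twice in this hunk, once before and once after the new `set=(hup) peer=xinit,` line, and with the +/- markers lost it is not clear whether the second pair replaces the first or is duplicated on the new side. If both pairs survive the file still compiles, but it carries two identical rules and hides the intent of the reorder; keep one pair. The enclosing profile begins outside the hunk.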
......
......@@ -49,6 +49,7 @@
# CD-ROM
/dev/sr[0-9]* rk,
@{sys}/class/block/ r,
@{sys}/block/ r,
# To be able to look up each block device by major:minor numbers
@{sys}/dev/block/ r,
......
......@@ -49,6 +49,7 @@
# CD-ROM
/dev/sr[0-9]* rwk,
@{sys}/class/block/ r,
@{sys}/block/ r,
# To be able to look up each block device by major:minor numbers
@{sys}/dev/block/ r,
......
......@@ -13,6 +13,7 @@
/usr/share/enchant/ r,
/usr/share/enchant/enchant.ordering r,
/usr/share/enchant-[0-9]*/enchant.ordering r,
# aspell
#include <abstractions/aspell>
......
......@@ -16,8 +16,7 @@
/usr/share/fonts/ r,
/usr/share/fonts/** r,
/usr/share/fonts-*/**.{eot,svg,ttf,otf,woff,woff2} r,
/usr/share/fonts-*/{,**} r,
/etc/fonts/** r,
# Debian, openSUSE paths are different
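Review bot: `/usr/share/fonts-*/{,**} r,` widens the grant from the listed font extensions (`eot,svg,ttf,otf,woff,woff2`) to every file under the `/usr/share/fonts-*` trees, and the commit message does not say why. Read access to distribution font directories is low risk and mirrors the `/usr/share/fonts/** r,` rule above, but a one-line comment keeps the broadening intentional, for example `# whole tree, not just font files: <reason>`. The abstraction continues outside the hunk.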
......
......@@ -22,15 +22,43 @@ profile apt @{exec_path} flags=(complain) {
#include <abstractions/nameservice-strict>
#include <abstractions/ssl_certs>
# To remove the following errors:
# W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
# Item::QueueURI (1: Operation not permitted)
capability fowner,
# To remove the following errors:
# W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
capability chown,
capability setgid,
# To remove the following errors:
# E: setgroups 65534 failed - setgroups (1: Operation not permitted)
# E: setegid 65534 failed - setegid (1: Operation not permitted)
# E: seteuid 100 failed - seteuid (1: Operation not permitted)
# E: setgroups 0 failed - setgroups (1: Operation not permitted)
capability setuid,
capability dac_read_search,
# To remove the following error:
capability setgid,
# To remove the following errors:
# W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
# CheckDownloadDone (13: Permission denied)
# PrepareFiles (13: Permission denied)
# E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
capability dac_read_search,
# To remove the following errors:
# E: Failed to fetch https://**.deb rename failed, Permission denied
# (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
# E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
capability dac_override,
# Needed? (##FIXME##)
capability kill,
capability fsetid,
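Review bot: `capability kill,` is added under `# Needed? (##FIXME##)` and `capability fsetid,` arrives with no explanation at all, while every other capability in this hunk is tied to a quoted error message; the apt-get and aptitude hunks further down carry the same two lines and the same FIXME. All three profiles are still `flags=(complain)`, so the cheap way to settle the question is to mark the uncertain rules so their use is logged, `audit capability kill,` and `audit capability fsetid,`, and drop whichever never fires before switching to enforce. The comment `# To remove the following error:` that sits directly above a `capability setgid,` line lists no error; if that pair is on the new side it should either quote the message or go. The profile header and the rest of the profile are outside the hunk.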
......
......@@ -20,7 +20,7 @@ profile apt-extracttemplates @{exec_path} flags=(complain) {
#include <abstractions/apt-common>
#include <abstractions/apt-pkgcache>
capability dac_read_search,
#capability dac_read_search,
@{exec_path} mr,
......
......@@ -21,15 +21,43 @@ profile apt-get @{exec_path} flags=(complain) {
#include <abstractions/apt-archive>
#include <abstractions/nameservice-strict>
# To remove the following errors:
# W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
# Item::QueueURI (1: Operation not permitted)
capability fowner,
# To remove the following errors:
# W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
capability chown,
capability setgid,
# To remove the following errors:
# E: setgroups 65534 failed - setgroups (1: Operation not permitted)
# E: setegid 65534 failed - setegid (1: Operation not permitted)
# E: seteuid 100 failed - seteuid (1: Operation not permitted)
# E: setgroups 0 failed - setgroups (1: Operation not permitted)
capability setuid,
capability dac_read_search,
# To remove the following error:
capability setgid,
# To remove the following errors:
# W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
# CheckDownloadDone (13: Permission denied)
# PrepareFiles (13: Permission denied)
# E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
capability dac_read_search,
# To remove the following errors:
# E: Failed to fetch https://**.deb rename failed, Permission denied
# (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
# E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
capability dac_override,
# Needed? (##FIXME##)
capability kill,
capability fsetid,
......
......@@ -34,9 +34,10 @@ profile apt-listbugs @{exec_path} {
/usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r,
/usr/share/rubygems-integration/** r,
/usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/* r,
/etc/apt/listbugs/ignore_bugs r,
/etc/apt/listbugs/{,*} r,
@{PROC}/@{pid}/loginuid r,
......
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
#include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/aptcleanup
profile apt-listbugs-aptcleanup @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
#include if exists <local/apt-listbugs-aptcleanup>
}
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
#include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/migratepins
profile apt-listbugs-migratepins @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
/usr/share/rubygems-integration/*/specifications/ r,
/usr/share/rubygems-integration/*/specifications/* r,
/etc/apt/preferences r,
owner /tmp/pin_migration_*[email protected]{pid}-*/ w,
owner /tmp/pin_migration_*[email protected]{pid}-*/preferences w,
owner /tmp/pin_migration_*[email protected]{pid}-*/apt-listbugs w,
#include if exists <local/apt-listbugs-migratepins>
}
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#abi <abi/3.0>,
#include <tunables/global>
@{exec_path} = /usr/libexec/apt-listbugs/prefclean
profile apt-listbugs-prefclean @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/ruby>
@{exec_path} r,
/{usr/,}bin/ruby2.[0-9]* rix,
/{usr/,}bin/date rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/cp rix,
owner /var/spool/apt-listbugs/lastprefclean rw,
#include if exists <local/apt-listbugs-prefclean>
}
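Review bot: `/{usr/,}bin/mktemp rix,`, `/{usr/,}bin/cp rix,` and `/{usr/,}bin/rm rix,` run inside this profile, but the only write rule is `owner /var/spool/apt-listbugs/lastprefclean rw,`; if the script creates a temporary file, that write is denied as soon as the profile leaves complain mode. Exercise the script while watching the audit log (or `aa-logprof`) and add the missing path as a named `owner` rule rather than a `/tmp/** rw` blanket. The `@{exec_path} r,` plus `ruby2.[0-9]* rix` shape is right for an interpreted script; note that the glob will not match a `ruby3.x` interpreter.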
......@@ -29,7 +29,7 @@ profile apt-methods-copy @{exec_path} flags=(complain) {
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it.
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
/etc/apt/apt.conf.d/{,*} r,
......
......@@ -29,7 +29,7 @@ profile apt-methods-file @{exec_path} flags=(complain) {
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it.
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
/etc/apt/apt.conf.d/{,*} r,
......
......@@ -29,7 +29,7 @@ profile apt-methods-gpgv @{exec_path} flags=(complain) {
@{exec_path} mr,
# The following get "no new privs" so "rix" them.
# The following get "no new privs" so "rix" them
/{usr/,}bin/apt-key rix,
/{usr/,}bin/apt-config rix,
/{usr/,}bin/dpkg rix,
......
......@@ -32,7 +32,7 @@ profile apt-methods-http @{exec_path} flags=(complain) {
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it.
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
/etc/apt/auth.conf.d/{,*} r,
......
......@@ -29,7 +29,7 @@ profile apt-methods-rred @{exec_path} flags=(complain) {
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it.
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
/etc/apt/apt.conf.d/{,*} r,
......
......@@ -29,7 +29,7 @@ profile apt-methods-store @{exec_path} flags=(complain) {
@{exec_path} mr,
# apt-helper gets "no new privs" so "rix" it.
# apt-helper gets "no new privs" so "rix" it
/{usr/,}lib/apt/apt-helper rix,
/etc/apt/apt.conf.d/{,*} r,
......
......@@ -38,8 +38,6 @@ profile apt-show-versions @{exec_path} flags=(complain) {
/var/lib/apt/extended_states r,
/var/cache/apt/pkgcache.bin r,
# file_inherit
owner /dev/tty[0-9]* rw,
owner /var/log/cron-apt/temp w,
......
......@@ -21,15 +21,43 @@ profile aptitude @{exec_path} flags=(complain) {
#include <abstractions/apt-common>
#include <abstractions/apt-archive>
# To remove the following errors:
# W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
# Item::QueueURI (1: Operation not permitted)
capability fowner,
# To remove the following errors:
# W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
# W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
# (1: Operation not permitted)
capability chown,
capability setgid,
# To remove the following errors:
# E: setgroups 65534 failed - setgroups (1: Operation not permitted)
# E: setegid 65534 failed - setegid (1: Operation not permitted)
# E: seteuid 100 failed - seteuid (1: Operation not permitted)
# E: setgroups 0 failed - setgroups (1: Operation not permitted)
capability setuid,
capability dac_read_search,
# To remove the following error:
capability setgid,
# To remove the following errors:
# W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
# CheckDownloadDone (13: Permission denied)
# PrepareFiles (13: Permission denied)
# E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
capability dac_read_search,
# To remove the following errors:
# E: Failed to fetch https://**.deb rename failed, Permission denied
# (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
# E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
capability dac_override,
# Needed? (##FIXME##)
capability kill,
capability fsetid,
capability sys_chroot,
......
......@@ -17,6 +17,7 @@
profile biosdecode @{exec_path} {
#include <abstractions/base>
# Needed to read the /dev/mem device
capability sys_rawio,
@{exec_path} mr,
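Review bot: `capability sys_rawio,` cannot be scoped by AppArmor to a single device, so the `/dev/mem r,` file rule the comment refers to is what actually bounds it; that rule is outside this hunk and the comment should point at it, `# Needed to read /dev/mem (the /dev/mem r, rule below is the real bound)`. The dmidecode hunk in this same commit goes the other way and replaces `/dev/mem` and `sys_rawio` with the `@{sys}/firmware/dmi/tables/` files; if biosdecode can read the same sysfs tables, that is the tighter choice here too. The profile continues outside the hunk.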
......
......@@ -13,26 +13,14 @@
#include <tunables/global>
# pdf
# pdf, epub, txt, html, mhtml, ps, mobi, djvu
@{calibre_ext} = [pP][dF][fF]
# epub
@{calibre_ext} += [eE][pP][uU][bB]
# txt
@{calibre_ext} += [tT][xX][tT]
# html mhtml
@{calibre_ext} += {[mM],}[hH][tT][mM][lL]
# ps
@{calibre_ext} += [pP][sS]
# mobi
@{calibre_ext} += [mM][oO][bB][iI]
# djvu
@{calibre_ext} += [dD][jJ][vV][uU]
@{calibre_ext} += [eE][pP][uU][bB]
@{calibre_ext} += [tT][xX][tT]
@{calibre_ext} += {[mM],}[hH][tT][mM][lL]
@{calibre_ext} += [pP][sS]
@{calibre_ext} += [mM][oO][bB][iI]
@{calibre_ext} += [dD][jJ][vV][uU]
@{exec_path} = /{usr/,}bin/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize}
@{exec_path} += /{usr/,}bin/calibredb
......@@ -105,7 +93,7 @@ profile calibre @{exec_path} {
owner @{HOME}/.local/share/calibre-ebook.com/ rw,
owner @{HOME}/.local/share/calibre-ebook.com/calibre/ rw,
owner @{HOME}/.local/share/calibre-ebook.com/calibre/** rw,
owner @{HOME}/.local/share/calibre-ebook.com/calibre/** rwk,
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/calibre/ rw,
......@@ -126,19 +114,19 @@ profile calibre @{exec_path} {
owner /tmp/* rw,
@{PROC}/ r,
deny @{PROC}/sys/kernel/random/boot_id r,
deny owner @{PROC}/@{pid}/cmdline r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/vmstat r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pids}/task/ r,
owner @{PROC}/@{pids}/task/@{tid}/status r,
owner @{PROC}/@{pids}/stat r,
deny owner @{PROC}/@{pid}/cmdline r,
owner @{PROC}/@{pid}/mountinfo r,
owner @{PROC}/@{pid}/mounts r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
deny owner @{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/net/route r,
deny @{PROC}/sys/kernel/random/boot_id r,
@{PROC}/sys/kernel/yama/ptrace_scope r,
@{PROC}/sys/fs/inotify/max_user_watches r,
@{PROC}/vmstat r,
/etc/fstab r,
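Review bot: `deny owner @{PROC}/@{pid}/cmdline r,` appears three times in this hunk, and `deny @{PROC}/sys/kernel/random/boot_id r,`, `@{PROC}/sys/kernel/yama/ptrace_scope r,` and `@{PROC}/vmstat r,` twice each; the header reports 19 lines on both sides, so this reads as a reorder, but with the +/- markers lost it cannot be ruled out that the `cmdline` deny survives twice on the new side. Duplicate rules are harmless to the compiler yet obscure what the reorder was meant to group, so worth a second look. The profile continues outside the hunk.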
......
......@@ -17,13 +17,18 @@
profile cpupower @{exec_path} {
#include <abstractions/base>
capability sys_admin,
# Needed to read the /dev/cpu/[0-9]*/msr device, and hence remove the following error:
# Could not read perf-bias value[-1]
capability sys_rawio,
# Needed to operate on CPU IDLE states
capability sys_admin,
@{exec_path} mr,
/{usr/,}bin/dash rix,
/{usr/,}bin/kmod rPx,
/{usr/,}bin/man rPx,
@{sys}/devices/system/cpu/{cpufreq,cpuidle}/ r,
@{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r,
......@@ -35,9 +40,11 @@ profile cpupower @{exec_path} {
@{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_setspeed rw,
@{sys}/devices/system/cpu/cpu[0-9]*/cpuidle/state[0-9]/disable rw,
@{sys}/devices/system/cpu/cpu[0-9]/online r,
@{sys}/devices/system/cpu/cpu[0-9]*/topology/{physical_package_id,core_id} r,
@{sys}/devices/system/cpu/cpu[0-9]*/online r,
/dev/cpu/*/msr r,
/dev/cpu/[0-9]*/msr r,
#include if exists <local/cpupower>
}
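Review bot: `capability sys_rawio,` covers far more than MSR reads (the kernel's msr driver checks the same capability for writes, and raw port I/O sits behind it as well), so the `/dev/cpu/[0-9]*/msr r,` rule with no `w` is what keeps this profile read-only; the comment on the capability should say that so nobody later widens the device rule to `rw` on a stray denial, e.g. `# sys_rawio is broad; the msr device rule below is deliberately read-only`. The comment `# Needed to read the /dev/cpu/[0-9]*/msr device, and hence remove the following error:` also runs well past the width used by the apt comments elsewhere in this commit and should be wrapped. The profile header is outside the first hunk; the closing brace is inside the second.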
......@@ -17,14 +17,18 @@
profile dmidecode @{exec_path} {
#include <abstractions/base>
capability sys_rawio,
@{exec_path} mr,
@{sys}/firmware/dmi/tables/smbios_entry_point r,
@{sys}/firmware/dmi/tables/DMI r,
/dev/mem r,
# The following are needed when the --no-sysfs flag is used
#capability sys_rawio,
#/dev/mem r,
#@{sys}/firmware/efi/systab r,
# For dumping the output to a file
owner /tmp/dump.bin rw,
#include if exists <local/dmidecode>
}
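Review bot: `owner /tmp/dump.bin rw,` matches exactly one file name, so `--dump-bin` only works when the user happens to choose that path; if that is deliberate, the comment should say so, `# For dumping the output to a file (only this fixed name, on purpose)`, rather than inviting a later widening to `/tmp/** rw`. Dropping `capability sys_rawio,` and `/dev/mem r,` in favour of the `@{sys}/firmware/dmi/tables/` files is a clear privilege reduction; the commented-out `--no-sysfs` block would read better with a note that re-enabling it restores raw physical-memory access. The profile header is outside the hunk.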
......@@ -18,12 +18,17 @@ profile dpkg @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
# To remove the following errors:
# dpkg: error processing archive /var/cache/apt/archives/*.deb (--unpack):
# error setting ownership of './usr/bin/*': Operation not permitted
capability chown,
capability setgid,
capability fowner,
capability fsetid,
capability dac_read_search,
capability dac_override,
# Needed? (##FIXME##)
#deny capability setgid,
#deny capability fowner,
#deny capability fsetid,
#deny capability dac_read_search,
#deny capability dac_override,
@{exec_path} mr,
......@@ -39,8 +44,10 @@ profile dpkg @{exec_path} flags=(complain) {
/usr/share/debian-security-support/check-support-status.hook rPx,
/{usr/,}bin/diff rCx -> diff,
/{usr/,}bin/pager rCx -> diff,
/{usr/,}bin/less rCx -> diff,
/{usr/,}bin/more rCx -> diff,
/{usr/,}bin/diff rCx -> diff,
# Run the package maintainer's scripts
# What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
......@@ -74,7 +81,7 @@ profile dpkg @{exec_path} flags=(complain) {
/usr/ r,
/usr/** rwl -> /usr/**,
/lib/ r,
/lib/** rwl -> /{usr/,}lib/** ,
/lib/** rwl -> /lib/** ,
/bin/ r,
/bin/* rwl -> /bin/*,
/sbin/ r,
......@@ -104,8 +111,10 @@ profile dpkg @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
/{usr/,}bin/diff mr,
/{usr/,}bin/less mr,
/{usr/,}bin/pager mr,
/{usr/,}bin/less mr,
/{usr/,}bin/more mr,
/{usr/,}bin/diff mr,
owner @{HOME}/.lesshst r,
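Review bot: In the first hunk of this file only `capability chown,` survives and `setgid`, `fowner`, `fsetid`, `dac_read_search` and `dac_override` become commented-out `#deny capability` lines under `# Needed? (##FIXME##)`; the header still shows `flags=(complain)`, so the dropped capabilities are merely logged and nothing breaks until the profile is enforced. Unpacking a package presumably needs more than chown (the quoted `error setting ownership` is one symptom), so rather than leaving them commented out, keep the uncertain ones as `audit capability fowner,` and likewise for the others, and prune after a real upgrade run has been logged. The later hunks that let `less`, `more` and `pager` transition to the `diff` child profile look consistent with its `mr` rules. The profile header is outside the hunk.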
......
......@@ -18,7 +18,7 @@ profile dpkg-split @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
capability dac_read_search,
#capability dac_read_search,
@{exec_path} mr,
......
......@@ -18,11 +18,15 @@ profile f3fix @{exec_path} {
#include <abstractions/base>
#include <abstractions/disks-write>
# To remove the following errors:
# Error: Partition(s) * on /dev/sdb have been written, but we have been unable to inform the
# kernel of the change, probably because it/they are in use. As a result, the old partition(s)
# will remain in use. You should reboot now before making further changes.
capability sys_admin,
capability sys_rawio,
# Needed? It looks like it works without it.
deny ptrace (read),
audit deny capability sys_rawio,
audit deny ptrace (read),
@{exec_path} mr,
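Review bot: `audit deny capability sys_rawio,` and `audit deny ptrace (read),` now sit under `# Needed? It looks like it works without it.`, which describes the earlier uncertainty rather than what the new lines do; reword it to `# Not needed in testing; audited denies so any real need shows up in the log`. The `capability sys_admin,` line with the quoted partition-table error is the right shape. The profile header is outside the hunk.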
......
......@@ -18,18 +18,23 @@ profile fdisk @{exec_path} {
#include <abstractions/base>
#include <abstractions/disks-write>
# Needed to inform the system of newly created/removed partitions
# ioctl(3, BLKRRPART) = -1 EACCES (Permission denied)
capability sys_admin,
capability sys_rawio,
capability dac_read_search,
capability dac_override,
@{exec_path} mr,
@{PROC}/partitions r,
# A place for backups and disk images
@{HOME}/** rwk,
/media/*/** rwk,
/etc/terminal-colors.d/fdisk.disable r,
# For disk images
owner @{HOME}/**.{iso,img} rwk,
owner /media/*/**.{img,img} rwk,
# For backups
owner @{HOME}/**.{bak,back} rwk,
owner /media/*/**.{bak,back} rwk,
#include if exists <local/fdisk>
}
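Review bot: `owner /media/*/**.{img,img} rwk,` repeats `img` and so never matches `.iso`, unlike its `@{HOME}` counterpart `**.{iso,img}` directly above; change it to `owner /media/*/**.{iso,img} rwk,`. Replacing the old `@{HOME}/** rwk,` and `/media/*/** rwk,` with owner-only image and backup patterns is a substantial reduction for a tool that also holds `sys_admin`, `sys_rawio`, `dac_read_search` and `dac_override`; the gdisk hunk below introduces the same "backups and disk images" block and should be checked for the same typo once its rules are visible. The profile header is outside the hunk.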
......@@ -156,8 +156,8 @@ profile firefox @{exec_path} {
/{usr/,}bin/lsb_release rPx -> child-lsb_release,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}bin/xdg-open rCx -> open,
/{usr/,}bin/exo-open rCx -> open,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
# Allowed apps to open
......@@ -182,7 +182,9 @@ profile firefox @{exec_path} {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/exo-open mr,
/{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
# Allowed apps to open
/{usr/,}bin/vlc rPUx,
......
......@@ -39,6 +39,7 @@ profile firefox-minidump-analyzer @{exec_path} {
owner @{MOZ_CACHEDIR}/firefox/*.*/startupCache/*Cache* r,
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
owner @{HOME}/.mozilla/firefox/m-oyw579q8.default/extensions/*.xpi r,
#include if exists <local/firefox-minidump-analyzer>
}
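Review bot: `owner @{HOME}/.mozilla/firefox/m-oyw579q8.default/extensions/*.xpi r,` hard-codes one machine's profile directory name, so the rule is dead on every other installation and the same read will be denied there; use the profile-directory glob, `owner @{HOME}/.mozilla/firefox/*/extensions/*.xpi r,`, in line with the `@{MOZ_CACHEDIR}/firefox/*.*/` pattern used a few lines above. The profile header is outside the hunk.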
......@@ -18,15 +18,24 @@ profile gdisk @{exec_path} {
#include <abstractions/base>
#include <abstractions/disks-write>
# Needed to inform the system of newly created/removed partitions
# ioctl(3, BLKRRPART) = -1 EACCES (Permission denied)
#
# Warning: The kernel is still using the old partition table.
# The new table will be used at the next reboot or after you
# run partprobe(8) or kpartx(8)
# The operation has completed successfully.
capability sys_admin,
capability dac_read_search,
capability dac_override,
@{exec_path} mr,
# A place for backups and disk images