update apparmor profiles

parent 5b86f7be
# vim:syntax=apparmor
# Profile for restricting lightdm guest session
# Author: Martin Pitt <[email protected]>
# This abstraction provides the majority of the confinement for guest sessions.
# It is in its own abstraction so we can have a centralized place for
# confinement for the various lightdm sessions (guest, freerdp, uccsconfigure,
# etc). Note that this profile intentionally omits chromium-browser.
# Requires apparmor 2.9
#include <abstractions/authentication>
#include <abstractions/cups-client>
#include <abstractions/dbus>
#include <abstractions/dbus-session>
#include <abstractions/dbus-accessibility>
#include <abstractions/nameservice>
#include <abstractions/wutmp>
# bug in compiz https://launchpad.net/bugs/697678
/etc/compizconfig/config rw,
/etc/compizconfig/unity.ini rw,
/ r,
/bin/ rmix,
/bin/fusermount Px,
/bin/** rmix,
/cdrom/ rmix,
/cdrom/** rmix,
/dev/ r,
/dev/** rmw, # audio devices etc.
owner /dev/shm/** rmw,
/etc/ r,
/etc/** rmk,
/etc/X11/Xsession ix,
/etc/X11/xdm/** ix, # needed for openSUSE's default session-wrapper
/etc/X11/xinit/** ix, # needed for openSUSE's default session-wrapper
/lib/ r,
/lib/** rmixk,
/lib32/ r,
/lib32/** rmixk,
/lib64/ r,
/lib64/** rmixk,
owner /{,run/}media/ r,
owner /{,run/}media/** rmwlixk, # we want access to USB sticks and the like
/opt/ r,
/opt/** rmixk,
@{PROC}/ r,
@{PROC}/* rm,
@{PROC}/[0-9]*/net/ r,
@{PROC}/[0-9]*/net/dev r,
@{PROC}/asound rm,
@{PROC}/asound/** rm,
@{PROC}/ati rm,
@{PROC}/ati/** rm,
@{PROC}/sys/vm/overcommit_memory r,
owner @{PROC}/** rm,
# needed for gnome-keyring-daemon
@{PROC}/*/status r,
# needed for bamfdaemon and utilities such as ps and killall
@{PROC}/*/stat r,
/sbin/ r,
/sbin/** rmixk,
/sys/ r,
/sys/** rm,
# needed for confined trusted helpers, such as dbus-daemon
/sys/kernel/security/apparmor/.access rw,
/tmp/ rw,
owner /tmp/** rwlkmix,
/usr/ r,
/usr/** rmixk,
/var/ r,
/var/** rmixk,
/var/guest-data/** rw, # allow to store files permanently
/var/tmp/ rw,
owner /var/tmp/** rwlkm,
/{,var/}run/ r,
# necessary for writing to sockets, etc.
/{,var/}run/** rmkix,
/{,var/}run/mir_socket rw,
/{,var/}run/screen/** wl,
/{,var/}run/shm/** wl,
/{,var/}run/uuidd/request w,
# libpam-xdg-support/logind
owner /{,var/}run/user/*/** rw,
capability ipc_lock,
# allow processes in the guest session to signal and ptrace each other
signal [email protected]{profile_name},
ptrace [email protected]{profile_name},
# needed when logging out of the guest session
signal (receive) peer=unconfined,
unix peer=([email protected]{profile_name}),
unix (receive) peer=(label=unconfined),
unix (create),
unix (getattr, getopt, setopt, shutdown),
unix (bind, listen, accept, receive, send) type=stream addr="@/com/ubuntu/upstart-session/**",
unix (bind, listen) type=stream addr="@/tmp/dbus-*",
unix (bind, listen) type=stream addr="@/tmp/.ICE-unix/[0-9]*",
unix (bind, listen) type=stream addr="@/dbus-vfs-daemon/*",
unix (bind, listen) type=stream addr="@guest*",
unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-*"),
unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
unix (connect, receive, send) type=stream peer=(addr="@/dbus-vfs-daemon/*"),
unix (connect, receive, send) type=stream peer=(addr="@guest*"),
# silence warnings for stuff that we really don't want to grant
deny capability dac_override,
deny capability dac_read_search,
#deny /etc/** w, # re-enable once LP#697678 is fixed
deny /usr/** w,
deny /var/crash/ w,
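Review bot: Both guest-writable locations keep execute permission: `owner /tmp/** rwlkmix,` and `owner /{,run/}media/** rmwlixk,` let a guest run arbitrary binaries from /tmp or from a USB stick inside the session profile, while `deny /usr/** w,` only blocks persistence into system paths. The media rule is documented as intentional, but the `ix` on /tmp is not explained; if nothing in the session needs to execute out of /tmp, dropping it (`owner /tmp/** rwlkm,`) removes an easy way to stage code, and otherwise a comment naming the consumer, e.g. `# ix: session helpers exec scripts from /tmp`, would help the next reviewer. This looks like the upstream abstraction copied verbatim (author header at the top), so a local override may be the better place for any tightening.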
# vim:syntax=apparmor
# Profile abstraction for restricting chromium in the lightdm guest session
# Author: Jamie Strandboge <[email protected]>
# The abstraction provides the additional accesses required to launch
# chromium based browsers from within an lightdm session. Because AppArmor
# cannot yet merge profiles and because we want to utilize the access rules
# provided in abstractions/lightdm, this abstraction must be separate from
# abstractions/lightdm.
# Requires apparmor 2.9
/usr/lib/chromium/chromium Cx -> chromium,
/usr/lib/chromium-browser/chromium-browser Cx -> chromium,
/usr/bin/webapp-container Cx -> chromium,
/usr/bin/webbrowser-app Cx -> chromium,
/usr/bin/ubuntu-html5-app-launcher Cx -> chromium,
/opt/google/chrome-stable/google-chrome-stable Cx -> chromium,
/opt/google/chrome-beta/google-chrome-beta Cx -> chromium,
/opt/google/chrome-unstable/google-chrome-unstable Cx -> chromium,
/opt/google/chrome/google-chrome Cx -> chromium,
# Allow ptracing processes in the chromium child profile
ptrace peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
# Allow receiving and sending signals to processes in the chromium child profile
signal (receive, send) peer=/usr/lib/lightdm/lightdm-guest-session//chromium,
# Allow communications with chromium child profile via unix sockets
unix peer=(label=/usr/lib/lightdm/lightdm-guest-session//chromium),
profile chromium {
# Allow all the same accesses as other applications in the guest session
#include <abstractions/lightdm>
# but also allow a few things because of chromium-browser's sandboxing that
# are not appropriate to other guest session applications.
owner @{PROC}/[0-9]*/oom_{,score_}adj w,
@{PROC}/sys/kernel/shmmax r,
capability sys_admin, # for sandbox to change namespaces
capability sys_chroot, # fod sandbox to chroot to a safe directory
capability setgid, # for sandbox to drop privileges
capability setuid, # for sandbox to drop privileges
capability sys_ptrace, # chromium needs this to keep track of itself
@{PROC}/sys/kernel/yama/ptrace_scope r,
# Allow ptrace reads of processes in the lightdm-guest-session
ptrace (read) peer=/usr/lib/lightdm/lightdm-guest-session,
# Allow other guest session processes to read and trace us
ptrace (readby, tracedby) peer=/usr/lib/lightdm/lightdm-guest-session,
ptrace (readby, tracedby) [email protected]{profile_name},
# Allow us to receive and send signals from processes in the
# lightdm-guest-session
signal (receive, send) set=("exists", "term") peer=/usr/lib/lightdm/lightdm-guest-session,
# Allow us to receive and send on unix sockets from processes in the
# lightdm-guest-session
unix (receive, send) peer=(label=/usr/lib/lightdm/lightdm-guest-session),
@{PROC}/[0-9]*/ r, # sandbox wants these
@{PROC}/[0-9]*/fd/ r, # sandbox wants these
@{PROC}/[0-9]*/statm r, # sandbox wants these
@{PROC}/[0-9]*/task/[0-9]*/stat r, # sandbox wants these
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/uid_map w,
owner @{PROC}/@{pid}/gid_map w,
/selinux/ r,
/usr/lib/chromium/chrome-sandbox ix,
/usr/lib/chromium-browser/chromium-browser-sandbox ix,
/usr/lib/@{multiarch}/oxide-qt/chrome-sandbox ix,
/opt/google/chrome-*/chrome-sandbox ix,
}
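Review bot: `capability sys_admin`, `sys_chroot`, `setuid`, `setgid` and `sys_ptrace` are granted to the whole `chromium` child profile, which also pulls in every `rmixk` rule from `abstractions/lightdm`, so anything under /usr, /lib or /opt executed by a process in this profile inherits the same capability grants. AppArmor only permits capabilities a process already holds, so in practice these matter for the setuid chrome-sandbox binaries exec'd with `ix` at the bottom; moving those into their own child profile, e.g. `/usr/lib/chromium/chrome-sandbox Cx -> sandbox,`, and keeping the capability lines there would shrink the blast radius. If that is more than this commit wants, a comment stating that the capabilities exist for chrome-sandbox only is the minimum. There is also a typo in the sys_chroot comment: `fod sandbox` should read `for sandbox`.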
......@@ -16,6 +16,7 @@ profile adduser @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/perl>
#include <abstractions/nameservice-strict>
capability dac_override,
capability fsetid,
......@@ -38,8 +39,6 @@ profile adduser @{exec_path} {
/{usr/,}bin/chfn rPx,
/{usr/,}bin/chage rPx,
/etc/nsswitch.conf r,
/etc/{group,passwd,shadow} r,
/etc/adduser.conf r,
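Review bot: The removed line granted `/etc/{group,passwd,shadow} r,`, and the replacement `#include <abstractions/nameservice-strict>` is not visible here, so it is worth confirming it actually covers `/etc/shadow`; the stock `abstractions/nameservice` deliberately does not, and this profile has no `flags=(complain)`, so a missing grant becomes a hard denial for adduser. If nameservice-strict does grant shadow reads, note that the same include is added to unprivileged GUI tools elsewhere in this commit, and the read would be better kept as an explicit `/etc/shadow r,` here, where adduser runs as root and legitimately needs it. Either way a short comment on the include, e.g. `# passwd/group/shadow lookups`, would record which files the profile expects it to provide.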
......@@ -16,6 +16,7 @@ profile adequate @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/perl>
#include <abstractions/nameservice-strict>
capability sys_tty_config,
......@@ -38,8 +39,6 @@ profile adequate @{exec_path} flags=(complain) {
/var/lib/adequate/pending rwk,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/shadow r,
/usr/share/python{,3}/debian_defaults r,
......@@ -75,6 +74,7 @@ profile adequate @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/perl>
#include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
......@@ -100,8 +100,6 @@ profile adequate @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/mounts r,
@{HOME}/.Xauthority r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/shadow r,
}
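Review bot: The two `/etc/shadow r,` lines dropped in favour of `#include <abstractions/nameservice-strict>` will not produce a visible failure if the abstraction lacks that rule, because this profile (and the nested one whose header lies outside the hunk) runs with `flags=(complain)`; denials only surface as `ALLOWED` audit entries. Before switching to enforce, run adequate once and grep the audit log for `/etc/shadow`. It also seems odd for a package checker to read /etc/shadow at all; if the earlier grant only existed because of a blanket nameservice include, leaving it out is the right direction and could be recorded with `# no /etc/shadow access needed`.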
......@@ -112,6 +112,7 @@ profile apt @{exec_path} flags=(complain) {
profile dpkg-source flags=(complain) {
#include <abstractions/base>
#include <abstractions/perl>
#include <abstractions/nameservice-strict>
/{usr/,}bin/dpkg-source mr,
/{usr/,}bin/perl r,
......@@ -128,10 +129,6 @@ profile apt @{exec_path} flags=(complain) {
/etc/dpkg/origins/debian r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/group r,
#include if exists <local/apt_dpkg-source>
}
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}bin/apt-cdrom
profile apt-cdrom @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/apt-common>
capability dac_read_search,
......@@ -51,10 +52,6 @@ profile apt-cdrom @{exec_path} flags=(complain) {
/var/lib/apt/lists/** rw,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/group r,
owner @{PROC}/@{pid}/fd/ r,
/var/lib/apt/cdroms.list{,.new} rw,
......@@ -15,6 +15,7 @@
profile aptitude @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
#include <abstractions/apt-common>
#include <abstractions/apt-archive>
......@@ -114,10 +115,6 @@ profile aptitude @{exec_path} flags=(complain) {
/var/lib/debtags/package-tags r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/group r,
# When run in a TTY, to remove the following error:
# aptitude[]: *** err
# aptitude[]: /dev/tty2: Permission denied
......@@ -127,6 +124,8 @@ profile aptitude @{exec_path} flags=(complain) {
# file_inherit
/var/log/cron-apt/temp w,
/dev/pts/[0-9]* rw,
profile sensible-pager flags=(complain) {
#include <abstractions/base>
......@@ -20,6 +20,7 @@ profile arandr @{exec_path} {
#include <abstractions/gtk>
#include <abstractions/python>
#include <abstractions/user-download-strict>
#include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/python2.[0-9]* r,
......@@ -36,8 +37,5 @@ profile arandr @{exec_path} {
/etc/fstab r,
/etc/nsswitch.conf r,
/etc/passwd r,
#include if exists <local/arandr>
}
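Review bot: arandr is an enforced GUI profile (no complain flag) that previously needed exactly two reads, `/etc/nsswitch.conf` and `/etc/passwd`; `#include <abstractions/nameservice-strict>` necessarily grants at least those and, judging by the name, hosts/resolver-style lookups too, so this is a small widening for a display-layout tool that does no name resolution. If the goal is uniformity across profiles that is fine, but a comment such as `# getpwuid() only; nameservice-strict used for consistency` would record that the extra accesses are not required. I cannot see the abstraction's contents, so confirm it does not add network or dbus rules.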
......@@ -29,9 +29,16 @@ profile birdtray @{exec_path} {
# To be able to start Thunderbird
/{usr/,}bin/thunderbird rPx,
/{usr/,}bin/xdg-open rCx -> open,
owner @{HOME}/.config/ulduzsoft/ rw,
owner @{HOME}/.config/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,
owner @{HOME}/.config/birdtray-config.json rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner @{HOME}/.config/birdtray-config.json.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
owner /tmp/birdtray.ulduzsoft.single.instance.server.socket w,
# Thunderbird mail dirs
owner @{HOME}/ r,
owner @{HOME}/.thunderbird/ r,
......@@ -61,10 +68,29 @@ profile birdtray @{exec_path} {
# Check for updates
/etc/ssl/ r,
/etc/ssl/certs/ r,
/etc/ssl/openssl.cnf r,
/usr/share/ca-certificates/mozilla/*.crt r,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
profile open {
#include <abstractions/base>
#include <abstractions/xdg-open>
/{usr/,}bin/xdg-open mr,
# Allowed apps to open
/{usr/,}lib/firefox/firefox rPUx,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
#include if exists <local/qpdfview_open>
}
#include if exists <local/birdtray>
}
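Review bot: The new link rule `owner @{HOME}/.config/ulduzsoft/* rwkl -> /home/morfik/.config/ulduzsoft/*,` hard-codes one user's home directory as the link target, so it only works for that account and fails for any other user; it should use the same variable as the source: `owner @{HOME}/.config/ulduzsoft/* rwkl -> @{HOME}/.config/ulduzsoft/*,`. In the `open` child profile the local include is `local/qpdfview_open`, which looks like a copy-paste from another profile and should be `#include if exists <local/birdtray_open>`. Also note that `/{usr/,}lib/firefox/firefox rPUx` runs Firefox unconfined whenever no firefox profile is loaded, which deserves a comment if that fallback is intended.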
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}sbin/cgrulesengd
profile cgrulesengd @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
capability net_admin,
capability sys_ptrace,
......@@ -35,8 +36,5 @@ profile cgrulesengd @{exec_path} {
/etc/cgconfig.conf r,
/etc/cgrules.conf r,
/etc/passwd r,
/etc/nsswitch.conf r,
#include if exists <local/cgrulesengd>
}
......@@ -15,12 +15,12 @@
profile chage @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
capability audit_write,
@{exec_path} mr,
/etc/nsswitch.conf r,
/etc/login.defs r,
/etc/.pwd.lock rwk,
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}bin/chfn
profile chfn @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
capability audit_write,
capability setuid,
......@@ -22,8 +23,6 @@ profile chfn @{exec_path} {
owner @{PROC}/@{pid}/loginuid r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/pam.d/* r,
/etc/login.defs r,
......@@ -162,7 +162,7 @@ profile chromium-chromium @{exec_path} {
/var/tmp/ r,
/tmp/ r,
owner /tmp/.org.chromium.Chromium.* rw,
owner /tmp/.org.chromium.Chromium.*/{,*} rw,
owner /tmp/.org.chromium.Chromium.*/{,**} rw,
# For the temp profile
owner /tmp/tmp.*/ rw,
......@@ -15,13 +15,13 @@
profile chsh @{exec_path} {
#include <abstractions/base>
#include <abstractions/wutmp>
#include <abstractions/nameservice-strict>
capability audit_write,
capability setuid,
@{exec_path} mr,
/etc/nsswitch.conf r,
/etc/login.defs r,
/etc/pam.d/* r,
......@@ -14,8 +14,9 @@
@{exec_path} = /usr/share/command-not-found/command-not-found /{usr/,}bin/command-not-found
profile command-not-found @{exec_path} {
#include <abstractions/base>
#include <abstractions/apt-common>
#include <abstractions/python>
#include <abstractions/nameservice-strict>
#include <abstractions/apt-common>
@{exec_path} r,
/{usr/,}bin/python3.[0-9]* r,
......@@ -24,8 +25,5 @@ profile command-not-found @{exec_path} {
/usr/share/command-not-found/{,**} r,
/etc/nsswitch.conf r,
/etc/group r,
#include if exists <local/command-not-found>
}
......@@ -23,6 +23,7 @@ profile convertall @{exec_path} {
#include <abstractions/dri-enumerate>
#include <abstractions/python>
#include <abstractions/qt5-compose-cache-write>
#include <abstractions/nameservice-strict>
@{exec_path} r,
/{usr/,}bin/dash r,
......@@ -42,9 +43,6 @@ profile convertall @{exec_path} {
/usr/share/hwdata/pnp.ids r,
/etc/nsswitch.conf r,
/etc/passwd r,
/var/lib/dbus/machine-id r,
/etc/machine-id r,
......@@ -30,6 +30,7 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/perl>
#include <abstractions/nameservice-strict>
/usr/share/debconf/frontend r,
/{usr/,}bin/perl r,
......@@ -47,8 +48,6 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
/usr/share/debconf/templates/adequate.templates r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/shadow r,
}
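Review bot: Dropping `/etc/shadow r,` from a progress-reporting debconf frontend is a good tightening, but it only holds if the replacement `#include <abstractions/nameservice-strict>` does not itself grant `/etc/shadow`; the abstraction is not in this diff, so please check it. This profile runs with `flags=(complain)`, so a leftover need for shadow would only appear as `ALLOWED` audit lines rather than as a failure. A one-line comment on the include, `# user/group lookups only`, would make the intended scope explicit.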
......@@ -15,6 +15,7 @@
profile dlocate @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
@{exec_path} rix,
/{usr/,}bin/bash rix,
......@@ -48,10 +49,6 @@ profile dlocate @{exec_path} {
owner /tmp/sh-thd.* rw,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/group r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/fd/2 w,
......@@ -35,6 +35,8 @@ profile dpkg @{exec_path} flags=(complain) {
/{usr/,}bin/dpkg-deb rpx,
/{usr/,}bin/dpkg-split rPx,
/usr/share/debian-security-support/check-support-status.hook rPx,
/{usr/,}bin/diff rCx -> diff,
/{usr/,}bin/less rCx -> diff,
......@@ -56,8 +58,6 @@ profile dpkg @{exec_path} flags=(complain) {
#/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
#/var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
......@@ -96,7 +96,7 @@ profile dpkg @{exec_path} flags=(complain) {
# file_inherit
/dev/tty[0-9]* rw,
/dev/pts/[0-9]* rw,
profile diff flags=(complain) {
#include <abstractions/base>
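Review bot: `/{usr/,}bin/less rCx -> diff,` sends a pager into a child profile named `diff`, and less can spawn arbitrary commands (`!cmd`, `|cmd`, the `LESSOPEN` preprocessor), so the `diff` profile must be written with those escapes in mind rather than only with diff's read-only needs; its body lies outside this hunk. A clearer name, e.g. `rCx -> conffile-diff`, or a separate `rCx -> less` child would make the intent obvious to the next reader. Unrelated to the added lines but in the same hunk, `dpkg-deb rpx` uses lower-case `p`, i.e. no environment scrubbing on the transition, while `dpkg-split rPx` next to it does scrub; that asymmetry is probably unintentional.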
......@@ -16,6 +16,7 @@ profile dpkg-deb @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/user-download-strict>
#include <abstractions/nameservice-strict>
capability sys_tty_config,
......@@ -56,12 +57,9 @@ profile dpkg-deb @{exec_path} flags=(complain) {
/var/cache/apt/archives/*.deb r,
/etc/nsswitch.conf r,
/etc/group r,
/etc/passwd r,
# file_inherit
/dev/tty[0-9]* rw,
/dev/pts/[0-9]* rw,
#include if exists <local/dpkg-deb>
}
......@@ -16,6 +16,7 @@ profile dpkg-preconfigure @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/perl>
#include <abstractions/nameservice-strict>
capability sys_tty_config,
......@@ -30,8 +31,6 @@ profile dpkg-preconfigure @{exec_path} flags=(complain) {
/{usr/,}bin/apt-extracttemplates rPx,
/{usr/,}bin/whiptail rPx,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/shadow r,
/etc/inputrc r,
......@@ -27,6 +27,7 @@ profile dpkg-query @{exec_path} flags=(complain) {
# file_inherit
/dev/tty[0-9]* rw,
/dev/pts/[0-9]* rw,
/tmp/#[0-9]*[0-9] rw,
#include if exists <local/dpkg-query>
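Review bot: The new `/tmp/#[0-9]*[0-9] rw,` has no `owner` qualifier, unlike the anonymous-file rules elsewhere in this commit (birdtray's `rwl -> @{HOME}/.config/#[0-9]*[0-9]`), so it permits read/write on any unlinked /tmp file regardless of who created it. These `#NNN` names are typically what the kernel reports for O_TMPFILE-style anonymous files the process itself opened, so `owner /tmp/#[0-9]*[0-9] rw,` should be sufficient. The profile is in complain mode, so the narrower rule can be verified against the audit log before enforcing.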
......@@ -27,5 +27,8 @@ profile dpkg-split @{exec_path} flags=(complain) {
/var/cache/apt/archives/*.deb r,
# file_inherit
/dev/pts/[0-9]* rw,
#include if exists <local/dpkg-split>
}
......@@ -23,5 +23,8 @@ profile dpkg-trigger @{exec_path} flags=(complain) {
/var/lib/dpkg/triggers/ r,
/var/lib/dpkg/triggers/Unincorp{,.new} rw,
# file_inherit
/dev/pts/[0-9]* rw,
#include if exists <local/dpkg-trigger>
}
......@@ -16,6 +16,7 @@ profile frontend @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/perl>
#include <abstractions/nameservice-strict>
capability sys_tty_config,
......@@ -33,6 +34,7 @@ profile frontend @{exec_path} flags=(complain) {
/{usr/,}bin/linux-check-removal rPx,
/{usr/,}bin/ucf rPx,
/{usr/,}sbin/pam-auth-update rPx,
/usr/share/debian-security-support/check-support-status.hook rPx,
# Run the package maintainer's scripts
# What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
......@@ -57,8 +59,6 @@ profile frontend @{exec_path} flags=(complain) {
/etc/inputrc r,
/etc/nsswitch.conf r,
/etc/passwd r,
/etc/shadow r,
# The following is needed when debconf uses GUI frontends.
......@@ -78,6 +78,7 @@ profile frontend @{exec_path} flags=(complain) {
# file_inherit
/dev/tty[0-9]* rw,
/dev/pts/[0-9]* rw,
#include if exists <local/frontend>
}
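Review bot: `/etc/shadow r,` is removed from the debconf frontend, which is the process that goes on to run maintainer scripts (see the `#FIXME#` comment above), so please confirm that `#include <abstractions/nameservice-strict>` does not re-grant it; the abstraction is not part of this diff and the profile is in complain mode, so neither a missing nor a surplus grant would cause a visible failure. The added `/usr/share/debian-security-support/check-support-status.hook rPx,` requires a profile attached to that path, otherwise the exec is denied once enforced; the same line appears in the dpkg profile, so keep the two in sync. A comment on the include, `# passwd/group lookups for maintainer scripts`, would state the expected scope.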
......@@ -20,6 +20,7 @@ profile games-wesnoth @{exec_path} {
#include <abstractions/dri-common>
#include <abstractions/audio>
#include <abstractions/mesa>
#include <abstractions/nameservice-strict>
@{exec_path} mrix,
......@@ -32,9 +33,6 @@ profile games-wesnoth @{exec_path} {
/etc/machine-id r,
/var/lib/dbus/machine-id r,
/etc/nsswitch.conf r,
/etc/passwd r,
owner @{HOME}/.icons/default/index.theme r,
/usr/share/icons/*/index.theme r,
......@@ -17,6 +17,7 @@ profile glxgears @{exec_path} {
#include <abstractions/dri-common>
#include <abstractions/dri-enumerate>
#include <abstractions/mesa>
#include <abstractions/nameservice-strict>
capability sys_nice,
......@@ -26,8 +27,5 @@ profile glxgears @{exec_path} {
owner @{HOME}/.Xauthority r,
/etc/nsswitch.conf r,
/etc/passwd r,
#include if exists <local/glxgears>