update apparmor profiles

parent d8a17e5d
......@@ -132,6 +132,10 @@
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
# Allow signals from top/htop
signal (receive) peer=top,
signal (receive) peer=htop,
# Allow us to signal ourselves
signal [email protected]{profile_name},
......
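Review bot: The last line of the hunk renders as `signal [email protected]{profile_name},`, which looks like the page's e-mail obfuscation mangling `peer=@{profile_name}`; confirm the committed line reads `signal peer=@{profile_name},`. The new `peer=top` and `peer=htop` rules match by profile name, so they only take effect once profiles named `top` and `htop` are loaded; an unconfined top/htop is already covered by the `peer=unconfined` rule above. None of the added rules restricts the signal set, which is reasonable for a process monitor but worth recording, e.g. `# Allow any signal (incl. kill) from confined top/htop`. The hunk header does not name the enclosing file, so whether this is a shared abstraction or a single profile is not visible here.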
......@@ -28,6 +28,7 @@ profile apt-mark @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/fd/ r,
owner /tmp/clearsigned.message.* rw,
owner /tmp/#[0-9]* rw,
#include if exists <local/apt-mark>
}
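Review bot: `owner /tmp/#[0-9]* rw,` (apparently the line this hunk adds) has no comment, and a `#` inside a path reads like the start of a comment. Presumably it is for files opened with O_TMPFILE, which the kernel names `#<inode>` in the target directory; a line such as `# O_TMPFILE files appear as /tmp/#<inode>` above the rule would record that. The profile header shown in the hunk still carries `flags=(complain)`, so the rule only affects logging until the profile is enforced.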
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}lib/apt/methods/cdrom
profile apt-methods-cdrom @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
signal (receive) peer=apt,
signal (receive) peer=apt-get,
......
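Review bot: `#include <abstractions/consoles>` (apparently the line added here, and identically in the apt-methods-copy, -file, -ftp, -gpgv, -http, -mirror, -rred, -rsh, -store and apt-show-versions hunks) comes with no comment saying which access it is for. That abstraction grants read/write on terminal devices, and the apt method helpers are normally driven by apt over pipes, so the motivating denial is worth recording, e.g. `# consoles: <denial or feature that needs the tty>`. All of these profiles carry `flags=(complain)`, so the include changes only what is logged; checking the audit log for the tty access before switching to enforce would confirm it is really used.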
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}lib/apt/methods/copy
profile apt-methods-copy @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
capability setgid,
......
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}lib/apt/methods/file
profile apt-methods-file @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
capability setgid,
......
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}lib/apt/methods/ftp
profile apt-methods-ftp @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
signal (receive) peer=apt,
signal (receive) peer=apt-get,
......
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}lib/apt/methods/gpgv
profile apt-methods-gpgv @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
capability setgid,
......
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}lib/apt/methods/http{,s}
profile apt-methods-http @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
#include <abstractions/ssl_certs>
# For downloading packages
......
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}lib/apt/methods/mirror{,+*}
profile apt-methods-mirror @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
signal (receive) peer=apt,
signal (receive) peer=apt-get,
......
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}lib/apt/methods/rred
profile apt-methods-rred @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
capability setgid,
......
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}lib/apt/methods/{r,s}sh
profile apt-methods-rsh @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
signal (receive) peer=apt,
signal (receive) peer=apt-get,
......
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}lib/apt/methods/store
profile apt-methods-store @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
capability setgid,
......
......@@ -14,6 +14,7 @@
@{exec_path} = /{usr/,}bin/apt-show-versions
profile apt-show-versions @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/perl>
#include <abstractions/apt-common>
#include <abstractions/apt-pkgcache>
......
......@@ -82,6 +82,10 @@ profile aptitude @{exec_path} flags=(complain) {
owner @{HOME}/.cache/aptitude/metadata-download rwk,
/{usr/,}bin/sensible-pager rCx -> sensible-pager,
# For aptitude-run-state-bundle
owner /tmp/aptitudebug.*/ r,
owner /tmp/aptitudebug.*/** rwk,
/var/lib/apt-xapian-index/index r,
/var/cache/apt-xapian-index/index.[0-9]/*.glass r,
/var/cache/apt-xapian-index/index.[0-9]/iamglass r,
......
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-changelog-parser
profile aptitude-changelog-parser @{exec_path} {
#include <abstractions/base>
#include <abstractions/perl>
@{exec_path} r,
/{usr/,}bin/perl r,
/etc/dpkg/origins/debian r,
/**/debian/changelog r,
#include if exists <local/aptitude-changelog-parser>
}
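Review bot: `/etc/dpkg/origins/debian r,` hard-codes the Debian vendor file, while dpkg-vendor in the same commit uses `/etc/dpkg/origins/* r,`; on a derivative whose `/etc/dpkg/origins/default` points at another vendor the read is denied, and since this profile has no `flags=(complain)` the denial is enforced. `/etc/dpkg/origins/* r,` would keep the two profiles consistent. `/**/debian/changelog r,` matches that file name anywhere on the filesystem, which is presumably intended for parsing checked-out source trees; a one-line comment stating that would stop a later reader from narrowing it.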
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-create-state-bundle
profile aptitude-create-state-bundle @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
#include <abstractions/user-download-strict>
@{exec_path} r,
/{usr/,}bin/bash r,
/{usr/,}bin/which rix,
/{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/gzip rix,
# Files included in the bundle
owner @{HOME}/.aptitude/{,*} r,
/var/lib/aptitude/{,*} r,
/var/lib/apt/{,**} r,
/var/cache/apt/ r,
/var/cache/apt/*.bin r,
/etc/apt/{,**} r,
/var/lib/dpkg/status r,
#include if exists <local/aptitude-create-state-bundle>
}
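Review bot: `/etc/apt/{,**} r,` under the "Files included in the bundle" comment also covers `/etc/apt/auth.conf` and `/etc/apt/auth.conf.d/*`, which hold repository credentials; if the bundle is meant to be shared in bug reports, consider whether the profile should keep them out with `deny /etc/apt/auth.conf{,.d/**} r,` (tar would then report those files as unreadable rather than archiving them). Those files are normally root-only, so for an unprivileged user DAC already prevents the read; the deny rule matters when the script is run as root. `which`, `tar`, `bzip2` and `gzip` run with `ix` and therefore share this profile's rules, which deserves a comment, e.g. `# helpers run confined under this profile (ix)`.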
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /{usr/,}bin/aptitude-run-state-bundle
profile aptitude-run-state-bundle @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
#include <abstractions/user-download-strict>
@{exec_path} r,
/{usr/,}bin/bash r,
/{usr/,}bin/tar rix,
/{usr/,}bin/bzip2 rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/aptitude-curses rPx,
owner /tmp/aptitudebug.*/{,**} rw,
#include if exists <local/aptitude-run-state-bundle>
}
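Review bot: `tar` and `bzip2` run with `ix`, so when a received bundle is unpacked their writes are limited to `owner /tmp/aptitudebug.*/{,**} rw,` plus whatever the included abstractions grant; that is the key safety property of this profile and deserves a comment, e.g. `# tar/bzip2 inherit this profile (ix): a bundle can only be extracted below the mktemp dir`. The tree gets `rw` here but `rwk` in the aptitude hunk of this commit; fine if only aptitude locks files there, but worth confirming. `/{usr/,}bin/aptitude-curses rPx,` requires a profile attached to that path to be loaded; with none loaded the exec is denied rather than falling back to unconfined, which is the right default but differs from the `rPUx` used for ccache in dpkg-architecture.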
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-architecture
profile dpkg-architecture @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/perl>
@{exec_path} r,
/usr/bin/perl r,
/{usr/,}bin/{,@{multiarch}-}gcc-9 rix,
/{usr/,}bin/ccache rPUx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/usr/share/dpkg/** r,
#include if exists <local/dpkg-architecture>
}
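Review bot: `/{usr/,}bin/{,@{multiarch}-}gcc-9 rix,` pins the compiler version, so the exec will be denied as soon as the default gcc is newer (only logged while `flags=(complain)` stands, enforced afterwards); `/{usr/,}bin/{,@{multiarch}-}gcc{,-[0-9]*} rix,` covers the versioned and unversioned names. `/usr/bin/perl r,` here and in dpkg-vendor departs from the `/{usr/,}bin/perl r,` form used by aptitude-changelog-parser and the rest of the commit's `/{usr/,}` paths; aligning them keeps the profiles consistent. `/{usr/,}bin/ccache rPUx,` falls back to running ccache unconfined when no ccache profile is loaded, which is worth a comment since the other transition in this file (`dpkg rPx -> child-dpkg`) does not.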
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /{usr/,}bin/dpkg-vendor
profile dpkg-vendor @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/perl>
@{exec_path} r,
/usr/bin/perl r,
/etc/dpkg/origins/* r,
#include if exists <local/dpkg-vendor>
}
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
......@@ -22,8 +22,8 @@ profile speedtest @{exec_path} {
/{usr/,}bin/python3.[0-9]* r,
/{usr/,}bin/ r,
/usr/bin/file rix,
/usr/bin/uname rix,
/{usr/,}bin/file rix,
/{usr/,}bin/uname rix,
owner @{PROC}/@{pid}/fd/ r,
......
......@@ -52,6 +52,8 @@ profile top @{exec_path} {
@{PROC}/@{pids}/task/@{tid}/statm r,
@{PROC}/@{pids}/task/@{tid}/environ r,
@{PROC}/@{pids}/task/@{tid}/oom_{,score_}adj r,
@{PROC}/@{pids}/oom_{,score_}adj r,
@{PROC}/@{pids}/oom_score r,
@{PROC}/@{pids}/task/@{tid}/cgroup r,
@{PROC}/@{pids}/task/@{tid}/wchan r,
@{PROC}/@{pids}/task/@{tid}/status r,
......@@ -59,6 +61,9 @@ profile top @{exec_path} {
/etc/topdefaultrc r,
/etc/toprc r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/node[0-9]*/meminfo r,
owner @{HOME}/.config/procps/ rw,
owner @{HOME}/.config/procps/toprc rw,
......
......@@ -97,7 +97,7 @@ profile udisksd @{exec_path} {
@{sys}/class/ r,
@{sys}/class/block/ r,
@{sys}/devices/pci[0-9]*/**/{ata,usb}[0-9]/{,**/}uevent r,
@{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w,
# For powering off USB devices
@{sys}/devices/pci[0-9]*/**/{ata,usb}[0-9]/**/remove rw,
......@@ -109,7 +109,7 @@ profile udisksd @{exec_path} {
# Info on mounted devices
/{,var/}run/mount/utab{,.*} rw,
/{,var/}run/mount/utab.lock rwk,
/var/lib/udisks2/mounted-fs{,.*} rw,
/var/lib/udisks2/mounted-fs{,*} rw,
/{,var/}run/udisks2/ rw,
/{,var/}run/udisks2/loop{,.*} rw,
......
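Review bot: In the first hunk the `uevent w` rule now covers `{ata,usb,mmc}[0-9]`, but the `uevent r` rule directly above it still covers only `{ata,usb}[0-9]`, so mmc uevent files become writable without being readable; if the daemon reads them too, change that line to `@{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent r,`. Writing a uevent file makes the kernel re-emit the device's event, so a comment naming why udisksd needs that for mmc would help; the "For powering off USB devices" comment belongs to the `remove` rule below. In the second hunk `mounted-fs{,*}` replaces `mounted-fs{,.*}`, which matches any suffix; a note on the file name that motivated the widening (a temporary file for atomic replacement, if that is the case) would keep a later reader from narrowing it again.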
# vim:syntax=apparmor
#include <tunables/global>
/usr/sbin/tcpdump {
profile tcpdump /usr/sbin/tcpdump {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
......
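Review bot: Replacing `/usr/sbin/tcpdump {` with `profile tcpdump /usr/sbin/tcpdump {` renames the profile from its path to `tcpdump`, and that name is what audit logs, `ps -Z` and any `peer=` or `px ->` reference in other profiles or `local/` overrides match on; check that nothing still refers to the old name. The attachment stays the bare `/usr/sbin/tcpdump` rather than the `@{exec_path} = /{usr/,}...` pattern used by every other profile in this commit, so it departs from the repository's path convention. The hunk shows only the header and the first includes; the profile's rules and closing brace are outside it.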
......@@ -85,6 +85,8 @@ profile youtube-dl @{exec_path} {
/{usr/,}bin/gcc rix,
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/uname rix,
/{usr/,}bin/rtmpdump rix,
/{usr/,}bin/git rix,
# Which files youtube-dl should be able to open
owner @{HOME}/ r,
......@@ -100,6 +102,8 @@ profile youtube-dl @{exec_path} {
owner @{HOME}/.cache/ rw,
owner @{HOME}/.cache/youtube-dl/{,**} rw,
owner @{HOME}/.config/git/config r,
# External apps
/{usr/,}bin/ffmpeg rPUx,
/{usr/,}bin/ffprobe rPUx,
......
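Review bot: `/{usr/,}bin/git rix,` in the first hunk runs git inheriting youtube-dl's profile, and `owner @{HOME}/.config/git/config r,` in the second lets it read the user's git config, where pager, hook and credential-helper settings can make git spawn further programs; under `ix` those also inherit the profile, so they stay confined, but a comment saying what youtube-dl needs git for would help decide whether a child profile (`rCx -> git`, like the `sensible-pager` transition in this commit's aptitude hunk) is the better shape. `/{usr/,}bin/rtmpdump rix,` is similar: a network downloader running under the full youtube-dl ruleset. The ytdl hunk in this commit adds a single line and nothing for git or rtmpdump, so confirm that the two profiles are meant to diverge.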
......@@ -73,6 +73,7 @@ profile ytdl @{exec_path} {
/{usr/,}bin/ r,
/{usr/,}sbin/ldconfig rix,
/{usr/,}bin/uname rix,
# Which files youtube-dl should be able to open
owner @{HOME}/ r,
......