update apparmor profiles

parent 79069c9d
......@@ -54,6 +54,8 @@ profile amarok @{exec_path} {
#include <abstractions/vlc-art-cache-write>
#include <abstractions/nameservice-strict>
#include <abstractions/wutmp>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
ptrace (trace) [email protected]{profile_name},
......@@ -151,10 +153,6 @@ profile amarok @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
/etc/ssl/openssl.cnf r,
/etc/ssl/certs/ r,
/etc/ssl/certs/ca-certificates.crt r,
# file_inherit
deny /usr/share/anyremote/** r,
owner @{HOME}/.anyRemote/anyremote.stdout w,
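Review bot: The rules dropped here (`/etc/ssl/certs/ r,` at directory level and, in the sibling sections, `/usr/share/ca-certificates/mozilla/*.crt r,` and `/etc/ssl/certs/*.{crt,pem} r,`) are only covered if the `abstractions/ssl_certs` this tree ships grants `/etc/ssl/certs/** r` and `/usr/share/ca-certificates/** r`, which the page does not show; the upstream abstraction does, but a narrower local copy would turn each of these into a fresh denial. The same replacement is made in anki, anyremote, appstreamcli, birdtray, claws-mail, code, conky, curl, ddclient, debsecan and dhclient-script, and the parallel swap of `/etc/ssl/openssl.cnf r,` for `abstractions/openssl` has the same dependency. Worth checking once against the two abstraction files before release. A secondary effect is that every profile now reads every trust-store path the abstraction lists rather than the single bundle it read before; fine for read-only certificate data, but it deserves a line in the commit message.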
......@@ -28,6 +28,8 @@ profile anki @{exec_path} {
#include <abstractions/qt5-compose-cache-write>
#include <abstractions/user-download-strict>
#include <abstractions/trash>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
signal (send) set=(term, kill) peer=anki//mpv,
......@@ -113,9 +115,6 @@ profile anki @{exec_path} {
/usr/share/hwdata/pnp.ids r,
/etc/ssl/openssl.cnf r,
/etc/ssl/certs/ca-certificates.crt r,
/etc/mime.types r,
# SyncThread
......@@ -151,12 +151,11 @@ profile anyremote @{exec_path} {
profile curl {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
/{usr/,}bin/curl mr,
/etc/ssl/openssl.cnf r,
/etc/ssl/certs/ca-certificates.crt r,
}
profile dbus {
......@@ -53,13 +53,11 @@ profile appstreamcli @{exec_path} flags=(complain) {
profile curl {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
/{usr/,}bin/curl mr,
/etc/ssl/openssl.cnf r,
/etc/ssl/certs/ca-certificates.crt r,
/usr/share/ca-certificates/mozilla/*.crt r,
}
#include if exists <local/appstreamcli>
......@@ -18,6 +18,7 @@ profile apt @{exec_path} flags=(complain) {
#include <abstractions/apt-common>
#include <abstractions/apt-archive>
#include <abstractions/nameservice-strict>
#include <abstractions/ssl_certs>
capability fowner,
capability chown,
......@@ -76,13 +77,12 @@ profile apt @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/fd/ r,
/etc/ssl/certs/ca-certificates.crt r,
owner /tmp/clearsigned.message.* rw,
owner /tmp/apt.conf.* rw,
owner /tmp/apt.data.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
owner /tmp/#[0-9]*[0-9] rw,
profile sensible-editor flags=(complain) {
......@@ -31,6 +31,7 @@ profile apt-cache @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/fd/ r,
owner /tmp/clearsigned.message.* rw,
owner /tmp/#[0-9]*[0-9] rw,
# file_inherit
/dev/pts/[0-9]* rw,
......@@ -29,6 +29,7 @@ profile apt-extracttemplates @{exec_path} flags=(complain) {
/var/lib/dpkg/status r,
owner /tmp/clearsigned.message.* rw,
owner /tmp/#[0-9]*[0-9] rw,
# deb archive location
/var/cache/apt/archives/*.deb r,
......@@ -86,6 +86,7 @@ profile apt-get @{exec_path} flags=(complain) {
owner /tmp/apt-tmp-index.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
owner /tmp/#[0-9]*[0-9] rw,
# file_inherit
owner /var/log/cron-apt/temp w,
......@@ -54,6 +54,7 @@ profile apt-key @{exec_path} flags=(complain) {
profile gpg flags=(complain) {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/ssl_certs>
/{usr/,}bin/gpg mr,
/{usr/,}bin/gpgconf mr,
......@@ -79,7 +80,6 @@ profile apt-key @{exec_path} flags=(complain) {
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/etc/ssl/certs/ca-certificates.crt r,
/usr/share/gnupg/sks-keyservers.netCA.pem r,
/etc/hosts r,
......@@ -17,6 +17,7 @@ profile apt-listbugs @{exec_path} {
#include <abstractions/consoles>
#include <abstractions/ruby>
#include <abstractions/nameservice-strict>
#include <abstractions/openssl>
capability sys_tty_config,
......@@ -35,8 +36,6 @@ profile apt-listbugs @{exec_path} {
/etc/apt/listbugs/ignore_bugs r,
/etc/ssl/openssl.cnf r,
@{PROC}/@{pid}/loginuid r,
# The following is needed when apt-listbugs uses debcconf GUI frontends.
......@@ -22,6 +22,10 @@ profile apt-methods-cdrom @{exec_path} flags=(complain) {
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# file_inherit
owner /dev/tty[0-9]* rw,
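Review bot: The three lines `/var/lib/apt/lists/{,**} r,` / `owner /var/lib/apt/lists/* rw,` / `owner /var/lib/apt/lists/partial/* rw,` are pasted verbatim into apt-methods-cdrom, copy, file, ftp, gpgv, http, mirror, rred, rsh and store; a shared abstraction (name to be chosen) included from each method profile would keep the ten copies from drifting the next time the lists layout changes. A comment is also missing on why the write rules are split: `*` does not match `/`, so the second line covers only top-level entries and the `partial/*` line is what grants in-progress downloads, e.g. `# writes are limited to the top level and partial/; do not merge into **`. Without it the next reader is likely to collapse them into `owner /var/lib/apt/lists/** rw,`, which is exactly the wider rule the apt-methods-http hunk removes.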
......@@ -35,7 +35,9 @@ profile apt-methods-copy @{exec_path} flags=(complain) {
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
owner /var/lib/apt/lists/{partial/,}*_{In,}Release{,.*} rw,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# file_inherit
owner /dev/tty[0-9]* rw,
......@@ -35,6 +35,8 @@ profile apt-methods-file @{exec_path} flags=(complain) {
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# file_inherit
......@@ -22,6 +22,10 @@ profile apt-methods-ftp @{exec_path} flags=(complain) {
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# file_inherit
owner /dev/tty[0-9]* rw,
......@@ -59,8 +59,9 @@ profile apt-methods-gpgv @{exec_path} flags=(complain) {
owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
owner /tmp/apt.{conf,sig,data}.* rw,
/var/lib/apt/lists/ r,
/var/lib/apt/lists/{partial/,}*_{In,}Release rw,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
......@@ -15,6 +15,7 @@
profile apt-methods-http @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/ssl_certs>
# For downloading packages
#include <abstractions/user-download-strict>
......@@ -39,9 +40,9 @@ profile apt-methods-http @{exec_path} flags=(complain) {
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/etc/ssl/certs/ca-certificates.crt r,
owner /var/lib/apt/lists/** rw,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
owner /var/cache/apt/archives/*/*.deb rw,
......@@ -22,6 +22,10 @@ profile apt-methods-mirror @{exec_path} flags=(complain) {
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# file_inherit
owner /dev/tty[0-9]* rw,
......@@ -35,8 +35,9 @@ profile apt-methods-rred @{exec_path} flags=(complain) {
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
/var/lib/apt/lists/** r,
/var/lib/apt/lists/partial/* rw,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# file_inherit
owner /dev/tty[0-9]* rw,
......@@ -22,6 +22,10 @@ profile apt-methods-rsh @{exec_path} flags=(complain) {
@{exec_path} mr,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
# file_inherit
owner /dev/tty[0-9]* rw,
......@@ -35,8 +35,9 @@ profile apt-methods-store @{exec_path} flags=(complain) {
/usr/share/dpkg/cputable r,
/usr/share/dpkg/tupletable r,
owner /var/lib/apt/lists/** rw,
/var/lib/apt/lists/** r,
/var/lib/apt/lists/{,**} r,
owner /var/lib/apt/lists/* rw,
owner /var/lib/apt/lists/partial/* rw,
/usr/share/doc/*/changelog.* r,
......@@ -27,6 +27,7 @@ profile apt-show-versions @{exec_path} flags=(complain) {
owner /var/cache/apt-show-versions/files rw,
owner /tmp/clearsigned.message.* rw,
owner /tmp/#[0-9]*[0-9] rw,
owner @{PROC}/@{pid}/fd/ r,
......@@ -97,6 +97,7 @@ profile aptitude @{exec_path} flags=(complain) {
owner /tmp/clearsigned.message.* rw,
owner /tmp/apt-dpkg-install-*/ rw,
owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
owner /tmp/#[0-9]*[0-9] rw,
# For the interactive mode
/usr/share/tasksel/descs/ r,
......@@ -17,6 +17,9 @@ profile at-spi-bus-launcher @{exec_path} {
#include <abstractions/nameservice-strict>
#include <abstractions/dconf-deny>
# Needed?
deny capability sys_nice,
signal (send) set=(term, kill) peer=unconfined,
@{exec_path} mr,
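Review bot: `deny capability sys_nice,` under a `# Needed?` comment cannot answer its own question: explicit `deny` rules are quiet by default, so if the launcher does try to change its scheduling priority nothing reaches the audit log. Either make it `audit deny capability sys_nice,` until the answer is known, or replace the comment with the reason the denial is wanted, e.g. `# priority change is attempted at startup but not required; deny quietly`. The same pair is added to at-spi2-registryd in the next section.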
......@@ -14,6 +14,10 @@
@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd /usr/libexec/at-spi2-registryd
profile at-spi2-registryd @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
# Needed?
deny capability sys_nice,
@{exec_path} mr,
......@@ -23,6 +27,7 @@ profile at-spi2-registryd @{exec_path} {
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
owner /dev/tty[0-9]* rw,
#include if exists <local/at-spi2-registryd>
}
......@@ -23,6 +23,8 @@ profile birdtray @{exec_path} {
#include <abstractions/mesa>
#include <abstractions/dri-enumerate>
#include <abstractions/nameservice-strict>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
@{exec_path} mr,
......@@ -65,12 +67,6 @@ profile birdtray @{exec_path} {
/var/lib/dbus/machine-id r,
/etc/machine-id r,
# Check for updates
/etc/ssl/ r,
/etc/ssl/certs/ r,
/etc/ssl/openssl.cnf r,
/usr/share/ca-certificates/mozilla/*.crt r,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
......@@ -39,7 +39,7 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
/usr/share/debconf/confmodule r,
owner /tmp/debian-security-support.postinst.*/ rw,
owner /tmp/debian-security-support.postinst.*/output w,
owner /tmp/debian-security-support.postinst.*/output rw,
# file_inherit
/dev/pts/[0-9]* rw,
......@@ -54,6 +54,9 @@ profile check-support-status-hook @{exec_path} flags=(complain) {
owner /tmp/debian-security-support.postinst.*/output r,
# file_inherit
/dev/pts/[0-9]* rw,
}
profile frontend flags=(complain) {
......@@ -59,6 +59,7 @@ profile child-lsb_release {
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
# deny /tmp/gtalkplugin.log w,
/dev/pts/[0-9]* rw,
/dev/dri/card[0-9]* rw,
#include if exists <local/child-lsb_release>
}
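Review bot: `/dev/dri/card[0-9]* rw,` grants lsb_release read-write access to the GPU device, when the `# file_inherit` block only needs to quiet an inherited descriptor that lsb_release itself has no use for. `deny /dev/dri/card[0-9]* rw,` keeps the log quiet and leaves the inherited fd unusable in the child without handing it an access it never needs, the same treatment the commented-out `# deny /tmp/gtalkplugin.log w,` line above suggests was considered for another inherited file. If a parent profile that execs this child (not visible here) relies on the fd surviving the exec, keep the allow but record that reason in a comment.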
......@@ -29,6 +29,7 @@ profile chromium-chromium @{exec_path} {
##include <abstractions/thumbnails-cache-write>
#include <abstractions/nameservice-strict>
#include <abstractions/dconf-deny>
#include <abstractions/ssl_certs>
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
......@@ -67,8 +68,6 @@ profile chromium-chromium @{exec_path} {
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
/etc/ssl/certs/ca-certificates.crt r,
# Chromium files
/usr/share/chromium/{,**} r,
......@@ -180,7 +179,10 @@ profile chromium-chromium @{exec_path} {
/{usr/,}bin/xdg-open mr,
/{usr/,}bin/dash rix,
# Allowed apps to open
/{usr/,}bin/smplayer rPx,
# file_inherit
......@@ -23,6 +23,7 @@ profile claws-mail @{exec_path} flags=(complain) {
#include <abstractions/nameservice-strict>
#include <abstractions/audio>
##include <abstractions/thumbnails-cache-write>
#include <abstractions/ssl_certs>
@{exec_path} mr,
......@@ -69,11 +70,6 @@ profile claws-mail @{exec_path} flags=(complain) {
/usr/share/sounds/freedesktop/stereo/*.oga r,
/usr/share/publicsuffix/*.dafsa r,
/etc/ssl/ r,
/etc/ssl/certs/ r,
/etc/ssl/certs/*.{crt,pem} r,
/usr/share/ca-certificates/mozilla/*.crt r,
# file_inherit
owner @{HOME}/.xsession-errors w,
owner @{HOME}/.local/share/sddm/{xorg,wayland}-session.log w,
......@@ -21,6 +21,7 @@ profile code @{exec_path} {
#include <abstractions/fontconfig-cache-read>
#include <abstractions/nameservice-strict>
#include <abstractions/dconf-deny>
#include <abstractions/ssl_certs>
# The following doesn't seem to be needed
##include <abstractions/mesa>
##include <abstractions/consoles>
......@@ -129,8 +130,6 @@ profile code @{exec_path} {
owner "/tmp/VSCode Crashes/" rw,
owner /tmp/vscode-typescript[0-9]*/ rw,
/etc/ssl/certs/ca-certificates.crt r,
owner /{var/,}run/user/[0-9]*/vscode-[0-9a-f]*-*-{shared,main}.sock rw,
owner /{var/,}run/user/[0-9]*/vscode-git-askpass-[0-9a-f]*.sock rw,
......@@ -12,7 +12,7 @@
#include <tunables/global>
@{exec_path} = /{usr/,}lib/colord/colord /usr/libexec/colord
profile colord @{exec_path} flags=(complain) {
profile colord @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
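Review bot: Dropping `flags=(complain)` switches colord from logging to enforcing with no rule change in the same hunk, so the evidence that the profile is complete (no remaining complain-mode `ALLOWED` entries after exercising the daemon) is not recorded anywhere in the commit. A comment above the profile line, e.g. `# enforced since <date>; no complain-mode denials seen on <distro/version>` (placeholders), or a line in the commit message would preserve it. The profile body continues outside the hunk.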
......@@ -19,6 +19,8 @@ profile conky @{exec_path} {
#include <abstractions/fonts>
#include <abstractions/fontconfig-cache-read>
#include <abstractions/nameservice-strict>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
@{exec_path} mr,
......@@ -50,9 +52,6 @@ profile conky @{exec_path} {
/{usr/,}bin/lynx rCx -> lynx,
/{usr/,}bin/w3m rCx -> w3m,
/etc/ssl/openssl.cnf r,
/etc/ssl/certs/ca-certificates.crt r,
# Conky home files
owner @{HOME}/ r,
owner @{HOME}/.conky/ r,
......@@ -143,6 +142,8 @@ profile conky @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
/{usr/,}bin/wget mr,
......@@ -151,9 +152,6 @@ profile conky @{exec_path} {
owner @{HOME}/.conky/** rw,
/etc/ssl/openssl.cnf r,
/etc/ssl/certs/ca-certificates.crt r,
/usr/share/publicsuffix/public_suffix_list.* r,
# file_inherit
......@@ -165,13 +163,11 @@ profile conky @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
/{usr/,}bin/curl mr,
/etc/ssl/openssl.cnf r,
/etc/ssl/certs/ca-certificates.crt r,
/usr/share/ca-certificates/mozilla/*.crt r,
/usr/share/publicsuffix/public_suffix_list.* r,
owner @{HOME}/.conky/** rw,
......@@ -195,6 +191,7 @@ profile conky @{exec_path} {
profile lynx {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/ssl_certs>
/{usr/,}bin/lynx mr,
......@@ -202,8 +199,6 @@ profile conky @{exec_path} {
/{usr/,}bin/dash rix,
/etc/ssl/certs/ca-certificates.crt r,
/etc/mime.types r,
/etc/mailcap r,
......@@ -218,6 +213,8 @@ profile conky @{exec_path} {
#include <abstractions/base>
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
/{usr/,}bin/w3m mr,
......@@ -232,9 +229,6 @@ profile conky @{exec_path} {
owner @{HOME}/.w3m/ rw,
owner @{HOME}/.w3m/** rw,
/usr/share/ca-certificates/mozilla/*.crt r,
/etc/ssl/openssl.cnf r,
# file_inherit
owner /dev/tty[0-9]* rw,
......@@ -17,13 +17,11 @@ profile curl @{exec_path} {
#include <abstractions/consoles>
#include <abstractions/nameservice-strict>
#include <abstractions/user-download-strict>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
@{exec_path} mr,
/etc/ssl/openssl.cnf r,
/etc/ssl/certs/ca-certificates.crt r,
/usr/share/ca-certificates/mozilla/*.crt r,
/usr/share/publicsuffix/public_suffix_list.* r,
@{PROC}/@{pids}/stat r,
......@@ -16,6 +16,8 @@ profile ddclient @{exec_path} {
#include <abstractions/base>
#include <abstractions/perl>
#include <abstractions/nameservice-strict>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
@{exec_path} r,
/{usr/,}bin/perl r,
......@@ -25,11 +27,6 @@ profile ddclient @{exec_path} {
/etc/ddclient.conf r,
/etc/ssl/openssl.cnf r,
/etc/ssl/certs/ r,
/etc/ssl/certs/ca-certificates.crt r,
/usr/share/ca-certificates/mozilla/*.crt r,
/{,var/}run/ddclient.pid rw,
/var/cache/ddclient/ddclient.cache rw,
......@@ -17,6 +17,8 @@ profile debsecan @{exec_path} {
#include <abstractions/consoles>
#include <abstractions/python>
#include <abstractions/nameservice-strict>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
@{exec_path} r,
/{usr/,}bin/python2.[0-9]* r,
......@@ -42,10 +44,6 @@ profile debsecan @{exec_path} {
owner @{PROC}/@{pid}/fd/ r,
/etc/ssl/openssl.cnf r,
/etc/ssl/certs/ca-certificates.crt r,
/usr/share/ca-certificates/mozilla/*.crt r,
# file_inherit
/tmp/#[0-9]*[0-9] rw,
......@@ -39,6 +39,7 @@ profile debtags @{exec_path} flags=(complain) {
/var/lib/dpkg/status r,
owner /tmp/clearsigned.message.* rw,
owner /tmp/#[0-9]*[0-9] rw,
# file_inherit
/var/log/cron-apt/temp w ,
......@@ -15,6 +15,7 @@
profile dhclient @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/openssl>
capability net_bind_service,
capability net_raw,
......@@ -35,7 +36,5 @@ profile dhclient @{exec_path} {
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
/etc/ssl/openssl.cnf r,
#include if exists <local/dhclient>
}
......@@ -15,6 +15,8 @@
profile dhclient-script @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/ssl_certs>
capability sys_module,
......@@ -28,9 +30,6 @@ profile dhclient-script @{exec_path} {
# /sbin/dhclient-script: 133: hostname: Permission denied
/{usr/,}bin/hostname rPx,
/etc/ssl/openssl.cnf r,
/etc/ssl/certs/ca-certificates.crt r,
# To read scripts
/etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r,
......@@ -15,11 +15,10 @@
profile dig @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/openssl>
@{exec_path} mr,
/etc/ssl/openssl.cnf r,
owner @{PROC}/@{pid}/task/@{tid}/comm rw,
owner @{HOME}/.digrc r,
......@@ -15,6 +15,7 @@
profile dirmngr @{exec_path} {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
#include <abstractions/ssl_certs>
@{exec_path} mr,