update apparmor profiles

parent 97e4ae5b
......@@ -38,6 +38,14 @@ profile discord @{exec_path} {
@{exec_path} mrix,
# The following rules are needed only when the kernel.unprivileged_userns_clone option is set
# to "1".
capability sys_admin,
capability sys_chroot,
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/gid_map w,
owner @{PROC}/@{pid}/uid_map w,
/{usr/,}bin/dash rix,
/{usr/,}bin/xdg-open rCx -> open,
......@@ -53,6 +61,7 @@ profile discord @{exec_path} {
@{DISCORD_LIBDIR}/libffmpeg.so mr,
# @{DISCORD_LIBDIR}/swiftshader/libEGL.so mr,
# @{DISCORD_LIBDIR}/swiftshader/libGLESv2.so mr,
@{DISCORD_LIBDIR}/chrome-sandbox rPx,
owner @{DISCORD_HOMEDIR}/ rw,
owner @{DISCORD_HOMEDIR}/** rwk,
......
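Review bot: `capability sys_admin` and `capability sys_chroot`, together with the setgroups/gid_map/uid_map writes, are granted to the top-level discord profile, so they are usable by the whole Electron process and not only by the namespace-sandbox setup the comment describes; AppArmor grants a capability to the profile as a whole and cannot scope it to the user-namespace path. If the rules exist only because kernel.unprivileged_userns_clone=1 makes Chromium prefer its namespace sandbox over the setuid chrome-sandbox helper (the `rPx` transition in the second hunk), the comment should record that this is a deliberate widening and when it can be reverted, e.g. `# Needed for Chromium's user-namespace sandbox; this gives sys_admin to the whole profile — comment out when the setuid chrome-sandbox (rPx below) is used instead.` The enclosing discord profile starts and ends outside the hunks.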
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{DISCORD_LIBDIR} = /usr/share/discord
@{DISCORD_HOMEDIR} = @{HOME}/.config/discord
@{DISCORD_CACHEDIR} = @{HOME}/.cache/discord
@{exec_path} = @{DISCORD_LIBDIR}/chrome-sandbox
profile discord-chrome-sandbox @{exec_path} {
#include <abstractions/base>
# For kernel unprivileged user namespaces
capability sys_admin,
capability sys_chroot,
capability setuid,
capability setgid,
# optional
capability sys_resource,
@{exec_path} mr,
# Do not strip env to avoid errors like the following:
# /usr/share/discord/Discord: error while loading shared libraries: libffmpeg.so: cannot open
# shared object file: No such file or directory
# [1] 777862 trace trap discord
@{DISCORD_LIBDIR}/Discord rpx,
@{PROC}/@{pids}/ r,
deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
#include if exists <local/discord-chrome-sandbox>
}
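Review bot: `@{DISCORD_LIBDIR}/Discord rpx,` uses a lowercase `p`, i.e. no environment scrubbing on the transition out of a setuid-root helper, and the comment above it records only the symptom (libffmpeg.so not found), not which variable has to survive. Unscrubbed means the secure-exec sanitising that drops LD_PRELOAD and LD_LIBRARY_PATH is skipped, so caller-controlled loader variables reach the Discord process; as far as I can tell chrome-sandbox has already returned to the calling user's identity at that point, so this is not a privilege gain, but the profile should say so, e.g. `# px, not Px: scrubbing the env breaks Discord's library lookup (libffmpeg.so) — presumably LD_LIBRARY_PATH; sandbox has dropped privileges by then.` The `# optional` above `capability sys_resource` should likewise name the operation that needs it, or the line should stay commented out until a denial for it shows up in the log.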
......@@ -40,6 +40,7 @@ profile dpkg @{exec_path} flags=(complain) {
# Run the package maintainer's scripts
# What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
# Move it to a child profile once more transitions will be available
/var/lib/dpkg/ r,
/var/lib/dpkg/** rwkl -> /var/lib/dpkg/**,
/var/lib/dpkg/info/*.config rPUx,
......@@ -48,6 +49,14 @@ profile dpkg @{exec_path} flags=(complain) {
/var/lib/dpkg/tmp.ci/config rPUx,
/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx,
/var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx,
#/var/lib/dpkg/info/*.config rCx -> scripts,
#/var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts,
#/var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts,
#/var/lib/dpkg/tmp.ci/config rCx -> scripts,
#/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
#/var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts,
/etc/dpkg/dpkg.cfg.d/{,*} r,
/etc/dpkg/dpkg.cfg r,
......@@ -103,5 +112,22 @@ profile dpkg @{exec_path} flags=(complain) {
}
profile scripts flags=(complain) {
#include <abstractions/base>
/var/lib/dpkg/info/*.config r,
/var/lib/dpkg/info/*.{preinst,postinst} r,
/var/lib/dpkg/info/*.{prerm,postrm} r,
/var/lib/dpkg/tmp.ci/config r,
/var/lib/dpkg/tmp.ci/{preinst,postinst} r,
/var/lib/dpkg/tmp.ci/{prerm,postrm} r,
/{usr/,}/bin/ r,
/{usr/,}/bin/* rPUx,
/{usr/,}/sbin/ r,
/{usr/,}/sbin/* rPUx,
}
#include if exists <local/dpkg>
}
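Review bot: The four path rules in the new `scripts` child profile, `/{usr/,}/bin/ r,` through `/{usr/,}/sbin/* rPUx,`, carry a second slash after the brace group, so they expand to `//bin/*` and `/usr//bin/*` instead of `/bin/*` and `/usr/bin/*` as every other profile in this commit writes them (e.g. `/{usr/,}bin/dash rix,`). Unless apparmor_parser collapses the duplicate slash — I would not rely on that — these rules never match and the child denies every tool it was meant to allow; the fix is `/{usr/,}bin/* rPUx,` and the same one-character change in the other three. The child is also unreachable at the moment, since all of its `rCx -> scripts` transitions are commented out in favour of `rPUx` on the maintainer scripts; a one-line comment on why the child is kept but unused would save the next reader the search. The enclosing dpkg profile starts outside the hunks.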
......@@ -54,6 +54,7 @@ profile gpartedbin @{exec_path} {
/{usr/,}sbin/mkntfs rPx,
/{usr/,}sbin/ntfslabel rPx,
/{usr/,}sbin/ntfsresize rPx,
/{usr/,}bin/ntfsinfo rPx,
# FAT16/32
# The following tools link to mtools:
......
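Review bot: `/{usr/,}bin/ntfsinfo rPx,` requires a profile attached to /usr/bin/ntfsinfo to exist at exec time; with `Px` an exec with no matching profile is denied rather than falling back to unconfined, and nothing visible in this commit adds one. If the profile already ships elsewhere in the repository this is fine; otherwise `rPUx`, as the dpkg hunks use for not-yet-profiled tools, is the usual stopgap until it is written. The gpartedbin profile continues outside the hunk.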
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
......@@ -19,3 +19,6 @@
# For lintian
/media/*/pbuilder/result/*.deb r,
# For installing linux via debootstrap
/mnt/var/cache/apt/archives/*.deb r,
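Review bot: `/mnt/var/cache/apt/archives/*.deb r,` bakes a site-specific mount point into a shared profile; the same applies to `owner /mnt/var/lib/apt/** rw,` and `owner /mnt/var/cache/apt/** rw,` in the following file's hunk. If these rules serve one debootstrap workflow, a variable in the profile's tunable block (not visible here; a constructed name such as `@{DEBOOTSTRAP_TARGET} = /mnt`, used as `@{DEBOOTSTRAP_TARGET}/var/cache/apt/archives/*.deb r,`) lets other installations change the location without editing the profile, and the comment should note that the rules are only needed for that workflow. The enclosing profile starts outside both hunks.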
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
......@@ -16,3 +16,7 @@
#
owner /media/*/download/ r,
owner /media/*/download/* rw,
# For installing linux via debootstrap
owner /mnt/var/lib/apt/** rw,
owner /mnt/var/cache/apt/** rw,
......@@ -54,10 +54,13 @@ profile ucf @{exec_path} flags=(complain) {
owner /tmp/* rw,
/etc/default/* rw,
# Fror md5sum
# For md5sum
/etc/** r,
/usr/share/*/conffiles/* r,
# For writing new config files
/etc/** rw,
/usr/share/debconf/confmodule r,
......
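Review bot: `/etc/** rw,` makes the retained `/etc/** r,` two lines above and the existing `/etc/default/* rw,` fully redundant, and it grants read-write access to every file under /etc, which is broad for a tool that only replaces the conffiles it is asked to manage. ucf is normally run by root maintainer scripts, so `owner` would not narrow it; if the destinations genuinely cannot be enumerated, the rule should carry a comment saying so, e.g. `# ucf writes the managed conffile wherever the caller points it; destinations cannot be enumerated`, and the two redundant lines can go. The enclosing ucf profile starts outside the hunk.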
......@@ -33,6 +33,7 @@ profile unmkinitramfs @{exec_path} {
/{usr/,}bin/cpio rix,
owner /boot/initrd.img-* r,
owner /tmp/initrd.img-* r,
/var/tmp/ r,
owner /var/tmp/unmkinitramfs_* rw,
......
# vim:syntax=apparmor
# ------------------------------------------------------------------
#
# Copyright (C) 2020 Mikhail Morfikov
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
# License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
#include <tunables/global>
@{exec_path} = /{usr/,}sbin/update-ca-certificates
profile update-ca-certificates @{exec_path} flags=(complain) {
#include <abstractions/base>
#include <abstractions/ssl_certs>
@{exec_path} r,
/{usr/,}bin/dash r,
/{usr/,}bin/basename rix,
/{usr/,}bin/cat rix,
/{usr/,}bin/chmod rix,
/{usr/,}bin/mktemp rix,
/{usr/,}bin/mv rix,
/{usr/,}bin/readlink rix,
/{usr/,}bin/rm rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/sort rix,
/{usr/,}bin/wc rix,
/{usr/,}bin/find rix,
/etc/ca-certificates/update.d/jks-keystore rCx -> jks-keystore,
/{usr/,}bin/run-parts rCx -> run-parts,
/etc/ca-certificates.conf r,
/etc/ssl/certs/ca-certificates.crt rw,
/{usr/,}lib/locale/locale-archive r,
owner /tmp/ca-certificates{,.crt}.tmp.* rw,
@{PROC}/filesystems r,
profile run-parts flags=(complain) {
#include <abstractions/base>
/{usr/,}bin/run-parts mr,
/etc/ca-certificates/update.d/ r,
}
profile jks-keystore flags=(complain) {
#include <abstractions/base>
#include <abstractions/nameservice-strict>
/etc/ca-certificates/update.d/jks-keystore mr,
/{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix,
/{usr/,}bin/dash rix,
/{usr/,}bin/sed rix,
/{usr/,}bin/head rix,
/{usr/,}bin/mountpoint rix,
/{usr/,}bin/dpkg-query rPx,
/{usr/,}bin/dpkg rPx -> child-dpkg,
/usr/share/ca-certificates-java/ca-certificates-java.jar r,
/usr/share/java/java-atk-wrapper.jar r,
/etc/default/cacerts r,
/etc/ssl/certs/ r,
/etc/ssl/certs/java/cacerts rw,
/etc/java-[0-9]*-openjdk/{,**} r,
owner @{PROC}/@{pid}/cgroup r,
owner @{PROC}/@{pid}/mountinfo r,
@{sys}/fs/cgroup/** r,
owner /tmp/hsperfdata_root/ r,
owner /tmp/hsperfdata_root/[0-9]*[0-9] rw,
}
#include if exists <local/update-ca-certificates>
}
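Review bot: `/{usr/,}bin/dash r,` gives the script's interpreter read access only, while every other helper in this file and the `dash` rule in the jks-keystore child use `rix`; if `r` is sufficient for the interpreter named by the attached script's shebang (I am not certain of that), a comment saying so would stop the next reader from "fixing" it, and if it is not, the profile logs an exec denial on every run while in complain mode. Also worth a comment: run-parts gets a child that only reads update.d, while the `jks-keystore` hook is transitioned from the parent with `rCx`; that layout only holds if the script uses run-parts to list the hooks and executes them itself — presumably true, but a line such as `# run-parts only lists the hooks; the script execs them itself, hence the rCx rules in this profile` records the assumption. `/{usr/,}bin/dpkg rPx -> child-dpkg,` depends on a `child-dpkg` profile that is not part of this commit as far as visible.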