commit: 277d210fe82228bfd80013cb630a385605f5e27f
parent bb320fd495d22de3ac543fe2b95352fab2910616
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Mon, 14 Aug 2023 22:27:39 +0200
apparmor-profile upstream update
Diffstat:
75 files changed, 803 insertions(+), 99 deletions(-)
diff --git a/abstractions/X b/abstractions/X
@@ -17,6 +17,7 @@
# .ICEauthority files required for X authentication, per user
owner @{HOME}/.ICEauthority r,
+ owner @{run}/user/*/ICEauthority r,
# .Xauthority files required for X connections, per user
owner @{HOME}/.Xauthority r,
@@ -29,7 +30,7 @@
owner @{run}/user/*/xauth_* r,
# the unix socket to use to connect to the display
- /tmp/.X11-unix/* r,
+ /tmp/.X11-unix/* rw,
unix (connect, receive, send)
type=stream
peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
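Review bot: The new `/tmp/.X11-unix/* rw,` rule grants write (and therefore create) on every name in the world-writable socket directory, wider than the `unix ... peer=(addr="@/tmp/.X11-unix/X[0-9]*")` rule right below it, which already scopes the abstract-socket form to display sockets. Connecting to a path-bound unix socket is mediated as a write on that path, so the move from `r` to `rw` looks intended, but it can be narrowed to `/tmp/.X11-unix/X[0-9]* rw,` without losing the connect permission. A one-line comment such as `# w is needed: connect() on a path-bound socket is mediated as a write` would stop the next reader from "fixing" it back to `r`.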
@@ -51,6 +52,8 @@
# Xcompose
owner @{HOME}/.XCompose r,
+ /var/cache/libx11/compose/* r,
+ deny /var/cache/libx11/compose/* wlk,
# mouse themes
/etc/X11/cursors/ r,
diff --git a/abstractions/apache2-common b/abstractions/apache2-common
@@ -6,6 +6,10 @@
include <abstractions/nameservice>
+ # Allow other processes to read our /proc entries
+ ptrace (readby),
+ # Allow other processes to trace us by default
+ ptrace (tracedby),
# Allow unconfined processes to send us signals by default
signal (receive) peer=unconfined,
# Allow apache to send us signals by default
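Review bot: `ptrace (readby),` and `ptrace (tracedby),` are added without a `peer=` qualifier, so any profile that itself holds `ptrace (read)` or `ptrace (trace)` may now read or attach to every process that includes this abstraction, whereas the signal rule two lines below is deliberately scoped to `peer=unconfined`. Being traceable hands the tracer the whole process image, including TLS keys and credentials loaded by modules, so an unqualified `tracedby` is a confinement regression unless it is meant to be open. Consider `ptrace (readby, tracedby) peer=unconfined,` to mirror the signal rule and widen to a named peer only where a specific tracer is required. Yama's ptrace_scope still applies on top, but a comment recording what motivated the rule would make the intent auditable.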
diff --git a/abstractions/apparmor_api/is_enabled b/abstractions/apparmor_api/is_enabled
@@ -15,5 +15,6 @@ abi <abi/3.0>,
include <abstractions/apparmor_api/find_mountpoint>
@{sys}/module/apparmor/parameters/enabled r,
+@{sys}/module/apparmor/parameters/available r,
# TODO: add alternate apparmorfs interface for enabled
diff --git a/abstractions/audio b/abstractions/audio
@@ -85,5 +85,8 @@ owner @{HOME}/.local/share/openal/hrtf/{,**} r,
# wildmidi
/etc/wildmidi/wildmidi.cfg r,
+# pipewire
+/usr/share/pipewire/client.conf r,
+
# Include additions to the abstraction
include if exists <abstractions/audio.d>
diff --git a/abstractions/authentication b/abstractions/authentication
@@ -2,7 +2,7 @@
#
# Copyright (C) 2002-2009 Novell/SUSE
# Copyright (C) 2009-2012 Canonical Ltd
-# Copyright (C) 2019 Christian Boltz
+# Copyright (C) 2019-2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -36,6 +36,8 @@
# SuSE's pwdutils are different:
@{etc_ro}/default/passwd r,
@{etc_ro}/login.defs r,
+ @{etc_ro}/login.defs.d/ r,
+ @{etc_ro}/login.defs.d/*.defs r,
# nis
include <abstractions/nis>
diff --git a/abstractions/base b/abstractions/base
@@ -12,6 +12,7 @@
abi <abi/3.0>,
+ include <abstractions/crypto>
# (Note that the ldd profile has inlined this file; if you make
# modifications here, please consider including them in the ldd
@@ -35,8 +36,8 @@
/usr/share/locale-langpack/** r,
/usr/share/locale/** r,
/usr/share/**/locale/** r,
- /usr/share/zoneinfo/ r,
- /usr/share/zoneinfo/** r,
+ /usr/share/zoneinfo{,-icu}/ r,
+ /usr/share/zoneinfo{,-icu}/** r,
/usr/share/X11/locale/** r,
@{run}/systemd/journal/dev-log w,
# systemd native journal API (see sd_journal_print(4))
@@ -102,13 +103,11 @@
@{PROC}/cpuinfo r,
@{sys}/devices/system/cpu/ r,
@{sys}/devices/system/cpu/online r,
+ @{sys}/devices/system/cpu/possible r,
# glibc's *printf protections read the maps file
@{PROC}/@{pid}/{maps,auxv,status} r,
- # libgcrypt reads some flags from /proc
- @{PROC}/sys/crypto/* r,
-
# some applications will display license information
/usr/share/common-licenses/** r,
diff --git a/abstractions/crypto b/abstractions/crypto
@@ -0,0 +1,27 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2021 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ @{etc_ro}/gcrypt/hwf.deny r,
+ @{etc_ro}/gcrypt/random.conf r,
+ @{PROC}/sys/crypto/fips_enabled r,
+
+ # libgcrypt reads some flags from /proc
+ @{PROC}/sys/crypto/* r,
+
+ # crypto policies used by various libraries
+ /etc/crypto-policies/*/*.txt r,
+ /usr/share/crypto-policies/*/*.txt r,
+
+ include if exists <abstractions/crypto.d>
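Review bot: `@{PROC}/sys/crypto/fips_enabled r,` is fully subsumed by `@{PROC}/sys/crypto/* r,` three lines later, so one of the two is dead. If the intent is to expose only the FIPS flag, drop the glob; if libgcrypt genuinely needs the other entries, drop the explicit line and reword the comment to `# libgcrypt and FIPS-aware libraries read flags from /proc (incl. fips_enabled)`. Because this abstraction is now pulled into `abstractions/base`, every profile on the system inherits whichever rule survives, so the scope deserves an explicit decision rather than two overlapping rules.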
diff --git a/abstractions/exo-open b/abstractions/exo-open
@@ -29,8 +29,8 @@
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
-# # Add if accesibility access is considered as required
-# # (for message boxe in case exo-open fails)
+# # Add if accessibility access is considered as required
+# # (for message box in case exo-open fails)
# include <abstractions/dbus-accessibility>
#
# # < add additional allowed applications here >
@@ -51,13 +51,6 @@
/{,usr/}bin/which rix,
- # Deny DBus
-
- # for GTK error message dialog, not required exo-open to work.
- deny dbus send
- bus=session
- path=/org/gtk/vfs/mounttracker,
-
# System files
/etc/xdg/{,xdg-*/}xfce4/helpers.rc r,
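Review bot: Removing the `deny dbus send bus=session path=/org/gtk/vfs/mounttracker` rule does more than drop log noise: an explicit `deny` overrides allow rules from any other abstraction the same profile includes, so a profile that combines `exo-open` with a broad session-bus grant now permits a call that was previously blocked. If the deny only ever produced noise in profiles with no dbus allow at all, the removal is harmless, but the commit does not say which case applies. A short note in the file, e.g. `# dbus to /org/gtk/vfs/mounttracker is no longer explicitly denied; the including profile decides`, would make the policy change visible to anyone auditing these abstractions.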
diff --git a/abstractions/fonts b/abstractions/fonts
@@ -54,6 +54,8 @@
owner @{HOME}/.fonts.conf.d/** r,
owner @{HOME}/.config/fontconfig/ r,
owner @{HOME}/.config/fontconfig/** r,
+ owner @{HOME}/.Fontmatrix/Activated/ r,
+ owner @{HOME}/.Fontmatrix/Activated/** r,
/usr/local/share/fonts/ r,
/usr/local/share/fonts/** r,
diff --git a/abstractions/freedesktop.org b/abstractions/freedesktop.org
@@ -20,7 +20,7 @@
@{system_share_dirs}/mime/** r,
# per-user configurations
- owner @{HOME}/.icons/ r,
+ owner @{HOME}/.icons/{,**} r,
owner @{HOME}/.recently-used.xbel* rw,
owner @{HOME}/.local/share/recently-used.xbel* rw,
owner @{HOME}/.config/user-dirs.dirs r,
diff --git a/abstractions/groff b/abstractions/groff
@@ -0,0 +1,67 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2023 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ # Note: executing groff and nroff themself is not included in this abstraction
+ # so that you can choose to ix, Px or Cx them in your profile
+
+ # groff/nroff helpers, preprocessors, and postprocessors
+ /usr/bin/addftinfo mrix,
+ /usr/bin/afmtodit mrix,
+ /usr/bin/chem mrix,
+ /usr/bin/eqn mrix,
+ /usr/bin/eqn2graph mrix,
+ /usr/bin/gdiffmk mrix,
+ /usr/bin/geqn mrix,
+ /usr/bin/grap2graph mrix,
+ /usr/bin/grn mrix,
+ /usr/bin/grodvi mrix,
+ /usr/bin/groffer mrix,
+ /usr/bin/grog mrix,
+ /usr/bin/grolbp mrix,
+ /usr/bin/grolj4 mrix,
+ /usr/bin/gropdf mrix,
+ /usr/bin/grops mrix,
+ /usr/bin/grotty mrix,
+ /usr/bin/gtbl mrix,
+ /usr/bin/hpftodit mrix,
+ /usr/bin/indxbib mrix,
+ /usr/bin/lkbib mrix,
+ /usr/bin/lookbib mrix,
+ /usr/bin/mmroff mrix,
+ /usr/bin/neqn mrix,
+ /usr/bin/pdfmom mrix,
+ /usr/bin/pdfroff mrix,
+ /usr/bin/pfbtops mrix,
+ /usr/bin/pic mrix,
+ /usr/bin/pic2graph mrix,
+ /usr/bin/post-grohtml mrix,
+ /usr/bin/pre-grohtml mrix,
+ /usr/bin/preconv mrix,
+ /usr/bin/refer mrix,
+ /usr/bin/roff2dvi mrix,
+ /usr/bin/roff2html mrix,
+ /usr/bin/roff2pdf mrix,
+ /usr/bin/roff2ps mrix,
+ /usr/bin/roff2text mrix,
+ /usr/bin/roff2x mrix,
+ /usr/bin/soelim mrix,
+ /usr/bin/tbl mrix,
+ /usr/bin/tfmtodit mrix,
+ /usr/bin/troff mrix,
+ /usr/bin/xtotroff mrix,
+
+ # at least its macros and fonts
+ /usr/libexec/groff/** r,
+ /usr/share/groff/** r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/groff.d>
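Review bot: The new abstraction has no `abi <abi/3.0>,` line, unlike the other files added in this update (`abstractions/crypto`, `abstractions/gtk`, `abstractions/samba-rpcd`). Without it the file is parsed under whatever ABI the including profile pins, and for a file consisting almost entirely of `mrix` exec rules the explicit ABI keeps the semantics independent of the includer. Add `abi <abi/3.0>,` after the license header, as the sibling files do.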
diff --git a/abstractions/gtk b/abstractions/gtk
@@ -0,0 +1,55 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+ abi <abi/3.0>,
+
+ /usr/share/themes/{,**} r,
+
+ /usr/share/gtksourceview-[0-9]*/{,**} r,
+
+ /usr/share/gtk-2.0/ r,
+ /usr/share/gtk-2.0/gtkrc r,
+
+ /usr/share/gtk-{3,4}.0/ r,
+ /usr/share/gtk-{3,4}.0/settings.ini r,
+
+ /etc/gtk-2.0/ r,
+ /etc/gtk-2.0/gtkrc r,
+
+ /etc/gtk-{3,4}.0/ r,
+ /etc/gtk-{3,4}.0/*.conf r,
+
+ /etc/gtk/gtkrc r,
+
+ owner @{HOME}/.themes/{,**} r,
+ owner @{HOME}/.local/share/themes/{,**} r,
+
+ owner @{HOME}/.gtk r,
+ owner @{HOME}/.gtkrc r,
+ owner @{HOME}/.gtkrc-2.0 r,
+ owner @{HOME}/.gtk-bookmarks r,
+ owner @{HOME}/.config/gtkrc r,
+ owner @{HOME}/.config/gtkrc-2.0 r,
+ owner @{HOME}/.config/gtk-{3,4}.0/ rw,
+ owner @{HOME}/.config/gtk-{3,4}.0/settings.ini r,
+ owner @{HOME}/.config/gtk-{3,4}.0/bookmarks r,
+ owner @{HOME}/.config/gtk-{3,4}.0/gtk.css r,
+
+ # for gtk file dialog
+ owner @{HOME}/.config/gtk-2.0/ rw,
+ owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,
+
+ # .Xauthority file required for X connections
+ owner @{HOME}/.Xauthority r,
+
+ # Xsession errors file
+ owner @{HOME}/.xsession-errors w,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/gtk.d>
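Review bot: The `owner @{HOME}/.Xauthority r,` and `owner @{HOME}/.xsession-errors w,` rules at the bottom belong to X session handling rather than GTK, and the `.Xauthority` read duplicates what `abstractions/X` already grants in this same patch set. Any profile drawing GTK widgets has to include `abstractions/X` (or `wayland`) anyway, so the duplicate buys nothing and splits X-related rules across two files for future maintenance. Suggest dropping both, or if the error-log write is kept because GTK itself emits warnings there, annotate it: `# GTK writes warnings to the session error log; X auth comes from abstractions/X`.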
diff --git a/abstractions/ibus b/abstractions/ibus
@@ -16,5 +16,14 @@
owner @{HOME}/.config/ibus/bus/ rw,
owner @{HOME}/.config/ibus/bus/* rw,
+ # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
+ # This should use this, but due to LP: #1856738 we cannot
+ #unix (connect, receive, send)
+ # type=stream
+ # peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
+ unix (connect, receive, send)
+ type=stream
+ peer=(addr="@/home/*/.cache/ibus/dbus-*"),
+
# Include additions to the abstraction
include if exists <abstractions/ibus.d>
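Review bot: The `peer=(addr="@/home/*/.cache/ibus/dbus-*")` rule hardcodes `/home`, so users whose home lives elsewhere (`/root`, `/var/lib/...`, or whatever `tunables/home` maps) get denials, and since abstract sockets have no `owner` concept the glob also admits the ibus socket of every other user on the machine. The comment already explains why `@{HOME}` cannot be used (LP: #1856738), which is good; it should also state that the rule is a deliberate over-approximation, e.g. `# NOTE: matches every user's ibus socket; abstract sockets cannot be owner-scoped`. Once the tunable bug is fixed, the commented-out rule should replace this one.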
diff --git a/abstractions/kde b/abstractions/kde
@@ -41,8 +41,11 @@ owner @{HOME}/.config/Trolltech.conf rwk,
owner @{HOME}/.config/baloofilerc r, # indexing options (excludes, etc), used by KFileWidget
owner @{HOME}/.config/dolphinrc r, # settings used by KFileWidget
owner @{HOME}/.config/kde.org/libphonon.conf r, # for KNotifications::sendEvent()
+owner @{HOME}/.config/kdedefaults/kdeglobals r, # QPlatformThemeFactory::create() -> KDEPlasmaPlatformTheme.so
+owner @{HOME}/.config/kdedefaults/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
owner @{HOME}/.config/kdeglobals r, # global settings, used by Breeze style, etc.
owner @{HOME}/.config/klanguageoverridesrc r, # per-application languages, for KDEPrivate::initializeLanguages() from libKF5XmlGui.so
+owner @{HOME}/.config/kwinrc r, # QStyleFactory::create() -> qt5/plugins/styles/breeze.so
owner @{HOME}/.config/trashrc r, # Used by KFileWidget
/usr/share/X11/XKeysymDB r,
diff --git a/abstractions/kde-open5 b/abstractions/kde-open5
@@ -29,8 +29,8 @@
# include <abstractions/ubuntu-browsers>
# include <abstractions/ubuntu-email>
#
-# # Add if accesibility access is considered as required
-# # (for message boxe in case exo-open fails)
+# # Add if accessibility access is considered as required
+# # (for message box in case exo-open fails)
# include <abstractions/dbus-accessibility>
#
# # Add if audio support for message box is
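Review bot: The corrected comment still names the wrong helper: this file is `abstractions/kde-open5`, but the new line reads `(for message box in case exo-open fails)`, copied from `abstractions/exo-open`. Since the hunk already touches that line to fix the spelling, change it to `# # (for message box in case kde-open5 fails)`.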
diff --git a/abstractions/kerberosclient b/abstractions/kerberosclient
@@ -22,6 +22,11 @@
/usr/lib/@{multiarch}/krb5/plugins/preauth/ r,
/usr/lib/@{multiarch}/krb5/plugins/preauth/* mr,
+ /usr/lib{,32,64}/krb5/plugins/authdata/ r,
+ /usr/lib{,32,64}/krb5/plugins/authdata/* mr,
+ /usr/lib/@{multiarch}/krb5/plugins/authdata/ r,
+ /usr/lib/@{multiarch}/krb5/plugins/authdata/* mr,
+
/etc/krb5.keytab rk,
/etc/krb5.conf r,
/etc/krb5.conf.d/ r,
diff --git a/abstractions/mesa b/abstractions/mesa
@@ -10,13 +10,22 @@
# (src/intel/perf/gen_perf.c, load_oa_metrics())
@{PROC}/sys/dev/i915/perf_stream_paranoid r,
+ @{sys}/devices/pci[0-9]*/**/{revision,config} r,
+
# User files
owner @{HOME}/.cache/ w, # if user clears all caches
- owner @{HOME}/.cache/mesa_shader_cache/ w,
+ owner @{HOME}/.cache/mesa_shader_cache/ rw,
owner @{HOME}/.cache/mesa_shader_cache/index rw,
- owner @{HOME}/.cache/mesa_shader_cache/??/ w,
- owner @{HOME}/.cache/mesa_shader_cache/??/* rwk,
+ owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
+ owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
+ owner @{HOME}/.cache/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
+ # Fallback location when @{HOME}/.cache is not available
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/ rw,
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/index rw,
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/ rw,
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]* rw,
+ owner /tmp/Temp-[a-f0-9]*/mesa_shader_cache/[a-f0-9][a-f0-9]/[0-9a-f]*.tmp rwk,
# Include additions to the abstraction
include if exists <abstractions/mesa.d>
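Review bot: The new `/tmp/Temp-[a-f0-9]*/mesa_shader_cache/` fallback rules point into a world-writable directory, and the only thing preventing another local user from pre-creating `/tmp/Temp-<hex>/mesa_shader_cache/` and seeding cache entries the confined process would then load is the `owner` qualifier on each rule. That makes `owner` load-bearing rather than cosmetic, which is worth saying so nobody relaxes it later: `# owner is required: /tmp is world-writable and a foreign pre-created cache must be refused`. Also, `[0-9a-f]*` already matches the `.tmp` names, so the `.tmp` line only adds `k`; a comment to that effect would keep a future "duplicate rule" cleanup from breaking locking.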
diff --git a/abstractions/nss-systemd b/abstractions/nss-systemd
@@ -24,6 +24,7 @@
@{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users
@{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs
@{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS
+ @{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined
@{PROC}/sys/kernel/random/boot_id r,
diff --git a/abstractions/nvidia b/abstractions/nvidia
@@ -23,9 +23,13 @@
@{sys}/devices/system/memory/block_size_bytes r,
+ owner @{HOME}/.cache/nvidia/ w,
+ owner @{HOME}/.cache/nvidia/GLCache/ rw,
+ owner @{HOME}/.cache/nvidia/GLCache/** rwk,
owner @{HOME}/.nv/ w,
owner @{HOME}/.nv/GLCache/ rw,
owner @{HOME}/.nv/GLCache/** rwk,
+ owner @{PROC}/@{pid}/comm r, # somehwere in libnvidia-glcore.so
unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
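Review bot: The comment on the new `owner @{PROC}/@{pid}/comm r,` rule has a typo ("somehwere") and does not say what the read is for; suggest `# libnvidia-glcore.so reads the process's own comm name`. The remaining rules mirror the existing `.nv/GLCache` block for the XDG cache path and look consistent with it.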
diff --git a/abstractions/openssl b/abstractions/openssl
@@ -11,9 +11,10 @@
abi <abi/3.0>,
/etc/ssl/openssl.cnf r,
+ /etc/ssl/openssl-*.cnf r,
+ /etc/ssl/{engdef,engines}.d/ r,
+ /etc/ssl/{engdef,engines}.d/*.cnf r,
/usr/share/ssl/openssl.cnf r,
- @{PROC}/sys/crypto/fips_enabled r,
-
# Include additions to the abstraction
include if exists <abstractions/openssl.d>
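Review bot: `@{PROC}/sys/crypto/fips_enabled r,` is removed from this abstraction and now only arrives via `abstractions/crypto`, which `abstractions/base` includes in this same update. A profile that includes `abstractions/openssl` without `abstractions/base` (small helpers, third-party profiles) silently loses the FIPS-mode read, and how OpenSSL reacts to EACCES on that file depends on the version in use. To keep this abstraction self-contained, add `include <abstractions/crypto>` next to the `openssl.cnf` rules instead of relying on base to supply it.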
diff --git a/abstractions/php b/abstractions/php
@@ -13,26 +13,25 @@
abi <abi/3.0>,
# shared snippets for config files
- /etc/php{,5,7}/**/ r,
- /etc/php{,5,7}/**.ini r,
+ /etc/php{,5,7,8}/** r,
# Xlibs
/usr/X11R6/lib{,32,64}/lib*.so* mr,
# php extensions
- /usr/lib{64,}/php{,5,7}/*/*.so mr,
+ /usr/lib{64,}/php{,5,7,8}/*/*.so mr,
# ICU (unicode support) data tables
/usr/share/icu/*/*.dat r,
# php session mmap socket
- /var/lib/php{,5,7}/session_mm_* rwlk,
+ /var/lib/php{,5,7,8}/session_mm_* rwlk,
# file based session handler
- /var/lib/php{,5,7}/sess_* rwlk,
- /var/lib/php{,5,7}/sessions/* rwlk,
+ /var/lib/php{,5,7,8}/sess_* rwlk,
+ /var/lib/php{,5,7,8}/sessions/* rwlk,
# php libraries
- /usr/share/php{,5,7}/ r,
- /usr/share/php{,5,7}/** mr,
+ /usr/share/php{,5,7,8}/ r,
+ /usr/share/php{,5,7,8}/** mr,
# MySQL extension
/usr/share/mysql/** r,
diff --git a/abstractions/postfix-common b/abstractions/postfix-common
@@ -2,7 +2,7 @@
#
# Copyright (C) 2002-2005 Novell/SUSE
# Copyright (C) 2015-2018 Canonical, Ltd.
-# Copyright (C) 2020 Christian Boltz
+# Copyright (C) 2020-2021 Christian Boltz
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of version 2 of the GNU General Public
@@ -26,6 +26,7 @@
/etc/mailname r,
/etc/postfix/*.cf r,
/etc/postfix/*.db rk,
+ /etc/postfix/*.lmdb rk,
@{PROC}/net/if_inet6 r,
/usr/lib/postfix/*.so mr,
/usr/lib{,32,64}/sasl2/* mr,
diff --git a/abstractions/private-files-strict b/abstractions/private-files-strict
@@ -24,7 +24,7 @@
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
audit deny @{HOME}/.kde{,4}/share/apps/kmail{,2}/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
-
+ audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl,
# Include additions to the abstraction
include if exists <abstractions/private-files-strict.d>
diff --git a/abstractions/python b/abstractions/python
@@ -12,18 +12,17 @@
abi <abi/3.0>,
- /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{pyc,so} mr,
- /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/**.{egg,py,pth} r,
- /usr/lib{,32,64}/python{2.[4-7],3.[0-9]}/{site,dist}-packages/ r,
- /usr/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
-
- /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{pyc,so} mr,
- /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/**.{egg,py,pth} r,
- /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]}/{site,dist}-packages/ r,
- /usr/local/lib{,32,64}/python3.[0-9]/lib-dynload/*.so mr,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so,so.*[0-9]} mr,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.dist-info/{METADATA,namespace_packages.txt} r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.VERSION r,
+ /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/*.egg-info/PKG-INFO r,
+ /usr/{local/,}lib{,32,64}/python3.{1,}[0-9]/lib-dynload/*.so mr,
# Site-wide configuration
- /etc/python{2.[4-7],3.[0-9]}/** r,
+ /etc/python{2.[4-7],3.[0-9],3.1[0-9]}/** r,
# shared python paths
/usr/share/{pyshared,pycentral,python-support}/** r,
@@ -36,7 +35,7 @@
/usr/lib/wx/python/*.pth r,
# python build configuration and headers
- /usr/include/python{2.[4-7],3.[0-9]}*/pyconfig.h r,
+ /usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r,
# Include additions to the abstraction
include if exists <abstractions/python.d>
diff --git a/abstractions/samba b/abstractions/samba
@@ -13,6 +13,8 @@
/etc/samba/* r,
/usr/lib*/ldb/*.so mr,
+ /usr/lib*/ldb2/*.so mr,
+ /usr/lib*/ldb2/modules/ldb/*.so mr,
/usr/lib*/samba/ldb/*.so mr,
/usr/share/samba/*.dat r,
/usr/share/samba/codepages/{lowcase,upcase,valid}.dat r,
@@ -21,16 +23,19 @@
/var/lib/samba/** rwk,
/var/log/samba/cores/ rw,
/var/log/samba/cores/** rw,
- /var/log/samba/* w,
- @{run}/samba/ w,
- @{run}/samba/*.tdb rw,
- @{run}/samba/msg.lock/ rwk,
- @{run}/samba/msg.lock/[0-9]* rwk,
+ /var/log/samba/* rw,
+ @{run}/{,lock/}samba/ w,
+ @{run}/{,lock/}samba/*.tdb rwk,
+ @{run}/{,lock/}samba/msg.{lock,sock}/ rwk,
+ @{run}/{,lock/}samba/msg.{lock,sock}/[0-9]* rwk,
+ /var/cache/samba/*.tdb rwk,
/var/cache/samba/msg.lock/ rwk,
/var/cache/samba/msg.lock/[0-9]* rwk,
# required for clustering
/var/lib/ctdb/** rwk,
+ deny capability net_admin, # noisy setsockopt() calls from systemd
+
# Include additions to the abstraction
include if exists <abstractions/samba.d>
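Review bot: `deny capability net_admin,` in an abstraction is a hard override, not a log filter: AppArmor deny rules take precedence over allow rules, so every profile that includes `abstractions/samba` can no longer obtain `net_admin`, not even through its `local/` override file. If some Samba daemon genuinely needs it (the comment only says systemd's setsockopt calls are noisy), the right place for a quiet deny is that daemon's own profile. Recommend annotating the rule so the override is intentional and discoverable: `# deny here wins over any allow in including profiles or their local/ overrides`.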
diff --git a/abstractions/samba-rpcd b/abstractions/samba-rpcd
@@ -0,0 +1,30 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2022 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+# This file contains basic permissions for samba rpcd_xyz services
+
+ abi <abi/3.0>,
+
+ include <abstractions/base>
+ include <abstractions/nameservice>
+ include <abstractions/samba>
+
+ capability setgid,
+ capability setuid,
+
+ signal receive set=term peer=smbd,
+
+ @{PROC}/sys/kernel/core_pattern r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # Include additions to the abstraction
+ include if exists <abstractions/samba-rpcd.d>
+
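Review bot: This abstraction grants `capability setgid,` and `capability setuid,` to every profile that includes it, with no comment on why the rpcd helpers need to change credentials. Capabilities buried in an abstraction are easy to inherit unnoticed, so record the reason, e.g. `# rpcd_* workers switch to the authenticated SMB user's credentials (confirm against the samba source)`, and state that the includer is expected to be a samba rpcd worker profile. The `signal receive set=term peer=smbd,` rule is appropriately narrow; the capability rules deserve the same explicitness in prose since they cannot be peer-scoped.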
diff --git a/abstractions/snap_browsers b/abstractions/snap_browsers
@@ -0,0 +1,42 @@
+profile snap_browsers {
+ include if exists <abstractions/snap_browsers.d>
+ include <abstractions/base>
+ include <abstractions/dbus-session-strict>
+
+ /etc/passwd r,
+ /etc/nsswitch.conf r,
+ /etc/fstab r,
+
+ # noisy
+ deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu
+
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrix, # re-exec
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/info r,
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snapd r,
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-seccomp rPix,
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix,
+ /var/lib/snapd/system-key r,
+ /run/snapd.socket rw,
+
+ @{PROC}/version r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/net/core/somaxconn r,
+ @{PROC}/sys/kernel/seccomp/actions_avail r,
+ @{PROC}/sys/kernel/random/uuid r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{HOME}/.snap/auth.json r, # if exists, required
+
+ dbus send bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="StartTransientUnit" peer=(name="org.freedesktop.systemd1"),
+ dbus receive bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="JobRemoved",
+
+ /sys/kernel/security/apparmor/features/ r,
+
+ # allow launching official browser snaps.
+ /snap/chromium/[0-9]*/meta/{snap.yaml,hooks/} r,
+ /snap/firefox/[0-9]*/meta/{snap.yaml,hooks/} r,
+ /snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
+
+ /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
+ # add other browsers here
+}
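Review bot: `/{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix,` falls back to `ix` when no `snap-confine` profile is loaded, which means the launcher would run inside this `snap_browsers` child profile instead of failing. On stock snapd installs snap-confine is a setuid-root binary (confirm for the target distro), and running a privileged helper under a profile never designed for it is the wrong fail mode: it should either transition to its own profile or not run at all. Suggest `Px` for snap-confine (and likely `rPx` for `snap-seccomp` on the preceding line) so a missing profile fails closed; `mrix` for the unprivileged `snap` client re-exec is fine as is.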
diff --git a/abstractions/ssl_certs b/abstractions/ssl_certs
@@ -11,20 +11,17 @@
abi <abi/3.0>,
- /etc/ssl/ r,
- /etc/ssl/certs/ r,
- /etc/ssl/certs/* r,
- /etc/pki/trust/ r,
- /etc/pki/trust/* r,
- /etc/pki/trust/anchors/ r,
- /etc/pki/trust/anchors/** r,
- /usr/share/ca-certificates/ r,
- /usr/share/ca-certificates/** r,
+ /etc/ca-certificates/{,**} r,
+ /etc/{,libre}ssl/ r,
+ /etc/{,libre}ssl/cert.pem r,
+ /etc/{,libre}ssl/certs/{,**} r,
+ /{etc,usr/share}/pki/bl[ao]cklist/{,*} r,
+ /{etc,usr/share}/pki/trust/{,*} r,
+ /{etc,usr/share}/pki/trust/{bl[oa]cklist,anchors}/{,**} r,
+ /usr/share/ca-certificates/{,**} r,
/usr/share/ssl/certs/ca-bundle.crt r,
- /usr/local/share/ca-certificates/ r,
- /usr/local/share/ca-certificates/** r,
- /var/lib/ca-certificates/ r,
- /var/lib/ca-certificates/** r,
+ /usr/local/share/ca-certificates/{,**} r,
+ /var/lib/ca-certificates/{,**} r,
# acmetool
/var/lib/acme/certs/*/chain r,
diff --git a/abstractions/svn-repositories b/abstractions/svn-repositories
@@ -14,7 +14,7 @@
# it is intended to be included in profiles for svnserve/apache2 and maybe
# some repository viewers like trac/viewvc
- # no hooks exec by default; please define whatever you need explicitely.
+ # no hooks exec by default; please define whatever you need explicitly.
/srv/svn/**/conf/* r,
/srv/svn/**/format r,
diff --git a/abstractions/trash b/abstractions/trash
@@ -0,0 +1,75 @@
+abi <abi/3.0>,
+
+# requires <tunables/home>
+
+ owner @{HOME}/.config/trashrc rw,
+ owner @{HOME}/.config/trashrc.lock rwk,
+ owner @{HOME}/.config/#[0-9]*[0-9] rwk,
+ owner @{HOME}/.config/trashrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
+
+ owner @{run}/user/@{uid}/#[0-9]*[0-9] rw,
+ owner @{run}/user/@{uid}/trash.so*.[0-9].slave-socket rwl -> @{run}/user/@{uid}/#[0-9]*[0-9],
+
+ # Home trash location
+ owner @{HOME}/.local/share/Trash/ rw,
+ owner @{HOME}/.local/share/Trash/#[0-9]*[0-9] rw,
+ owner @{HOME}/.local/share/Trash/directorysizes{,.*} rwl -> @{HOME}/.local/share/Trash/#[0-9]*[0-9],
+ owner @{HOME}/.local/share/Trash/files/{,**} rw,
+ owner @{HOME}/.local/share/Trash/info/ rw,
+ owner @{HOME}/.local/share/Trash/info/*.trashinfo{,.*} rw,
+ owner @{HOME}/.local/share/Trash/expunged/ rw,
+ owner @{HOME}/.local/share/Trash/expunged/[0-9]* rw,
+ owner @{HOME}/.local/share/Trash/expunged/[0-9]*/ rw,
+ owner @{HOME}/.local/share/Trash/expunged/[0-9]*/** rw,
+
+ # Partitions' trash location when the admin creates the .Trash/ folder in the top lvl dir
+ owner /media/*/.Trash/ rw,
+ owner /media/*/.Trash/@{uid}/ rw,
+ owner /media/*/.Trash/@{uid}/#[0-9]*[0-9] rw,
+ owner /media/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash/@{uid}/#[0-9]*[0-9],
+ owner /media/*/.Trash/@{uid}/files/{,**} rw,
+ owner /media/*/.Trash/@{uid}/info/ rw,
+ owner /media/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw,
+ owner /media/*/.Trash/@{uid}/expunged/ rw,
+ owner /media/*/.Trash/@{uid}/expunged/[0-9]* rw,
+ owner /media/*/.Trash/@{uid}/expunged/[0-9]*/ rw,
+ owner /media/*/.Trash/@{uid}/expunged/[0-9]*/** rw,
+
+ # Partitions' trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
+ owner /media/*/.Trash-@{uid}/ rw,
+ owner /media/*/.Trash-@{uid}/#[0-9]*[0-9] rw,
+ owner /media/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/.Trash-@{uid}/#[0-9]*[0-9],
+ owner /media/*/.Trash-@{uid}/files/{,**} rw,
+ owner /media/*/.Trash-@{uid}/info/ rw,
+ owner /media/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw,
+ owner /media/*/.Trash-@{uid}/expunged/ rw,
+ owner /media/*/.Trash-@{uid}/expunged/[0-9]* rw,
+ owner /media/*/.Trash-@{uid}/expunged/[0-9]*/ rw,
+ owner /media/*/.Trash-@{uid}/expunged/[0-9]*/** rw,
+
+ # Removable media's trash location when the admin creates the .Trash/ folder in the top lvl dir
+ owner /media/*/*/.Trash/ rw,
+ owner /media/*/*/.Trash/@{uid}/ rw,
+ owner /media/*/*/.Trash/@{uid}/#[0-9]*[0-9] rw,
+ owner /media/*/*/.Trash/@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash/@{uid}/#[0-9]*[0-9],
+ owner /media/*/*/.Trash/@{uid}/files/{,**} rw,
+ owner /media/*/*/.Trash/@{uid}/info/ rw,
+ owner /media/*/*/.Trash/@{uid}/info/*.trashinfo{,.*} rw,
+ owner /media/*/*/.Trash/@{uid}/expunged/ rw,
+ owner /media/*/*/.Trash/@{uid}/expunged/[0-9]* rw,
+ owner /media/*/*/.Trash/@{uid}/expunged/[0-9]*/ rw,
+ owner /media/*/*/.Trash/@{uid}/expunged/[0-9]*/** rw,
+
+ # Removable media's trash location when the admin doesn't create the .Trash/ folder in the top lvl dir
+ owner /media/*/*/.Trash-@{uid}/ rw,
+ owner /media/*/*/.Trash-@{uid}/#[0-9]*[0-9] rw,
+ owner /media/*/*/.Trash-@{uid}/directorysizes{,.*} rwl -> /media/*/*/.Trash-@{uid}/#[0-9]*[0-9],
+ owner /media/*/*/.Trash-@{uid}/files/{,**} rw,
+ owner /media/*/*/.Trash-@{uid}/info/ rw,
+ owner /media/*/*/.Trash-@{uid}/info/*.trashinfo{,.*} rw,
+ owner /media/*/*/.Trash-@{uid}/expunged/ rw,
+ owner /media/*/*/.Trash-@{uid}/expunged/[0-9]* rw,
+ owner /media/*/*/.Trash-@{uid}/expunged/[0-9]*/ rw,
+ owner /media/*/*/.Trash-@{uid}/expunged/[0-9]*/** rw,
+
+ include if exists <abstractions/trash.d>
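Review bot: The four `/media/...` blocks are the same nine rules repeated for `/media/*/` versus `/media/*/*/` and for `.Trash/@{uid}/` versus `.Trash-@{uid}/`, which invites a later fix landing in one copy only. AppArmor globbing can express the mount-point variants in a single set, `/media/{*,*/*}/.Trash/@{uid}/...` and `/media/{*,*/*}/.Trash-@{uid}/...`, halving the file with identical semantics. Also, the header comment `# requires <tunables/home>` undersells the dependencies: the rules use `@{uid}` and `@{run}` as well, so `# requires <tunables/global> (for @{HOME}, @{uid}, @{run})` is more accurate, and the bare `abi <abi/3.0>,` at column 0 differs from the indented form used by the other new abstractions.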
diff --git a/abstractions/ubuntu-browsers b/abstractions/ubuntu-browsers
@@ -38,3 +38,4 @@
/usr/lib/icecat-*/icecat Cx -> sanitized_helper,
/usr/bin/opera Cx -> sanitized_helper,
/opt/google/chrome{,-beta,-unstable}/google-chrome{,-beta,-unstable} Cx -> sanitized_helper,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Cx -> sanitized_helper,
diff --git a/abstractions/ubuntu-browsers.d/ubuntu-integration b/abstractions/ubuntu-browsers.d/ubuntu-integration
@@ -28,10 +28,7 @@
/usr/lib/mozilla/kmozillahelper Cxr -> sanitized_helper,
# Exo-aware applications
- /usr/bin/exo-open ixr,
- /usr/lib/@{multiarch}/xfce4/exo-1/exo-helper-1 ixr,
- /etc/xdg/xdg-xubuntu/xfce4/helpers.rc r,
- /etc/xdg/xfce4/helpers.rc r,
+ include <abstractions/exo-open>
# unity webapps integration. Could go in its own abstraction
owner /run/user/*/dconf/user rw,
diff --git a/abstractions/ubuntu-browsers.d/user-files b/abstractions/ubuntu-browsers.d/user-files
@@ -14,6 +14,7 @@
audit deny @{HOME}/.gnome2_private/{,**} mrwkl,
audit deny @{HOME}/.kde{,4}/{,share/,share/apps/} w,
audit deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl,
+ audit deny @{HOME}/.local/share/kwalletd/{,**} mrwkl,
# Comment this out if using gpg plugin/addons
audit deny @{HOME}/.gnupg/{,**} mrwkl,
diff --git a/abstractions/ubuntu-helpers b/abstractions/ubuntu-helpers
@@ -36,6 +36,7 @@
profile sanitized_helper {
include <abstractions/base>
include <abstractions/X>
+ include if exists <local/ubuntu-helpers>
# Allow all networking
network inet,
@@ -72,8 +73,16 @@ profile sanitized_helper {
/opt/google/chrome{,-beta,-unstable}/chrome-sandbox PUxr,
/opt/google/chrome{,-beta,-unstable}/google-chrome Pixr,
/opt/google/chrome{,-beta,-unstable}/chrome Pixr,
+ /opt/google/chrome{,-beta,-unstable}/chrome_crashpad_handler Pixr,
/opt/google/chrome{,-beta,-unstable}/{,**/}lib*.so{,.*} m,
+ # The same is needed for Brave
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome-sandbox PUxr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave-browser{,-beta,-dev,-nightly} Pixr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/brave Pixr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/chrome_crashpad_handler Pixr,
+ /opt/brave.com/brave{,-beta,-dev,-nightly}/{,**/}lib*.so{,.*} m,
+
# Full access
/ r,
/** rwkl,
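Review bot: The Brave lines copy the Chrome block verbatim, including `chrome-sandbox PUxr`, which runs Brave's sandbox helper fully unconfined whenever no dedicated profile for it is loaded; that fallback is inherited policy rather than something new, but its only documentation is `# The same is needed for Brave`. Since `PUx` is the one exec mode in this profile that escapes confinement entirely, spell out why it is acceptable here, e.g. `# chrome-sandbox is the privileged sandbox helper and cannot run confined; PUx drops to unconfined when no profile exists` (hedged: confirm how Brave packages it). The `sanitized_helper` profile this belongs to starts before this hunk.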
diff --git a/abstractions/video b/abstractions/video
@@ -4,8 +4,17 @@
abi <abi/3.0>,
# System devices
- @{sys}/class/video4linux r,
+ @{sys}/class/video4linux/ r,
@{sys}/class/video4linux/** r,
+ owner /dev/shm/libv4l-* rw,
+ /dev/video[0-9]* rw,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/video4linux/video[0-9]*/dev r,
+ @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{modalias,speed} r,
+
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
+ @{sys}/devices/virtual/dmi/id/product_{name,version} r,
+ @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r,
+
# Include additions to the abstraction
include if exists <abstractions/video.d>
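Review bot: `/dev/video[0-9]* rw,` turns `abstractions/video` from a sysfs-enumeration abstraction into a camera-capture grant for every profile that includes it, with no `owner` or per-device narrowing available on a device node. Profiles that pulled this in only to list V4L devices now hand their application the webcam, and the new DMI `sys_vendor`/`product_*`/`board_*` reads additionally expose hardware identity useful for fingerprinting. At minimum document the change in scope next to the rule, `# grants capture on all V4L devices, not just enumeration`, and consider moving the device node into an opt-in abstraction (e.g. `video-capture`) so enumeration-only profiles are unaffected.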
diff --git a/abstractions/wayland b/abstractions/wayland
@@ -14,5 +14,8 @@
owner @{run}/user/*/wayland-[0-9]* rw,
owner @{run}/user/*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
+ #For compositors based on wlroots
+ owner /dev/shm/wlroots-* rw,
+
# Include additions to the abstraction
include if exists <abstractions/wayland.d>
diff --git a/abstractions/wutmp b/abstractions/wutmp
@@ -14,7 +14,8 @@
# some services update wtmp, utmp, and lastlog with per-user
# connection information
/var/log/lastlog rwk,
- /var/log/wtmp wk,
+ /var/log/wtmp rwk,
+ /var/log/btmp rwk,
@{run}/utmp rwk,
# Include additions to the abstraction
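Review bot: `/var/log/btmp rwk,` grants read on the failed-login log to every profile that includes `wutmp`; btmp is typically root-only (0600) precisely because failed attempts regularly capture passwords typed into the username field. Services that record login failures need only write and lock, and the old `wtmp` rule was write-only for the same reason. Unless a specific consumer needs `lastb`-style reads, make it `/var/log/btmp wk,` and keep the new `r` only on wtmp, which is far less sensitive.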
diff --git a/abstractions/xdg-open b/abstractions/xdg-open
@@ -41,7 +41,7 @@
include <abstractions/base>
- # for openin with `exo-open`
+ # for opening with `exo-open`
include <abstractions/exo-open>
# for opening with `gio open <uri>`
diff --git a/local/samba-bgqd b/local/samba-bgqd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'samba-bgqd'
diff --git a/local/samba-dcerpcd b/local/samba-dcerpcd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'samba-dcerpcd'
diff --git a/local/samba-rpcd b/local/samba-rpcd
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'samba-rpcd'
diff --git a/local/samba-rpcd-classic b/local/samba-rpcd-classic
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'samba-rpcd-classic'
diff --git a/local/samba-rpcd-spoolss b/local/samba-rpcd-spoolss
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'samba-rpcd-spoolss'
diff --git a/local/usr.lib.dovecot.director b/local/usr.lib.dovecot.director
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.director'
diff --git a/local/usr.lib.dovecot.doveadm-server b/local/usr.lib.dovecot.doveadm-server
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.doveadm-server'
diff --git a/local/usr.lib.dovecot.replicator b/local/usr.lib.dovecot.replicator
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'usr.lib.dovecot.replicator'
diff --git a/local/zgrep b/local/zgrep
@@ -0,0 +1 @@
+# Site-specific additions and overrides for 'zgrep'
diff --git a/lsb_release b/lsb_release
@@ -18,7 +18,7 @@ profile lsb_release {
/dev/tty rw,
/usr/bin/lsb_release r,
- /usr/bin/python3.[0-9] mr,
+ /usr/bin/python3.{1,}[0-9] mr,
/etc/debian_version r,
/etc/default/apport r,
@@ -30,6 +30,8 @@ profile lsb_release {
/{usr/,}bin/dash ixr,
/usr/bin/basename ixr,
/usr/bin/dpkg-query ixr,
+ /usr/bin/cat ixr,
+ /usr/bin/cut ixr,
/usr/bin/getopt ixr,
/usr/bin/sed ixr,
/usr/bin/tr ixr,
diff --git a/nvidia_modprobe b/nvidia_modprobe
@@ -54,10 +54,10 @@ profile nvidia_modprobe {
# System files
/etc/modprobe.d/{,*.conf} r,
- /etc/nvidia/current/*.conf r,
+ /etc/nvidia/{current,legacy*,tesla*}/*.conf r,
@{sys}/module/ipmi_devintf/initstate r,
@{sys}/module/ipmi_msghandler/initstate r,
- @{sys}/module/nvidia/initstate r,
+ @{sys}/module/{drm,nvidia}/initstate r,
@{PROC}/cmdline r,
}
diff --git a/php-fpm b/php-fpm
@@ -16,8 +16,6 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
# read the system certificates
include <abstractions/ssl_certs>
- /etc/php{,5,7}/** r,
-
capability net_admin,
# change user/group of a pool
capability setuid,
@@ -37,6 +35,7 @@ profile php-fpm /usr/sbin/php-fpm* flags=(attach_disconnected) {
# we need to be able to create all sockets
@{run}/php{,-fpm}/php*-fpm.pid rw,
+ @{run}/php*-fpm.pid rw,
@{run}/php{,-fpm}/php*-fpm.sock rwlk,
# to reload
diff --git a/samba-bgqd b/samba-bgqd
@@ -0,0 +1,24 @@
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-bgqd /usr/lib*/samba/{,samba/}samba-bgqd {
+ include <abstractions/base>
+ include <abstractions/cups-client>
+ include <abstractions/nameservice>
+ include <abstractions/openssl>
+ include <abstractions/samba>
+
+ signal receive set=term peer=smbd,
+
+ @{PROC}/sys/kernel/core_pattern r,
+ owner @{PROC}/@{pid}/fd/ r,
+
+ @{run}/{,samba/}samba-bgqd.pid rwk,
+
+ /usr/lib*/samba/{,samba/}samba-bgqd mr,
+ /var/cache/samba/printing/*.tdb rwk,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/samba-bgqd>
+}
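Review bot: samba-bgqd is the only new samba profile in this commit without the copyright/license header and the `# vim:syntax=apparmor` modeline that samba-dcerpcd, samba-rpcd, samba-rpcd-classic and samba-rpcd-spoolss all carry; adding the same header block keeps the set uniform and tells editors which syntax to use. The `signal receive set=term peer=smbd,` rule would also benefit from a one-line comment pointing at its counterpart, e.g. `# paired with "signal send set=term peer=samba-bgqd" in usr.sbin.smbd`, since samba-rpcd-spoolss also executes this binary but is deliberately not allowed to signal it.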
diff --git a/samba-dcerpcd b/samba-dcerpcd
@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2022 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {
+ include <abstractions/samba-rpcd>
+
+ @{run}/{,samba/}samba-dcerpcd.pid rwk,
+
+ /usr/lib*/samba/{,samba/}samba-dcerpcd mr,
+
+ /usr/lib*/samba/ r,
+ /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} Px -> samba-rpcd,
+ /usr/lib*/samba/{,samba/}rpcd_classic Px -> samba-rpcd-classic,
+ /usr/lib*/samba/{,samba/}rpcd_spoolss Px -> samba-rpcd-spoolss,
+
+ @{run}/samba/ncalrpc/ rw,
+ @{run}/samba/ncalrpc/** rw,
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/samba-dcerpcd>
+}
diff --git a/samba-rpcd b/samba-rpcd
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2022 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} {
+ include <abstractions/samba-rpcd>
+ /usr/lib*/samba/{,samba/}rpcd_{mdssvc,epmapper,rpcecho,fsrvp,lsad,winreg} mr,
+
+ @{run}/samba/ncalrpc/np/winreg wr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/samba-rpcd>
+}
diff --git a/samba-rpcd-classic b/samba-rpcd-classic
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2022 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd-classic /usr/lib*/samba/{,samba/}rpcd_classic {
+ include <abstractions/samba-rpcd>
+ include <abstractions/wutmp>
+
+ /usr/lib*/samba/{,samba/}rpcd_classic mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/samba-rpcd-classic>
+}
diff --git a/samba-rpcd-spoolss b/samba-rpcd-spoolss
@@ -0,0 +1,32 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2022 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim:syntax=apparmor
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile samba-rpcd-spoolss /usr/lib*/samba/{,samba/}rpcd_spoolss {
+ include <abstractions/samba-rpcd>
+
+ /usr/lib*/samba/{,samba/}rpcd_spoolss mr,
+ /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
+ /var/cache/samba/printing/ w,
+ /var/cache/samba/printing/*.tdb rwk,
+ @{run}/{,samba/}samba-bgqd.pid rk,
+
+ /dev/urandom rw,
+
+ @{run}/samba/ncalrpc/ rw,
+ @{run}/samba/ncalrpc/** rw,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/samba-rpcd-spoolss>
+}
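Review bot: `/dev/urandom rw,` grants write access to the random device, for which a print-spooler RPC service has no evident need; reading randomness only requires `r`, and if abstractions/samba-rpcd pulls in abstractions/base (not visible here) that read is presumably already granted, so the line may be reducible to `/dev/urandom r,` or dropped. Worth checking against the denial that prompted it rather than keeping the broader mode.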
diff --git a/sbin.syslog-ng b/sbin.syslog-ng
@@ -61,6 +61,7 @@ profile syslog-ng /{usr/,}{bin,sbin}/syslog-ng {
/{var,var/run,run}/log/journal/ r,
/{var,var/run,run}/log/journal/*/ r,
/{var,var/run,run}/log/journal/*/*.journal r,
+ /{var,var/run,run}/log/journal/*.journal r,
@{run}/syslog-ng.ctl a,
@{run}/syslog-ng/additional-log-sockets.conf r,
diff --git a/sbin.syslogd b/sbin.syslogd
@@ -30,12 +30,17 @@ profile syslogd /{usr/,}{bin,sbin}/syslogd {
/dev/log wl,
/var/lib/*/dev/log wl,
+ /dev/kmsg r,
+ /proc/kmsg r,
/dev/tty* w,
/dev/xconsole rw,
/etc/syslog.conf r,
+ /etc/syslog.d/ r,
+ /etc/syslog.d/* r,
/{usr/,}{bin,sbin}/syslogd rmix,
/var/log/** rw,
+ @{run}/syslog.pid krwl,
@{run}/syslogd.pid krwl,
@{run}/utmp rw,
/var/spool/compaq/nic/messages_fifo rw,
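Review bot: `/proc/kmsg r,` hard-codes the procfs path while the rest of this profile set uses the `@{PROC}` tunable (for example `@{PROC}/cmdline r,` in nvidia_modprobe); `@{PROC}/kmsg r,` keeps it consistent and follows the tunable if procfs is relocated. Reading the kernel log via `/dev/kmsg` or `/proc/kmsg` is also gated by CAP_SYSLOG when kernel.dmesg_restrict is set, so the profile may additionally need `capability syslog,`; its capability rules lie outside the hunk, so this cannot be confirmed from here.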
diff --git a/tunables/etc b/tunables/etc
@@ -13,11 +13,15 @@
# with the goal of having only user-modified config files in /etc/, directories
# like /usr/etc/ get introduced for storing the default config.
-# @{etc_ro} contains read-only directories with configuration files.
+# @{etc_ro} contains directories with configuration files, including read-only directories.
# Do not use @{etc_ro} in rules that allow write access.
@{etc_ro}=/etc/ /usr/etc/
# @{etc_rw} contains directories where writing to configuration files is allowed.
+# @{etc_rw} should always be a subset of @{etc_ro}.
+#
+# Only use @{etc_rw} if the profile allows writing to a configuration file.
+# For rules that only allows read access, use @{etc_ro}.
@{etc_rw}=/etc/
# Also, include files in tunables/etc.d/ for site-specific adjustments to
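Review bot: The new comment line `# For rules that only allows read access, use @{etc_ro}.` has a number-agreement slip and should read `# For rules that only allow read access, use @{etc_ro}.`. The line `# @{etc_rw} should always be a subset of @{etc_ro}.` states an invariant that the parser presumably does not enforce, so phrasing it as an obligation on whoever edits tunables/etc.d, e.g. `# Every directory added to @{etc_rw} must also be listed in @{etc_ro}.`, makes the requirement harder to miss.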
diff --git a/tunables/home b/tunables/home
@@ -9,17 +9,17 @@
#
# ------------------------------------------------------------------
+# @{HOMEDIRS} is a space-separated list of where user home directories
+# are stored, for programs that must enumerate all home directories on a
+# system.
+@{HOMEDIRS}=/home/
+
# @{HOME} is a space-separated list of all user home directories. While
# it doesn't refer to a specific home directory (AppArmor doesn't
# enforce discretionary access controls) it can be used as if it did
# refer to a specific home directory
@{HOME}=@{HOMEDIRS}/*/ /root/
-# @{HOMEDIRS} is a space-separated list of where user home directories
-# are stored, for programs that must enumerate all home directories on a
-# system.
-@{HOMEDIRS}=/home/
-
# Also, include files in tunables/home.d for site-specific adjustments to
# @{HOMEDIRS}.
include <tunables/home.d>
diff --git a/usr.lib.dovecot.director b/usr.lib.dovecot.director
@@ -0,0 +1,27 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+include <tunables/global>
+
+profile dovecot-director /usr/lib/dovecot/director flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/dovecot-common>
+ include <abstractions/nameservice>
+
+ capability setuid,
+ capability sys_chroot,
+
+ /run/dovecot/login/proxy-notify rw,
+ /usr/lib/dovecot/director mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.director>
+}
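Review bot: The new profile has no `abi <abi/3.0>,` declaration, while the other new profiles in this commit (samba-bgqd, samba-dcerpcd, samba-rpcd*, zgrep) declare one; without it the parser applies its default legacy feature abi to this profile (and may warn), so `abi <abi/3.0>,` should precede the tunables include. The same applies to usr.lib.dovecot.doveadm-server and usr.lib.dovecot.replicator. `/run/dovecot/login/proxy-notify rw,` also hard-codes `/run`; `@{run}/dovecot/login/proxy-notify rw,` matches the tunable used across the rest of the set.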
diff --git a/usr.lib.dovecot.doveadm-server b/usr.lib.dovecot.doveadm-server
@@ -0,0 +1,22 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 SUSE LLC
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+
+include <tunables/global>
+
+profile dovecot-doveadm-server /usr/lib/dovecot/doveadm-server flags=(attach_disconnected) {
+ include <abstractions/base>
+ include <abstractions/dovecot-common>
+
+ /usr/lib/dovecot/doveadm-server mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.doveadm-server>
+}
diff --git a/usr.lib.dovecot.imap b/usr.lib.dovecot.imap
@@ -21,7 +21,6 @@ profile dovecot-imap /usr/lib/dovecot/imap {
include <abstractions/dovecot-common>
capability setuid,
- deny capability block_suspend,
network unix stream,
@@ -36,6 +35,7 @@ profile dovecot-imap /usr/lib/dovecot/imap {
owner /tmp/dovecot.imap.* rw,
@{PROC}/@{pid}/attr/{apparmor/,}current rw,
+ @{PROC}/@{pid}/stat r,
/usr/bin/doveconf rix,
/usr/lib/dovecot/imap mrix,
/usr/share/dovecot/** r,
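Review bot: `@{PROC}/@{pid}/stat r,` lacks the `owner` qualifier: `@{pid}` is a glob over every pid, so this grants reading the stat entry of any process on the system, whereas the equivalent rule added to usr.lib.dovecot.lmtp in this commit is `owner @{PROC}/@{pid}/stat r,`. The same applies to the new rule in usr.lib.dovecot.pop3. Unless imap genuinely reads another uid's process stat, `owner @{PROC}/@{pid}/stat r,` is the tighter and consistent form. The profile body continues outside the hunk.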
diff --git a/usr.lib.dovecot.lmtp b/usr.lib.dovecot.lmtp
@@ -31,6 +31,8 @@ profile dovecot-lmtp /usr/lib/dovecot/lmtp {
@{HOME}/.dovecot.svbin r,
@{PROC}/@{pid}/attr/{apparmor/,}current rw,
+ owner @{PROC}/@{pid}/io r,
+ owner @{PROC}/@{pid}/stat r,
@{PROC}/*/mounts r,
/tmp/dovecot.lmtp.* rw,
/usr/lib/dovecot/lmtp mr,
diff --git a/usr.lib.dovecot.pop3 b/usr.lib.dovecot.pop3
@@ -26,6 +26,7 @@ profile dovecot-pop3 /usr/lib/dovecot/pop3 {
@{DOVECOT_MAILSTORE}/** rwkl,
@{HOME} r, # ???
+ @{PROC}/@{pid}/stat r,
/usr/lib/dovecot/pop3 mr,
# Site-specific additions and overrides. See local/README for details.
diff --git a/usr.lib.dovecot.replicator b/usr.lib.dovecot.replicator
@@ -0,0 +1,36 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2020 SUSE LLC
+# Copyright (C) 2009-2010 Canonical Ltd.
+# Copyright (C) 2011-2013 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# vim: ft=apparmor
+# for https://wiki.dovecot.org/Replication
+
+include <tunables/dovecot>
+include <tunables/global>
+
+profile dovecot-replicator /usr/lib/dovecot/replicator {
+ include <abstractions/base>
+ include <abstractions/dovecot-common>
+ include <abstractions/nameservice>
+
+ network unix stream,
+
+ /etc/dovecot/conf.d/ r,
+ /etc/dovecot/conf.d/** r,
+ /etc/dovecot/dovecot.conf r,
+ /usr/lib/dovecot/replicator mr,
+ /usr/share/dovecot/** r,
+ /{,var/}run/dovecot/auth-master rw,
+ @{DOVECOT_MAILSTORE}/ rw,
+ @{DOVECOT_MAILSTORE}/** rwlk,
+ /var/lib/dovecot/replicator.db rw,
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists <local/usr.lib.dovecot.replicator>
+}
diff --git a/usr.lib.dovecot.stats b/usr.lib.dovecot.stats
@@ -20,6 +20,10 @@ profile dovecot-stats /usr/lib/dovecot/stats {
capability setuid,
capability sys_chroot,
+ # for metrics end-point (Prometheus)
+ network inet stream,
+ network inet6 stream,
+
/usr/lib/dovecot/stats mr,
# Site-specific additions and overrides. See local/README for details.
diff --git a/usr.sbin.avahi-daemon b/usr.sbin.avahi-daemon
@@ -1,7 +1,7 @@
abi <abi/3.0>,
include <tunables/global>
-profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
+profile avahi-daemon /usr/{bin,sbin}/avahi-daemon flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/consoles>
include <abstractions/dbus>
@@ -22,6 +22,9 @@ profile avahi-daemon /usr/{bin,sbin}/avahi-daemon {
/etc/avahi/services/ r,
/etc/avahi/services/*.service r,
@{PROC}/@{pid}/fd/ r,
+ @{PROC}/1/environ r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/osrelease r,
/usr/{bin,sbin}/avahi-daemon mr,
/usr/share/avahi/introspection/*.introspect r,
/usr/share/dbus-1/interfaces/org.freedesktop.Avahi.*.xml r,
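Review bot: `@{PROC}/1/environ r,` grants the daemon read access to init's environment, a more sensitive target than the two kernel-info reads added beside it, and nothing in the hunk says why. A why-comment filled in from the denial that motivated it, e.g. `# init environment is read for <reason> — confirm`, would let a later reviewer judge whether a narrower source suffices. The profile body continues outside the hunk.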
diff --git a/usr.sbin.dnsmasq b/usr.sbin.dnsmasq
@@ -70,8 +70,6 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
# access to iface mtu needed for Router Advertisement messages in IPv6
# Neighbor Discovery protocol (RFC 2461)
@{PROC}/sys/net/ipv6/conf/*/mtu r,
- # closing superfluous file descriptors scans /proc/self/fd/ to find open ones
- @{PROC}/@{pid}/fd/ r,
# for the read-only TFTP server
@{TFTP_DIR}/ r,
@@ -109,18 +107,27 @@ profile dnsmasq /usr/{bin,sbin}/dnsmasq flags=(attach_disconnected) {
@{run}/NetworkManager/dnsmasq.pid w,
@{run}/NetworkManager/NetworkManager.pid w,
+ # dnsname plugin in podman
+ @{run}/containers/cni/dnsname/*/dnsmasq.conf r,
+ @{run}/containers/cni/dnsname/*/addnhosts r,
+ @{run}/containers/cni/dnsname/*/pidfile rw,
+ owner @{run}/user/*/containers/cni/dnsname/*/dnsmasq.conf r,
+ owner @{run}/user/*/containers/cni/dnsname/*/addnhosts r,
+ owner @{run}/user/*/containers/cni/dnsname/*/pidfile rw,
+
+ # waydroid lxc-net pid file
+ @{run}/waydroid-lxc/dnsmasq.pid rw,
+
profile libvirt_leaseshelper {
include <abstractions/base>
/etc/libnl-3/classid r,
- /usr/lib{,64}/libvirt/libvirt_leaseshelper m,
- /usr/libexec/libvirt_leaseshelper m,
+ /usr/lib{,64}/libvirt/libvirt_leaseshelper mr,
+ /usr/libexec/libvirt_leaseshelper mr,
owner @{PROC}/@{pid}/net/psched r,
- owner @{PROC}/@{pid}/status r,
- @{sys}/devices/system/cpu/ r,
@{sys}/devices/system/node/ r,
@{sys}/devices/system/node/*/meminfo r,
diff --git a/usr.sbin.dovecot b/usr.sbin.dovecot
@@ -33,8 +33,8 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
capability sys_chroot,
capability sys_resource,
- signal send set=(int,quit,term) peer=/usr/lib/dovecot/*,
- signal send set=(int,quit,term) peer=dovecot-*,
+ signal send peer=/usr/lib/dovecot/*,
+ signal send peer=dovecot-*,
unix (receive, send) type=stream peer=(label=/usr/lib/dovecot/anvil),
unix (receive, send) type=stream peer=(label=dovecot-anvil),
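Review bot: Dropping `set=(int,quit,term)` from both `signal send` rules widens them from three signals to every signal, a least-privilege regression in the master-to-child direction. If the change was prompted by denials for specific additional signals, listing those in `set=(...)` alongside the original three keeps the rule bounded; if an unrestricted set really is required, a comment stating that would stop a later reviewer from re-tightening it. The profile body continues outside the hunk.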
@@ -50,6 +50,8 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
/usr/lib/dovecot/auth mrPx,
/usr/lib/dovecot/config mrPx,
/usr/lib/dovecot/dict mrPx,
+ /usr/lib/dovecot/director mrPx,
+ /usr/lib/dovecot/doveadm-server mrPx,
/usr/lib/dovecot/dovecot-auth Pxmr,
/usr/lib/dovecot/imap Pxmr,
/usr/lib/dovecot/imap-login Pxmr,
@@ -59,11 +61,13 @@ profile dovecot /usr/{bin,sbin}/dovecot flags=(attach_disconnected) {
/usr/lib/dovecot/managesieve-login Pxmr,
/usr/lib/dovecot/pop3 mrPx,
/usr/lib/dovecot/pop3-login Pxmr,
+ /usr/lib/dovecot/replicator mrPx,
/usr/lib/dovecot/script-login Px,
/usr/lib/dovecot/ssl-build-param rix,
/usr/lib/dovecot/ssl-params mrPx,
/usr/lib/dovecot/stats Px,
/usr/{bin,sbin}/dovecot mrix,
+ /usr/share/dovecot/dh.pem r,
/usr/share/dovecot/protocols.d/ r,
/usr/share/dovecot/protocols.d/** r,
/var/lib/dovecot/ w,
diff --git a/usr.sbin.nmbd b/usr.sbin.nmbd
@@ -13,9 +13,6 @@ profile nmbd /usr/{bin,sbin}/nmbd {
/usr/{bin,sbin}/nmbd mr,
- /var/cache/samba/gencache.tdb rwk,
- /var/cache/samba/gencache_notrans.tdb rwk,
- /var/cache/samba/names.tdb rwk,
/var/{cache,lib}/samba/browse.dat* rw,
/var/{cache,lib}/samba/gencache.dat rw,
/var/{cache,lib}/samba/wins.dat* rw,
diff --git a/usr.sbin.nscd b/usr.sbin.nscd
@@ -23,6 +23,7 @@ profile nscd /usr/{bin,sbin}/nscd {
capability setgid,
capability setuid,
+ /etc/machine-id r,
/etc/netgroup r,
/etc/nscd.conf r,
/usr/{bin,sbin}/nscd rmix,
@@ -30,7 +31,7 @@ profile nscd /usr/{bin,sbin}/nscd {
@{run}/nscd/ rw,
@{run}/nscd/db* rwl,
@{run}/nscd/socket wl,
- /{var/cache,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
+ /{var/cache,var/db,var/lib,var/run,run}/nscd/{passwd,group,services,hosts,netgroup} rw,
@{run}/{nscd/,}nscd.pid rwl,
/var/lib/libvirt/dnsmasq/ r,
/var/lib/libvirt/dnsmasq/*.status r,
@@ -40,6 +41,13 @@ profile nscd /usr/{bin,sbin}/nscd {
@{PROC}/@{pid}/fd/* r,
@{PROC}/@{pid}/mounts r,
+ # systemd-userdb
+ /{etc,run,run/host,/usr/lib}/userdb/ r,
+ /{etc,run,run/host,/usr/lib}/userdb/*.{user,user-privileged,group,group-privileged} r,
+
+ # needed by unscd
+ @{run}/systemd/notify w,
+
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.nscd>
}
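Review bot: In the two systemd-userdb rules the alternative `/usr/lib` carries a leading slash that `etc`, `run` and `run/host` do not, so the brace expands that branch to `//usr/lib/userdb/`; unless the parser collapses the doubled slash, /usr/lib/userdb is not actually matched. `/{etc,run,run/host,usr/lib}/userdb/ r,` (and the same fix on the following line) is the intended form. The literal `run` alternatives also bypass the `@{run}` tunable used on the neighbouring lines and are worth a look at the same time.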
diff --git a/usr.sbin.ntpd b/usr.sbin.ntpd
@@ -17,6 +17,7 @@ profile ntpd /usr/{bin,sbin}/{,open}ntpd flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/openssl>
+ include <abstractions/ssl_certs>
include <abstractions/xad>
capability dac_override,
diff --git a/usr.sbin.smbd b/usr.sbin.smbd
@@ -8,6 +8,7 @@ profile smbd /usr/{bin,sbin}/smbd {
include <abstractions/consoles>
include <abstractions/cups-client>
include <abstractions/nameservice>
+ include <abstractions/openssl>
include <abstractions/samba>
include <abstractions/user-tmp>
include <abstractions/wutmp>
@@ -24,6 +25,8 @@ profile smbd /usr/{bin,sbin}/smbd {
capability sys_resource,
capability sys_tty_config,
+ signal send set=term peer=samba-bgqd,
+
/etc/mtab r,
/etc/netgroup r,
/etc/printcap r,
@@ -35,27 +38,35 @@ profile smbd /usr/{bin,sbin}/smbd {
/usr/lib*/samba/charset/*.so mr,
/usr/lib*/samba/gensec/*.so mr,
/usr/lib*/samba/pdb/*.so mr,
+ /usr/lib*/samba/{,samba/}samba-bgqd Px -> samba-bgqd,
+ /usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd,
/usr/lib*/samba/{lowcase,upcase,valid}.dat r,
/usr/lib/@{multiarch}/samba/*.so{,.[0-9]*} mr,
/usr/lib/@{multiarch}/samba/**/ r,
/usr/lib/@{multiarch}/samba/**/*.so{,.[0-9]*} mr,
+ /usr/share/samba/** r,
/usr/{bin,sbin}/smbd mr,
/usr/{bin,sbin}/smbldap-useradd Px,
/var/cache/samba/** rwk,
/var/{cache,lib}/samba/printing/printers.tdb mrw,
+ /var/lib/nscd/netgroup r,
/var/lib/samba/** rwk,
/var/lib/sss/pubconf/kdcinfo.* r,
@{run}/dbus/system_bus_socket rw,
- @{run}/smbd.pid rwk,
+ @{run}/{,samba/}smbd.pid rwk,
@{run}/samba/** rk,
@{run}/samba/ncalrpc/ rw,
@{run}/samba/ncalrpc/** rw,
- @{run}/samba/smbd.pid rw,
/var/spool/samba/** rw,
@{HOMEDIRS}/** lrwk,
/var/lib/samba/usershares/{,**} lrwk,
+ # Permissions for all configured shares (file autogenerated by
+ # update-apparmor-samba-profile on service startup on Debian and openSUSE)
+ include if exists <samba/smbd-shares>
+ include if exists <local/usr.sbin.smbd-shares>
+
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.sbin.smbd>
}
diff --git a/usr.sbin.winbindd b/usr.sbin.winbindd
@@ -6,6 +6,7 @@ profile winbindd /usr/{bin,sbin}/winbindd {
include <abstractions/base>
include <abstractions/nameservice>
include <abstractions/samba>
+ include <abstractions/kerberosclient>
deny capability block_suspend,
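Review bot: `include <abstractions/kerberosclient>` is appended after `abstractions/samba`, breaking the alphabetical order the surrounding include lines follow; moving it between `abstractions/base` and `abstractions/nameservice` keeps the list sorted, which is how this profile set makes duplicate includes easy to spot. The profile body continues outside the hunk.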
@@ -26,9 +27,10 @@ profile winbindd /usr/{bin,sbin}/winbindd {
/usr/lib*/samba/idmap/*.so mr,
/usr/lib*/samba/nss_info/*.so mr,
/usr/lib*/samba/pdb/*.so mr,
+ /usr/lib*/samba/{,samba/}samba-dcerpcd Px -> samba-dcerpcd,
/usr/{bin,sbin}/winbindd mr,
/var/cache/krb5rcache/* rwk,
- /var/cache/samba/*.tdb rwk,
+ /var/lib/sss/pubconf/kdcinfo.* r,
/var/log/samba/log.winbindd rw,
@{run}/{samba/,}winbindd.pid rwk,
@{run}/samba/winbindd/ rw,
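Review bot: `/var/cache/samba/*.tdb rwk,` is removed and nothing in this hunk replaces the tdb access; it is presumably now provided by abstractions/samba, which is not in this view, so that should be confirmed before merging (usr.sbin.nmbd drops its gencache/names tdb rules in the same commit). The new `Px -> samba-dcerpcd` transition only succeeds when the samba-dcerpcd profile is loaded, so packaging needs to ship the new profile together with this change. The profile body continues outside the hunk.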
diff --git a/zgrep b/zgrep
@@ -0,0 +1,66 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2022 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile zgrep /usr/bin/{x,}zgrep {
+ include <abstractions/base>
+ include <abstractions/bash>
+
+ /dev/tty rw,
+ /usr/bin/{ba,da,}sh ix,
+ /usr/bin/bzip2 Cx -> helper,
+ /usr/bin/cat ix,
+ /usr/bin/egrep Cx -> helper,
+ /usr/bin/expr ix,
+ /usr/bin/fgrep Cx -> helper,
+ /usr/bin/grep Cx -> helper,
+ /usr/bin/gzip Cx -> helper,
+ /usr/bin/mktemp ix,
+ /usr/bin/rm ix,
+ /usr/bin/sed Cx -> sed,
+ /usr/bin/xz Cx -> helper,
+ /usr/bin/xzgrep r,
+ /usr/bin/zgrep Cx -> helper,
+ /usr/bin/zstd Cx -> helper,
+ owner /tmp/zgrep* rw,
+ /usr/bin/zgrep r,
+
+ include if exists <local/zgrep>
+
+ profile helper {
+ include <abstractions/base>
+
+ capability dac_override,
+ capability dac_read_search,
+
+ /dev/tty w,
+
+ /usr/bin/{ba,da,}sh ix,
+ /usr/bin/bzip2 mr,
+ /usr/bin/grep mrix,
+ /usr/bin/gzip mr,
+ /usr/bin/xz mr,
+ /usr/bin/zstd mr,
+ /{,**} r,
+
+ }
+
+ profile sed {
+ include <abstractions/base>
+
+ /dev/tty rw,
+ /usr/bin/{ba,da,}sh ix,
+ /usr/bin/sed mr,
+
+ }
+}
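Review bot: The `helper` child profile grants `capability dac_override,` together with `/{,**} r,`, but a helper that only reads, decompresses and greps needs at most `dac_read_search` to bypass DAC on reads when run as root; `dac_override` additionally bypasses write-permission checks and should be dropped unless a logged denial showed it is required. The `/{,**} r,` rule also deserves a why-comment, e.g. `# the user may name any readable file as a grep target`, since a bare read-everything rule inside a capability-bearing child otherwise reads like a mistake. Finally, `/usr/bin/zgrep r,` sits after `owner /tmp/zgrep* rw,`, breaking the otherwise sorted list; it belongs next to `/usr/bin/zgrep Cx -> helper,`.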